Gil Messick (5:08)

ChatGPT AI machines.

Dena Temple Roston (5:11)

Satellite engine ignition. Click here and lift up. Jennifer Lynn Walker has a surprising preoccupation. She gets obsessed with the security of industrial facilities.

Jennifer Lynn Walker (5:24)

I just kind of obviously fell into it, but so I was a late bloomer in at call in college, graduated,

Dena Temple Roston (5:32)

she dabbled in computers, information systems management. And then.

Jennifer Lynn Walker (5:36)

And I just found an affinity for the cybersecurity. So this is, you know, going on, you know, 23, 24 years now.

Dena Temple Roston (5:44)

So you're like a cybersecurity early adopter?

Jennifer Lynn Walker (5:47)

Yeah, I was definitely. I've always, I've always been an early adopter in any of the cyber things. Did the malware analysis thing before that was really a thing. Cyber threat intel, before that was a thing.

Dena Temple Roston (5:58)

In other words, before the field really had a name, she was already doing the work. In fact, she'd tell you she's become a bit of an evangelist about it.

Jennifer Lynn Walker (6:12)

Welcome back to the Cybersecurity Evangelist. I'm Jennifer Lynn Walker, your host and evangelist.

Dena Temple Roston (6:22)

This is from her cybersecurity podcast. We edit the music. She's now the director of cyber defense at something called the WATER Information Sharing and Analysis center. Known as WATER ISAC for short. It's essentially an Industry association that helps water treatment facilities work on their cybersecurity.

Jennifer Lynn Walker (6:42)

I am watching threats and vulnerabilities across the water and wastewater sector. I should probably pull up our mission statement.

Dena Temple Roston (6:52)

So when something unusual happens, she notices. Like this thing that happened in November 2023.

Jennifer Lynn Walker (6:59)

This morning, a cyber group is taking credit for breaching a water treatment plant in Pennsylvania.

Dena Temple Roston (7:05)

Her mind went into overdrive.

Jennifer Lynn Walker (7:08)

What happened was this targeted thinking. Is there anything else going on? You know, what's being said, how it's.

Dena Temple Roston (7:19)

What she didn't know yet was that this would become a case study in modern hacktivism. The target was a small treatment facility about 18 miles northwest of Pittsburgh. So tell me about the Aliquippa Water Authority.

Jennifer Lynn Walker (7:34)

Aliquippa, I mean, it's a small water utility.

Dena Temple Roston (7:38)

It's in Beaver County, Pennsylvania, and it serves about 15,000 people.

Jennifer Lynn Walker (7:43)

That is small. But it doesn't matter how big or how small you are. It's what you have and data and. Or devices.

Dena Temple Roston (7:53)

Because in cyber attacks, size isn't the strategy accesses. In other words, a lot of the time, these attacks aren't about how big a plant is or even where it's located. Instead, it's about who makes the systems they're running, what kind of software they're using, what industrial control system is making

Jennifer Lynn Walker (8:17)

the whole operation run pumps and machinery and components that run the water plant. And those thoughts are coming through, you know, at light speed,

Dena Temple Roston (8:34)

Because Jennifer works on these kinds of problems for the water isac. She got pulled in to help, and before she knew it, she was in a zoom meeting with a bunch of state and federal officials, with the manager of Aliquippa talking them through what had happened.

Jennifer Lynn Walker (8:48)

The general manager received a phone call from an operator. They had gotten an alert, and the

Dena Temple Roston (8:54)

alert said that one of the devices that allowed the plant to monitor water pressure remotely was now flashing a strange message on its screen.

Jennifer Lynn Walker (9:03)

He didn't use the term defacement, but it had a message on it that said that it was from the Cyber Avengers.

Dena Temple Roston (9:09)

The Cyber Avengers. It's an Iranian hacktivist group. And their message made clear why they had chosen to target this obscure, tiny little water facility.

Jennifer Lynn Walker (9:20)

The message said, anything that was made in Israel, any components that were made in Israel, they were going to target these.

Dena Temple Roston (9:27)

There's something about hacking water treatment plants that feels like a Hollywood movie. It's the kind of threat that feels cinematic until you realize it's not. Holy Christ.

Gil Messick (9:39)

We're going to need some more FBI guys.

Dena Temple Roston (9:41)

I guess it just seems more sinister than your average Cyber attack. Because the thing they're attacking is the thing we need to stay alive.

FBI/Secret Service Agent (9:49)

The FBI and Secret Service cyber units are investigating the hacking of the municipal water supply system.

Jennifer Lynn Walker (9:57)

Hacking in Pinellas County, Florida. Investigators are trying to hunt down the

Dena Temple Roston (10:00)

person who tried to poison a public

Jennifer Lynn Walker (10:03)

water supply treatment plant that serves parts

Dena Temple Roston (10:07)

of the San Francisco Bay area. And to do damage to a water facility. What the bad guys crack into is the industrial computer systems that control them, often something known as programmable logic controllers or PLCs. Think of them as the computers that run the physical world, and they're used to monitor and run various operations in the water treatment process. Things like chemical additives, flow control, water pressure.

Jennifer Lynn Walker (10:37)

You know, at any given time, if the pressure is too high, it could break pipes or, you know, that could lead to other issues. If it's too low, then, you know, you wouldn't get water to your community.

Dena Temple Roston (10:50)

We talk a lot about hackers who launch cyber attacks using some coded weapon they've built, malware they've put together, or a backdoor that they've created. The Cyber Avengers hack on the water treatment plant wasn't like that. It was much simpler. All they appeared to have done is scan the Internet looking for people who were using the factory defaults on a particular kind of programmable controller. They wanted to find any PLC made by a company named Unitronics.

Gil Messick (11:20)

Unitronics is a public company with a strong international presence in more than 60 countries.

Dena Temple Roston (11:26)

And what made them focus on this one particular company? Well, Cyber Avengers is linked to Iran's Islamic Revolutionary Guard Corps. So perhaps it's no surprise that they targeted Unitronics not because of the systems it used, but because of where it was based in Israel. In other words, this wasn't about technology. It was about politics. You could be forgiven for never having heard of the Cyber Avengers. They've only been around since 2020. Though they're linked to the Iranian government, they don't appear particularly skilled in the dark arts of hacking. Their primary mission seems to be just to stir the pot, to make political points. And maybe because they are more lucky than good, they lie a lot. In October 2023, for example, they posted a promotional countdown video on Telegram. The group said it would be unveiling one of the greatest cyber attacks on Israel infrastructure ever. And then the next day, they claimed to have infiltrated 10 water treatment facilities there. They posted information they claimed they'd exfiltrated from the plants. But none of it was true. The real story came later, and it was much less dramatic. What they did instead, about a month later, is go after those water treatment plants in Pennsylvania. And it turns out finding their targets was child's play. All they had to do is use a search engine to find companies using

Jennifer Lynn Walker (13:06)

Unitronics controllers that was easily discoverable through open sources.

Dena Temple Roston (13:14)

They scan the Internet and look for people who had this particular thing right.

Jennifer Lynn Walker (13:18)

Exactly.

Dena Temple Roston (13:22)

And then once they'd identified the Unitronics PLCs, they looked for the ones that still had the factory presets in place, and in particular the factory default password, which was, and this is now public, the very complicated numerical combination of 1111

Jennifer Lynn Walker (13:42)

when the manufacturer ships the device, just like they would ship your thermostat or your connected truck or, you know, truck toy or something like that.

Dena Temple Roston (13:51)

And that's the part where they say in the instructions, please change the password.

Jennifer Lynn Walker (13:54)

And someone doesn't Absolutely, yes. Yes.

Dena Temple Roston (13:57)

So it was really something as simple as that?

Jennifer Lynn Walker (13:59)

It was really something as simple as that.

Dena Temple Roston (14:02)

That's crazy. It turns out that the Aliquippa water plant wasn't the only facility running Unitronics PLCs with a default password. When we come back, hackers are taking aim not just at the most obvious targets like water treatment plants, but but also places you wouldn't expect. Places that feel almost irrelevant to global conflict. Stay with us. Support for Click Here comes from Factor. This time of year always feels like the hardest time to stay consistent with cooking. There's so much going on and honestly, who wants to run out into the cold just to grab some groceries? Thankfully, Factor makes healthy eating easy with fully prepared meals designed by dietitians and crafted by chefs. With Factor, you get quality meals with hearty ingredients, including lean proteins, colorful veggies, and healthy fats. They're meant to fit your goals, and they're ready to eat in about two minutes. No prep, no stress, and it never gets boring. They have a hundred rotating weekly options, so there's always something new and delicious to look forward to. Personally, I love their black pepper and sage pork chop. And the Thai style peanut chicken grain bowl is perfect for lunch. It keeps you full all day in a good way. Head to FactorMeals.com clickhere50OFF and use the code clickhere50OFF to get 50% off your first Factor box, plus free breakfast for one year. You'd like a pro this month with Factor New subscribers only. Varies by plan. One free breakfast item per box for one year, while subscription is active. Support for Click Here comes from Quince. These days, I'm all about quality. Over quantity, especially in my closet. If it's not well made and versatile, it's just not worth it to me. That's why I love Quince. The fabrics feel elevated, the cuts are thoughtful, and the pricing actually makes sense. Quince makes high quality wardrobe staples using premium fabrics like 100% European linen, 100% silk and organic cotton poplin. And they come directly from safe ethical factories. They cut out the middleman so you don't pay extra for brand markups. It's just quality clothing at a good price and it's consistently rated 4.5 to 5 stars by thousands of customers. My new favorite sweater, my Quince cashmere quarter zip. I actually find excuses to wear it. It looks great, super soft and it's one of those classic pieces you keep going back to. Right now, if you go to quince.com clickhere you can get free shipping and 365 day returns. That's a full year to wear it and love it. And you will now available in Canada. Don't keep settling for clothes that don't last. Go to q U-I-N-E.com clickhere for free shipping and 365 day returns. Quince.com clickhere how do we maintain a

Jennifer Strong (17:21)

strong defense in a world that's rapidly changing? Join us on Strength in Numbers, a podcast from UVA's National Security Data and Policy Institute. I'm your host, Jennifer Strong. In each episode, we'll take a look at the materials powering today's most advanced technology, how it's being used on the battlefield, and ask how the United States can stay competitive against potential adversaries.

Dena Temple Roston (17:43)

Voters should be concerned about all this.

FBI/Secret Service Agent (17:44)

We want America to be strong, but we've got to be strong and smart.

Jennifer Strong (17:48)

That's all coming up this season of Strength in Numbers. Listen and follow wherever you get your podcasts.

Dena Temple Roston (18:08)

Oh, I can't wait to see you. This is from an open mic night at the Full Pint Beer. It's a brewery located about half an hour from the Aliquippa Water Treatment facility. And good beer here, Good beer service. Well, Full Pint was also attacked by the Cyber Avengers, which just seemed so random. Water treatment facilities? Sure, that makes sense. But a local craft brewery known for trivia nights and live music felt almost absurd. This is a song that I that

Gil Messick (18:46)

my sister and I wrote in 1994.

Dena Temple Roston (18:53)

Turns out this unassuming local bar, unbeknownst to them, had tiptoed into a global political fight. Breweries obviously need water, and thus water controllers. And you Guessed it, they had the Unitronics PLC in their system. And when the folks at Full Pint came to find out that they'd been attacked by some kind of political hacktivist trying to get even with Israel, they seemed sort of bemused. They didn't want to talk to us on the record about it, but they did make the hack public on their Facebook page. Ugh. Their message begins. The brewery control system received a cyber attack over the weekend. We're working to restore things to working order. Thank goodness for backups. They helpfully included a picture of the Cyber Avengers message. You have been hacked. It reads, down with Israel. And then they basically said in broken English that they believed anything made in Israel was a legitimate target. I asked Jennifer if she saw any deeper meaning in the fact that the Cyber Avengers had decided to target both water and beer.

Jennifer Lynn Walker (20:04)

I knew it just had nothing more to do than, you know, what, the fact that they were running the same type of component.

Dena Temple Roston (20:11)

Right. So if it was a pretzel factory, too, it might be a conspiracy, potentially.

Jennifer Lynn Walker (20:20)

I mean, no water, no beer. I mean, no pretzels.

Dena Temple Roston (20:24)

It was almost as if the Cyber Avengers were sending not just a political message, but an I Love the Simpsons message too.

FBI/Secret Service Agent (20:32)

Looks like there's beer coming out of the chimney.

Jennifer Lynn Walker (20:34)

I am proceeding on foot, calling a code A.

FBI/Secret Service Agent (20:38)

We need pretzels. Repeat, pretzels.

Dena Temple Roston (20:46)

According to cyber security firm Sentinel One, the Cyber Avengers Unitronics campaign didn't make much of a splash because there weren't that many devices for them to exploit. Sentinel 1 did a search of controllers and came up with just about 1800 Unitronics PLCs that were connected to the Internet and reachable globally. And about 280 of them were the kind in use at the Municipal Water Authority of Aliquippa. There was the potential for a lot of other industries to get mixed up in this. The Unitronics controllers are used in energy, food, and healthcare manufacturing, which means this could have spread far beyond water or beer. Though Jennifer Lynn Walker said it isn't just a Unitronics problem. Literally any system that's on a network could be vulnerable.

Jennifer Lynn Walker (21:40)

The message is, don't stop at Unitronics. Look at the other devices. Check all of your PLCs, especially the ones that are connected to the Internet, and remove them from the Internet if you really don't need them to be connected.

Dena Temple Roston (21:59)

Iranian hackers have been waging these kinds of shadowy cyber attacks against Israel for years. There are literally dozens of Iranian hacker groups with names like Karma or Muddy Waters. With apologies to the Chicago blues, what appears to have changed isn't the multitude of hacking groups. It's how they're showing signs of sophistication. While the Cyber Avengers so far have been relatively harmless, there are many groups that have done real damage, and increasingly so. And few people have watched this as closely as Gil Messick. He's the chief of staff at a cybersecurity company called Checkpoint. So let me just ask you, how long have you been sort of tracking Iranian threat actors?

Gil Messick (22:47)

When have we not? Iran is probably the most prominent cyber offensive player in the region and one of the biggest in the world.

Dena Temple Roston (22:55)

But Gil says over the past two years, Iranian hackers have been changing. They're cracking into security cameras in Israel and stepping up their regional espionage operations.

Gil Messick (23:06)

You could see them mostly in government agencies or ministries. You could see them in areas or companies which host large amounts of data.

Dena Temple Roston (23:17)

And they're starting to deploy malware that is leaps and bounds better than what they used to have in the past. They have malware that doesn't just infiltrate networks, but actually maps them out too, which can help if you're planning a future attack. They've also found ways to customize it so they can steal huge amounts of data and leave hardly a trace. And Gil, for his part, says he thinks he knows why this is happening now. Ukraine has turned out to be a testbed.

Gil Messick (23:46)

The war in Ukraine was a greenhouse for many cyber trends.

Dena Temple Roston (23:52)

Ukraine's IT army codified the use of activist hackers. They recruited IT professionals from around the world and then encouraged them to hack Russia.

Gil Messick (24:02)

Whatever happens in one war is being imitated and to some extent, improved in a different war. We're learning from this as what we call referring cyber defenders. But hackers are also learning from this as well. And you could see in their forums that they're sharing information and sharing experiences, and they're sharing capabilities. They're doing all these things.

Dena Temple Roston (24:29)

And while Ukrainian hacktivists didn't have any epic hacks, US Officials say they did something almost as important. They kept Russia's hackers on the back foot, defending instead of attacking. And that's certainly happening now in Israel, as hacker groups backed by Iran or Hamas or Hezbollah attack both Israel and its allies in ways both big and small. There is one hacking group in particular that he's been focused on.

Gil Messick (24:55)

Now. The most prominent One is called Cybertufan Cyber 2 Fund.

Dena Temple Roston (25:01)

It made a name for itself by hacking into an Israeli website hosting service called Signature It. Its stores, among other things, the Israel state archives and dozens of the nation's retailers, cybertufon hackers shut many of the sites down.

Gil Messick (25:17)

Think of an Israeli version of Home Depot that for over a weekend, didn't have a website for online shopping, which is quite significant.

Dena Temple Roston (25:27)

The group then posted the names, email addresses, and personal information of millions of Israeli customers on Telegram.

Gil Messick (25:35)

The list of victims were very, very large.

Dena Temple Roston (25:39)

And then cybertufan published a kind of manifesto, a decree on why they had chosen to hack the companies they hacked to ensure that no one thought it

Gil Messick (25:48)

was random, why it's so important in Israel, why we had to. Why they attacked them, and also to link it to specific actions that happened in the war.

Dena Temple Roston (25:58)

When cybertufan threatened to leak data of an Israeli medical company, it posted something on Telegram that said it was retribution for a very specific thing. We attacked this medical company, they said, because Prime Minister Benjamin Netanyahu and IDF forces had, quote, bombed our hospitals. Sometimes the hacks are more personal and even sinister. Back in October 2023, after Hamas stormed the border with Israel and took hundreds of hostages back to Gaza, the group took aim at the families of the people they had taken.

Gil Messick (26:34)

They sent them a text message, a designated text message saying, hi, we have captured your son or daughter. If you want to communicate with them, press this link. Write here your name, your email, and the message you want to send them, and click here.

Dena Temple Roston (26:50)

But if they clicked, they didn't connect with their loved ones. Instead, it would download malware to their phones.

Gil Messick (26:59)

If you would click it, then you could see that this was another way to basically exfiltrate information from the people who were victims of this attack.

Dena Temple Roston (27:10)

And how much after the kidnapping did that happen?

Gil Messick (27:13)

About a month.

Dena Temple Roston (27:19)

Gil said. It's the details here that make the effort remarkable. It means that cybertufon hackers know the personal phone numbers of individuals. They could connect specific family members to specific hostages, and that takes a lot of preparation and legwork.

Gil Messick (27:35)

Not the most sophisticated thing we've seen, but the level of details, the level of. Also of cruelness. In a way, this is something which is most alarming to me. So, as. As. As you know, as experts in cyber security, this is not the most advanced cyber security cyber attack we've seen, but on a human level, that's pretty harsh.

Dena Temple Roston (28:01)

And Gil says this is only the beginning. The Russian invasion of Ukraine is seen as the world's first truly hybrid war in which cyber weapons have been wielded right alongside more traditional ones. So we've only just started to understand what a hybrid war actually looks like.

Gil Messick (28:18)

And I'm sure that in the next war, then somebody else will learn from the lessons of this war and try to be better and greater.

Dena Temple Roston (28:26)

And that means what feels new now won't stay that way for long. This is Click Here. Click Here is a production of Recorded Future News and prx. Today's show was written and produced by Megan Dietrich, Sean Powers, Erica Gaeda, Sarah Zach Hirsch and Casey Georgie. It was edited by Karen Duffin and Sarah Cavato and Fact Checked by Darren Ancrum. Original music is by Ben Levingston with additional music from Blue Dot Sessions. Our staff writer is Lucas Riley, our illustrator is Megan Goff, and our sound designers and engineers are Jake Cook and Jesse Niswonger. I'm Dina Temple Raston and thanks for listening.

Recorded Future Representative (29:45)

Support for this program comes from Recorded Future. In cybersecurity, the biggest risk isn't what can be seen, it's what gets missed. Recorded Future analyzes billions of signals to help organizations stay ahead of threats. Recorded Future Know what matters?

FBI/Secret Service Agent (29:59)

Act first if you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to the Record Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.