US Offers Reward for Iranian Hackers Behind Unitronics Water Utility Intrusions
The U.S. State Department offered up to $10 million for information on six Iranian government hackers allegedly linked to the Islamic Revolutionary Guard Corps Cyber-Electronic Command and the CyberAv3ngers campaign targeting Unitronics Vision Series PLCs used in critical infrastructure, including U.S. water utilities. U.S. officials said the group exploited internet-exposed devices with default credentials and, in late 2023, defaced compromised systems with anti-Israel messages while claiming the attacks were retaliation for Israel’s actions in Gaza.
One of the most visible incidents hit the Municipal Water Authority of Aliquippa, Pennsylvania, which temporarily shifted to manual operations after an intrusion reached a pressure-regulating pump, though officials said water treatment and safe drinking water were not affected. In response, CISA began directly contacting water utilities with exposed Unitronics devices and urged operators to change default passwords, while the FBI and EPA said only a small number of utilities were known to be impacted but warned that exposed PLCs could provide a foothold for deeper network access and potential physical damage.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
State Department names six Iranian hackers and offers $10 million reward
The U.S. State Department identified six Iranian government hackers allegedly tied to the IRGC Cyber-Electronic Command and offered up to $10 million for information on their whereabouts. The officials were accused of involvement with CyberAv3ngers and attacks on Unitronics devices used by U.S. water utilities and other critical infrastructure.
CISA starts direct outreach to water utilities using exposed Unitronics devices
CISA said it was identifying water utility operators with internet-exposed Unitronics devices and notifying them to reduce cyberattack risk. The agency urged operators to change default passwords and harden exposed systems.
CISA, FBI and EPA disclose limited impact and warn utilities
U.S. officials said only a small number of water utilities were known to be impacted and that they had seen no access to operational water systems or disruption to safe drinking water. They warned that exposed PLCs could still provide a foothold for deeper network access and possible physical damage.
CyberAv3ngers publicly claims water utility attacks
In October 2023, the CyberAv3ngers campaign became public when the group claimed the attacks were retaliation for Israel’s actions in Gaza and defaced compromised devices with anti-Israel messages. The claims drew attention to the use of exposed Unitronics controllers in U.S. critical infrastructure.
Aliquippa water authority hit by Unitronics PLC intrusion
The Municipal Water Authority of Aliquippa in Pennsylvania was affected by an intrusion involving a Unitronics Vision series controller, prompting the utility to take systems offline and switch to manual operations. Officials said the compromise reached a pressure-regulating pump but did not affect water treatment or safe drinking water.
CyberAv3ngers begins compromising exposed Unitronics devices
U.S. officials said the Iran-linked group had been compromising default credentials on internet-exposed Unitronics programmable logic controllers since at least 2023-11-22. The activity targeted devices used in critical infrastructure, including water utilities.
Sources
US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks | The Record from Recorded Future News
therecord.media
CISA reaching out directly to water utilities about exposed Unitronics devices | The Record from Recorded Future News
therecord.media


