Cyber Av3ngers Exploited Unitronics PLCs at Water Utilities in the U.S. and Ireland
A cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania exposed a broader campaign targeting Unitronics Vision Series PLCs used in water and wastewater operations. Attackers linked to the pro-Iran Cyber Av3ngers group reportedly defaced facility screens and disrupted a remote water pressure station, prompting operators to take affected equipment offline and switch to manual or backup processes; officials said drinking water quality and core service were not affected because the compromised system was isolated from the main treatment plant. Reporting also cited a separate incident at a North Texas utility, underscoring concern that internet-exposed industrial control systems are being actively targeted across the sector.
U.S. and Irish authorities later tied similar activity to exploitation of weakly secured or internet-accessible Unitronics controllers, including default or poor password practices and the vulnerability tracked as CVE-2023-6448, which was added to CISA's Known Exploited Vulnerabilities catalog. In Ireland, attackers disrupted water service to about 160 households in County Mayo after compromising a PLC at a private group water scheme. CISA warned water operators to remove PLCs from direct internet exposure, change default credentials, enforce multifactor authentication where possible, and back up device configurations as officials and experts warned that undersecured operational technology poses an ongoing risk to critical infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Irish incident tied to Cyber Av3ngers and broader Unitronics campaign
Reporting linked the County Mayo outage to the pro-Iran Cyber Av3ngers group, which had targeted Israeli-made Unitronics devices elsewhere. The incident aligned with international concern over exploitation of Unitronics Vision Series PLCs and references to CVE-2023-6448 being added to CISA's Known Exploited Vulnerabilities catalog.
County Mayo water outage in Ireland linked to Unitronics exploitation
A cyberattack disrupted water service for about 160 households in the Erris area of County Mayo, Ireland, after attackers exploited a vulnerability in a programmable logic controller used by a private group water scheme. Irish authorities said the incident was part of a broader global exploitation campaign rather than necessarily a targeted attack on Ireland.
Cyber Av3ngers campaign reported across multiple U.S. states
Further reporting indicated the Cyber Av3ngers group had hacked industrial controllers in multiple U.S. states, expanding the apparent scope of the activity beyond isolated incidents. The campaign reinforced concerns about insecure internet-connected industrial control systems.
Second U.S. utility incident disclosed amid Unitronics concerns
Reporting on CISA's warning noted a separate cyber incident affecting a North Texas utility serving about 2 million people. While no confirmed link to Unitronics PLCs was established, the disclosure marked a broader escalation of concern beyond the Aliquippa case.
CISA warns of active exploitation of Unitronics PLCs
CISA issued an alert that threat actors were actively exploiting internet-exposed Unitronics Vision Series PLCs used in water and wastewater systems. The agency cited weak password practices and direct internet exposure as likely intrusion paths and urged mitigations including changing default passwords, enabling MFA, removing PLCs from the public internet, and backing up configurations.
U.S. officials begin assisting Aliquippa cyberattack response
Federal authorities began assisting the investigation into the Aliquippa water utility intrusion, and public officials including Rep. Chris Deluzio said they were monitoring the situation. The incident drew broader attention to cybersecurity risks facing U.S. water utilities.
Cyber Av3ngers message appears in Aliquippa incident
Attackers displayed a message associated with the pro-Iran Cyber Av3ngers group on screens at the compromised Aliquippa facility, suggesting ideological targeting of Israeli-made technology. The affected pump system was reportedly isolated from the primary network and physically separate from the main treatment plant.
Aliquippa water authority hit via Unitronics-connected pressure station
The Municipal Water Authority of Aliquippa in Pennsylvania suffered a cyberattack affecting a remote water pressure station that used Unitronics equipment. Operators took the affected system offline and used backup/manual processes, while officials said drinking water quality and overall service were not impacted.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Two-day water outage in remote Irish region caused by pro-Iran hackers | The Record from Recorded Future News
therecord.media
Open sourceCyber Av3ngers gang hacks industrial controllers across multiple US states | news | SC Media
scworld.com
Open sourceCISA warns of attacks on Unitronics tool used by water utilities, wastewater systems | The Record from Recorded Future News
therecord.media
Open sourceCISA warns of threat groups exploiting Unitronics PLCs in water treatment hacks | Cybersecurity Dive
cybersecuritydive.com
Open sourceFederal officials investigating after pro-Iran group allegedly hacked water authority in Pennsylvania | CNN
cnn.com
Open sourceNorth Texas water utility serving 2 million hit with cyberattack | The Record from Recorded Future News
therecord.media
Open sourcePennsylvania water authority hit with cyberattack allegedly tied to pro-Iran group | The Record from Recorded Future News
therecord.media
Open sourceMunicipal Water Authority of Aliquippa hacked by Iranian-backed cyber group - CBS Pittsburgh
cbsnews.com
Open sourceMunicipal Water Authority of Aliquippa hacked by Iranian-backed cyber group - CBS Pittsburgh
cbsnews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iranian CyberAv3ngers Target Unitronics PLCs in Critical Infrastructure
**Iran-linked CyberAv3ngers** activity targeting **Unitronics Vision PLCs** in internet-exposed operational technology environments is the clearest common security event in the provided material. The reporting describes campaigns against critical infrastructure, especially **water and wastewater systems**, with attackers exploiting **default credentials**, weak segmentation, and exposed OT assets to gain access and potentially disrupt operations or manipulate industrial processes. The activity is framed as part of broader Iranian state-linked cyber operations aligned with regional geopolitical tensions, with emphasis on U.S. and allied infrastructure at risk of operational and possible physical consequences. One reference provides technical and threat-context detail on the **CyberAv3ngers/IRGC-linked** targeting of Unitronics devices, while another discusses the wider cyber dimension of conflict involving Iranian groups pre-positioning in U.S. networks and threatening sectors such as water, hospitals, finance, and power. That second piece is relevant as contextual support for the same Iran-linked critical infrastructure threat environment, though it is broader and less specific to the **Unitronics PLC** intrusion pattern. The remaining references cover unrelated topics including malicious npm packages, GitHub repository compromise, Ivanti EPMM exploitation, a Ukraine-focused backdoor campaign, AI security commentary, and vendor detection updates, and do not describe the same incident or disclosure.
Mar 21, 2026
US Offers Reward for Iranian Hackers Behind Unitronics Water Utility Intrusions
The U.S. State Department offered up to **$10 million** for information on six Iranian government hackers allegedly linked to the Islamic Revolutionary Guard Corps Cyber-Electronic Command and the **CyberAv3ngers** campaign targeting **Unitronics Vision Series PLCs** used in critical infrastructure, including U.S. water utilities. U.S. officials said the group exploited internet-exposed devices with default credentials and, in late 2023, defaced compromised systems with anti-Israel messages while claiming the attacks were retaliation for Israel’s actions in Gaza. One of the most visible incidents hit the Municipal Water Authority of Aliquippa, Pennsylvania, which temporarily shifted to manual operations after an intrusion reached a pressure-regulating pump, though officials said water treatment and safe drinking water were not affected. In response, **CISA** began directly contacting water utilities with exposed Unitronics devices and urged operators to change default passwords, while the FBI and EPA said only a small number of utilities were known to be impacted but warned that exposed PLCs could provide a foothold for deeper network access and potential physical damage.
Apr 1, 2026
Hackers Breached Water Treatment Plants Through Exposed ICS and Weak Passwords
Poland disclosed cyberattacks on five water treatment plants after intruders breached industrial control systems and, in some cases, gained the ability to change settings for pumps, alarms, and treatment equipment. Investigators said the compromises were enabled by basic security failures, including weak passwords and internet-exposed systems, and Polish authorities linked parts of the activity to Russian-aligned actors seeking to disrupt public services and probe infrastructure resilience. The incidents echo the earlier intrusion at a Florida water plant, where attackers reportedly exploited outdated software and poor password practices to gain access to operational systems. Together, the cases underscore a persistent risk across municipal water utilities: insecure remote access, exposed human-machine interfaces, aging control technology, and weak authentication can turn preventable weaknesses into threats to service continuity and public safety.
May 25, 2026