The cyberattack, which hit a Pittsburgh brewery in addition to the Municipal Water Authority of Aliquippa, was part of a targeted Thanksgiving campaign by a terrorist group tied to the Iranian government, the FBI said Wednesday. The FBI called the intrusions a "significant escalation" over previous hacks.
Another cyberattack could come around Christmas, agent Wolfgang Moser said at a Wednesday webinar hosted with the Environmental Protection Agency and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. He later clarified the FBI has no specific intelligence predicting a holiday attack.
The warning came as White House officials prepare to visit Pittsburgh on Monday to discuss how the region's cybersecurity workforce fits into the federal government's digital security strategy, a visit that was planned independently of the recent attacks. A report outlining the strategy, released in March, does not specifically address the kinds of control systems that were targeted by the hackers.
In the attacks, hackers affiliated with Iran's Islamic Revolutionary Guard Corps. penetrated programmable logic controllers, or PLCs — industrial computers made to control heavy machines that are used in factories and public utilities.
In this case, the PLCs were made by Israel and are used in plants throughout the United States, the FBI said. Officials said the attacks were an apparent retaliation for U.S. support for Israel as that nation wages a bloody war with Hamas, the terrorist group that attacked Israelis in a stunning and deadly operation in early October.
Full Pint Beer, the brewery affected by the Dec. 1 hack, manually overrode its PLC control system to keep its beer cold after the attack. The Aliquippa water authority took similar swift action to make sure water kept flowing to nearby townships.
Other utilities weren't as fortunate. Cole Dutton, cybersecurity specialist for EPA's Water Infrastructure and Cyber Resilience Division, said it took one utility five hours to get its system back online because it didn't have proper backups. He said the EPA offers free assessment tools to help organizations including utilities evaluate their resilience to cyberattacks.
With the possibility of more attacks looming, it "would be very prudent" for organizations to take even basic steps to beef up their security, such as changing default passwords on the programmable logic controllers targeted in the first attack, Mr. Moser said.
In a joint statement, the agencies said an attack powerful enough to shut off control units could have also used those same intrusions to penetrate even more further into the internal networks of the organizations that were targeted.
"It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved," the agencies said.
The Pittsburgh shutdowns were some of the first operational technology hacks in the city's history, although there was one ransomware attack on a physical system earlier this year, said Dawn Cappelli, director of the Operational Technology-Cyber Emergency Readiness Team at Dragos, an international cybersecurity firm with offices in Pittsburgh.
Dragos began offering free resources last year to small businesses that often can't afford comprehensive solutions on their own, and Ms. Cappeli said she has been meeting with regional business owners and the the Pittsburgh nonprofit Catalyst Connection monthly to explore their options.
Scott Johnson, an FBI intelligence analyst in the bureau's Middle East unit, said Wednesday that Iran typically favors proportional attacks rather than an escalation.
While this attack was a simple "defacement," intended to send a message, he said, "it could have been a lot worse."
© 2023 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC.
