What We've Learned From The Israeli Reservoir Attack on Dec 1st

03 Dec 2020

What Happened?

On the night of December 1st, 2020, an Iranian threat-actor published a video of a breach in an Israeli reclaimed water reservoir HMI system.

The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access. This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser.

As of the morning of December 2, 2020, the HMI web application already requires authentication to access the system. However, the system is still accessible through the internet without any barrier. Although this may prevent unskilled adversaries from accessing the system, those with a minimal toolbox can most likely compromise the system.

Additionally, the system still allows communications on port 502, which is used for Modbus protocol. Modbus/TCP does not require any authentication/encryption. It is a bad practice to expose this interface directly to the worldwide web. OTORIO researchers believe the ICS system used in this specific site is “T-Box” by Ovarro.

Was it a targeted attack?

From experience gained in multiple attacks researched by the OTORIO team, we can assume that the main reason the reservoir was targeted is that it provided easy, unprotected access. Moreover, it is our understanding that the attackers did not possess any deep industrial capabilities or knowledge. The breach was initially published over the Telegram channel of an Iran-based hacker group, named “Unidentified TEAM”. This group is responsible for other attacks on marginal American websites, one of which is a governmental education website in Texas. In that case, the attackers stated they are avenging the death of Iranian nuclear scientist Mohsen Fakhrizadeh, who was assassinated at the end of November 2020.

These cases emphasize the need for proper cyber-protection on infrastructure in conflicted destinations, as they are constantly being targeted.

How to prevent attacks on your assets?

The findings we present here highlight that there is a worrying lack of awareness of ICS cyber protection by SCADA engineers and system designers. In the case of the Israeli reservoir, even minimal steps, such as authentication and restricting access, were not taken. This led to an easy compromise of the system.

In order fully protect SCADA devices, a more active approach should be applied. This includes secure remote access (e.g. VPN), access restriction based on Firewall rules, and active defense-in-depth methods.

Visit our OTORIO blog page to learn more about how you can better protect your operational network.

Noam Even
Cyber Intelligence Researcher