CyberAv3ngers and the Unitronics PLC Campaign: How Iran Reached Inside US Critical Infrastructure

Starting in November 2023, an Iranian state-linked hacking group compromised at least 75 operational technology devices inside US critical infrastructure — not with sophisticated zero-days, but with a four-digit default password that operators had never changed. The story of CyberAv3ngers and the Unitronics PLC campaign is a case study in how geopolitical conflict translates into real-world cyber-physical risk, and why the gap between IT and OT security posture still costs us.

When the Municipal Water Authority of Aliquippa, Pennsylvania — a small facility about 30 miles outside Pittsburgh — announced in late November 2023 that Iranian hackers had seized control of one of its booster pump stations, it drew an unusual level of attention from the White House. The breach did not poison the water supply or disrupt service to residents. But the image that appeared on the station's human-machine interface told a blunt story: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." The device that displayed it was a Unitronics Vision Series programmable logic controller. Its password was the factory default.

Who Are CyberAv3ngers?

CyberAv3ngers is a hacking persona operated by, or on behalf of, Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command — the IRGC-CEC. The IRGC itself has been designated a foreign terrorist organization by the United States and Canada. The IRGC-CEC functions as the IRGC's dedicated cyber arm, and it operates through a network of front companies and contracted actors to maintain a degree of deniability while conducting offensive operations against adversaries of the Iranian regime.

The group's public Telegram channel, active since at least mid-2023, became both an operational coordination tool and a propaganda instrument. Between September and October 2023, as the conflict in Gaza intensified, CyberAv3ngers used the channel to claim credit for attacks against Israeli PLCs in the water, energy, shipping, and distribution sectors — though CISA and partner agencies later assessed that some of those early claims were exaggerated or fabricated. The group also reportedly has connections to another IRGC-linked crew known as Soldiers of Solomon.

"The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act." — Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence, February 2024

What distinguishes CyberAv3ngers from many Iranian APT groups is their explicit focus on operational technology — the industrial control systems, PLCs, and supervisory systems that underpin physical processes like water treatment, fuel distribution, and power generation. This is not an espionage-first group. Their stated goal has been disruption, defacement, and psychological impact on the operators of Israeli-made technology wherever it runs, including inside the United States.

The Unitronics PLC: A Target by Design

Unitronics is an Israeli manufacturer of programmable logic controllers and human-machine interface systems. Their Vision Series PLCs are widely deployed across a range of industries in the United States and globally, including water and wastewater treatment, food and beverage manufacturing, healthcare, energy, and transportation. A key selling point of the Vision Series is its all-in-one design: the PLC and HMI are integrated into a single unit, making deployment and configuration straightforward for operators without deep industrial automation expertise.

That same approachability created the attack surface. By default, Unitronics Vision Series PLCs listen on TCP port 20256 for PCOM, the vendor's own programming and management protocol, and the password protecting access to the device is 1111. Many operators either left that default in place or set no password at all. Compounding matters, a significant number of these devices were reachable directly from the public internet, with no VPN, no firewall restriction, and no multi-factor authentication standing between the open web and control of physical infrastructure.

On White Labeling

Unitronics Vision Series PLCs are sometimes rebranded and sold under different manufacturer names. CISA has specifically noted that organizations should assume any internet-connected PLC could be a Unitronics device regardless of the brand label visible on the unit, and apply the same mitigations accordingly.

It is worth being precise about what a PLC compromise means in practice. A programmable logic controller is not a file server or an email system. It is an industrial computer that controls physical processes: turning pumps on and off, filling tanks, maintaining pressure, regulating chemical dosing. In a water treatment facility, the PLC is what ensures chlorination levels stay within safe bounds and that wastewater moves through treatment stages correctly. An attacker with authenticated access to one of these devices does not merely observe — they can issue commands to the physical world.
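The practical first question after reading the above is "what of mine answers on TCP 20256 from outside?" The scanner below is an added example written for this article, not Unitronics or CISA code. It sweeps a CIDR block for the default PCOM port and, where a host accepts the connection, sends a PCOM ASCII "ID" (identify) request so the model and firmware can be recorded regardless of the brand name on the enclosure. The PCOM ASCII framing (a leading '/', two-character unit id, command, two-hex-digit checksum, CR, wrapped in a six-byte PCOM/TCP header with protocol byte 0x65) is my understanding of the publicly documented protocol and is an assumption to verify against your own units; the 192.0.2.0/29 default is a TEST-NET placeholder. Run it only against networks you are authorised to scan.

```python
#!/usr/bin/env python3
"""Find hosts answering on the Unitronics PCOM port (TCP 20256) and probe them.

Added example for this article; not Unitronics or CISA code. The PCOM ASCII
framing ('/' + unit id + command + checksum + CR, inside a 6-byte PCOM/TCP
header) follows the public protocol description as the author understands it
and is an ASSUMPTION: confirm it against a unit you own before relying on it.
"""
from __future__ import annotations
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

PCOM_PORT = 20256      # Unitronics default PCOM TCP port (from the advisory)
ASCII_PROTO = 0x65     # PCOM/TCP header protocol byte for ASCII PCOM (assumed)


def pcom_checksum(body: bytes) -> bytes:
    """ASCII PCOM checksum: sum of the bytes after '/' up to the checksum, mod 256, as two hex chars."""
    return f"{sum(body) % 256:02X}".encode("ascii")


def build_pcom_ascii(command: bytes, unit_id: int = 0) -> bytes:
    """Build one ASCII PCOM message; the ID command for unit 0 becomes b'/00IDED\\r'."""
    body = f"{unit_id:02X}".encode("ascii") + command
    return b"/" + body + pcom_checksum(body) + b"\r"


def wrap_pcom_tcp(message: bytes, transaction_id: int = 1) -> bytes:
    """Prepend the PCOM/TCP header: transaction id (LE u16), protocol byte, reserved 0, length (LE u16)."""
    return struct.pack("<HBBH", transaction_id, ASCII_PROTO, 0, len(message)) + message


def expand_targets(cidr: str) -> list[str]:
    """All host addresses in a CIDR block (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def probe(host: str, port: int = PCOM_PORT, timeout: float = 1.0) -> dict:
    """Connect to host:port; if the port is open, send a PCOM ID request and keep the raw reply."""
    result = {"host": host, "port": port, "open": False, "reply": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            s.sendall(wrap_pcom_tcp(build_pcom_ascii(b"ID")))
            try:
                result["reply"] = s.recv(256)   # raw PCOM reply; decode offline against the vendor docs
            except socket.timeout:
                pass
    except OSError:                             # refused, unreachable, or timed out: not open
        pass
    return result


def scan(cidr: str, workers: int = 64) -> list[dict]:
    """Probe every host in cidr in parallel and return only those with the PCOM port open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, expand_targets(cidr)))
    return [r for r in results if r["open"]]


if __name__ == "__main__":
    import sys
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"   # TEST-NET-2 placeholder
    for r in scan(cidr):
        print(f"{r['host']}:{r['port']} PCOM port open, reply={r['reply']!r}")
```

Treat any host that answers as a Unitronics-class device until proven otherwise, which is exactly the white-labeling caveat CISA raised; run the sweep from an address outside your perimeter to see what the internet sees, then again from the plant network to find units that are only one misconfigured firewall rule away from exposure.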

How the Campaign Unfolded

The US campaign began on November 22, 2023. According to the joint advisory issued by CISA, the FBI, NSA, EPA, and Israel's National Cyber Directorate (INCD), IRGC-affiliated actors accessed multiple US-based water and wastewater facilities operating Unitronics HMI-capable PLCs. The method of access was straightforward: they authenticated to internet-exposed devices using default or absent passwords over the device's default TCP port. No exploit code was required. No phishing campaign preceded it. The operators had simply left the front door unlocked.

The defacement message, "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target", appeared on the screens of compromised devices across multiple US states and in the United Kingdom; CISA's updated advisory assessed the UK activity as likely part of the same wider campaign against Israeli-origin technology. The Municipal Water Authority of Aliquippa was the most publicly prominent US victim, and the breach drew a response from Anne Neuberger, then Deputy National Security Adviser.

[Figure: CyberAv3ngers Unitronics attack chain. Stage 1 Reconnaissance; Stage 2 Default Auth; Stage 3 Logic Tampering; Stage 4 Persistence; Stage 5 Impact.]
Caption: CyberAv3ngers attack chain: internet-exposed PLCs scanned, accessed via default credentials, ladder logic replaced, persistence established, physical-layer impact achieved.

The campaign did not stop at defacement. CISA's updated advisory, revised in December 2024, disclosed previously unreported tactics that went significantly further than initial reporting suggested. Beyond posting the defacement message, the actors replaced the existing ladder logic files with custom versions they had written for specific device types. They renamed devices, likely to obstruct owner access. They rolled software versions back to older builds. They disabled upload and download functions on compromised units and changed the default port number to hamper remediation. The actors had developed custom ladder logic files for multiple Unitronics device versions, including older models not highlighted in the first advisory. Every one of these changes is visible to anyone comparing a device against a known-good configuration backup.
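Each tactic in the paragraph above changes something an owner can read back from the device: the project file, the device name, the software version, the upload/download setting, the listening port. The script below is an added example for this article, not CISA's or Unitronics' code. It compares a trusted baseline of each PLC against a fresh read and emits one finding per deviation, so the advisory's "create configuration backups" becomes a detection control rather than only a recovery one. The record fields, the version strings and both project byte strings are constructed for illustration; how you pull the project file off a unit (typically with the vendor's engineering tool) is site specific and is assumed to yield the bytes hashed here.

```python
#!/usr/bin/env python3
"""Diff each PLC's current state against a trusted baseline and flag the
tampering pattern from the December 2024 advisory update: replaced ladder
logic, renamed device, rolled-back software, disabled upload/download,
changed PCOM port.

Added example for this article; not CISA or Unitronics code. All sample
records and project bytes below are constructed, not real devices.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

UNITRONICS_DEFAULT_PORT = 20256


@dataclass(frozen=True)
class PlcState:
    ip: str
    device_name: str
    pcom_port: int
    software_version: str           # dotted version string, e.g. "9.8.90" (constructed)
    upload_download_enabled: bool
    project_sha256: str             # SHA-256 of the ladder-logic project file as read back


def version_tuple(v: str) -> tuple[int, ...]:
    """'9.10.0' -> (9, 10, 0) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def project_hash(project_bytes: bytes) -> str:
    """Hash the project file; the baseline hash is what the tampered file is compared against."""
    return hashlib.sha256(project_bytes).hexdigest()


def compare(baseline: PlcState, current: PlcState) -> list[str]:
    """One finding per deviation from baseline; an empty list means the device matches."""
    findings = []
    if current.project_sha256 != baseline.project_sha256:
        findings.append("ladder logic project differs from baseline (possible logic replacement)")
    if current.device_name != baseline.device_name:
        findings.append(f"device renamed: {baseline.device_name!r} -> {current.device_name!r}")
    if version_tuple(current.software_version) < version_tuple(baseline.software_version):
        findings.append(f"software rolled back: {baseline.software_version} -> {current.software_version}")
    if baseline.upload_download_enabled and not current.upload_download_enabled:
        findings.append("upload/download disabled since baseline (hampers remediation)")
    if current.pcom_port != baseline.pcom_port:
        findings.append(f"PCOM port changed: {baseline.pcom_port} -> {current.pcom_port}")
    return findings


def audit(baselines: dict[str, PlcState], observed: dict[str, PlcState]) -> dict[str, list[str]]:
    """Audit every baselined device; a unit that no longer answers is itself a finding."""
    report = {}
    for ip, base in baselines.items():
        cur = observed.get(ip)
        report[ip] = compare(base, cur) if cur else ["device did not respond at baselined address/port"]
    return report


# Constructed sample data: one untouched station and one showing every tactic at once.
ORIGINAL_PROJECT = b"constructed ladder logic project, operator version"
TAMPERED_PROJECT = b"constructed ladder logic project, attacker version"

SAMPLE_BASELINE = {
    "10.20.0.11": PlcState("10.20.0.11", "BoosterStation1", UNITRONICS_DEFAULT_PORT, "9.8.90", True,
                           project_hash(ORIGINAL_PROJECT)),
    "10.20.0.12": PlcState("10.20.0.12", "ChlorineDosing", UNITRONICS_DEFAULT_PORT, "9.8.90", True,
                           project_hash(ORIGINAL_PROJECT)),
}
SAMPLE_OBSERVED = {
    "10.20.0.11": PlcState("10.20.0.11", "BoosterStation1", UNITRONICS_DEFAULT_PORT, "9.8.90", True,
                           project_hash(ORIGINAL_PROJECT)),
    "10.20.0.12": PlcState("10.20.0.12", "xxxx", 20257, "9.8.65", False,
                           project_hash(TAMPERED_PROJECT)),
}

if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_BASELINE, SAMPLE_OBSERVED).items():
        print(ip, "OK" if not findings else "FINDINGS")
        for f in findings:
            print("   -", f)
```

The baseline must be captured before exposure, stored off the device, and re-read on a schedule; a hash taken after the actors have already swapped the project file only baselines their version.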

"These attacks were 'unsophisticated' but still managed to breach multiple American organizations." — Anne Neuberger, then-Deputy National Security Adviser, December 2023

Between November 2023 and January 2024, CISA assessed that CyberAv3ngers conducted approximately four separate waves of attacks. In total, at least 75 devices were confirmed compromised, including at least 34 in the Water and Wastewater Systems Sector. Victims spanned multiple US states. The UK's National Cyber Security Centre (NCSC) also observed targeting of PLC devices in the United Kingdom during the same period, and CISA's updated advisory reflected coordination with international partners on the shared threat.

IOCONTROL: From Defacement to Cyberweapon

The Unitronics campaign was not the group's only operational thread. Running concurrently and continuing into 2024, CyberAv3ngers conducted a separate but related campaign against fuel management systems using a custom-built malware framework that security researchers at Claroty's Team82 unit eventually identified and named IOCONTROL.

Team82 extracted a sample of IOCONTROL from a Gasboy fuel control system — specifically from the device's payment terminal, known as OrPT. Gasboy is a US-made product; Orpak Systems, a related fuel management platform targeted in the same campaign, is Israeli-made. CyberAv3ngers claimed on Telegram to have compromised 200 gas stations in Israel and the US, releasing screenshots of management portals and leaked data as evidence. Claroty's analysis confirmed that one particular attack wave compromised several hundred Orpak and Gasboy fuel management devices across both countries.

IOCONTROL is a Linux-based backdoor with a modular configuration built to target a broad range of device architectures. Its list of affected vendors, identified in Claroty's December 2024 report, includes Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others, a roster that spans IP cameras, routers, PLCs, HMIs, and firewalls. The malware uses the MQTT IoT messaging protocol for command-and-control communications and resolves its C2 hostname through Cloudflare's DNS over HTTPS service, so a network tap on the target environment sees encrypted DNS traffic rather than the C2 destination in plaintext.

Claroty's researchers noted that IOCONTROL stores itself in the /usr/bin/ directory under the filename iocontrol and uses a SysV-style init script, S93InitSystemd.sh, to execute on every system boot; restarting a compromised device does not remove it. The malware supports remote OS command execution and can delete itself on demand, and its modular design means the same codebase can be reconfigured to operate against fundamentally different device types without rebuilding the tool from scratch.

"We've assessed that IOCONTROL is a cyberweapon used by a nation-state to attack civilian critical infrastructure." — Claroty Team82, December 2024

The implications of IOCONTROL's presence inside a fuel payment terminal are specific and serious. An attacker with full control over the OrPT payment terminal could have shut down fuel services entirely at affected locations and could have stolen payment card data from customers. The Claroty team reported that as of December 10, 2024, 21 of 66 VirusTotal antivirus engines detected the sample — after a period in which detections remained at zero as late as September 2024. The malware had spent months inside the ecosystem before the security community had reliable signatures for it.
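With antivirus detections at zero for months, the useful checks are the host artifacts Claroty named (the binary in /usr/bin, the S93InitSystemd.sh init script) and the network behaviour (an MQTT session to the C2, DNS over HTTPS to Cloudflare). The triage script below is an added example for this article, not Claroty's code. It reads /proc/net/tcp directly rather than shelling out to ss or netstat, because stripped embedded firmware frequently has neither. The rc-directory locations it searches, the use of the standard MQTT-over-TLS port 8883 as the C2 port, the Cloudflare resolver addresses 1.1.1.1 and 1.0.0.1 as the DoH endpoints, and the sample /proc/net/tcp content are all constructed assumptions for illustration; only the file names come from the report.

```python
#!/usr/bin/env python3
"""Host-side triage for the published IOCONTROL indicators: /usr/bin/iocontrol,
the S93InitSystemd.sh init script, and live TCP sessions consistent with MQTT
C2 (tcp/8883) or DNS-over-HTTPS to Cloudflare (1.1.1.1 / 1.0.0.1 on tcp/443).

Added example for this article; not Claroty's code. INIT_DIRS, the C2/DoH
port and address assumptions, and SAMPLE_PROC_NET_TCP are constructed.
"""
from __future__ import annotations
import glob
import os
import socket
import struct

IOC_BINARY = "usr/bin/iocontrol"
IOC_SCRIPT_NAME = "S93InitSystemd.sh"
INIT_DIRS = ["etc/rc*.d", "etc/init.d"]       # where a SysV-style S93 script would live (assumed)
MQTT_TLS_PORT = 8883                          # standard MQTT-over-TLS port (assumed C2 port)
CLOUDFLARE_DOH = {"1.1.1.1", "1.0.0.1"}       # Cloudflare resolver addresses (assumed DoH endpoints)
TCP_ESTABLISHED = 0x01                        # /proc/net/tcp state code


def find_ioc_files(root: str = "/") -> list[str]:
    """Return IOC paths that exist under root; pass a mount point to triage a pulled firmware image."""
    hits = []
    binary = os.path.join(root, IOC_BINARY)
    if os.path.exists(binary):
        hits.append(binary)
    for pattern in INIT_DIRS:
        for d in glob.glob(os.path.join(root, pattern)):
            script = os.path.join(d, IOC_SCRIPT_NAME)
            if os.path.exists(script):
                hits.append(script)
    return hits


def _hex_addr(field: str) -> tuple[str, int]:
    """'0A7100CB:22B3' -> ('203.0.113.10', 8883); the IPv4 is stored in host byte order."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse /proc/net/tcp text into dicts of local/remote ip+port and numeric state."""
    conns = []
    for line in text.splitlines()[1:]:         # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = _hex_addr(parts[1])
        rip, rport = _hex_addr(parts[2])
        conns.append({"lip": lip, "lport": lport, "rip": rip, "rport": rport,
                      "state": int(parts[3], 16)})
    return conns


def suspicious_connections(conns: list[dict]) -> list[str]:
    """Flag established sessions to tcp/8883 or to a Cloudflare resolver on tcp/443."""
    out = []
    for c in conns:
        if c["state"] != TCP_ESTABLISHED:
            continue
        if c["rport"] == MQTT_TLS_PORT:
            out.append(f"MQTT/TLS session to {c['rip']}:{c['rport']}")
        elif c["rip"] in CLOUDFLARE_DOH and c["rport"] == 443:
            out.append(f"DNS-over-HTTPS session to {c['rip']}:443")
    return out


# Constructed sample: an MQTT session to a TEST-NET-3 host, a DoH session, a benign
# HTTPS session, and a TIME_WAIT (state 06) entry that must be ignored.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0200000A:C1A4 0A7100CB:22B3 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0200000A:C1A5 01010101:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0200000A:C1A6 0B7100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0200000A:C1A7 0A7100CB:22B3 06 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def triage(root: str = "/", proc_net_tcp: str | None = None) -> dict[str, list[str]]:
    """Run both checks; pass proc_net_tcp text to analyse a capture instead of the live host."""
    if proc_net_tcp is None:
        with open(os.path.join(root, "proc/net/tcp"), encoding="ascii") as fh:
            proc_net_tcp = fh.read()
    return {"files": find_ioc_files(root),
            "connections": suspicious_connections(parse_proc_net_tcp(proc_net_tcp))}


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    report = triage("/") if live else triage("/", SAMPLE_PROC_NET_TCP)
    for key, value in report.items():
        print(f"{key}: {value or 'none'}")
```

A self-deleting implant means an empty file check proves little on its own; the connection check and, better, a netflow or firewall log of outbound 8883 and DoH from devices that have no business using either are what catch it after it has cleaned up.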

OpenAI separately reported that CyberAv3ngers used ChatGPT to assist with PLC exploitation research, to develop custom bash and Python scripts, and to plan post-compromise activities. The group's use of AI-assisted scripting reflects a broader trend in nation-state and criminal threat actor development: lowering the barrier to custom tooling without requiring deep in-house expertise at every stage.

The US Government Response

The federal response unfolded across multiple agencies and timelines. On December 1, 2023, CISA issued advisory AA23-335A — a joint publication with the FBI, NSA, EPA, and Israel's INCD — detailing the Unitronics campaign, providing indicators of compromise, and urging operators to take immediate action. The guidance was direct: change default passwords (specifically, stop using the Unitronics default password 1111); take PLCs offline or place them behind a VPN; apply multi-factor authentication where remote access is required; create configuration backups; and update to the latest firmware. Unitronics itself released VisiLogic version 9.9.00 on December 12, 2023, which specifically required users to change default passwords as part of the update process.

On February 2, 2024, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned six officials of the IRGC-CEC under Executive Order 13224, citing their roles in the Unitronics attack campaign. The six individuals sanctioned were Hamid Reza Lashgarian — head of the IRGC-CEC and an IRGC-Qods Force commander — along with senior officials Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian. All property and interests belonging to the designated individuals that exist within US jurisdiction were blocked as a result of the action.

The State Department's Rewards for Justice program subsequently posted a reward of up to $10 million for information leading to the identification or location of CyberAv3ngers members involved in the attacks against US critical infrastructure. The reward notice specifically named the six sanctioned IRGC-CEC officials and linked Mahdi Lashgarian directly to CyberAv3ngers' use of IOCONTROL against worldwide ICS and SCADA devices. CISA updated the advisory again in December 2024 to reflect newly identified TTPs from the expanded investigation, removing outdated indicators of compromise and adding the previously unreported ladder logic tampering and persistence techniques.

Ongoing Threat

CyberAv3ngers has stated they will continue targeting Israeli-made technology in critical infrastructure regardless of where it is deployed. The IOCONTROL malware relaunched in a new campaign wave in July and August 2024, targeting additional IoT and SCADA systems months after the initial advisory. Organizations operating any internet-exposed OT device — regardless of manufacturer — should treat the mitigations in CISA advisory AA23-335A as baseline requirements, not optional guidance.

Key Takeaways

  1. Default credentials in OT environments are an existential risk: The entire Unitronics campaign succeeded because devices were internet-accessible and protected only by factory default passwords. This is not a novel vulnerability — it is a chronic failure of operational practice that persists across industrial sectors. The four-digit password 1111 should never reach a production environment.
  2. Geopolitical targeting extends to supply chain and technology origin: CyberAv3ngers did not target US water facilities because of anything those facilities did. They were targeted because they ran Israeli-made hardware. Organizations that procure OT equipment should assess supply chain origin as part of their threat modeling, particularly during periods of elevated regional conflict.
  3. Defacement is not the ceiling of impact: The public narrative around the Unitronics campaign focused on screen defacement and the fact that no service was disrupted. CISA's updated advisory makes clear the actors went further — replacing ladder logic, blocking remediation, and establishing persistence. The IOCONTROL framework demonstrates the group is capable of and willing to build purpose-built cyberweapons targeting civilian critical infrastructure.
  4. OT device internet exposure requires the same rigor as any internet-facing system: Industrial control systems connected directly to the public internet with no intervening firewall, VPN, or authentication layer represent an unacceptable attack surface. CISA's guidance to remove these devices from direct internet exposure or place them behind strong access controls reflects a baseline standard that many operators have not yet met.
  5. Nation-state actors are integrating AI tooling into OT attack development: OpenAI's reporting on CyberAv3ngers' use of ChatGPT for PLC research and exploit scripting signals a shift in capability scaling. Groups that previously lacked in-house depth to develop custom industrial control system exploits can now reduce that barrier significantly using AI-assisted development — a trend that applies across the threat landscape.

The CyberAv3ngers campaign against Unitronics PLCs was, in technical terms, a low-sophistication operation. It required no zero-day vulnerabilities, no supply chain compromise, and no sustained phishing campaign. It required only that operators had not changed a four-digit default password on an internet-connected device that controls physical infrastructure. That it succeeded at scale, across multiple states, multiple industries, and multiple countries, is the more important signal. The sophistication of the attacker did not determine the severity of the breach. The security posture of the defenders did. As IOCONTROL demonstrates, the same actors are also investing in purpose-built tooling that goes well beyond reusing a single forgotten default password.
