IRGC-Affiliated Hackers Target U.S. Water Systems Using Default Passwords—Yes, It’s That Simple.
Here’s the scoop: Iranian state-sponsored hackers, aka CyberAv3ngers, have been busy exploiting vulnerabilities in Programmable Logic Controllers (PLCs) across critical infrastructure in the U.S.
This article was published with the support of RAKIA.AI!
What’s Happening?
According to a joint cybersecurity advisory from agencies like the FBI, CISA, and NSA, these hackers have been exploiting Unitronics Vision Series PLCs. These controllers are commonly used in water systems, energy facilities, and manufacturing sectors. Once inside, the attackers mess with logic files, disable remote access, and leave behind defaced splash screens reading:
"You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target."
It’s not just a technical breach—it’s cyber warfare with geopolitical undertones.
How They’re Breaking In
Here’s a breakdown of their tactics:
Default Credentials: They’re exploiting devices with no password or default credentials.
Disrupting Operations: Logic files are erased and replaced, rendering systems nonfunctional.
Defacement: Operators see propaganda messages instead of their usual interface.
Downgrade Attacks: Software versions are rolled back to older, vulnerable builds.
It’s low-effort hacking with high-impact consequences.
Why It Matters
These attacks aren’t just about causing chaos—they’re targeting critical infrastructure that people rely on every day. Disrupting water systems or manufacturing plants isn’t just an inconvenience; it’s a potential national security threat.
The Bigger Picture
This isn’t CyberAv3ngers’ first rodeo. Since 2020, they’ve claimed responsibility for cyberattacks targeting Israel and Western-aligned technologies. But now, they’re expanding operations globally, focusing on systems where basic cybersecurity hygiene is ignored.
How to Defend Against It
The advisory lays out clear mitigation steps:
Change Default Passwords: Yes, this one’s obvious, but still ignored way too often.
Disconnect Internet-Exposed PLCs: If a device doesn’t need to be online, keep it offline.
Patch and Update: Ensure firmware and software are running the latest versions.
Enable Multifactor Authentication (MFA): Add an extra layer of security wherever possible.
Segment Networks: Isolate critical systems from the rest of your network.
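As an added example (not code from the advisory or from this post), here is a small inventory audit that checks each PLC against the five mitigations above. The inventory format, the default-credential list, the firmware baseline and the VLAN names are all constructed assumptions for the example, not values from the advisory.

```python
"""Audit a PLC asset inventory against the advisory's mitigations.

Assumptions (not from the advisory): the inventory fields below are
constructed for this example, the default credential set is a placeholder,
and latest_firmware is the baseline the operator maintains.
"""
from dataclasses import dataclass

# Constructed placeholder set of factory-default credentials to reject.
DEFAULT_CREDENTIALS = {("", ""), ("admin", "admin"), ("admin", "1111")}

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.5.1' into (2, 5, 1) so a rollback compares as a downgrade."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class PlcAsset:
    name: str
    username: str
    password: str
    internet_exposed: bool
    firmware: str
    mfa_enabled: bool
    vlan: str

def audit_asset(asset: PlcAsset, latest_firmware: str, ot_vlans: set) -> list:
    """Return the mitigation gaps for one device, one string per gap."""
    findings = []
    if (asset.username, asset.password) in DEFAULT_CREDENTIALS or not asset.password:
        findings.append("default-or-empty-password")
    if asset.internet_exposed:
        findings.append("internet-exposed")
    if parse_version(asset.firmware) < parse_version(latest_firmware):
        findings.append(f"outdated-firmware:{asset.firmware}<{latest_firmware}")
    if not asset.mfa_enabled:
        findings.append("no-mfa")
    if asset.vlan not in ot_vlans:
        findings.append(f"unsegmented-vlan:{asset.vlan}")
    return findings

def audit_inventory(assets: list, latest_firmware: str, ot_vlans: set) -> dict:
    """Map device name -> findings, with the worst devices listed first."""
    report = {a.name: audit_asset(a, latest_firmware, ot_vlans) for a in assets}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample inventory; these are not real devices or versions.
SAMPLE_ASSETS = [
    PlcAsset("pump-station-1", "admin", "1111", True, "2.4.0", False, "corp-lan"),
    PlcAsset("chlorinator-2", "operator", "Xk7!pq9", False, "2.5.1", True, "ot-vlan-10"),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_ASSETS, "2.5.1", {"ot-vlan-10"}).items():
        print(name, gaps or ["ok"])
```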
The Bottom Line
This is another wake-up call for industries relying on legacy systems with poor cybersecurity practices. State-sponsored groups like CyberAv3ngers are exploiting simple vulnerabilities to send political messages and cause real-world damage.
👉 Don’t be the next victim. Update your systems, train your teams, and take cyber hygiene seriously.
IRGC’s Cyber Warfare Evolution
The Islamic Revolutionary Guard Corps (IRGC) is not only a key military and political force in Iran but also a dominant player in cyber warfare. Over the past decade, the IRGC has heavily invested in its cyber capabilities, leveraging them as tools for both espionage and sabotage. These operations aim to counter foreign adversaries, project power regionally, and safeguard Iran’s internal stability.
Notable Units within IRGC Cyber Operations
Cyber Defense Command (CDC):
This unit focuses on both defensive and offensive operations. It ensures the security of Iran’s critical infrastructure while conducting cyberattacks on adversaries.
CyberAv3ngers:
Known as an affiliated group rather than an official IRGC division, CyberAv3ngers has taken credit for a range of cyberattacks, primarily targeting Israeli and Western-linked infrastructure.
Payame Noor University Cyber Division:
A hub for training and recruiting cyber talent in Iran, this division collaborates with the IRGC to identify and nurture skilled cyber operatives.
Shahid Kaveh Cyber Unit:
Focused on hacking industrial systems and critical infrastructure, this unit specializes in exploiting vulnerabilities like default credentials and poorly segmented networks.
Basij Cyber Council:
Part of the IRGC-affiliated Basij organization, this council mobilizes civilian hackers and social media operatives to amplify cyber campaigns.
Key IRGC Cyber Tactics
Targeting Critical Infrastructure:
The IRGC frequently exploits vulnerabilities in industrial systems, such as programmable logic controllers (PLCs), to disrupt water, energy, and manufacturing sectors. Their goal is to create both physical and psychological impact.
Propaganda and Defacement:
Many attacks include bold propaganda messages, such as those left during CyberAv3ngers' campaigns. These serve dual purposes: demoralizing targets and signaling Iran’s technological prowess.
Advanced Persistent Threats (APTs):
IRGC cyber operations often fall under the umbrella of Advanced Persistent Threat groups, such as APT33 (Elfin) and APT34 (OilRig), which specialize in long-term espionage campaigns.
Supply Chain Attacks:
By compromising trusted vendors or third-party software, IRGC-affiliated hackers can infiltrate high-value targets indirectly.
Global Reach of IRGC Cyber Operations
The IRGC's cyber campaigns are not confined to regional adversaries like Israel. They have been implicated in:
Attacks on U.S. Infrastructure:
Multiple attempts have been made to infiltrate energy grids, water systems, and even financial institutions.
Espionage in Europe:
IRGC operatives have targeted European think tanks, academic institutions, and government entities to gather intelligence on foreign policies and sanctions.
Disruptive Operations in the Gulf:
Neighboring Gulf states, particularly Saudi Arabia and the UAE, have reported attacks on oil and gas infrastructure linked to Iranian hackers.
The Strategic Use of Cyber Operations
The IRGC views cyber warfare as a low-cost, high-impact tool in its asymmetric warfare strategy. It allows Iran to challenge technologically superior adversaries like the U.S. and Israel without direct military confrontation. Furthermore, these operations often provide plausible deniability, shielding Iran from immediate retaliation.
Iran’s cyber warfare strategy has long viewed Israel as one of its primary adversaries, and over the years, IRGC-affiliated groups have launched a barrage of cyberattacks against Israeli critical infrastructure, industries, and public services. From disrupting water systems to data leaks and propaganda campaigns, the intent is clear: to undermine Israel’s technological prowess and sow chaos.
Recent High-Profile Cyberattacks Against Israel
Water System Hacks (2020):
Iranian hackers targeted Israel’s water facilities in an attempt to manipulate chemical levels in water supplies. Though unsuccessful, this attack highlighted the potential for cyber warfare to create tangible physical harm.
Shields Down Campaign (2021):
IRGC-affiliated hackers launched a widespread campaign against Israeli transportation systems and financial institutions, disrupting operations and causing significant financial damage. This attack included phishing campaigns and Distributed Denial-of-Service (DDoS) attacks.
Medical Data Breach (2022):
Iran-backed cyber groups leaked sensitive medical data of millions of Israeli citizens, publishing it on dark web forums. The breach was both a privacy invasion and a psychological warfare tactic.
Insurance Company Attack (2023):
An attack on Shirbit, a major Israeli insurance company, resulted in the theft of sensitive corporate and customer data. Hackers demanded a ransom and leaked the data when their demands weren’t met.
Critical Industry Targeting (2023-2024):
CyberAv3ngers and other IRGC-linked groups launched sophisticated attacks on Israeli energy and defense contractors. These attacks included industrial espionage and attempts to disrupt production lines.
Tactics Used in Attacks on Israel
Propaganda-Driven Defacements:
Many cyberattacks are accompanied by propaganda messages, including calls for Israel's destruction. Websites and systems are defaced with phrases like “Down with Israel” and pro-Iranian slogans.
Phishing and Malware Deployment:
Iranian hackers use highly tailored phishing emails to penetrate organizations. Once inside, they deploy malware designed to exfiltrate sensitive data or disrupt operations.
Supply Chain Exploitation:
By infiltrating third-party vendors or software providers, attackers gain indirect access to high-value Israeli targets, such as defense systems or governmental agencies.
Zero-Day Exploits:
Iranian cyber units frequently use zero-day vulnerabilities to compromise systems. They often target poorly secured industrial systems, taking advantage of default configurations or outdated software.
Psychological Operations:
Beyond operational disruptions, Iranian cyberattacks often aim to erode public trust in Israel’s technological capabilities. Data leaks, especially those involving personal information, are weaponized to instill fear and uncertainty.
Motivations Behind Iran’s Cyber Campaign Against Israel
Geopolitical Rivalry:
Iran views Israel as its key regional adversary, and cyber warfare provides a means to project power without engaging in direct military conflict.
Strategic Disruption:
By targeting critical infrastructure, Iran seeks to weaken Israel’s economic and technological foundations while projecting a narrative of vulnerability.
Domestic Propaganda:
Successful cyberattacks against Israel are leveraged within Iran to reinforce the regime’s image as a strong force resisting Western and Israeli influence.
Link to the advisory:
https://acrobat.adobe.com/id/urn:aaid:sc:AP:00569c62-c1e4-44f7-b295-1022f32122be?viewer%21megaVerb=group-discover