Hunt3r Kill3rs and the Italian Critical Infrastructure risks

A new cyber-criminal group known as Hunt3r Kill3rs has recently emerged, claiming responsibility for a series of attacks on critical infrastructure with the final political goal of attacking Israeli companies and Israeli allies. This group has primarily focused on industrial control systems (ICS), communication networks, and vulnerable web applications. Their activities represent a significant threat to the stability and security of various operational technology (OT) systems.

Based on their Telegram profile image, the group appears to be a Russian hacktivist group. However, a closer examination of associated users and affiliations reveals a strong correlation with Middle Eastern cyber groups. Notably, by reviewing the group description, we can identify the administrator's username and two associated groups:

By searching in Maltego for the group's administrator with the username @R351574N7 and the title стойкий, an interesting pivot point is identified: a Twitter account that could likely be related to the same individual with high confidence.

As previously mentioned, this user appears to be more closely associated with Middle Eastern cyber groups. Furthermore, by pivoting on the group link in the Telegram description, it is possible to retrieve a list of administrators. This allows us to take a closer look at the main administrator and an interesting partner:

The user R00t Kernel, with the username mikepawn3r, appears to have two Telegram profiles: the one already mentioned and another with the name “Mr Hunt3r Kill3r” and the username mikepawn3r1. This second profile could potentially be the real administrator of the group. 

Finally, the partnership with the Cyber Anon group, which is affiliated with many other groups in the Middle Eastern cyber space (like: Anonymous Islamic {‮طوفان الأقصى‬}, Anonymous Palestine, AnonymousSudan Chat, Arab cyber society, Islamic Hacker Army group, ᥲᥣ-ᥲᎥᥲᥣᥲ ﹉ ‮الـعـيـالـة‬, ‮اتحاد الجامعات السورية‬‭ 🇸🇾‬ ,‮مناقشة امبراطورية‬‭ 🇺🇳MT‬), further underscores the complex network of associations and influences within this cyber landscape.

Hunt3r Kill3rs has demonstrated a particular interest in disrupting OT systems, which are crucial for the management and operation of industrial processes. The group has claimed responsibility for recent attacks on companies that utilize exposed programmable logic controllers (PLCs) and CCTV systems. They have exploited poor cybersecurity configurations to infiltrate these systems, causing substantial disruptions. The group's ability to target such specific and vital components of infrastructure underscores the sophistication and danger of critical operations. 

Evidence in telegram messages suggests that Hunt3r Kill3rs may be linked to the Iranian Advanced Persistent Threat (APT) group, Cyber Av3ngers. The similarities in their attack methodologies and chosen targets indicate a possible connection. Both groups have shown a propensity for targeting critical infrastructure and employing advanced tactics to bypass security measures. In addition to their possible ties with Cyber Av3ngers, Hunt3r Kill3rs is also associated with the Cyber Army of Russia. This connection is evident through their involvement in numerous attacks on critical infrastructure within the United States. The collaboration between these groups, whether direct or through shared tactics and goals, amplifies the threat they pose on a global scale.

The types of attacks launched by Hunt3r Kill3rs are varied and sophisticated, targeting a range of OT infrastructures. A recent screenshot from their Telegram channel showcases their claims of successful infiltrations and disruptions. This evidence highlights their capability and willingness to attack vulnerable systems, making them a formidable adversary in the realm of cybersecurity.

In a recent announcement in their Telegram channel, they claimed a large-scale attack on Unitronics PLCs on the Italian perimeter:

Unitronics devices have been the target of multiple tampering incidents. Below is a list of other successful attacks on these devices:

Unitronics devices

Unitronics, an Israeli company, produces PLCs integrated with HMI (Human-Machine Interface) capabilities, offering advanced control functionality and versatility for industrial automation. Their software suite serves as an interface for programming and configuring devices, enabling engineers to define their logic efficiently. According to documentation, these devices support the VNC protocol for remote access, which poses a security risk. Attackers can potentially use specific Shodan searches to identify Unitronics devices with open VNC ports and check if authentication is disabled. The use of default, known, or easily guessable passwords further exposes these systems to brute force attacks.

 Unitronics devices are primarily used to control national critical infrastructure, such as water and wastewater treatment facilities, managing and monitoring various stages and processes, including pump operations, chemical flow adjustments, compliance data collection, and critical alarm alerts.

Recently, CISA published an advisory for CVE-2023-6448, highlighting the use of default administrative passwords in Unitronics Vision Series PLCs and HMIs. 

Additionally, Team82 from Claroty reported eight vulnerabilities that allow a remote unauthenticated attacker to bypass authentication and fully control the UniStream PLC, executing arbitrary commands. 

Due to the increasing frequency of attacks on Unitronics PLCs, their rising vulnerabilities, and their crucial role in critical infrastructure necessitate the implementation of robust cybersecurity controls and standards in the OT environment to protect public and environmental safety.

Italian exposure

In this article, we will explore the exposure of Unitronics devices in Italy to better understand the risks the country faces from potential cyberattacks.  The following results correspond to a research made between 31 May 2024 and 07 June 2024 (results may vary based on scan period). 

A simple search for the keyword “Unitronics” reveals 80 exposed PLCs.

By examining these results more closely, we can gain a better understanding of how the Unitronics environment operates. Typically, the PLCs are exposed on port 20256/TCP. In some cases, an HMI is also exposed on different ports to monitor and interact with the PLC. In the following case, without any authentication:  

The interesting part resides in the URL path “<IP>:<PORT>/Module1/Home” that is the same for each PLC that exposes an HMI. By searching for this particular path it is possible to find 36 exposed IPs. Another possibility to find more exposed services is to search for the favicon used by Unitronics in the HMI webpage, in this case the retrieved results are 32.

Putting all together to exclude possible duplicate results, the Italian exposure of such devices is in the order of 120 unique devices.  The distribution of the types of systems controlled by the devices found through OSINT searches is the following one:

The following graphs gives an overview of the distribution of such Devices for their location ( can be not accurate ), ASN and ISP.

Recommendations

Given the previously described threat landscape, CISA recommends to Unitronics users to: 

• Change the default password (1111) on all PLCs and HMIs
• Implement multifactor authentication for remote access from internal and external networks to OT systems
• Remove PLCs from the internet
• Secure remote connections with a firewall or VPN; multi factor authentication may be deployed on the firewall or VPN should the PLC or HMI not support it
• Ensure PLC and HMI applications are backed up and available
• Change default ports that may be targeted (20256 for Unitronics and 5900 for VNC)
• Ensure PLC versions are current

Conclusions

In conclusion, hacktivists will likely continue to align their activities with military and political conflicts, extending their reach beyond regions of kinetic conflict. Even seemingly trivial attacks can be disruptive, underscoring the importance for organizations to adhere to cybersecurity standards and recommendations. The recent attacks on Unitronics PLCs serve as a stark reminder that operational technology and control systems are vulnerable and can be targeted, leading to disruptions in critical services and jeopardizing personal safety. Robust cybersecurity measures are essential to safeguard these vital systems and ensure public and environmental safety.