
Iran's Water-Plant Crew Just Got a Permanent File in Our Index. Defenders Have a Right to the Same Picture the Attackers Work From.

  • Writer: Patrick Duggan

This week we did something quiet and overdue: we gave CyberAv3ngers, the IRGC Cyber-Electronic Command (IRGC-CEC) crew that has been compromising internet-exposed water and energy controllers by reading the manual rather than burning a zero-day, a permanent, structured profile in our adversaries index, and we ingested the one cleanly attributed sample of their custom OT implant. Not a blog mention. A file. The same kind of file a defender at a water utility can query at three in the morning when a PLC starts behaving strangely. Here is what is in it, what we deliberately left out, and why the whole exercise comes down to a simple principle: the people running the pumps have a right to defend them.





The win, stated plainly


We have written about Iran's cyber operations more than sixty times. We called the dual-wing structure early — the IRGC-CEC running the operational-technology campaigns while the Ministry of Intelligence and Security runs the wiper-and-leak side through the Handala persona — and CISA later confirmed exactly that shape. But coverage in prose is not the same as a structured profile an analyst or an automated system can pivot on. CyberAv3ngers had the former and not the latter. As of this week it has both.


The profile carries the full alias set the field uses to talk past each other — Shahid Kaveh, Storm-0784, Bauxite, Hydro Kitten, UNC5691, the MITRE designation G1027 — so a defender who only ever heard one of those names lands on the same file as everyone else. It carries the attribution chain that makes "IRGC-affiliated" more than a label: the US Treasury sanctions against six IRGC-CEC officials, the Justice Department indictment of four more, the named front companies, the ten-million-dollar Rewards for Justice bounty. And it carries the campaign arc, from the Unitronics programmable-logic-controller defacements that put the group on the map, through the custom Linux implant, to the Rockwell controller exploitation that drew a six-agency joint advisory this spring.


That is the hoorah, and we are allowed one. A threat actor that has been operating against American water systems since before most people noticed now has a clean, queryable record in our index, alongside the malware sample that proves the toolset is real.



The discipline behind the hoorah


Here is the part we are prouder of than the profile itself. When we went to attach indicators to the new file, we found two domains in our own data that an earlier piece of ours had described as CyberAv3ngers command-and-control infrastructure. It would have been easy, and satisfying, to staple them to the profile and call it a richer record.


We did not, because the data did not support it. One of those domains is tagged in our feed as belonging to a completely different and unrelated malware framework — a fake-software-update delivery system that has nothing to do with Iranian operational-technology targeting. The other carries no actor attribution at all in the underlying data; the link to the Iranian group rested on a coincidence between the domain's name and one of the group's vendor aliases, and the domain was registered in Russia, which cuts against the attribution rather than for it.


So we kept them out. The profile holds one indicator we can stand behind without flinching: the file hash of the group's custom operational-technology implant, documented by two independent research teams, scored at a confidence level that makes it eligible to block but honest about its provenance. One confirmed indicator you can act on beats six coincidental ones that send a defender chasing ghosts. We cap our own confidence at ninety-five percent for a reason — something is always wrong — and the fastest way to find the wrong thing is to stop pretending everything is right.



What this group actually does, and the context it sits in


CyberAv3ngers does not need a nation-state's exotic capabilities, and that is precisely what makes it dangerous to ordinary utilities. Its signature move is to find a programmable logic controller exposed to the open internet, log in with the default password the vendor shipped, and either deface the operator screen or quietly tamper with the process. The custom implant extends that reach to routers, cameras, firewalls, and fuel-management systems; it beacons home over MQTT wrapped in TLS and resolves its command servers through DNS over HTTPS, so neither the check-ins nor the lookups show up in plaintext on the wire. This spring the group moved on to exploiting a known authentication-bypass flaw in a major brand of industrial controller across water, energy, and government facilities.


The timing is not an accident. This activity rises and falls with the shooting war. The United States and Israel ran a military operation against Iran earlier this year — the Americans codenamed it Epic Fury, the Israelis called it Roaring Lion — and the Iranian cyber response, the operational-technology disruption and the wiper attacks alike, is exactly that: a response. As the kinetic conflict flared again across the Gulf in recent days, with strikes touching energy and water facilities, the cyber side moves in lockstep. Energy and water are the targets on both planes at once.


We take no side in the war between governments. That is not our lane, and it is not our business. Our lane is the water operator in Pennsylvania, the energy cooperative in the Midwest, the manufacturer whose plant-floor controllers were never meant to face the internet. Those organizations are not combatants. They are the civilian infrastructure that gets caught in the blast radius, and they have an unambiguous right to defend themselves — to see the threat clearly and to shut the door before someone walks through it.



How to shut the door


First, find your exposed controllers before someone else does. Every programmable logic controller, human-machine interface, and remote-access gateway reachable from the public internet is a candidate. Most operators cannot produce that inventory on demand, which is exactly why this attack class keeps paying.


Second, kill the default credentials. The Unitronics campaign that made this group famous did not break encryption or burn a zero-day. It logged in with the password printed in the manual. Change it, everywhere, and put multi-factor in front of any remote access.


Third, get the controllers off the open internet. Segment operational technology behind a firewall, require a VPN for remote engineering access, and patch the known controller flaws — the authentication-bypass vulnerability this group is exploiting this year has had a fix available for a long time.


Fourth, watch for the implant's behavior, not just a known address. Regular TLS check-ins on the MQTT port (TCP 8883) from a controller or camera to an address outside the plant, DNS-over-HTTPS lookups from a device that should only ever talk to the plant's own resolver, an engineering workstation suddenly pushing logic changes at odd hours: those patterns survive even when the specific infrastructure rotates. And block the implant's file hash, which now lives in our feed.
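As an added example (not DugganUSA's feed or detection code, and not the group's tooling), here are the checks from the four steps above, together with the implant behavior described earlier, as one small triage script run over constructed telemetry. The page does not name ports or protocols, so everything beyond its text is an assumption stated in the code: the implant's messaging channel is taken to be MQTT over TLS on TCP 8883 and its resolver traffic to be DNS over HTTPS to a public resolver; the OT subnet, maintenance window, scan results, flow records, audit events and file inventory are invented; and the blocked hash is a placeholder derived from a constructed string, not the real implant hash.

```python
"""Behavioural triage for the steps above, run offline over constructed data.
Added example, not DugganUSA's feed code.  MQTT/TLS on 8883, DNS over HTTPS,
the OT subnet and every record below are assumptions, not facts from the page."""
import hashlib
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

OT_NET = ipaddress.ip_network("10.20.0.0/16")       # assumption: plant OT subnet
MAINT_WINDOW = (7, 19)                               # assumption: 07:00-19:00 local
MQTT_TLS_PORT = 8883                                 # assumption: implant messaging port
DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}    # assumption: public DoH endpoints
# Well-known OT service ports that have no business facing the internet.
OT_PORTS = {20256: "Unitronics PCOM", 502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm"}
# Placeholder: the hash of a constructed string, NOT the real implant hash.
BLOCKED_SHA256 = {hashlib.sha256(b"constructed implant sample").hexdigest()}

# Step 1: find controllers exposed to the internet (external scan, constructed).
def exposed_controllers(scan):
    return [(ip, port, OT_PORTS[port]) for ip, port, _banner in scan if port in OT_PORTS]

# Step 4a: evenly spaced check-ins from an OT device to an external MQTT/TLS endpoint.
def beacon_candidates(flows, min_hits=4, max_jitter=0.2):
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if (dport == MQTT_TLS_PORT and ipaddress.ip_address(src) in OT_NET
                and ipaddress.ip_address(dst) not in OT_NET):
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < max(min_hits, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:   # low jitter: a timer, not a human
            hits.append((src, dst, round(mean(gaps))))   # (src, dst, period in seconds)
    return hits

# Step 4b: DNS over HTTPS from a device that should only ever use the plant resolver.
def doh_from_ot(flows):
    return sorted({(src, dst) for _, src, dst, dport in flows
                   if dport == 443 and dst in DOH_RESOLVERS
                   and ipaddress.ip_address(src) in OT_NET})

# Step 4c: logic downloads to a PLC outside the maintenance window.
def offhours_program_changes(events):
    start, end = MAINT_WINDOW
    return [(ts, ws, plc) for ts, ws, plc, action in events
            if action == "program_download" and not start <= datetime.fromisoformat(ts).hour < end]

# Step 4d: the one hash the profile stands behind, matched against a file inventory.
def hash_hits(files):
    return [(path, digest) for path, digest in files if digest in BLOCKED_SHA256]

SCAN = [  # constructed external scan results: (ip, port, banner)
    ("198.51.100.77", 20256, "PCOM"),
    ("198.51.100.77", 443, "nginx"),
    ("198.51.100.78", 502, "Modbus/TCP"),
]
FLOWS = [  # constructed flow records: (timestamp, src, dst, dport)
    ("2025-03-14T01:59:50", "10.20.3.41", "1.1.1.1", 443),        # DoH lookup, then...
    ("2025-03-14T02:00:00", "10.20.3.41", "203.0.113.7", 8883),   # ...a five-minute beacon
    ("2025-03-14T02:05:00", "10.20.3.41", "203.0.113.7", 8883),
    ("2025-03-14T02:10:00", "10.20.3.41", "203.0.113.7", 8883),
    ("2025-03-14T02:15:02", "10.20.3.41", "203.0.113.7", 8883),
    ("2025-03-14T02:03:00", "10.20.5.10", "10.20.3.41", 502),     # internal Modbus, normal
    ("2025-03-14T02:07:00", "10.20.7.9", "198.51.100.20", 8883),  # one hit, below threshold
]
EVENTS = [  # constructed PLC audit log: (timestamp, workstation, plc, action)
    ("2025-03-14T03:12:00", "10.20.5.10", "10.20.3.41", "program_download"),
    ("2025-03-14T03:20:00", "10.20.5.10", "10.20.3.41", "read_status"),
    ("2025-03-14T10:00:00", "10.20.5.10", "10.20.3.42", "program_download"),
]
FILES = [  # constructed file inventory: (path, sha256)
    ("/bin/busybox", hashlib.sha256(b"benign").hexdigest()),
    ("/tmp/.svc", hashlib.sha256(b"constructed implant sample").hexdigest()),
]

def triage(scan=SCAN, flows=FLOWS, events=EVENTS, files=FILES):
    """Run every check and return the findings keyed by check name."""
    return {
        "exposed": exposed_controllers(scan),
        "beacons": beacon_candidates(flows),
        "doh": doh_from_ot(flows),
        "offhours_changes": offhours_program_changes(events),
        "hash_hits": hash_hits(files),
    }

if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {findings}")
```

Each function takes the export a utility already has: an external scan of its public range for exposed_controllers, NetFlow or Zeek connection records for beacon_candidates and doh_from_ot, the PLC audit or engineering-station log for offhours_program_changes, and an endpoint file inventory for hash_hits. The beacon check deliberately keys on timing rather than destination, which is why it still fires after the command server moves; tune min_hits and max_jitter to the plant's own baseline before acting on it.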



The principle


We built this file so that defenders do not have to be intelligence analysts to act like one. The attacker operates from a clear picture — known targets, known defaults, a tested toolset. For too long the people defending the pumps and the substations have operated from a foggier one, stitched together from advisories that arrive after the fact. Closing that gap is the entire job. The threat actor has a playbook; the defender deserves the same playbook, read in reverse.


Folks have a right to defend themselves. Our part is to make sure they can see what they are defending against, plainly, with the confident things marked confident and the uncertain things marked uncertain. This week CyberAv3ngers got a permanent file. The defenders got a little more daylight. We will take that, cap it at ninety-five percent, and keep watching.




DugganUSA builds threat intelligence from first-hand collection and a curated, inspectable corpus of more than 24 million documents. Attribution, victim figures, and adversary claims here are drawn from public reporting and government advisories and are treated as claims, not confirmed facts; we cap our confidence at 95% because something is always wrong. CyberAv3ngers is tracked in our adversaries index as a state-directed IRGC-Cyber-Electronic-Command group; the IOCONTROL implant sample referenced here is held in our indicator feed and is eligible for edge blocking.



