WASHINGTON – The US has imposed sanctions on six officials in Iran’s powerful Islamic Revolutionary Guard Corps (IRGC) which it says are responsible for the cyber-attacks on American water plants late last year.
This comes as the US prepares its response to the drone attack that killed three US soldiers in Jordan, close to the Syrian border, on Sunday.
The US has said an Iranian-backed militia group is responsible for that attack.
“The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act,” said Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence, in the announcement.
The sanctioned individuals are part of the IRGC’s Cyber-Electronic Command (IRGC-CEC), and include Hamid Reza Lashgarian, the head of the cyber organisation, and also a commander in the IRGC-Quds Force.
The Quds Force is Iran’s shadowy overseas operations arm, which the US accuses of being responsible for attacks in the Middle East.
Nelson added that “the United States will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account”.
The US Cybersecurity & Infrastructure Security Agency (Cisa) calls America’s water systems that residents rely on to drink clean water ‘target-rich, cyber-poor’.
“It’s why Cisa moves with such urgency,” said the agency’s executive assistant director for cyber-security, Eric Goldstein, in an interview with the BBC.
He said there could be “a hypothetical scenario where [the cyber-attacks] had life-safety impact and affected the potability of water”.
Late last year, a group named Cyber Av3ngers affiliated with the IRGC targeted the Municipal Water Authority of Aliquippa, in western Pennsylvania, along with several other water systems.
These facilities’ use of technology manufactured by Unitronics, an Israeli company, made them unsuspecting targets.
The cyber group posted an image on compromised screens with their digital calling card, and the words “down with Israel”.
“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” Matthew Mottes, the chairman of the authority, told the BBC’s US partner CBS.
According to Cisa, thanks to a simple default password – like 1, 2, 3, 4, 5, 6 – the Iranian hackers were able to disable a monitor regulating water pressure, but plant managers were able to take over manually.
It was considered a low-level hacking attempt, but federal officials are concerned that these attacks are not only ramping up but are also exposing how vulnerable America’s water systems are.
“Many water utilities likely didn’t know they were running a default password,” said Mr Goldstein.
Following the attacks, Pennsylvania Senators Bob Casey and John Fetterman, and Congressman Chris Deluzio sent a letter to Attorney General Merrick Garland urging “the Department of Justice to conduct a full investigation and hold those responsible accountable”.
In a statement to the BBC, Mr Deluzio’s office said: “No-one expects to be in the crosshairs of a war in the Middle East, but in this day and age, cyber-attacks and cyber-warfare can occur anywhere – and everyone has to be prepared.”
Cisa has warned there are several countries that are exploiting this lack of cyber-security awareness.
“Iranians cyber actors continue to mature and invest in their capabilities. China is the pacing threat that the US faces in cyberspace; there is malicious Russian activity, but North Korea and Iran continue to invest in their capabilities,” Mr Goldstein told the BBC.