Iran-linked Attacks Highlight Nation-State Proxy Strategies for Plausible Deniability


December 4, 2023

World map

A Cybersecurity and Infrastructure Security Agency (CISA) representative say that an Iran-linked threat actor known as CyberAv3ngers is "actively targeting and compromising" multiple U.S. water treatment facilities.

The attackers are exploiting an Israeli-made programable logical controller (PLC) device predominantly used in water treatment but are also in use for food and beverage production and the healthcare sector.

"These compromised devices were publicly exposed to the internet with default passwords," NPR reports the CISA spokesperson as stating.

Takeaway: PLCs are relatively simple devices that were likely never designed to be internet facing yet are in wide use in manufacturing and physical systems. Israeli-made PLCs in use on the US are being leveraged to compromise critical infrastructure providers is not surprising.

The attackers are likely using automated scans to identify and target these devices, and the fact that some are in the US is just icing on the cake for threat actors given the US's support for the Israeli military operation in Gaza.

At some point, these ransomware attacks are going to cross the line from cybercriminal activity to a national security event, especially when we are talking about attacks on critical infrastructure Defense Industrial Base targets.

We know rogue nations tacitly or directly supports and/or controls these ransomware operators to an extent, and these attacks are starting to look more and more like state-sponsored terrorism, and perhaps we should be addressing them as such.

Even if the ransomware attack itself is resolved, the fact remains that the attackers may have exposed incredibly valuable intelligence for foreign adversaries, and this can potentially mean that an entirely different set of rules kick into place.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible. But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive action deemed appropriate and proportional.

In the 2004 National Military Strategy, the Joint Chiefs of Staff designated cyberspace as a “domain of conflict alongside the air, land, sea, and space domains,” noting that the US Department of Defense will “maintain its ability to defend against and to engage enemy actors in this new domain.”

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had basically zero impact on disrupting ransomware operations.

While Cyber Av3ngers present themselves as hacktivists, it is more than likely that they are being influenced by a nation-state such as Iran.

This overlap of cybercriminal activity with nation-state-supported operations conveniently allows for some plausible deniability, but rogue nations who support these attacks need to be very careful that they don't trigger an international incident that would elicit a military response from the US or their allies.

Using ransomware gangs or other seemingly independent threat actors as a proxy to conduct the attacks with the intent to maintain plausible deniability and thwart attribution is the strategy here, but it could backfire on them.

Cyber operations have become such an important aspect of larger geopolitical issues, but attribution is in many cases extremely difficult, so the US and allied governments are in a tough position regarding what actions to take to stem this wave of ransomware attacks, namely because there is so much ambiguity in determining true attribution for the attacks.

Ultimately, it's the adversarial governments that are providing safe harbor for criminal elements conducting ransomware attacks with impunity and is very likely even influencing some of their targeting.  

Until the US government and our allies directly sanction rogue regimes for their direct or tacit support, we will not see this spate of ransomware attacks abate any time soon.  

And it's only a matter of time before we see another massively disruptive attack against a critical infrastructure or other target that threatens our national security, and then we could see the whole conversation around ransomware attacks and our collective response change significantly. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.