
Who Are The CyberAv3ngers?
CyberAv3ngers is a hacktivist group believed to originate in Iran. It is reportedly aligned with Iran’s Islamic Revolutionary Guard Corps (IRGC) and driven by pro-Palestinian, anti-Israeli ideology.
Active since 2020, the group first made headlines by claiming a hack of Israel’s railway network shortly after the killing of IRGC General Qasem Soleimani.
CyberAv3ngers maintains an active online presence on Telegram and Twitter (X), where it posts propaganda videos and claims of cyberattacks to rally support.
CyberAv3ngers’ Activities and Incidents
In late November 2023, CyberAv3ngers briefly took control of the Municipal Water Authority of Aliquippa’s Unitronics PLC in Pennsylvania, shutting down a pump and displaying an anti-Israel message.
This attack was part of a broader campaign. The group targeted multiple water utilities in the U.S. and even a brewery, as well as sites overseas using Israeli-made equipment.
CyberAv3ngers often boasts of massive cyberattacks – claiming to have infiltrated everything from water plants to power stations – but many of these claims have been debunked as exaggerations.
U.S. authorities have attributed CyberAv3ngers’ activities to an IRGC-linked threat campaign and warned that its operations span multiple states and countries.
Although the actual disruptions so far have been limited, the campaign’s high profile prompted cybersecurity advisories (including a CISA alert) from government agencies.
How CyberAv3ngers Break into Networks
- Regularly apply security patches to both IT and OT systems to fix known vulnerabilities.
- Segregate OT/ICS networks from IT and internet access. Use firewalls, VPNs, and MFA to restrict remote connections.
- Continuously monitor OT and IT environments for anomalies or indicators of compromise, especially on ICS devices.
- Train employees on phishing awareness and enforce best practices (e.g., changing default passwords on internet-facing systems and ICS devices).
Staying Protected Against CyberAv3ngers
Spotting Black Basta ransomware quickly is important to reduce damage. IT teams and security tools should keep an eye out for early ransomware warning signs and indicators of compromise (IOCs):
- Unusual file extensions – The appearance of files ending in .basta (or .tmp files converting to .basta) is a sign of Black Basta encryption in progress. Likewise, multiple directories containing a new readme.txt ransom note indicate a ransomware payload has been executed.
- Sudden system slowdowns – File encryption causes high disk activity. Users may notice systems becoming extremely slow or unresponsive, a common early ransomware sign as files are being encrypted in bulk.
- Disabled security tools – If endpoint detection and response, antivirus, or logging agents unexpectedly turn off or crash, it could be attackers trying to impair defenses. Black Basta is known to disable EDR and antivirus via scripts and custom tools.
- Suspicious network activity – Monitor for unusual outbound traffic, especially to Tor nodes or unfamiliar IPs. Black Basta often uses trojans like Qakbot for command-and-control (C2) communications and tools like Rclone to exfiltrate data.
- Safe mode or wallpaper changes – A system unexpectedly rebooting into safe mode without user action may indicate ransomware attempting to evade defenses. Likewise, a sudden change of the desktop background to a ransom image or text is an obvious sign of compromise.
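The following is an added example, not code from BlackFog or from the original post: a small detection pass that runs the indicators above over constructed endpoint telemetry. The event schema, service names, allowlist and sample events are all assumptions made for the example.

```python
"""Toy detection pass over constructed endpoint events for the Black Basta
indicators listed above. Event schema and sample data are assumptions for this
example; they are not real logs or artifacts."""
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not real logs): one host showing every indicator.
SAMPLE_EVENTS = [
    {"type": "file", "action": "rename", "src": r"C:\Users\a\docs\q1.xlsx.tmp",
     "dst": r"C:\Users\a\docs\q1.xlsx.basta", "host": "WS01"},
    {"type": "file", "action": "create", "path": r"C:\Users\a\docs\readme.txt", "host": "WS01"},
    {"type": "file", "action": "create", "path": r"C:\Users\a\pics\readme.txt", "host": "WS01"},
    {"type": "file", "action": "create", "path": r"D:\share\readme.txt", "host": "WS01"},
    {"type": "service", "action": "stop", "name": "EDRAgent", "host": "WS01"},
    {"type": "net", "direction": "out", "dst_ip": "203.0.113.7", "dst_port": 443, "host": "WS01"},
    {"type": "net", "direction": "out", "dst_ip": "192.0.2.10", "dst_port": 443, "host": "WS01"},
    {"type": "boot", "mode": "safe", "host": "WS01"},
]

SECURITY_SERVICES = {"edragent", "antivirus", "sysmon"}  # assumed agent service names
KNOWN_DESTINATIONS = {"192.0.2.10"}  # constructed allowlist of expected egress peers
NOTE_THRESHOLD = 3  # ransom note seen in this many directories on one host


def detect(events):
    """Return (indicator, host, detail) tuples for every indicator that fires."""
    hits = []
    note_dirs = defaultdict(set)  # host -> directories containing readme.txt
    for e in events:
        t = e["type"]
        if t == "file":
            target = e.get("dst") or e.get("path", "")
            if target.lower().endswith(".basta"):  # .tmp -> .basta rename or new .basta file
                hits.append(("basta_extension", e["host"], target))
            if target.lower().endswith("readme.txt"):
                note_dirs[e["host"]].add(ntpath.dirname(target))
        elif t == "service" and e["action"] == "stop" and e["name"].lower() in SECURITY_SERVICES:
            hits.append(("security_tool_stopped", e["host"], e["name"]))
        elif t == "net" and e["direction"] == "out" and e["dst_ip"] not in KNOWN_DESTINATIONS:
            hits.append(("unknown_outbound", e["host"], e["dst_ip"]))
        elif t == "boot" and e["mode"] == "safe":
            hits.append(("safe_mode_boot", e["host"], ""))
    # A single ransom note is noise; the same note spreading across directories is not.
    for host, dirs in note_dirs.items():
        if len(dirs) >= NOTE_THRESHOLD:
            hits.append(("ransom_notes_spread", host, f"{len(dirs)} directories"))
    return hits
```

In a real deployment the allowlist and service names would come from your asset inventory, and a host firing several of these indicators within minutes is a stronger signal than any single one.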
Top Resources for Staying Informed

- CISA ICS Advisories – official alerts on critical infrastructure threats (e.g., Unitronics PLC exploitation guidance).
- Dragos Threat Intel – specialist reports on cyber threat actors targeting OT/ICS.
- Industry Blogs – threat intelligence reports from cybersecurity firms tracking threats like CyberAv3ngers.
- Custom Feeds – custom configured threat intel feeds from curation providers (Feedly is one good example).
Work With BlackFog for Cyber Defense
With groups like CyberAv3ngers exploiting vulnerabilities in both IT and OT systems, proactive cybersecurity is more important than ever.
Protect your organization from these threats with BlackFog’s advanced threat prevention solutions.
Visit BlackFog.com to learn how our real-time data protection and anti data exfiltration technology can protect your networks from hacktivist group activities and beyond.