CyberAv3ngers is an Iranian state-backed cybercriminal group affiliated with the Islamic Revolutionary Guard Corps (IRGC), specifically its Cyber-Electronic Command (IRGC-CEC). The group is also sometimes referred to as CyberAveng3rs or Cyber Avengers. It has become one of Iran’s most active hacking collectives focused on industrial control systems (ICS), targeting critical infrastructure sectors such as water, wastewater, oil and gas, energy, and manufacturing—primarily in the United States and Israel, but also in other countries.
Origins and Affiliation
• State Sponsorship: CyberAv3ngers is directly linked to the IRGC, a branch of Iran’s military apparatus, and operates as a state-sponsored hacktivist group.
• Leadership: The group is reportedly led or overseen by senior IRGC-CEC officials, including Mahdi Lashgarian.
• Connections: CyberAv3ngers has reported ties to other IRGC-linked groups, such as Soldiers of Solomon.
Tactics and Modus Operandi
• Primary Targets: The group is best known for attacking programmable logic controllers (PLCs) and SCADA systems—especially those manufactured by Israeli company Unitronics, which are widely used in water, energy, and other critical sectors.
Attack Methods
• Exploiting internet-facing devices with default or no passwords.
• Defacing compromised PLCs with anti-Israel messages, such as “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target”.
• Publicizing attacks and sometimes exaggerating their impact through Telegram and other social media channels.
• Developing and using custom malware, such as IOControl, to infiltrate ICS and IoT devices.
Notable Incidents
• November 2023: Compromised PLCs at U.S. water utilities, including the Municipal Water Authority of Aliquippa, leading to public warnings and advisories.
• Multiple claims (some later disproven) of attacks on Israeli infrastructure, including water treatment facilities, railway systems, and electricity grids.