Threat Intelligence Tarot
wands · 3
Iran (IRGC - Islamic Revolutionary Guard Corps)
Risk: 4/5
✦ The Wrench ✦
Cyber Av3ngers
CyberAv3ngers · IRGC Cyberspace Battalion
Targets: US water utilities · Israel-linked OT vendors · Critical infrastructure with Israeli-made equipment
Active since ~2020 · US/Israel critical infrastructure targeting, OT/ICS disruption, Water system attacks
It found Israeli-made programmable logic controllers in American water plants and changed their setpoints. It was not subtle - it left its name on the screen. The Wrench is not a scalpel; it is a statement. Your infrastructure runs on components with origins it finds objectionable.
Tactics & Techniques
ATT&CK tactics covered: Reconnaissance (RCN) · Resource Development (RDV) · Initial Access (INI) · Execution (EXC) · Persistence (PRS) · Privilege Escalation (PRV) · Defense Evasion (EVA) · Credential Access (CRD) · Discovery (DSC) · Lateral Movement (LAT) · Collection (COL) · Command and Control (C2) · Exfiltration (EXF) · Impact (IMP)
Notable Operations
- Aliquippa, PA water authority - Unitronics PLC compromise (Nov 2023)
- Multiple US water utilities targeted via default credentials
- CISA emergency alert for water sector (Dec 2023)
- US Treasury sanctions on IRGC Cyberspace Battalion officers (2024)
Defenses
- Default credential elimination on all OT/ICS and SCADA systems (ICS-CERT guidance)
- Network segmentation isolating OT from the internet and from IT (NIST SP 800-82)
- Inventory and patch management for internet-exposed PLCs (CIS Control 1)
- Water sector ISAC membership and threat intelligence sharing (NIST CSF: ID.RA)
Reversed: Their Weakness
Cyber Av3ngers' reliance on default credentials as its primary attack vector reveals the defensive gap it exploits: the water sector's chronic underinvestment in basic cybersecurity hygiene, not sophisticated tradecraft, is what enabled the intrusions.
Data sourced from MITRE ATT&CK. For educational purposes.