Cyber Threat Actor: Cyber Avengers
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
3 incidents |
|---|
Profile
CyberAv3ngers, also known as Cyber Avengers, is a threat actor group identified with aliases that appear in multiple public reports and is associated with an Iranian origin based on available location information. The group describes itself as pro‑Iranian and has been linked to actions targeting critical infrastructure in both the United States and Israel, with observed activity against water management facilities and energy sector entities. Their reported objectives include causing operational disruption, as seen when a compromised pump station was taken offline and a message was displayed, and attempting to extort victims through ransomware claims, as indicated by the ransomware group that later asserted responsibility for the Florida water agency incident. While the group has asserted actions aimed at leaking sensitive industrial control system data, victims have disputed the authenticity of such leaks, leaving the exact strategic intent behind those claims unverified.
Observed tactics, techniques, and procedures involve distributed denial‑of‑service attacks that rendered websites inaccessible, the use of ransomware‑style extortion attempts, and a focus on specific industrial hardware such as Unitronics components in compromised pump stations. The actors have also claimed exploitation of a Check Point firewall device to gain access to internal networks, although the vendor and the affected organization denied any validity to those assertions. In addition, the group has purportedly leaked screenshots of SCADA systems, including diagrams of flare gas recovery units and PLC code, though the targeted organization characterized the material as entirely fabricated. No specific malware families or initial access vectors are detailed in the source material beyond these claims and the noted targeting of particular control‑system technologies.
Representative operations attributed to CyberAv3ngers include the October 2023 compromise of the Municipal Water Authority of Aliquippa’s pump station, where an isolated computer network was breached and a protest message displayed, and the June‑July 2023 DDoS campaign against the Bazan Group’s oil refinery website that coincided with claims of SCADA screenshot leakage. The November 2023 suspicious IT activity detected by the St. Johns River Water Management District in Florida, which prompted a ransomware claim and containment measures, is another incident referenced in broader warnings about Iranian‑linked actors targeting water sector infrastructure, although the group’s direct involvement in that case was not explicitly confirmed. These examples illustrate a pattern of targeting essential services with a mix of disruption tactics and asserted data‑theft attempts.
