{
  "Event": {
    "analysis": "1",
    "date": "2024-12-18",
    "extends_uuid": "",
    "info": "[Threat Intel] IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities",
    "protected": false,
    "publish_timestamp": "1772407259",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407257",
    "uuid": "388ebf8c-e4e4-42eb-916c-39b353101dac",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Water\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Brute Force - T1110\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Access Removal - T1531\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Default Accounts - T1078.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Endpoint Denial of Service - T1499\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Defacement - T1491.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Field Controller/RTU/PLC/IED\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Human-Machine Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772369876",
        "to_ids": false,
        "type": "link",
        "uuid": "e282e613-ec3f-4290-bdad-6794a203f15a",
        "value": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772386636",
        "to_ids": false,
        "type": "link",
        "uuid": "8b855bf3-2113-4cc1-9008-6ab79a2d2aa0",
        "value": "https://www.cisa.gov/sites/default/files/2024-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772386636",
        "to_ids": false,
        "type": "link",
        "uuid": "eef97fb1-9965-4ed2-b8a0-e44b0ea15e01",
        "value": "https://www.cisa.gov/sites/default/files/2023-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors-1.pdf"
      },
      {
        "category": "Payload delivery",
        "comment": "Crucio Ransomware - no sample found in VirusTotal (hash only, unverifiable against a live sample)\r\nLast check: 2026-03-02",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394170",
        "to_ids": true,
        "type": "md5",
        "uuid": "7d3c4114-33f4-428c-b9aa-ef1f8336a7a7",
        "value": "ba284a4b508a7abd8070a427386e93e0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Crucio Ransomware - no sample found in VirusTotal (hash only, unverifiable against a live sample)\r\nLast check: 2026-03-02",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394170",
        "to_ids": true,
        "type": "sha1",
        "uuid": "74260248-4d28-43d7-84a2-fd4c73455ebe",
        "value": "66ae21571faee1e258549078144325dc9dd60303",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Crucio Ransomware - no sample found in VirusTotal (hash only, unverifiable against a live sample)\r\nLast check: 2026-03-02",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394171",
        "to_ids": true,
        "type": "sha256",
        "uuid": "940d01f8-c94b-43e6-9f96-d2a4067a1ad6",
        "value": "440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP address associated with Crucio Ransomware per the linked CISA AA23-335A advisory. Exported with to_ids=true: confirm current ownership/hosting before blocking, as infrastructure from a 2023/2024 advisory may have been reassigned.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394997",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5b6cd2c4-5cb2-4a92-b4b7-f2e2ad7a88d0",
        "value": "178.162.227.180",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP address associated with Crucio Ransomware per the linked CISA AA23-335A advisory. Exported with to_ids=true: confirm current ownership/hosting before blocking, as infrastructure from a 2023/2024 advisory may have been reassigned.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772395018",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4e64d5ad-7591-4e4c-b34b-ff6c74c44bbd",
        "value": "185.162.235.206",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772386899",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "3267a098-ec3f-4aa6-a78e-f4bfc0650be8",
        "value": "CyberAv3ngers"
      }
    ]
  }
}