C0031: Unitronics Defacement Campaign
The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.[1][2]
Analyst context for executives and security teams
This campaign matters because it shows how exposed industrial controllers with HMI functions can become a business and public-service disruption issue, not just an IT incident. The reported activity involved opportunistic global targeting and defacement of Unitronics Vision Series PLC/HMI devices found in sectors such as water and wastewater, energy, food and beverage manufacturing, and healthcare. For leaders, the key lesson is to verify whether internet-accessible control devices and default credentials exist in the environment before they become an operational resilience, safety, or public-confidence problem.
Executive priority
Prioritize this as an ICS exposure and readiness issue. Executives should ask whether Unitronics Vision Series PLC/HMI assets, or similar internet-accessible control devices, are inventoried; whether default credentials have been eliminated where possible; and whether operations can continue safely if HMI visibility or device availability is disrupted. The campaign’s ATT&CK relationships point to potential denial of service, loss of availability, loss of view, and loss of productivity/revenue, making it relevant to continuity planning, incident response escalation, compliance evidence, and cyber-physical risk governance.
Technical view
SOC, OT, and IR teams should validate exposure and monitoring around internet-accessible PLC/HMI assets, especially Unitronics Vision Series devices where present. ATT&CK provides no official detection text or platforms for this campaign, so coverage should be assessed through local asset inventory, remote access review, credential hygiene checks, and OT network telemetry. Relationship context indicates the campaign used Internet Accessible Device and Default Credentials techniques and is associated with impacts including Denial of Service, Loss of Availability, Loss of View, and Loss of Productivity and Revenue. Detection engineering should therefore focus on exposed-device discovery, authentication patterns, configuration or HMI content changes, device responsiveness, and operator visibility loss rather than relying on a single signature.
Likely telemetry
- OT/ICS asset inventory showing PLC and HMI model, firmware, network location, and ownership
- External exposure data for internet-accessible control devices and remote management interfaces
- Authentication and account-use records where available, especially default or shared account usage
- PLC/HMI configuration change records, project downloads/uploads, and HMI display/content modification evidence where logged
- OT network traffic metadata to and from PLC/HMI devices, including unexpected external connections
Detection direction
- Start with asset and exposure validation because the campaign is linked to internet-accessible devices and default credentials.
- Tune monitoring for unexpected HMI changes, defacement-like display modifications, device unresponsiveness, communication loss, or loss of operator view.
- Correlate OT alarms with network and authentication evidence; a loss of view may occur without immediate physical process disruption.
- Treat routine maintenance, vendor support, and engineering changes as major false-positive sources and require change-window context.
- Confirm whether PLC/HMI devices produce usable logs; many ICS environments have sparse endpoint telemetry, so network and operational alarms may be decisive.
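The correlation described above, as an added example that is not part of the ATT&CK object or Glexia's analysis: each asset record merges the telemetry the page lists (exposure data, credential audit, HMI change records with change-window context, responsiveness), and signals are mapped to the ICS technique IDs in this page's table. Field names, the sample inventory and the priority thresholds are assumptions.

```python
# Added example (not ATT&CK/Glexia code): correlate page-listed telemetry into findings.
from dataclasses import dataclass
from typing import Dict, List, Optional

KNOWN_DEFAULT_PASSWORDS = frozenset({"1111"})  # default reported in CISA AA23-335A

@dataclass
class Asset:
    name: str
    internet_exposed: bool   # from external exposure data
    password: Optional[str]  # from credential audit; None = not yet audited
    hmi_changed: bool        # HMI display/content modified
    in_change_window: bool   # change covered by an approved ticket
    responsive: bool         # device answered polling this interval

def assess(a: Asset) -> Optional[Dict]:
    # Each signal: (fired?, ICS technique ID, analyst-facing reason)
    signals = [
        (a.internet_exposed, "T0883", "reachable from the internet"),
        (a.password in KNOWN_DEFAULT_PASSWORDS, "T1694.001", "vendor default password set"),
        # Maintenance is a known false-positive source: changes inside a window are ignored.
        (a.hmi_changed and not a.in_change_window, "T0829", "HMI changed outside change window"),
        (not a.responsive, "T0814", "device unresponsive: possible loss of availability"),
    ]
    techniques = [t for hit, t, _ in signals if hit]
    reasons = [r for hit, _, r in signals if hit]
    if a.password is None:
        reasons.append("credential state unknown: audit required")
    if not reasons:
        return None
    tags = set(techniques)
    exposed_default = {"T0883", "T1694.001"} <= tags
    symptom = bool(tags & {"T0829", "T0814"})
    priority = next(label for cond, label in (
        (exposed_default and symptom, "critical"),
        (exposed_default or ("T0883" in tags and symptom), "high"),
        (bool(tags), "medium"), (True, "low")) if cond)
    return {"asset": a.name, "priority": priority,
            "techniques": techniques, "reasons": reasons}

def triage(assets: List[Asset]) -> List[Dict]:
    # Highest priority first, then by asset name, for the on-call analyst
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    found = [f for f in map(assess, assets) if f]
    return sorted(found, key=lambda f: (rank[f["priority"]], f["asset"]))

SAMPLE_ASSETS = [  # constructed inventory, not real devices
    Asset("pump-station-plc", True, "1111", True, False, True),
    Asset("filter-plc", False, "1111", False, False, True),
    Asset("chlorine-plc", True, "Rz7q!kL2", True, True, True),
]
```

An asset with no fired signal and an audited non-default password returns no finding, so only devices that need review reach the queue.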
Mitigation priorities
- Inventory Unitronics Vision Series PLC/HMI devices and similar internet-connected control assets, then assign business owners and operational criticality.
- Remove or protect direct internet exposure for control devices wherever feasible; require controlled remote access paths rather than exposed device interfaces.
- Change manufacturer or supplier default credentials where possible and document compensating controls where credentials cannot be changed.
- Segment OT networks and restrict access to PLC/HMI management functions to approved engineering paths.
- Maintain tested operational procedures for loss of view, device unavailability, and manual/local intervention scenarios.
Analyst notes and limits
The strongest decision value in this object is the linkage between opportunistic targeting of PLC/HMI devices and basic control failures: exposed devices and default credentials. The campaign description and relationships support a focus on ICS asset visibility, remote exposure reduction, credential hygiene, and resilience to loss of view or availability. Sector references should be treated as examples of where these PLCs can commonly be found, not proof that any specific organization is affected.
ATT&CK provides no official detection guidance, no specified platforms or tactics, and limited campaign detail in the supplied fields. Local confirmation is required to determine whether relevant Unitronics devices exist, whether they are internet-accessible, what telemetry is available, and whether observed HMI or availability issues are malicious, accidental, or maintenance-related.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0826 | Loss of Availability | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations due to the unavailability of the Programmable Logic Controller (PLC) and Human-Machine Interface (HMI). These victims covered multiple sectors. (Citation: Jamie Tarabay and Katrina Manson December 2023) |
| ICS | T0814 | Denial of Service | During the Unitronics Defacement Campaign, the CyberAv3ngers defaced controllers’ Human-Machine Interface (HMI), which prevented multiple entities from being able to operate their devices normally. (Citations: CISA AA23-335A IRGC-Affiliated December 2023; CISA Unitronics November 2023; Jamie Tarabay and Katrina Manson December 2023; Frank Bajak and Marc Levy December 2023) Additionally, the CyberAv3ngers caused a communications failure in a remote pumping station. (Citation: WPXI Aliquippa Water November 2023) |
| ICS | T0829 | Loss of View | During the Unitronics Defacement Campaign, the CyberAv3ngers replaced the existing graphic on the Programmable Logic Controller (PLC) Human-Machine Interface (HMI) with their own, thereby preventing PLC owners and operators from viewing PLC information on the HMI. (Citations: CISA AA23-335A IRGC-Affiliated December 2023; Jamie Tarabay and Katrina Manson December 2023) |
| ICS | T0883 | Internet Accessible Device | During the Unitronics Defacement Campaign, the CyberAv3ngers exploited devices connected to the public internet, such as internet-connected Unitronics Programmable Logic Controllers (PLCs) with Human-Machine Interface (HMI) and networking equipment such as cellular modems found in OT environments. (Citations: CISA AA23-335A IRGC-Affiliated December 2023; Lisa Zahner December 2023) |
| ICS | T1694.001 | Default Credentials Sub-technique | During the Unitronics Defacement Campaign, the CyberAv3ngers discovered and exploited default credentials found on many Unitronics Programmable Logic Controller (PLC) Human-Machine Interfaces (HMIs). For many of these devices, the default password was set to ‘1111’. (Citations: CISA AA23-335A IRGC-Affiliated December 2023; CISA Unitronics November 2023) |
| ICS | T0828 | Loss of Productivity and Revenue | During the Unitronics Defacement Campaign, the CyberAv3ngers caused multiple businesses to halt operations in their industrial environments, impacting their typical business operations. These victims covered multiple sectors. (Citation: Jamie Tarabay and Katrina Manson December 2023) |
Groups, software, and campaigns
G1027: CyberAv3ngers
The CyberAv3ngers are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The CyberAv3ngers have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel.[1]
In 2023, the CyberAv3ngers engaged in a global targeting and hacking of the Unitronics Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the devices' user interface.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 74ac4a9862b7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA AA23-335A IRGC-Affiliated December 2023: DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.
- [2] Frank Bajak and Marc Levy December 2023: Frank Bajak and Marc Levy. (2023, December 2). Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say. Retrieved March 25, 2024.
- [3] Lisa Zahner December 2023: Lisa Zahner. (2023, December 15). Hackers in Iran attack computer at Vero Utilities. Retrieved March 25, 2024.
- [4] mitre-attack C0031.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.