MITRE ATT&CK® Group

G1027: CyberAv3ngers

The CyberAv3ngers are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The CyberAv3ngers have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel.[1]

In 2023, the CyberAv3ngers engaged in a global targeting and hacking of the Unitronics Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the devices' user interface.[1]

Domain: ICS | ID: G1027 | Type: Group | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CyberAv3ngers matters because the ATT&CK entry ties the group to cyber-physical environments, specifically opportunistic global targeting and defacement of Unitronics PLCs with HMI capability across sectors such as water and wastewater, energy, food and beverage manufacturing, and healthcare. For executives, the practical issue is not just website-style defacement; it is whether internet-exposed or weakly governed industrial control assets could become public evidence of compromise and trigger operational, regulatory, and public-confidence decisions.

Executive priority

Treat this as an ICS resilience and governance priority. Leaders should ask whether the organization has an accurate inventory of PLC/HMI assets, whether any Unitronics Vision Series or similar PLC/HMI devices are externally reachable, who owns emergency response decisions for plant-floor systems, and what evidence would be available for regulators, insurers, customers, and public-sector partners after an incident. Because ATT&CK provides no detection detail for this group object, priority should be on confirming asset exposure, access controls, logging, backup/restore readiness, and incident communications for critical operations.

Technical view

SOC, IR, OT, and engineering teams should validate visibility around PLC/HMI administration paths, remote access into OT networks, changes to HMI screens or device configuration, authentication activity, and network connections to exposed industrial devices. The relationship to the Unitronics Defacement Campaign makes Unitronics Vision Series PLCs with HMI the most relevant validation focus. Since ATT&CK lists no tactics, platforms, or detection guidance for this object, defenders should avoid assuming standard enterprise endpoint telemetry is sufficient; coverage depends heavily on OT asset inventory, network monitoring, device configuration records, and engineering workstation/change-management evidence.

Likely telemetry

  • OT asset inventory showing PLC/HMI model, firmware, network location, ownership, and exposure status
  • Firewall, VPN, remote access, and network flow logs for traffic into OT segments and industrial devices
  • PLC/HMI authentication, configuration, project upload/download, and administrative change records where available
  • Engineering workstation logs and change-management records tied to PLC/HMI maintenance
  • Screenshots, HMI project files, or operator reports documenting unauthorized user-interface changes

Detection direction

  • Validate whether Unitronics PLC/HMI assets are known, monitored, and segmented; unknown or unmanaged devices are the primary blind spot suggested by the campaign context.
  • Tune monitoring for unauthorized HMI screen changes, unexpected PLC configuration changes, new remote sessions to OT assets, and administrative access outside approved maintenance windows.
  • Correlate OT events with firewall/VPN/jump-host activity rather than relying only on endpoint alerts, because ATT&CK provides no group-specific detection analytics.
  • Account for false positives from legitimate engineering maintenance, vendor support, and emergency operational changes by requiring approved change records and named asset owners.
  • Use the campaign relationship to prioritize hunting and exposure review around Unitronics Vision Series PLCs with HMI, while avoiding unsupported assumptions about other platforms.
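As an added illustration of the detection direction above (this is not code from ATT&CK, Glexia or CISA), the Python below joins constructed inventory, change-record and firewall/VPN flow data to surface the three conditions the bullets call out: exposed Unitronics PLC/HMI assets, OT-bound traffic to devices missing from the inventory, and remote sessions to PLC/HMI assets outside an approved maintenance window with no change record. All addresses, segment ranges, owners and change IDs are constructed.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# All data below is constructed for illustration; addresses, owners and change ids are hypothetical.
OT_SEGMENT = ip_network("10.20.0.0/24")
MAINT_WINDOW = (time(1, 0), time(4, 0))  # approved maintenance window, local plant time
# OT asset inventory: model, named owner, and whether a management path is internet/remote reachable.
OT_ASSETS = {
    "10.20.0.15": {"model": "Unitronics Vision Series PLC/HMI", "owner": "plant-eng", "exposed": True},
    "10.20.0.16": {"model": "Unitronics Vision Series PLC/HMI", "owner": "plant-eng", "exposed": False},
}
# Approved change records: change id -> (target asset, date of approved work)
APPROVED_CHANGES = {"CHG-1042": ("10.20.0.16", "2023-11-30")}

# Constructed firewall/VPN/jump-host records: timestamp, log source, src, dst
FLOW_LOG = """\
2023-11-30T02:10:00 vpn 192.0.2.44 10.20.0.16
2023-11-30T13:45:00 fw 198.51.100.7 10.20.0.15
2023-11-30T13:46:00 fw 198.51.100.7 10.20.0.99
2023-11-30T09:00:00 jump 10.20.0.5 10.20.0.16
"""

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, via, src, dst = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "via": via, "src": src, "dst": dst})
    return rows

def approved(dst, ts):
    """Remote work on a PLC/HMI counts as approved only inside the window and with a change record for that asset/day."""
    in_window = MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]
    has_record = any(a == dst and d == ts.date().isoformat() for a, d in APPROVED_CHANGES.values())
    return in_window and has_record

def review(flows, assets):
    findings = []
    # Standing exposure finding straight from the inventory, independent of any traffic.
    findings += [("EXPOSED_PLC_HMI", ip, a["owner"]) for ip, a in assets.items() if a["exposed"]]
    for f in flows:
        if ip_address(f["dst"]) not in OT_SEGMENT:
            continue  # not OT-bound; out of scope here
        if f["dst"] not in assets:
            findings.append(("UNINVENTORIED_OT_DEVICE", f["dst"], f["src"]))  # the blind spot
        elif ip_address(f["src"]) not in OT_SEGMENT and not approved(f["dst"], f["ts"]):
            findings.append(("UNAPPROVED_REMOTE_OT_ACCESS", f["dst"], f["src"]))
    return findings

print(review(parse_flows(FLOW_LOG), OT_ASSETS))
```

The VPN session at 02:10 to 10.20.0.16 is not flagged because it falls inside the window and matches CHG-1042; the same logic applied to real flow logs needs the inventory and change records kept current, or every legitimate maintenance session becomes a false positive.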

Mitigation priorities

  • First establish or refresh an OT asset inventory, with specific attention to Unitronics PLC/HMI deployments and any internet or remote-access exposure.
  • Reduce exposed management paths to PLC/HMI assets through segmentation, controlled remote access, and documented approval for engineering access.
  • Strengthen identity and access governance for OT administration, including named accounts, least privilege, and review of vendor or shared access where present.
  • Require change control and recoverable backups for PLC/HMI projects and configurations so defacement or unauthorized changes can be investigated and reversed.
  • Prepare an ICS incident response playbook that covers operational safety, engineering validation, communications, and evidence preservation for public-facing or critical infrastructure incidents.

Analyst notes and limits

The official object describes CyberAv3ngers as a suspected Iranian Government IRGC-affiliated APT group and notes disputed and false claims of critical infrastructure compromises in Israel. The strongest decision-relevant context is the 2023 Unitronics PLC/HMI defacement activity across multiple sectors and the attributed Unitronics Defacement Campaign relationship. Because this is an ICS group object with no tactics, platforms, or detection text, the defensible takeaway is to validate OT exposure, asset ownership, monitoring, and response readiness rather than infer a complete intrusion playbook.

ATT&CK does not provide detection guidance, tactics, or platforms for this group object, and the supplied relationship context is limited. This take does not assert current activity, confirmed exposure of any organization, guaranteed detection coverage, or techniques not present in the supplied fields. Local asset inventory, architecture, logging, and incident history are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Campaign (ICS)

C0031: Unitronics Defacement Campaign

The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, where threat actors engaged in a seemingly opportunistic and global targeting and defacement of Unitronics Vision Series Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). The sectors that these PLCs can be commonly found in are water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a75a88e75f7bfd6b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | a75a88e75f7b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] CISA AA23-335A IRGC-Affiliated December 2023
      DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.

  [2] Soldiers of Solomon
      CyberAv3ngers reportedly has connections to the IRGC-linked group Soldiers of Solomon. [1]

  [3] mitre-attack G1027

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.