The County Mayo Water Hack: How a Default Password Took 180 Homes Offline

In early December 2023, approximately 180 homes in the Erris area of County Mayo, Ireland, lost their water supply. The pumping system that served the Binghamstown/Drum private water scheme had stopped working. When operators checked the pumphouse, the screen on the Unitronics controller displayed a message: "You have been hacked. Down with Israel."
The controller's default administrative password was 1111. It had not been changed, and the device was accessible from the internet. A group affiliated with the Islamic Revolutionary Guard Corps (IRGC) in Iran had found it, logged in, and taken control. Water service was restored two days later using a manual backup pumping system.
This was not an isolated incident, though. Between November 2023 and January 2024, the same group compromised at least 75 Unitronics devices across multiple countries in four separate waves of attacks. The vulnerability they used was assigned a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, which places it in the critical band, the highest severity rating. The technical complexity required to exploit it was effectively zero.
What everyone thinks happened
The media narrative ran along familiar lines: Iranian hackers attacked an Irish water supply, 180 homes lost water, and it sounded like the kind of sophisticated state-sponsored operation that makes headlines. Several early reports framed it as a targeted attack on Ireland, raising concerns about critical infrastructure security across the country.
The reality is less dramatic but more concerning. Ireland was not targeted, and the Binghamstown/Drum water scheme was not chosen because of its location, its function, or anything about its operations. The CyberAv3ngers (tracked by MITRE ATT&CK as Group G1027) were scanning the internet for Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs). They found devices running with default credentials and logged in with the factory password. The device in County Mayo happened to be one of them.
The UK's National Cyber Security Centre (NCSC), which co-authored the joint advisory with CISA (the Cybersecurity and Infrastructure Security Agency), the FBI, the NSA (National Security Agency), and four other agencies, assessed the exploitation as being "of limited sophistication." WaterISAC (the Water Information Sharing and Analysis Centre) described the actors as "low-skilled actors using unsophisticated tactics." Both assessments are accurate, and that is exactly what makes this incident worth examining. The most dangerous thing about this campaign was not the skill of the attackers. It was how little skill they needed.
What actually happened
The vulnerability: CVE-2023-6448
Unitronics Vision Series PLCs and Samba Series PLCs shipped with a default administrative password of 1111. This password was not unique to each device. Every unit shipped with the same credentials. The devices also had no mandatory password change requirement on first setup, meaning an operator could install the PLC, connect it to a network, and start using it without ever being prompted to change the default.
These PLCs communicate using the PCOM (Programmable Controller Communication) protocol, a proprietary Unitronics protocol that runs over serial connections or TCP on port 20256 by default. At the time of the attacks, PCOM had no password protection for network communications. An attacker who could reach the device on TCP 20256 could connect using the VisiLogic engineering workstation software, authenticate with the default password, and take full administrative control. That control included the ability to modify PLC logic, change HMI displays, and disrupt whatever physical process the controller was managing.
CISA assigned CVE-2023-6448 on 14 December 2023 and added it to the Known Exploited Vulnerabilities (KEV) catalogue on 11 December 2023. The CVSS v3.1 vector string tells the story: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Network accessible, low attack complexity, no privileges required, no user interaction needed, and high impact across confidentiality, integrity, and availability, giving it a score of 9.8 out of 10.
The campaign: November 2023 to January 2024
The CyberAv3ngers began accessing US water and wastewater facilities via Unitronics PLCs on 22 November 2023. The attacks were politically motivated rather than operationally strategic. The group targeted Israeli-made equipment specifically, and the defacement message left on compromised devices read: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."
The most widely reported US incident hit the Municipal Water Authority of Aliquippa in Beaver County, Pennsylvania. On 24 to 25 November 2023, the attackers compromised a Unitronics Vision Series PLC at a booster station that monitors and regulates water pressure for Aliquippa and portions of two neighbouring townships. An alarm triggered immediately, and crews switched to manual operation. No customer water supply was disrupted at Aliquippa because the alarm system worked and manual controls were available.
CISA published an initial alert on 28 November 2023, six days after the first wave began. On 1 December 2023, a joint advisory (AA23-335A) was published by seven agencies: CISA, the FBI, the NSA, the EPA (Environmental Protection Agency), the INCD (Israel National Cyber Directorate), CCCS (Canadian Centre for Cyber Security), and the UK NCSC. That advisory confirmed that at least 75 devices had been compromised in total, with at least 34 of those in the US water and wastewater sector.
The County Mayo attack came after both the CISA alert and the joint advisory had been published. The Binghamstown/Drum water scheme is a private group scheme, not part of the national Irish Water utility. Private group water schemes in rural Ireland are managed locally by their communities. They serve small populations, they operate on limited budgets, and they typically do not have dedicated IT or cybersecurity staff. Ireland's own NCSC stated that it "identified all of the equipment in Ireland vulnerable to this attack, and notified the owners." The National Federation of Group Water Schemes (NFGWS) warned its members to be vigilant.
But the device in Erris had already been compromised. Unlike Aliquippa, where the alarm triggered and manual controls prevented disruption, the County Mayo system lost its water supply entirely. Approximately 180 homes had no water for two days (a Thursday and Friday in early December 2023) before operators restored service using a backup pumping arrangement.
The technical simplicity
To be clear about what "exploitation" meant in this campaign: the attackers connected to internet-facing PLCs on the default PCOM port and logged in with the default password. Claroty Team82, which later published detailed forensic research and developed open-source tools for analysing PCOM communications, confirmed that the attackers connected remotely using VisiLogic engineering workstation software. The PCOM protocol itself had no password protection at the time, meaning once the attacker reached the device, there was no additional authentication barrier.
Claroty's researchers had to reverse-engineer the proprietary PCOM protocol to build forensics tooling. They released two open-source tools on GitHub: PCOM2TCP (which converts serial PCOM to TCP PCOM messages) and PCOMClient (which connects to Unitronics PLCs and extracts forensic data). These tools were presented at Black Hat. The irony is that the forensic analysis of the attack required considerably more technical skill than the attack itself.
Myth vs fact
Myth: This was a sophisticated state-sponsored attack.
The NCSC assessed it as "of limited sophistication." WaterISAC described the actors as "low-skilled." The attack used default credentials on internet-exposed devices. No zero-day vulnerability was involved, no novel exploitation technique was required, and no malware was deployed during this phase of the campaign. The attackers logged in with factory default passwords that had never been changed. The fact that the group is affiliated with the IRGC does not make their methods sophisticated. State sponsorship provides resources, motivation, and legal protection for the operators. It does not retroactively elevate the complexity of typing 1111 into a login prompt.
Myth: Only water systems are affected by this type of vulnerability.
Unitronics PLCs are deployed across multiple sectors, not just water. The same devices are used in energy, food manufacturing, and other industrial applications. More broadly, default credentials on internet-exposed industrial control systems (ICS) are not unique to Unitronics. The broader problem is that operational technology (OT) equipment across many manufacturers has historically shipped with default or no passwords, with the expectation that network isolation would provide security. When those devices end up on the internet, the assumption breaks down entirely. The CyberAv3ngers later developed a custom malware platform called IOCONTROL that targets IP cameras, routers, PLCs, HMIs, and firewalls from eight different vendors, including Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
Myth: The County Mayo attack was a targeted operation against Ireland.
Ireland was not selected as a target. The Binghamstown/Drum water scheme was not chosen for any strategic reason. The CyberAv3ngers were scanning for Unitronics devices globally, filtering by manufacturer because the equipment is Israeli-made. The defacement messages left on compromised devices confirm this. Any Unitronics device that was internet-accessible and running default credentials was a potential target, regardless of what country it was in or what it was controlling. The campaign hit facilities in the US, Ireland, and other countries in the same sweep.
Myth: A small water scheme in rural Ireland is not a real target for nation-state actors.
It was not a "target" in the traditional sense. Nobody at IRGC headquarters decided to attack a water scheme in Erris. But the distinction between targeted and opportunistic does not reduce the impact for the 180 homes that lost water, because opportunistic attacks hit whatever is exposed. Small utilities with limited budgets and no cybersecurity staff are disproportionately exposed because they are least likely to have changed default credentials, segmented their networks, or restricted internet access to their control systems. The fact that an attack is unsophisticated does not mean it is harmless.
What would have stopped this
The CISA joint advisory (AA23-335A) and the subsequent ICS advisory (ICSA-23-348-15) included specific mitigations. Every one of them would have prevented the County Mayo compromise.
Changing the default password would have been sufficient on its own. The default password was 1111 on every Unitronics Vision and Samba Series PLC, and changing it to any non-default value would have prevented the attackers from authenticating. This is the single most basic security control in any environment, and it was not in place.
Disconnecting the PLC from the internet would have removed the attack surface entirely. The device was accessible from the public internet on TCP port 20256. PLCs controlling physical infrastructure should not be directly reachable from the internet. If remote access is needed, it should go through a firewall and VPN (Virtual Private Network) with multi-factor authentication (MFA). Direct internet exposure of a PLC means that anyone who can find the device can attempt to interact with it, and in this case, the default credentials meant that interaction required no special access.
Using a non-default PCOM port would have reduced discoverability. Even if the device had to be internet-accessible for operational reasons (which is rarely justified), changing the PCOM port from the well-known default of TCP 20256 would have made it harder to discover through automated scanning. This is not a strong defence on its own, but it reduces the attack surface against mass scanning campaigns that target known default ports.
Updating the firmware would have closed the vulnerability at source. Unitronics released VisiLogic 9.9.00 in late 2023, which introduced mandatory password change requirements on first setup, password protection for PCOM communications over Ethernet, and the ability to block remote access actions via PCOM. That shifts the security model from hoping operators remember to change passwords to enforcing the change at the protocol level.
Network monitoring for PCOM traffic would have detected the intrusion in progress. The Claroty Team82 forensics tools demonstrate that PCOM traffic is analysable and can be monitored. Organisations running Unitronics equipment can monitor for unexpected connections on port 20256 or whichever port they configure. Any connection from an IP address outside the organisation's known range should trigger an alert.
The uncomfortable fact about all five of these mitigations is that they are basic. None of them require specialist knowledge, specialist tools, or significant investment. Changing a password takes minutes, adding a firewall rule takes minutes, and updating firmware takes an hour at most. The County Mayo water scheme was not compromised because the defences were overcome. It was compromised because the defences were not present.
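As an added example of the monitoring control described above (written for this article, not a Claroty or Unitronics tool), the following flags connections to the PCOM port whose source lies outside an allow-list of known ranges. The log format, the allow-listed networks and the sample lines are all constructed for the example.

```python
"""Flag PCOM connections from outside known ranges, run over sample log lines.
Added for this article; the log shape, networks and sample lines are constructed."""
import ipaddress
import re

# Constructed: the only ranges that should ever talk PCOM to the PLC.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# Unitronics' default PCOM port; add any non-default port configured on the PLC.
PCOM_PORTS = {20256}

# Constructed log shape, loosely modelled on a firewall connection log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def is_known(src: str) -> bool:
    """True if the source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_RANGES)


def flag_pcom_connections(lines):
    """Return (severity, ts, src, dst, port) for PCOM traffic from unknown sources.

    Accepted sessions are rated 'alert'; dropped attempts are kept as 'probe' so
    that scanning against the port is still visible.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than stop the monitor
        f = m.groupdict()
        if f["proto"] != "tcp" or int(f["dport"]) not in PCOM_PORTS:
            continue
        if is_known(f["src"]):
            continue
        severity = "alert" if f["action"] == "ACCEPT" else "probe"
        findings.append((severity, f["ts"], f["src"], f["dst"], int(f["dport"])))
    return findings


# Constructed sample: a legitimate workstation session, an external session the
# firewall let through, an external attempt that was dropped, and unrelated web traffic.
SAMPLE_LOG = [
    "2023-12-07T02:14:09Z ACCEPT proto=tcp src=10.20.3.15 dst=10.20.1.7 dport=20256",
    "2023-12-07T02:31:44Z ACCEPT proto=tcp src=203.0.113.42 dst=10.20.1.7 dport=20256",
    "2023-12-07T02:32:01Z DROP proto=tcp src=198.51.100.9 dst=10.20.1.7 dport=20256",
    "2023-12-07T02:33:10Z ACCEPT proto=tcp src=203.0.113.42 dst=10.20.1.8 dport=443",
]

if __name__ == "__main__":
    for sev, ts, src, dst, port in flag_pcom_connections(SAMPLE_LOG):
        print(f"{sev.upper():5} {ts} {src} -> {dst}:{port}")
```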
What changed after
Sanctions and attribution
On 2 February 2024, the US Treasury sanctioned six officials from the IRGC Cyber-Electronic Command (IRGC-CEC) under Executive Order 13224 (counterterrorism authority). The sanctioned individuals include Hamid Reza Lashgarian, who is both the head of the IRGC-CEC and an IRGC-Qods Force commander, along with five senior IRGC-CEC officials: Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.
The US State Department's Rewards for Justice programme offered up to USD 10 million for information identifying or locating the six individuals. All property and interests held by these individuals within US jurisdiction were blocked under OFAC (Office of Foreign Assets Control) sanctions.
The attribution was confirmed jointly by CISA, the FBI, the NSA, the EPA, Israel's INCD, Canada's CCCS, and the UK NCSC. Seven agencies across four countries co-authored the advisory. That level of joint attribution for an attack that amounted to logging in with a default password tells you something about how seriously governments took the implications, even if the technical execution was trivial.
The VisiLogic patch
Unitronics released VisiLogic version 9.9.00 in late 2023, introducing three security controls that directly address CVE-2023-6448: mandatory password changes during setup, password protection for PCOM communications over Ethernet, and the ability to block remote access actions via the PCOM protocol. These are meaningful improvements that move the security model from "the operator should change the password" to "the operator must change the password before the device will function."
The escalation: IOCONTROL malware
The CyberAv3ngers did not stop at default password exploitation. Claroty Team82 published research in December 2024 detailing IOCONTROL, a custom-built IoT and OT malware platform attributed to the group. IOCONTROL targets devices from eight vendors: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. It uses the MQTT (Message Queuing Telemetry Transport) protocol over port 8883 for command and control (C2) communication and DNS over HTTPS (DoH) to resolve C2 domains, which helps it evade network monitoring that inspects standard DNS queries.
The malware's configuration is encrypted with AES-256-CBC. The CyberAv3ngers also used IOCONTROL to attack fuel management systems made by Orpak Systems and Gasboy, claiming via Telegram that they had hit 200 gas stations in Israel and the US.
This escalation matters because it shows a progression. The Unitronics campaign in late 2023 used the simplest possible technique: default passwords. The IOCONTROL platform discovered a year later is a purpose-built malware tool designed to persist across multiple device types. The group moved from opportunistic exploitation to building dedicated offensive capability for industrial control systems. Any organisation that dismissed the initial campaign as unsophisticated should take note of where the same actors went next.
The exposure problem
The UK NCSC's assessment was that the Unitronics exploitation was "highly unlikely to cause any disruption to the routine supply of water" in the UK, with "very low potential risk, if the threat is unmitigated, to some small suppliers." That assessment was specific to the UK's water infrastructure, and it was probably accurate at the time.
But the underlying problem extends well beyond water, and well beyond Unitronics. Industrial control systems were designed to be reliable, not to be secure against network-based attacks. Many OT environments were built on the assumption that the network itself would provide isolation. When those devices move onto networks that touch the internet, whether deliberately for remote monitoring or accidentally through misconfiguration, the security model that protected them disappears entirely.
The CyberAv3ngers' campaign worked because they found internet-exposed devices with default credentials. That combination exists across thousands of OT deployments globally. The specific manufacturer and the specific default password will differ, but the pattern is consistent: a device designed for a trusted network, placed on an untrusted one, with no authentication change to account for the difference.
For the 180 homes in Erris that lost water for two days, the technical sophistication of the attacker was irrelevant. The water stopped, the screen said they had been hacked, and a manual backup system brought the supply back two days later. The attack cost nothing to execute and the defence would have cost almost nothing to implement. That gap between the cost of attack and the cost of prevention is where the real problem sits, and it is not unique to a private water scheme in County Mayo.