IRGC-affiliated group targeting water treatment facilities and industrial control systems, notably hacking Unitronics PLCs in the US. This profile is mapped to MITRE ATT&CK G1027 and covers attribution, tooling, targeting, and defensive recommendations based on observed campaigns.
Overview & Attribution
CyberAv3ngers (also tracked as Soldiers of Solomon) is a threat group attributed to Iran. The group primarily targets the water, energy, and ICS/SCADA sectors for intelligence collection and operational objectives aligned with state interests.
This group is tracked as G1027 in the MITRE ATT&CK framework. All techniques referenced in this report are mapped to ATT&CK for consistent threat modeling and detection engineering.
Arsenal & Tools
Known tools and malware associated with CyberAv3ngers include:
- Custom ICS/SCADA exploits
Targeting & Operations
CyberAv3ngers operations focus on water, energy, and ICS/SCADA targets. The group typically gains initial access through spear-phishing, exploitation of public-facing applications, or strategic web compromises before deploying custom implants for persistent access and data exfiltration.
Organizations in the water sector should treat CyberAv3ngers as a relevant threat and validate their detection coverage against the MITRE ATT&CK techniques listed below.
MITRE ATT&CK Mapping
Key techniques observed in CyberAv3ngers operations:
| Technique ID | Technique Name | Tactical Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Observed in CyberAv3ngers campaigns |
| T1078 | Valid Accounts | Observed in CyberAv3ngers campaigns |
| T1485 | Data Destruction | Observed in CyberAv3ngers campaigns |
| T1565.001 | Data Manipulation: Stored Data Manipulation | Observed in CyberAv3ngers campaigns |
Full ATT&CK mapping: https://attack.mitre.org/groups/G1027/
Notable Campaigns
This threat group has been active in operations targeting water, energy, and ICS/SCADA organizations. Security researchers have documented campaigns involving custom ICS/SCADA exploits and other tools deployed against organizations in multiple countries. Attribution confidence varies by campaign, but consistent infrastructure and TTP overlap link the activity to Iran-nexus operations.
Detection & Defense
Recommended defensive measures against CyberAv3ngers:
- Network monitoring: Detect C2 beaconing patterns associated with custom ICS/SCADA exploits and related implants
- Endpoint detection: Deploy behavioral rules for the ATT&CK techniques above, particularly T1190 and T1078
- Email security: Implement robust phishing defenses including URL sandboxing and attachment detonation
- Patch management: Prioritize patching of internet-facing applications exploited by this group
- Threat hunting: Proactively hunt for IOCs and behavioral indicators mapped to G1027 in MITRE ATT&CK
How Mjolnir Security Can Help
Defend Against CyberAv3ngers
Mjolnir Security provides tailored threat intelligence, detection engineering, and incident response services to help organizations defend against Iran-nexus threat actors.
Contact us: mjolnirsecurity.com