From Exploits to Forensics: Unraveling the Unitronics Attack
ID: 4897ddbe-7b83-52fe-8f1d-77ee8cd83988
STIX ID: report--4897ddbe-7b83-52fe-8f1d-77ee8cd83988
Feed Name: Claroty Team82
Team82 documents its reverse engineering of Unitronics’ proprietary PCOM protocol and the development of two forensic tools (PCOM2TCP and PCOMClient) to extract evidence from Vision/Samba PLCs. The research uncovered two CVEs and detailed how an Iran-linked group (CyberAv3ngers) exploited weak authentication to deface water-treatment facility devices. The report also enumerates PCOM opcodes and PLC-resident forensic artifacts (VisiLogic project file and signature log).
