
US cybersecurity agencies are warning that Iranian-affiliated hackers are actively targeting internet-exposed industrial control systems, causing disruptions across multiple critical infrastructure sectors.
The campaign focuses on programmable logic controllers (PLCs), with some victims already reporting operational outages and financial losses.
The alert attributes the activity to an Iranian-aligned advanced persistent threat (APT) group. According to the advisory, the attackers have been exploiting operational technology (OT) devices since at least March 2026 by directly connecting to internet-facing PLCs using legitimate engineering tools such as Rockwell Automation’s Studio 5000 Logix Designer.
Investigators determined that the attackers leveraged overseas-hosted infrastructure to establish connections with exposed devices, particularly Rockwell Automation/Allen-Bradley PLCs, including CompactLogix and Micro850 models. Once access was obtained, the threat actors extracted project files and manipulated data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. These actions enabled them to interfere with industrial processes without necessarily deploying traditional malware.
The affected devices are widely used in critical infrastructure environments to automate industrial operations. Rockwell Automation, a major US-based industrial automation vendor, supplies PLCs and control systems deployed across manufacturing, energy, and public utilities.
The campaign spans multiple sectors, including government services, water and wastewater systems, and the energy sector. In several confirmed cases, organizations experienced disruptions caused by unauthorized changes to control logic or by falsified operational data presented to operators, highlighting the risks of both physical and informational manipulation.
CISA notes that the tactics observed in this campaign resemble earlier operations attributed to the IRGC-linked group known as CyberAv3ngers (UNC5691), which compromised dozens of PLC devices in 2023. The current activity suggests a continued focus on industrial systems, likely driven by geopolitical tensions.
From a technical standpoint, the attackers are targeting commonly used OT communication ports, including 44818, 2222, 102, 502, and 22. In some cases, they deployed Dropbear SSH to maintain remote access.
To mitigate risk, CISA emphasizes that the most critical step is eliminating direct internet exposure of PLCs. Organizations are advised to place OT devices behind secure gateways, enforce strict access controls, and monitor network traffic for unusual activity. Additional recommendations include enabling multi-factor authentication (MFA), disabling unused services such as Telnet or FTP, applying timely patches, and maintaining offline backups of PLC configurations.
Operators are also urged to set PLCs to “run” mode to prevent unauthorized remote modifications and to audit connections originating from foreign infrastructure providers. Where remote access is necessary, it should be mediated through VPNs or jump hosts with strong authentication and logging.
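As an added illustration of the advisory's advice to monitor network traffic and audit connections from outside infrastructure (this is example code written for this page, not CISA's or Rockwell Automation's tooling), the script below runs over constructed flow-log lines and flags any connection to the OT ports listed above that comes from outside an assumed plant network range and is not the assumed approved jump host. The port list is the advisory's; the network ranges, jump-host address and sample flows are assumptions.

```python
"""Flag inbound connections to OT/engineering ports from outside the plant network.

Added example, not code from the advisory or from any vendor. The ports are the
ones the advisory names; the network ranges, allowlisted jump host and flow lines
below are constructed assumptions for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports named in the advisory and the protocol each normally carries
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / S7comm",
    502: "Modbus/TCP",
    22: "SSH (e.g. a dropped Dropbear server)",
}

# Assumed PLC/OT cell range; any source outside it is treated as external
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# Assumed approved remote-access path: a logged, MFA-protected jump host
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.5/32")]

# Constructed sample flows: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
# constructed sample, not real telemetry
2026-03-14T02:11:05Z 203.0.113.45 51122 192.168.10.21 44818 tcp
2026-03-14T02:11:07Z 192.168.10.50 40211 192.168.10.21 44818 tcp
2026-03-14T02:12:40Z 198.51.100.7 60001 192.168.10.22 502 tcp
2026-03-14T02:13:01Z 10.20.0.5 43399 192.168.10.21 22 tcp
2026-03-14T02:13:09Z 203.0.113.45 51200 192.168.10.21 22 tcp
2026-03-14T02:14:00Z 203.0.113.45 51300 192.168.10.30 443 tcp
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    protocol_name: str


def parse_flow(line):
    """Return (ts, src_ip, dst_ip, dport) or None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, _proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def in_any(ip, networks):
    return any(ip in net for net in networks)


def classify_flow(ts, src, dst, dport):
    """Return a Finding when an external, non-allowlisted source reaches an OT port on an internal host."""
    if dport not in OT_PORTS:
        return None
    if not in_any(dst, INTERNAL_NETWORKS):
        return None  # destination is not one of our PLC/OT hosts
    if in_any(src, INTERNAL_NETWORKS) or in_any(src, ALLOWED_SOURCES):
        return None  # plant-internal traffic or the approved jump host
    return Finding(ts, str(src), str(dst), dport, OT_PORTS[dport])


def analyze(lines):
    """Run every flow line through the classifier; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        finding = classify_flow(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


def sources_by_hits(findings):
    """Count findings per external source so the noisiest addresses can be audited first."""
    return Counter(f.src for f in findings).most_common()


if __name__ == "__main__":
    results = analyze(SAMPLE_FLOWS.splitlines())
    for f in results:
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dport} ({f.protocol_name})")
    print("sources by hit count:", sources_by_hits(results))
```

On the sample data the script reports three flows (two from 203.0.113.45, one from 198.51.100.7); the plant-internal engineering workstation and the jump host's SSH session are left alone, as is the external connection to 443, which is not an OT port. In practice the ranges would come from the site's asset inventory, and a non-empty result is itself the finding: a PLC reachable on these ports from outside the plant is the exposure the advisory says to eliminate first.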