
Iran-Affiliated Cyber Actors Actively Target PLCs in U.S. Critical Infrastructure, Agencies Warn

U.S. federal agencies are warning that cyber threat actors linked to Iran are actively exploiting internet-exposed programmable logic controllers (PLCs) used in critical infrastructure environments.

In a joint advisory issued by multiple government bodies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), authorities report that Iran-aligned hackers are targeting Rockwell Automation/Allen‑Bradley PLCs accessible from the public internet. The advisory outlines ongoing exploitation activity affecting operational technology (OT) systems across several critical infrastructure sectors.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity against internet-facing OT assets, including PLCs manufactured by Rockwell Automation/Allen‑Bradley,” the advisory states. “This activity has resulted in disruptions across multiple U.S. critical infrastructure sectors through malicious interaction with project files and manipulation of data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, causing operational impacts and financial losses.”

According to the agencies, the campaign targets internet-connected OT devices across diverse sectors, with the apparent objective of disrupting essential services. Affected environments include government systems, water and wastewater utilities, and energy infrastructure.

The attacks involve unauthorized access to PLC project files and deliberate alteration of data presented on HMI and SCADA interfaces. In several instances, these actions have led to service interruptions and measurable economic damage. Organizations are urged to review indicators of compromise and implement recommended mitigations to reduce exposure. The activity has been linked to Iran-associated groups such as CyberAv3ngers, which is tied to Iran’s Islamic Revolutionary Guard Corps (IRGC).

Federal authorities advise organizations to identify and assess exposed OT assets, follow vendor-specific security guidance, remove PLCs from direct internet access where feasible, and work with government partners for incident response and remediation assistance.

“The FBI assesses that Iranian-affiliated APT actors are deliberately targeting internet-accessible PLCs to cause disruption,” the alert continues. “This includes tampering with project files and manipulating data displayed on HMI and SCADA systems within U.S. critical infrastructure environments. Targeting campaigns attributed to Iranian actors have intensified in recent months, likely in response to heightened geopolitical tensions involving Iran, the United States, and Israel.”

The advisory also references an earlier campaign that began in November 2023, during which IRGC-linked hackers operating under the name CyberAv3ngers targeted U.S.-based PLCs and HMIs, causing operational disruptions. Tracked under several aliases, the group compromised at least 75 devices, including Unitronics PLCs deployed in sectors such as water and wastewater systems.

“During a similar campaign beginning in November 2023, IRGC cyber threat actors known as ‘CyberAv3ngers’ targeted U.S.-based PLCs and HMIs, resulting in disruptive effects,” the advisory notes. “Private-sector and open-source reporting also identifies this group as Hydro Kitten, Storm‑0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These operations compromised at least 75 devices, primarily Unitronics PLCs with embedded HMI functionality used across multiple critical infrastructure sectors, including water and wastewater systems.”

Investigators determined that the attackers gained initial access by targeting publicly accessible Rockwell/Allen‑Bradley PLCs from overseas IP addresses and leased infrastructure. The actors used legitimate engineering tools, including Studio 5000 Logix Designer, to interact with devices such as CompactLogix and Micro850 controllers. For command-and-control, they used ports such as 44818, 2222, 102, 22, and 502, and deployed SSH utilities like Dropbear to maintain remote access. The activity also suggests interest in other vendors' PLCs, including Siemens devices.

The attacks enabled threat actors to exfiltrate PLC project files and alter HMI and SCADA data, resulting in operational degradation and service disruption.

Government experts recommend disconnecting PLCs from the internet whenever possible, deploying firewall protections, monitoring OT-specific ports for anomalous activity, reviewing logs for compromise indicators, enabling multifactor authentication, applying firmware updates, disabling unused services and default credentials, and maintaining continuous monitoring of OT networks.
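One way to act on the port-monitoring and log-review recommendations above, as an added example that is not from the advisory or the article: a small Python checker that scans a firewall log for allowed inbound connections from outside an assumed trusted OT subnet (10.20.0.0/16) to the ports the advisory names. The log format, subnet and sample lines are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Ports the advisory lists for the actors' command-and-control and device interaction.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging, Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / S7comm (Siemens)",
    22: "SSH (e.g. Dropbear)",
    502: "Modbus/TCP",
}

# Assumed: the plant's OT and engineering subnets; any other source is "external".
# (Deliberately not using ip_address().is_private, which also treats the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as private.)
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed firewall export, assumed format: "<ts> <src> <dst> <dport> <proto> <action>"
SAMPLE_LOG = """\
2024-05-01T02:14:07Z 203.0.113.45 10.20.1.15 44818 tcp allow
2024-05-01T02:14:09Z 10.20.1.30 10.20.1.15 44818 tcp allow
2024-05-01T02:15:11Z 198.51.100.7 10.20.1.15 22 tcp allow
2024-05-01T02:16:40Z 203.0.113.45 10.20.1.16 502 tcp allow
2024-05-01T02:17:02Z 10.20.2.9 10.20.1.16 443 tcp allow
2024-05-01T02:18:55Z 198.51.100.7 10.20.1.15 102 tcp deny
"""

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    service: str

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_exposed_ot_access(log_text: str) -> list[Alert]:
    """Return allowed connections from untrusted sources to advisory-listed OT ports."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, dst, dport, _proto, action = parts
        dport = int(dport)
        if action != "allow" or dport not in OT_PORTS or is_trusted(src):
            continue  # blocked, non-OT port, or an expected engineering host
        alerts.append(Alert(ts, src, dst, dport, OT_PORTS[dport]))
    return alerts

if __name__ == "__main__":
    for a in find_exposed_ot_access(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} ({a.service})")
```

On the constructed log the checker flags the three external-source hits on 44818, 22 and 502 and ignores the in-subnet engineering traffic, the port-443 session and the denied connection.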

Separately, in mid-March, the European Union imposed sanctions on several Chinese and Iranian companies and individuals for cyber operations targeting critical infrastructure systems, which reportedly affected more than 65,000 devices across EU member states.
