Daily Threat Intel
Iran-Linked Actors Disrupt Rockwell/Allen Bradley PLCs

Posted on April 7, 2026


CISA, the FBI and other agencies say organizations across multiple critical infrastructure sectors have experienced operational disruptions and financial losses from the attacks.

Iran-affiliated advanced persistent threat (APT) groups have compromised programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley across several US critical infrastructure sectors, prompting an urgent April 7 advisory from the US Cybersecurity and Infrastructure Security Agency (CISA).

The attacks are part of a broader campaign targeting Internet-facing operational technology (OT) devices and have already caused operational disruptions and financial losses at victim organizations. Those impacted so far include organizations in the Government Services and Facilities sector (which covers federal, state, local and tribal facilities), operators of water and wastewater systems, and energy firms.


“U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise,” CISA said.

According to CISA, the attackers tampered with PLC system settings and altered what operators see on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, making that data unreliable.

The agency wants organizations in the attackers' crosshairs to remove PLCs from direct Internet exposure, to query available logs for the IOCs CISA has released, to check logs for suspicious traffic on the ports associated with OT devices, and to take other measures. “If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise,” the advisory said, urging affected organizations to contact CISA, the FBI or any of the other co-authors of the advisory.

CISA also wants organizations using Rockwell Automation/Allen-Bradley PLCs to review the manufacturer's earlier guidance on hardening their OT deployments. The two documents listed in the advisory are PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers, published in 2021, and SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats, published in 2026.

Downloadable IOCs from CISA

  • AA26-097A STIX XML (35KB)
  • AA26-097A STIX JSON (12 KB)

Initial Access and Post Compromise

CISA described the threat actors as gaining initial access to, and maintaining control over, targeted Internet-exposed PLCs using legitimate engineering software such as Studio 5000 Logix Designer. By using standard tools and externally hosted infrastructure, they established connections that blended in with normal administrative activity, CISA said. The actors also communicated over a range of ports associated with industrial protocols and remote access, including 44818 and 2222 (EtherNet/IP), 102 (Siemens S7comm), 22 (SSH) and 502 (Modbus/TCP), suggesting potential targeting beyond Rockwell devices, including Siemens S7 PLCs. In some cases they deployed SSH tools such as Dropbear to maintain persistent remote access.

Once inside, the actors extracted PLC project files and manipulated the data displayed on HMI and SCADA systems, giving them both visibility into system configurations and the ability to interfere with operator decision-making. The access enabled not just reconnaissance but potential disruption of industrial processes. CISA’s advisory included indicators of compromise, among them IP addresses linked to the activity, which organizations can use for retrospective log analysis to identify possible exposure. CISA recommended, however, that organizations validate findings before acting on them, since blocking on unverified indicators could indiscriminately cut off legitimate traffic as well.
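The retrospective check the advisory asks for (pull the IOC IP addresses out of the STIX feed, then look for traffic to the OT and remote-access ports from untrusted sources) can be scripted. The following is an added example written for this article, not code from CISA, Rockwell Automation or the advisory. It assumes a constructed STIX 2.1 bundle in the shape CISA's indicator feeds use (the addresses are RFC 5737 documentation ranges, not the real AA26-097A indicators), a constructed perimeter flow log in an assumed "timestamp src sport dst dport action" format, and an assumed allowlist of internal source networks. It separates hits that match the IOC list from other external sources that merely reached an OT port, so the latter can be validated before anyone blocks them:

```python
import json
import re
from ipaddress import ip_address, ip_network

# Constructed STIX 2.1 bundle in the shape CISA's indicator feeds use. These are NOT
# the AA26-097A indicators; every address is from the RFC 5737 documentation ranges.
SAMPLE_STIX_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']",
         "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "identity",  # non-indicator objects must be ignored
         "id": "identity--0a1b2c3d-0000-4000-8000-000000000004",
         "name": "example publisher"},
    ],
})

# Ports named in the advisory and the protocol each normally carries.
OT_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (implicit I/O)",
    102: "S7comm",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumed allowlist of sources that may legitimately reach PLCs. In a real deployment
# this should be the engineering-workstation VLAN, not all of RFC 1918.
TRUSTED_SOURCES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed perimeter flow log. Assumed format: "<timestamp> <src> <sport> <dst> <dport> <action>".
# 192.0.2.x stands in for the Internet-exposed PLC addresses.
SAMPLE_FLOW_LOG = """\
2026-04-03T02:14:07Z 203.0.113.10 51522 192.0.2.40 44818 ALLOW
2026-04-03T02:14:09Z 203.0.113.10 51530 192.0.2.40 22 ALLOW
2026-04-03T02:20:11Z 198.51.100.99 40001 192.0.2.41 102 ALLOW
2026-04-03T02:21:00Z 10.10.5.20 50000 192.0.2.40 44818 ALLOW
2026-04-03T02:22:00Z 203.0.113.77 50123 192.0.2.40 443 ALLOW
2026-04-03T02:23:00Z 198.51.100.7 50123 192.0.2.42 502 DENY
"""

IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'")


def extract_ioc_ips(stix_json: str) -> set[str]:
    """Collect every ipv4-addr value from the indicator objects in a STIX bundle.
    Compound patterns ('... OR ...') contribute all of their addresses."""
    bundle = json.loads(stix_json)
    iocs: set[str] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        iocs.update(IPV4_IN_PATTERN.findall(obj.get("pattern", "")))
    return iocs


def parse_flow_line(line: str) -> dict:
    """Split one line of the assumed flow-log format into typed fields."""
    ts, src, sport, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "action": action}


def triage_flows(flow_log: str, ioc_ips: set[str]) -> list[dict]:
    """One finding per flow that reaches an OT/remote-access port from an untrusted
    source. A source on the IOC list is 'ioc_match'; any other external source is
    'external_unverified' and should be validated before it is blocked."""
    findings = []
    for line in flow_log.strip().splitlines():
        flow = parse_flow_line(line)
        if flow["dport"] not in OT_PORTS:
            continue
        src = ip_address(flow["src"])
        if any(src in net for net in TRUSTED_SOURCES):
            continue
        verdict = "ioc_match" if flow["src"] in ioc_ips else "external_unverified"
        findings.append({**flow, "protocol": OT_PORTS[flow["dport"]], "verdict": verdict})
    return findings


if __name__ == "__main__":
    iocs = extract_ioc_ips(SAMPLE_STIX_JSON)
    for f in triage_flows(SAMPLE_FLOW_LOG, iocs):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['protocol']}) "
              f"{f['action']} [{f['verdict']}]")
```

Two points of the design follow the advisory's caveats. Denied flows are still reported, because a DENY against an IOC address shows the actor scanning for the device even if this particular attempt failed. And an external source that reached an OT port without matching the IOC list is flagged separately rather than merged into the IOC hits, so the analyst validates it (vendor remote support, an integrator's VPN exit, a scanner the organization itself runs) before adding a block rule.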
