Iran-affiliated threat actors are conducting unauthorized campaigns against US critical infrastructure by targeting internet-exposed operational technology (OT) devices. The activity spans multiple sectors, including energy, water and wastewater, and government facilities.
This security alert coincides with recent geopolitical developments, emerging shortly before a tentative ceasefire agreement in the ongoing conflict between the US and Iran. The campaign, which began following recent military engagements involving the US, Israel, and Iran, focuses primarily on programmable logic controllers (PLCs). According to a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, NSA, EPA and the Cyber National Mission Force (CNMF), Rockwell Automation and Allen-Bradley PLCs are the primary devices impacted.
The federal agencies report that these unauthorized actions have resulted in operational disruptions and financial losses for some affected organizations. The threat actors successfully manipulated PLC project files and altered supervisory control and data acquisition (SCADA) and human-machine interface (HMI) displays.
While the agencies did not explicitly name the specific group responsible for the current activity, they noted that the methodology aligns with previous campaigns by CyberAv3ngers (also known as the Shahid Kaveh Group), a threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command. In November 2023, this group gained unauthorized access to at least 75 US-based Unitronics PLC devices equipped with HMIs across various critical infrastructure sectors.
Internet-facing devices accessed
The joint advisory provides specific technical details on how the threat actors connect to internet-facing Rockwell Automation and Allen-Bradley PLCs. The actors utilize leased, third-party-hosted infrastructure located overseas and leverage configuration tools, such as Rockwell Automation's Studio 5000 Logix Designer software, to establish accepted connections to the target PLCs. The documented activity specifically involved CompactLogix and Micro850 PLC devices.
Network traffic was directed to these devices via ports 44818, 2222, 102, 22, and 502, as well as port T0885. The inclusion of port T0885 indicates that the threat actors may also be scanning for or targeting other hardware, such as the Siemens S7 PLC.
Additionally, the advisory notes that the actors deployed Dropbear Secure Shell (SSH) software on affected endpoints to maintain remote access through port 22.
Apply mitigations now
Given the history of targeted activity against US critical infrastructure and the current geopolitical climate, federal agencies strongly recommend that facilities implement immediate defensive measures. Gabrielle Hempel, a security operations strategist at Exabeam, emphasizes that the core issue is structural rather than strictly threat-based.
"If an OT environment is reachable from the Internet, that is an inherent design flaw and not a nation-state problem," Hempel states.
To help critical infrastructure organizations secure their networks, CISA and the partner agencies recommend the following immediate actions:
Remove internet exposure: Isolate PLCs from the public internet and place them behind secure gateways and firewalls.
Monitor network traffic: Review available logs for suspicious traffic on ports associated with OT devices—specifically 44818, 2222, 102, and 502—with particular attention to traffic originating from overseas hosting providers.
Review indicators of compromise: Search network logs for the specific IOCs provided in the CISA advisory matching the corresponding time frames.
Secure physical controllers: For Rockwell Automation and Allen-Bradley devices, place the physical mode switch on the controller into the "run" position to prevent unauthorized programmatic changes.
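The monitoring recommendation above can be turned into a simple log check. The following Python script is an added example, not code from the advisory or from the article: it scans constructed flow-log lines (the format, the internal address ranges, the single approved engineering workstation 10.10.5.20 and the device addresses are all assumptions made here) and flags any connection to the advisory's OT ports that comes from a non-internal address, or from an internal host that is not approved to program PLCs. Port 22 is included alongside 44818, 2222, 102 and 502 because the advisory reports Dropbear SSH being used for persistent access.

```python
"""Flag connections to PLC/OT service ports from addresses that should never reach them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Destination ports named in the advisory and the OT protocol each usually carries.
# Port 22 is included because the actors installed Dropbear SSH for remote access.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
    22: "SSH (Dropbear persistence)",
}

# Constructed assumptions: RFC 1918 space counts as internal, and one engineering
# workstation is the only host approved to talk to PLCs. Real deployments take
# both from an asset inventory rather than hard-coding them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_ENGINEERING_HOSTS = {"10.10.5.20"}

# Constructed sample flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_FLOWS = [
    "2025-06-20T03:14:07Z 203.0.113.45:51234 -> 10.10.7.31:44818 tcp",  # external -> PLC
    "2025-06-20T03:14:09Z 203.0.113.45:51240 -> 10.10.7.31:2222 tcp",   # same source, I/O port
    "2025-06-20T03:15:01Z 10.10.5.20:49152 -> 10.10.7.31:44818 tcp",    # approved workstation
    "2025-06-20T03:16:22Z 198.51.100.9:40001 -> 10.10.7.32:22 tcp",     # external SSH to a device
    "2025-06-20T03:17:00Z 10.10.8.4:55000 -> 10.10.7.33:502 tcp",       # unapproved internal host
    "2025-06-20T03:18:11Z 10.10.8.4:55001 -> 10.10.9.50:443 tcp",       # not an OT port, ignored
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    protocol: str
    severity: str
    reason: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse one constructed flow record; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, src, _, dst, proto = parts
    src_ip, _, _ = src.rpartition(":")
    dst_ip, _, dport = dst.rpartition(":")
    if not dport.isdigit():
        return None
    return ts, src_ip, dst_ip, int(dport), proto


def analyze_flows(lines: List[str]) -> List[Finding]:
    """Return one Finding per flow that reaches an OT port from a disallowed source."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src_ip, dst_ip, dport, proto = rec
        if dport not in OT_PORTS:
            continue
        if not is_internal(src_ip):
            # This is the exposure the advisory describes: a PLC/OT port reachable from outside.
            findings.append(Finding(ts, src_ip, dst_ip, dport, OT_PORTS[dport], "high",
                                    "OT port reached from a non-internal address"))
        elif src_ip not in APPROVED_ENGINEERING_HOSTS:
            findings.append(Finding(ts, src_ip, dst_ip, dport, OT_PORTS[dport], "medium",
                                    "internal host not approved for PLC access"))
    return findings


def exposed_devices(findings: List[Finding]) -> dict:
    """Map each device that received external OT traffic to the set of ports that were hit."""
    exposed: dict = {}
    for f in findings:
        if f.severity == "high":
            exposed.setdefault(f.dst, set()).add(f.port)
    return exposed


if __name__ == "__main__":
    results = analyze_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f.severity}] {f.timestamp} {f.src} -> {f.dst}:{f.port} ({f.protocol}): {f.reason}")
    print("Devices with externally reachable OT ports:", exposed_devices(results))
```

Any device that appears in the "high" list is a candidate for the first recommendation (isolate it behind a gateway or firewall); the "medium" findings are the internal segmentation gaps worth closing before an attacker who has already landed inside the network uses them.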
Organizations that suspect their devices may have been impacted should contact the authoring agencies and Rockwell Automation for guidance and support.
(Based on original reporting by Elizabeth Montalbano).