According to CISA, Iran-affiliated advanced persistent threat actors are conducting exploitation activity targeting internet-facing operational technology devices, including Rockwell Automation/Allen-Bradley programmable logic controllers. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with project files and manipulation of data on human-machine interface (HMI) displays and SCADA systems, resulting in operational disruption and financial loss.
U.S. organisations should urgently review the tactics, techniques, and procedures and indicators of compromise in the advisory for signs of current or historical activity on their networks, and apply the mitigations to reduce the risk of compromise. Affected products include Rockwell Automation/Allen-Bradley manufactured PLCs, with potential applicability to other branded PLCs.
Key actions include removing PLCs from direct internet exposure, querying logs for the provided IOCs, and checking for suspicious OT traffic on ports such as 44818, 2222, 102, and 502, especially from overseas hosting providers. IOCs are available as AA26-097A STIX XML and STIX JSON, and organisations can access the full advisory for guidance.
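The log check described above, as an added example that is not part of the advisory or the article: a small Python script that scans firewall-style connection logs for external sources reaching the listed OT ports (44818 and 2222 are commonly associated with EtherNet/IP, 102 with ISO-TSAP/S7comm, 502 with Modbus/TCP) and tallies hits per source. The log format, the sample lines, and the `find_external_ot_access` helper are all constructed for this example; adapt the regular expression to your own firewall or NetFlow export.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the advisory summary, with the OT protocols usually found on them.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / S7comm",
    502: "Modbus/TCP",
}

# "Internal" here means RFC 1918 only. We deliberately do NOT use
# ipaddress.is_private, because Python also treats the documentation
# ranges used in the constructed sample below (203.0.113.0/24,
# 198.51.100.0/24) as private, which would hide the very hits we want.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample in a hypothetical key=value firewall export format (not a real vendor format).
SAMPLE_LOG = """\
ts=2024-05-01T03:12:07Z src=203.0.113.45 dst=192.168.10.20 dport=44818 proto=tcp action=allow
ts=2024-05-01T03:12:09Z src=192.168.10.5 dst=192.168.10.20 dport=44818 proto=tcp action=allow
ts=2024-05-01T03:13:41Z src=198.51.100.7 dst=192.168.10.21 dport=502 proto=tcp action=allow
ts=2024-05-01T03:14:02Z src=203.0.113.45 dst=192.168.10.22 dport=102 proto=tcp action=allow
ts=2024-05-01T03:15:30Z src=203.0.113.45 dst=192.168.10.20 dport=443 proto=tcp action=allow
ts=2024-05-01T03:16:11Z src=10.0.0.9 dst=192.168.10.23 dport=2222 proto=udp action=allow
ts=2024-05-01T03:17:55Z src=198.51.100.7 dst=192.168.10.21 dport=502 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True if the address is outside the RFC 1918 / loopback ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_ot_access(log_text, allowlist=frozenset()):
    """Return records where an external source reached an OT port.

    Denied connections are kept too: a blocked probe from an unknown host is
    still a signal worth reviewing. Known remote-maintenance addresses can be
    passed in `allowlist` to suppress expected traffic.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in OT_PORTS and is_external(rec["src"]) and rec["src"] not in allowlist:
            rec["protocol"] = OT_PORTS[rec["dport"]]
            findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Count flagged connections per external source address."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_external_ot_access(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} ({h["protocol"]}) action={h["action"]}')
    print("per-source totals:", dict(summarize_by_source(hits)))
```

Feeding the script real exports and enriching each flagged source with its ASN or hosting provider is the natural next step, since the advisory specifically points at traffic from overseas hosting providers; any hit at all on these ports from outside the plant network is a sign the device is reachable from the internet and should be taken offline from direct exposure.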