IRANIAN-AFFILIATED cyber actors are targeting internet-facing operational technology devices across U.S. critical infrastructure, including PLCs from Rockwell Automation and Allen-Bradley, with the FBI noting that these attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss.
The advisory says targeted devices include CompactLogix and Micro850 PLCs and that attackers used Rockwell Automation’s Studio 5000 Logix Designer software to establish an accepted connection to victims’ PLCs. After initial access, they established command-and-control by deploying Dropbear, a lightweight SSH server, enabling remote access through port 22 and facilitating data extraction from the victim devices.
The campaigns have affected several sectors, including government services, Water and Wastewater Systems, and energy, and are described as part of a recent escalation by Iranian hacking groups against U.S. organisations. Authorities advise organisations to avoid exposing PLCs to the internet, use MFA, and implement firewalls or network proxies, with additional guidance to keep PLCs up to date and monitor for unusual traffic. As background, the 2023 incident involving Cyber Av3ngers and municipal water authorities is cited, with at least 75 devices previously compromised.
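The "monitor for unusual traffic" guidance can be made concrete by checking flow records against an OT asset inventory for the three behaviours the advisory describes: a PLC reachable from an external address, engineering-software connections to a PLC from a host that is not an approved engineering workstation, and SSH activity (the port 22 access Dropbear provided) involving a PLC. The script below is an added example written for this summary, not code from the advisory or from Rockwell Automation. The asset addresses, the approved-workstation list, the internal address ranges, the key=value flow format and every log line are constructed; the EtherNet/IP TCP port 44818 is the protocol default used by Logix Designer, and the script assumes the site has not changed it.

```python
"""Flag flow records that match the PLC tradecraft described in the advisory.

Everything here is constructed for illustration: the PLC inventory, the
approved engineering workstations, the internal address ranges and the
sample flow log. Adapt the inventory and the parser to your own sources.
"""
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: PLC address -> description (hypothetical).
PLC_ASSETS = {
    "10.20.0.11": "CompactLogix, line 1",
    "10.20.0.12": "Micro850, pump station 2",
}
# Hosts allowed to run Studio 5000 Logix Designer against the PLCs (assumption).
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}
# Address space treated as internal to the site (assumption: RFC 1918 ranges only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SSH_PORT = 22             # port the advisory says Dropbear exposed on victim devices
ETHERNET_IP_PORT = 44818  # default EtherNet/IP (CIP) TCP port used by Logix Designer

# Constructed flow records in a simple key=value layout (not a real product format).
SAMPLE_FLOWS = """\
2025-06-12T03:14:07Z proto=tcp src=203.0.113.45 sport=51234 dst=10.20.0.11 dport=44818 bytes=8812
2025-06-12T03:16:22Z proto=tcp src=10.10.5.20 sport=50211 dst=10.20.0.12 dport=44818 bytes=2048
2025-06-12T03:20:55Z proto=tcp src=10.20.0.11 sport=22 dst=198.51.100.7 dport=40001 bytes=153007
2025-06-12T03:21:03Z proto=tcp src=10.20.0.11 sport=39452 dst=10.30.1.5 dport=443 bytes=900
"""


@dataclass
class Alert:
    rule: str
    timestamp: str
    src: str
    dst: str
    detail: str


def parse_flow(line: str) -> dict:
    """Turn one 'timestamp key=value ...' record into a dict; ports and bytes become ints."""
    timestamp, *fields = line.split()
    flow = {"ts": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        flow[key] = int(value) if key in ("sport", "dport", "bytes") else value
    return flow


def is_external(ip: str) -> bool:
    """True when the address is outside every range the site considers internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: dict) -> list:
    """Apply the detection rules derived from the advisory to one flow record."""
    alerts = []
    src, dst = flow["src"], flow["dst"]
    src_is_plc, dst_is_plc = src in PLC_ASSETS, dst in PLC_ASSETS

    # Rule 1: a PLC is being reached from outside the site -> it is internet-facing.
    if dst_is_plc and is_external(src):
        alerts.append(Alert("plc_internet_exposed", flow["ts"], src, dst,
                            f"{PLC_ASSETS[dst]} reached from external address"))
    # Rule 2: engineering-software port on a PLC from a host that is not an approved workstation.
    if dst_is_plc and flow["dport"] == ETHERNET_IP_PORT and src not in ENGINEERING_WORKSTATIONS:
        alerts.append(Alert("unapproved_engineering_access", flow["ts"], src, dst,
                            f"EtherNet/IP session to {PLC_ASSETS[dst]} from non-engineering host"))
    # Rule 3: SSH on either end of a flow involving a PLC; these PLCs run no SSH service,
    # so a port 22 listener is consistent with a deployed Dropbear.
    if (src_is_plc and flow["sport"] == SSH_PORT) or (dst_is_plc and flow["dport"] == SSH_PORT):
        plc = src if src_is_plc else dst
        alerts.append(Alert("ssh_on_plc", flow["ts"], src, dst,
                            f"SSH traffic involving {PLC_ASSETS[plc]}"))
    # Rule 4: a PLC talking to an external address, the direction data extraction would take.
    if src_is_plc and is_external(dst):
        alerts.append(Alert("plc_to_internet", flow["ts"], src, dst,
                            f"{PLC_ASSETS[src]} sent {flow['bytes']} bytes to external address"))
    return alerts


def analyze_flows(log_text: str) -> list:
    """Parse every non-empty line and collect the alerts it raises."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_flow(line)))
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(f"[{alert.rule}] {alert.timestamp} {alert.src} -> {alert.dst}: {alert.detail}")
```

On the sample data the first record raises both the exposure and the unapproved-engineering-access rules, the second (an approved workstation programming a PLC) raises nothing, the third raises the SSH and outbound-to-internet rules, and the fourth (routine internal traffic from a PLC) raises nothing. Rules 1 and 4 are the ones a firewall or proxy in front of the PLC network should make impossible; keeping them as detections catches the case where that control has been bypassed or misconfigured.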