HACKERS working on behalf of Iran’s Islamic Revolutionary Guard Corps are implicated in disrupting operations at multiple US critical infrastructure sites, according to the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command.
The advisory notes that the Iranian-affiliated APT group targeted programmable logic controllers across several sectors, including Government Services and Facilities, Waste Water Systems, and Energy, with some victims experiencing operational disruption and financial loss.
Security firm Censys said an Internet scan found 5,219 Rockwell Automation/Allen-Bradley PLCs exposed to the Internet, about 75 percent of them in the US, along with a single Internet-exposed Windows workstation, running the Rockwell tool chain, that was used to access them. The campaign reportedly relies on legitimate vendor software, Rockwell Studio 5000 Logix Designer, to open project files and manipulate HMI/SCADA data, so no zero-day exploit is required; targeted devices include CompactLogix and Micro850 controllers.
The workstation exposes Remote Desktop Protocol on the non-standard port 43589, presenting a self-signed certificate for the hostname DESKTOP-BOE5MUC, along with a full Windows protocol stack. RDP is how an operator, or an intruder, reaches the workstation; the workstation in turn talks to the PLCs through Studio 5000 over EtherNet/IP. The advisories also describe probing of Modbus, Siemens S7 and other OT protocols, suggesting targeting beyond Rockwell devices.