IRANIAN-AFFILIATED hackers have been attacking US critical national infrastructure providers since last month, causing operational disruption and financial loss, according to a US government disclosure. A Cybersecurity and Infrastructure Security Agency advisory on 7 April said the threat actors were targeting internet-facing operational technology assets, including Rockwell Automation/Allen-Bradley programmable logic controllers.
So far, the sectors targeted include government services and facilities, water and wastewater systems, and energy. The advisory urges US organisations to review the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) it lists and to apply the mitigations to reduce the risk of compromise.
According to CISA, the advanced persistent threat group has been observed maliciously interacting with project files and manipulating data on HMI and SCADA displays, using configuration software to establish an accepted connection to targeted PLCs via overseas IP addresses and third-party hosted infrastructure. Inbound traffic may come on ports 44818, 2222, 102, 22 or 502, with port 22 attacks involving Dropbear SSH on victim endpoints for remote access. The campaign follows a Handala attack on Stryker in March and a 2023 Iran-backed campaign against US water plants running PLCs.
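As an added illustration of the kind of review the advisory asks for (this is example code written for this page, not from CISA, Rockwell or the article), the script below scans firewall or flow log lines for accepted inbound connections to the ports named above (44818, 2222, 102, 22 and 502) where the source address is outside the local network. The log line format, the sample lines and the internal address ranges are assumptions made for the example; the protocol labels on the ports are the standard assignments.

```python
"""Flag accepted inbound connections to OT protocol ports from external sources.

Example detector for this article (not from the CISA advisory). It assumes a
simple one-line-per-flow log format and RFC 1918 ranges as "internal"; adjust
both to match the real firewall export and OT address plan.
"""
import ipaddress
import re
from collections import Counter

# Ports called out in the advisory, with their usual protocol assignments.
# Port 22 is included because the advisory ties it to Dropbear SSH on victim hosts.
WATCHED_PORTS = {
    44818: "EtherNet/IP (explicit messaging)",
    2222: "EtherNet/IP (implicit messaging)",
    102: "ISO-TSAP / S7comm",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumed internal address space for this example (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed flow-log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one flow-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_ot_connections(lines):
    """Return one alert per accepted flow from an external IP to a watched port."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash the sweep
        if rec["action"].lower() != "allow":
            continue                      # blocked flows are not an exposure
        if rec["dport"] not in WATCHED_PORTS:
            continue
        if is_internal(rec["src"]):
            continue                      # internal engineering traffic is expected
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "service": WATCHED_PORTS[rec["dport"]],
        })
    return alerts


def summarize_by_source(alerts):
    """Count alerts per external source address, to see which hosts keep reaching OT ports."""
    return dict(Counter(a["src"] for a in alerts))


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for external addresses; 10.10.5.x are the assumed PLC/HMI hosts.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 192.168.1.50:51000 -> 10.10.5.20:44818 tcp allow
2025-04-01T10:00:05Z 203.0.113.77:40211 -> 10.10.5.20:44818 tcp allow
2025-04-01T10:00:09Z 203.0.113.77:40212 -> 10.10.5.20:2222 udp allow
2025-04-01T10:01:00Z 198.51.100.9:55001 -> 10.10.5.21:502 tcp allow
2025-04-01T10:01:30Z 198.51.100.9:55002 -> 10.10.5.21:102 tcp deny
2025-04-01T10:02:00Z 203.0.113.77:40300 -> 10.10.5.30:22 tcp allow
2025-04-01T10:02:10Z 203.0.113.77:40301 -> 10.10.5.30:443 tcp allow
this line is not a flow record
"""

if __name__ == "__main__":
    found = find_exposed_ot_connections(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['service']})")
    print("per-source:", summarize_by_source(found))
```

On the constructed sample this reports four exposures (EtherNet/IP on both ports, Modbus/TCP and SSH) and attributes three of them to one external host; the denied S7comm attempt and the HTTPS flow are ignored. Any hit is worth treating as a finding: an internet-reachable PLC or HMI port should not accept connections from outside at all, so the fix is to remove the exposure (firewall rule, VPN or jump host) rather than to tune the alert.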