securityaffairs.com 4/8/2026, 8:01:44 AM · via preferred

Iran‑linked hackers hit 75 PLCs in US critical infrastructure

Primary Source cisa.gov

U.S. agencies warn that Iran-linked actors are targeting internet-exposed PLCs used in critical infrastructure, focusing on Rockwell Automation/Allen-Bradley devices across multiple sectors. According to the FBI and CISA joint advisory, Iran-affiliated APT actors are exploiting internet-facing OT devices, manipulating project files and data displayed on HMI and SCADA screens to cause operational disruption and financial losses.

The activity reportedly began with campaigns in November 2023, and has involved compromising at least 75 devices including Unitronics PLCs, with CyberAv3ngers (also linked to Iran’s IRGC) among the groups observed. Attackers have used ports such as 44818, 2222, 102, 22 and 502, and deployed Dropbear for remote access, with indicators suggesting possible targeting of Siemens PLCs as well.

Authorities urge organisations to review indicators of compromise, disconnect PLCs from the internet where feasible, reinforce OT port monitoring, enable multifactor authentication and keep firmware updated, coordinating with authorities for incident response and mitigation.
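As an illustration of the OT port monitoring recommended above, the following added example (not from the advisory or from the article) scans connection records for traffic to the listed ports that reaches a PLC subnet from outside a management network. The subnets, the log format and the sample records are constructed assumptions.

```python
import ipaddress

# Ports named in the summary above, with the service usually found on each.
WATCHED_PORTS = {
    44818: "EtherNet/IP (CIP)",
    2222: "EtherNet/IP implicit I/O",
    102: "Siemens S7 / ISO-TSAP",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumed site layout (hypothetical): PLCs sit in OT_NET, and only the
# engineering workstations in MGMT_NET are expected to talk to them.
OT_NET = ipaddress.ip_network("10.20.0.0/24")
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")

# Constructed sample records in an assumed format: "time src dst dport action"
SAMPLE_LOG = """\
2026-04-07T02:11:09Z 10.10.5.14 10.20.0.31 44818 allow
2026-04-07T02:13:40Z 203.0.113.77 10.20.0.31 44818 allow
2026-04-07T02:13:58Z 203.0.113.77 10.20.0.31 22 allow
2026-04-07T02:14:02Z 198.51.100.9 10.20.0.40 502 deny
2026-04-07T02:15:30Z 203.0.113.77 10.20.0.8 8443 allow
malformed line
2026-04-07T02:16:12Z 192.0.2.50 10.20.0.40 102 allow
"""

def flag_external_plc_access(log_text):
    """Return connections to watched PLC ports whose source is outside MGMT_NET."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # record does not match the assumed five-field format
        ts, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if dst_ip not in OT_NET or port not in WATCHED_PORTS:
            continue
        if src_ip not in MGMT_NET:
            # "allow" means the PLC was reached; "deny" still shows exposure.
            findings.append((ts, src, dst, port, WATCHED_PORTS[port], action))
    return findings

if __name__ == "__main__":
    for finding in flag_external_plc_access(SAMPLE_LOG):
        print("ALERT", *finding)
```

Records with action `allow` indicate the device was reachable and warrant immediate review; `deny` records show the port is being probed through the perimeter.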


Article by CyberSIXT