IRAN-AFFILIATED threat actors are disrupting US critical infrastructure by targeting Internet-facing OT devices, with the campaign focused on programmable logic controllers (PLCs) from Rockwell Automation/Allen-Bradley used in energy, water and wastewater, and government facilities, according to the advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies.
The attackers have manipulated PLC project files and tampered with HMI and SCADA displays, causing operational disruption and financial losses in some cases, the advisory notes. Though the agencies did not name the actors behind the activity, the events are described as reminiscent of attacks on PLCs by CyberAv3ngers (aka Shahid Kaveh Group), a threat actor affiliated with Iran's IRGC Cyber Electronic Command.
The guidance urges organisations to remove PLCs from direct Internet exposure, use secure gateways and firewalls, and monitor logs for suspicious OT traffic on ports 44818, 2222, 102, 22, and 502 (the advisory references these under MITRE ATT&CK for ICS technique T0885, Commonly Used Port), while noting that Dropbear SSH was deployed on victim endpoints to enable remote access via port 22.
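The port-monitoring advice above is easy to turn into a first-pass detection. The following is an added example, not code from the advisory or the article: it scans firewall flow-log lines for Internet-sourced connections to the listed OT ports on hosts inside the operator's own address ranges. The key=value log format, the sample lines, and the internal CIDR list are constructed for the example; a real firewall or NetFlow export would need its own parser.

```python
"""Flag Internet-sourced connections to OT service ports in flow logs.

Added example (not from the CISA advisory or the article). The port list
comes from the guidance; the log format, sample lines and internal ranges
are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the guidance, with the service usually behind each one.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "S7comm / ISO-TSAP",
    22: "SSH (e.g. a dropped Dropbear daemon)",
    502: "Modbus/TCP",
}

# Constructed flow-log lines in a hypothetical key=value format. Source
# addresses use documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
2026-04-08T02:14:07Z src=203.0.113.5 dst=10.20.30.7 proto=tcp dport=44818 action=allow
2026-04-08T02:14:09Z src=10.20.30.15 dst=10.20.30.7 proto=tcp dport=44818 action=allow
2026-04-08T02:15:31Z src=203.0.113.5 dst=10.20.30.7 proto=tcp dport=22 action=allow
2026-04-08T02:16:02Z src=198.51.100.23 dst=10.20.30.9 proto=tcp dport=502 action=deny
2026-04-08T02:16:40Z src=203.0.113.5 dst=10.20.30.40 proto=tcp dport=443 action=allow
garbage line that does not parse
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_flow(line):
    """Return a dict for one flow line, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip, internal_nets):
    """True if ip falls inside any of the operator-defined internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def flag_flows(log_text, internal_cidrs):
    """Return findings for external -> internal flows on an OT port."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] not in OT_PORTS:
            continue
        # Only Internet-sourced traffic into the OT network is interesting
        # here; engineering-workstation traffic from inside is expected.
        if is_internal(rec["src"], nets) or not is_internal(rec["dst"], nets):
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "service": OT_PORTS[rec["dport"]],
            "action": rec["action"],
        })
    return findings


def summarize(findings):
    """Count findings per (dport, action). Many 'deny' hits across OT ports
    from one source look like scanning; a single 'allow' hit means the
    device is reachable from the Internet and needs re-segmenting."""
    return Counter((f["dport"], f["action"]) for f in findings)


if __name__ == "__main__":
    hits = flag_flows(SAMPLE_LOG, ["10.0.0.0/8", "192.168.0.0/16"])
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} '
              f'({h["service"]}) {h["action"]}')
    print(summarize(hits))
```

On the constructed sample this reports the allowed EtherNet/IP and SSH connections to the PLC at 10.20.30.7 and the blocked Modbus probe against 10.20.30.9, while ignoring the internal workstation session and the HTTPS flow. The "allow" hits are the ones that matter most for the advisory's first recommendation: they show a controller that is still directly reachable from the Internet.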
The FBI, NSA, EPA, DOE, and CNMF have joined CISA in the alert, which also highlights targeted devices including CompactLogix and Micro850 PLCs and the use of leased third-party infrastructure to establish connections to victims’ PLCs.

Elizabeth Montalbano, Contributing Writer, April 8, 2026.