Iranian-Affiliated Cyber Actors Target Programmable Logic Controllers In U.S. Critical Infrastructure Supply Chains

CISA released this alert on Tuesday, April 7. End users should be aware that Iranian-backed threat actors are actively targeting PLCs in US critical infrastructure and manufacturing. You can read the full alert here. The following is quoted directly from the alert:

Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several US critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

US organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected Products

  • Rockwell Automation/Allen-Bradley-manufactured PLCs
  • Potentially other branded PLCs

Key Actions

  • Remove PLCs from direct internet exposure via a secure gateway and firewall.
  • Query available logs for the provided IOCs in the corresponding time frames.
  • For Rockwell Automation devices, place the physical mode switch on the controller into run position. Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF), hereafter referred to as the “authoring agencies,” are urgently warning US organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple US critical infrastructure sectors. As a result of this activity, organizations from multiple US critical infrastructure sectors experienced disruptions through malicious interactions with the project files¹ and the manipulation of data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has resulted in operational disruption and financial loss.

Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.

Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend US organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks and apply the recommendations listed in the Mitigations section to reduce the risk of compromise.

The authoring agencies assess that a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple US critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group)—a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).

If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise. Please contact the authoring agencies and applicable vendors through existing support channels available to customers and integrators (see Contact Information) to receive support, mitigation, and investigation assistance, and engage your cyber incident response plans.
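The alert's log-review step (checking for traffic to OT ports 44818, 2222, 102 and 502 that originates outside the plant network), worked as an added example; this is not code from the CISA alert or from this post. It assumes a constructed firewall-log line format and an assumed list of internal address ranges; the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# OT service ports named in the alert, labelled with the protocol commonly served on each
# (44818 and 2222: EtherNet/IP; 102: ISO-TSAP, used by some PLC engineering traffic; 502: Modbus/TCP)
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP-IO", 102: "ISO-TSAP", 502: "Modbus/TCP"}

# Assumption: the plant and corporate networks use these RFC 1918 ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_external_ot_access(lines):
    """Return one finding per flow that hits an OT port from a non-internal source.
    Denied flows are kept too: repeated blocked attempts are still scanning evidence."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:          # skip lines that do not match the expected format
            continue
        dport = int(m["dport"])
        if dport in OT_PORTS and not is_internal(m["src"]):
            findings.append({"time": m["ts"], "src": m["src"], "dst": m["dst"],
                             "port": dport, "protocol": OT_PORTS[dport], "action": m["action"]})
    return findings

def summarize_by_source(findings):
    """Count findings per external source so the noisiest hosts surface first."""
    return Counter(f["src"] for f in findings)

SAMPLE_LOG = [  # constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 stand in for external hosts
    "2025-04-01T03:12:07Z 203.0.113.45:51234 -> 10.20.30.5:44818 TCP ALLOW",
    "2025-04-01T03:12:09Z 203.0.113.45:51236 -> 10.20.30.5:2222 UDP ALLOW",
    "2025-04-01T03:15:41Z 10.20.30.9:40211 -> 10.20.30.5:44818 TCP ALLOW",
    "2025-04-01T04:02:13Z 198.51.100.7:33012 -> 10.20.31.2:502 TCP DENY",
    "2025-04-01T04:05:55Z 198.51.100.7:33020 -> 10.20.31.3:443 TCP ALLOW",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    hits = find_external_ot_access(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']} ({f['protocol']}) {f['action']}")
    print(summarize_by_source(hits))
```

The internal flow on 44818 and the external flow on 443 are intentionally not flagged; only the three external-to-OT-port flows are reported.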
