Iranian-affiliated hackers have been attacking US critical national infrastructure (CNI) providers since last month, causing operational disruption and financial loss, the US government has revealed.
A Cybersecurity and Infrastructure Security Agency (CISA) advisory on April 7 said the threat actors were targeting internet-facing operational technology (OT) assets including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
So far, the sectors targeted have been government services and facilities (including local municipalities), water and wastewater systems (WWS), and energy.
“Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend US organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the mitigations section to reduce the risk of compromise,” the advisory noted.
The advanced persistent threat (APT) group has been observed “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to CISA. The PLCs apparently manage a wide variety of industrial processes.
The threat actors are using “configuration software” such as Rockwell Automation’s Studio 5000 Logix Designer to create an “accepted connection” to targeted PLCs, via overseas IP addresses and third-party hosted infrastructure.
Inbound malicious traffic may come on ports 44818, 2222, 102, 22, or 502, with port 22 attacks involving the deployment of Dropbear Secure Shell (SSH) software on victim endpoints for remote access.
Actions For CNI Firms to Take
The advisory urged US CNI providers to:
- Use secure gateways and firewalls to protect PLCs from direct internet exposure
- Query available logs for the IOCs provided in the advisory
- Check available logs for suspicious traffic on the ports associated with OT devices, especially if they originate overseas
- Place the physical mode switch on the controller of Rockwell Automation devices into the run position
- Contact the FBI, CISA, NSA or other authoring agencies for guidance if the organization has already been targeted
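As an added illustration of the log-review step above (this is example code written for this article, not a tool from CISA or Rockwell Automation), the script below screens constructed firewall-style log lines for allowed inbound connections to the ports the advisory names, coming from sources outside a set of assumed internal ranges. The log format, the sample addresses and the internal ranges are all assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Ports the advisory lists for inbound malicious traffic
# (44818/2222 EtherNet/IP-CIP, 102 ISO-TSAP/S7, 22 SSH, 502 Modbus).
OT_PORTS = {44818, 2222, 102, 22, 502}

# Assumed internal address space; adjust to the operator's own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (not real traffic, not advisory IOCs).
SAMPLE_LOG = """\
2025-04-07T08:12:03Z src=203.0.113.45 dst=10.20.5.10 dport=44818 proto=tcp action=allow
2025-04-07T08:12:09Z src=10.20.1.15 dst=10.20.5.10 dport=44818 proto=tcp action=allow
2025-04-07T08:13:41Z src=198.51.100.7 dst=10.20.5.11 dport=22 proto=tcp action=allow
2025-04-07T08:14:02Z src=198.51.100.7 dst=10.20.5.11 dport=443 proto=tcp action=allow
2025-04-07T08:15:30Z src=192.0.2.88 dst=10.20.5.12 dport=502 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=\S+ action=(?P<action>\w+)"
)


def is_external(ip: str) -> bool:
    """True when the source is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_ot_exposure(log_text: str) -> List[Dict[str, str]]:
    """Return allowed inbound connections to OT ports from external sources.

    The advisory's "originates overseas" test needs a geolocation lookup,
    which is left out here; external-source is the offline approximation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        port = int(m["dport"])
        if port in OT_PORTS and m["action"] == "allow" and is_external(m["src"]):
            hits.append({"time": m["ts"], "src": m["src"],
                         "dst": m["dst"], "port": str(port)})
    return hits


if __name__ == "__main__":
    for h in find_ot_exposure(SAMPLE_LOG):
        print(f"{h['time']} external {h['src']} -> {h['dst']}:{h['port']} allowed")
```

Denied connections and internal sources are skipped on purpose; the two remaining lines in the sample (external sources reaching 44818 and 22) are the ones worth a closer look.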
The campaign follows a Handala attack on US medtech firm Stryker in March which wiped tens of thousands of devices.
It also follows a similar campaign in 2023 when Iran’s Islamic Revolutionary Guard Corps (IRGC) struck US water plants running PLCs manufactured by Israeli firm Unitronics.
Experts Weigh In
Ross Filipek, CISO at Corsica Technologies, argued that the new campaign didn’t happen in a vacuum.
“Years of high-profile infrastructure incidents have shown the world two things. First, that many operational technology environments still have internet reachable interfaces and remote access paths that were never meant to be permanent,” he continued.
“Second, that even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage. Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance level defacement into real operational interference.”
Exabeam VP of AI strategy and security research, Steve Povolny, said CNI firms operating OT should assume increased reconnaissance, credential harvesting and opportunistic attempts to exploit systems during the US campaign in Iran.
“Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators. Teams should prioritize passive network monitoring for control protocols, enforce strict segmentation between enterprise and control zones, validate remote access pathways, and confirm that engineering workstations and vendor maintenance channels are tightly controlled and logged,” he added.
“Just as important, incident response plans must explicitly account for loss of control system integrity, not just loss of data confidentiality. However, I fear it may be too late for much of this to have short-term impact.”