Iran-Linked Cyber Actors Escalate Attacks on US Critical Infrastructure Through PLC Exploitation
- Apr 8
Key Findings
- Iran-affiliated cyber actors are actively targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure sectors, including government, water systems, and energy
- Attacks have caused diminished PLC functionality, manipulated display data, operational disruption, and financial losses
- Threat actors are exploiting Rockwell Automation and Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices
- Initial access is gained through leased third-party infrastructure and configuration software such as Studio 5000 Logix Designer
- Command-and-control is established using Dropbear SSH software deployed on victim endpoints for remote access and project file extraction
- The campaign represents an escalation in response to ongoing hostilities between Iran and the U.S./Israel
- This follows previous campaigns by groups such as CyberAv3ngers that compromised at least 75 devices in 2023
Background
Iranian-affiliated threat actors have been conducting cyber operations against U.S. organizations with increasing frequency over the past several months. These campaigns appear coordinated with Iran's strategic interests and represent a broader shift in targeting priorities toward operational technology infrastructure. The current activity builds on established patterns from late 2023 when the same groups successfully disrupted water systems and other critical services.
Attack Methods and Tactics
The threat actors employ a methodical approach to gain and maintain access. They begin by identifying internet-facing PLCs and establishing connections through leased infrastructure configured with legitimate Rockwell Automation software. Once inside, they extract project files that contain device logic and configuration information.
The actors use multiple communication channels to maintain control, leveraging SSH tools deployed on compromised endpoints. They interact directly with project files and manipulate the data displayed on human-machine interface (HMI) and SCADA systems, allowing them to disrupt operations while potentially remaining undetected for extended periods.
Targeted Assets and Sectors
The primary focus has been Rockwell Automation and Allen-Bradley manufactured devices, with CompactLogix and Micro850 PLCs representing the main targets. These controllers are widely deployed across government services, water and wastewater systems, and energy infrastructure throughout the United States.
Indicators suggest threat actors may also be probing other vendors like Siemens, indicating a broad operational scope and willingness to develop capabilities against multiple platforms.
Broader Coordination and State Direction
Recent analysis reveals the operation is part of a larger coordinated cyber ecosystem aligned with Iran's Ministry of Intelligence and Security. Multiple personas previously tracked as separate hacktivist groups—including Homeland Justice, Karma, and Handala Hack—function as interconnected operational entities sharing infrastructure and tradecraft rather than distinct organizations.
This structure enables message segmentation and distributed attribution while maintaining unified command and control. The use of Telegram channels for both dissemination and command-and-control operations allows malware to communicate with actor-controlled bots while blending into normal platform traffic.
Recommended Mitigations
Organizations should immediately assess whether PLCs are internet-exposed and disconnect them where operationally feasible. Where internet connectivity is necessary, implement firewall or network proxy protections to control access and monitor for unusual traffic on operational technology ports including 44818, 2222, 102, 22, and 502.
Additional steps include enabling multi-factor authentication, updating firmware to current versions, disabling unused authentication features and default credentials, and implementing physical or software switches to prevent remote modification. Continuous monitoring of network activity and log analysis for indicators of compromise is essential for detecting successful intrusions early.
Sources
https://thehackernews.com/2026/04/iran-linked-hackers-disrupt-us-critical.html
https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html
https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-hackers-targeting-critical-infrastructure/
https://www.securityweek.com/iran-linked-hackers-disrupt-us-critical-infrastructure-via-plc-attacks/
https://www.cnet.com/news/iranian-hackers-said-to-escalate-attacks-on-us-critical-infrastructure/