Vypr · breach · Published Apr 8, 2026 · Updated May 18, 2026 · 1 source

Iran‑Backed APT Targets US Critical Infrastructure via Internet‑Facing Rockwell PLCs

CISA warns that Iranian-affiliated threat actors have been actively exploiting internet-facing Rockwell Automation PLCs since March 2026, disrupting government, water, and energy sectors across the United States.

Iranian-affiliated advanced persistent threat (APT) actors have been systematically attacking US critical national infrastructure (CNI) providers since March 2026, causing operational disruption and financial loss, according to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) on April 7. The threat actors are specifically targeting internet-facing operational technology (OT) assets, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. So far, the sectors impacted include government services and facilities (such as local municipalities), water and wastewater systems (WWS), and energy providers.

The attackers have been observed "maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays," CISA reported. The PLCs at the heart of these attacks manage a wide variety of industrial processes, making their compromise particularly dangerous. The group is using configuration software such as Rockwell Automation's Studio 5000 Logix Designer to establish "accepted connections" to targeted PLCs, routing traffic through overseas IP addresses and third-party hosted infrastructure. Inbound malicious traffic has been detected on ports 44818, 2222, 102, 22, and 502, with port 22 attacks involving the deployment of Dropbear Secure Shell (SSH) software on victim endpoints for remote access.

CISA emphasized the widespread use of these PLCs across critical infrastructure and warned that other branded OT devices may be targeted next. "Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend US organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks," the advisory noted.

This campaign follows a similar 2023 operation by Iran's Islamic Revolutionary Guard Corps (IRGC) that struck US water plants running PLCs manufactured by Israeli firm Unitronics. It also comes on the heels of a Handala attack on US medtech firm Stryker in March, which wiped tens of thousands of devices. The pattern suggests a sustained and evolving Iranian cyber capability focused on US critical infrastructure.

Industry experts weighed in on the significance of the campaign. Ross Filipek, CISO at Corsica Technologies, argued that the new campaign did not happen in a vacuum. "Years of high-profile infrastructure incidents have shown the world two things. First, that many operational technology environments still have internet reachable interfaces and remote access paths that were never meant to be permanent," he said. "Second, that even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage."

Steve Povolny, VP of AI strategy and security research at Exabeam, warned that CNI firms operating OT should assume increased reconnaissance, credential harvesting, and opportunistic exploitation attempts during the US campaign in Iran. "Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators," he said. "Teams should prioritize passive network monitoring for control protocols, enforce strict segmentation between enterprise and control zones, validate remote access pathways, and confirm that engineering workstations and vendor maintenance channels are tightly controlled and logged."

CISA has provided a set of actionable, CNI-specific recommendations to mitigate the threat. Organizations are urged to use secure gateways and firewalls to protect PLCs from direct internet exposure, query available logs for the IOCs provided in the advisory, check for suspicious traffic on the ports associated with OT devices (especially if originating overseas), and place the physical mode switch on Rockwell Automation controllers into the run position. The agency also advises contacting the FBI, CISA, NSA, or other authoring agencies for guidance if an organization has already been targeted.

The advisory underscores a critical vulnerability in the nation's industrial control systems: the persistent OT/IT visibility gap and the continued exposure of PLCs to the internet. As Povolny noted, "I fear it may be too late for much of this to have short-term impact." The campaign serves as a stark reminder that nation-state adversaries are actively probing and exploiting these weaknesses, and that proactive isolation and monitoring of OT assets are no longer optional but essential.

Synthesized by Vypr AI