VYPR
Advisory · Published Apr 17, 2026 · Updated May 18, 2026 · 1 source

Iranian Threat Group CL-STA-1128 Targets Rockwell Automation OT/ICS Equipment, CISA Issues Advisory

Unit 42 has identified Iranian threat group CL-STA-1128 (Cyber Av3ngers) actively targeting Rockwell Automation OT/ICS systems, with over 5,600 exposed IPs globally and a new CISA advisory issued.

Unit 42 researchers have uncovered a new cluster of threat activity, tracked as CL-STA-1128 (also known as Cyber Av3ngers and Storm-0784), targeting operational technology and industrial control systems (OT/ICS) manufactured by Rockwell Automation. This marks a significant shift from the group's historical focus on internet-connected Unitronics programmable logic controllers (PLCs). The findings, detailed in a threat brief updated on April 17, 2026, reveal that the attackers have installed Rockwell Automation's FactoryTalk software on virtual private server (VPS) infrastructure to facilitate their exploitation efforts.

The technical mechanism: The attackers leveraged FactoryTalk, a suite of industrial automation tools, by installing it on VPS infrastructure. Unit 42's assessment is based on analysis of unique port combinations observed across hosts, correlating to static mappings for FactoryTalk software. Since April 1, Cortex Xpanse scanning has identified over 5,600 IP addresses globally hosting exposed Rockwell Automation or Allen-Bradley SCADA devices, including FactoryTalk services and various PLCs.

Impact: The targeting of Rockwell Automation equipment, widely used in critical infrastructure sectors including energy, manufacturing, and water systems, poses a significant risk. The exposure of over 5,600 IPs globally indicates a broad attack surface. The group's shift to these systems suggests an escalation in capability and intent, potentially enabling disruptive or destructive attacks against industrial processes.

Response: On April 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory mirroring Unit 42's findings, specifically noting that Cyber Av3ngers was exploiting Allen-Bradley PLCs. The advisory provides mitigations and detection guidance for affected organizations. Palo Alto Networks customers are protected through Next-Generation Firewalls with Advanced Threat Prevention, Advanced URL Filtering, and Cortex XDR/XSIAM products.

Broader context: This activity occurs against the backdrop of heightened geopolitical tensions following Operation Epic Fury and Operation Roaring Lion in late February 2026. Iran experienced a 47-day near-complete internet outage, with limited restoration of access beginning on April 17. The targeting of OT/ICS systems represents a strategic shift for Iranian threat actors, who have historically focused on espionage and disruption. The use of VPS infrastructure to host industrial control software indicates a sophisticated approach to operational security and targeting.
The discovery underscores the evolving threat landscape for industrial control systems, where nation-state actors are increasingly willing to invest in specialized tools and infrastructure to compromise critical infrastructure. Organizations operating Rockwell Automation and Allen-Bradley equipment should immediately review CISA's advisory, implement network segmentation, and ensure that FactoryTalk services are not exposed to the internet.
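The port-combination matching described above, applied from the defender's side to your own external attack-surface scan output, as an added example that is not part of the original advisory or of Unit 42's tooling. It assumes a scan record per host with its open ports and the zone it was scanned from; the fingerprint table lists only the standard EtherNet/IP ports spoken by Allen-Bradley controllers, because Unit 42's FactoryTalk static mapping is not published in the brief and is not guessed here.

```python
from dataclasses import dataclass

# Port-combination fingerprints for OT services. TCP 44818 (explicit
# messaging) and UDP 2222 (implicit I/O) are the standard EtherNet/IP ports
# used by Allen-Bradley controllers. No FactoryTalk entry is included: the
# brief does not publish that mapping, so extend the table from your own
# asset inventory rather than from guesses.
FINGERPRINTS = {
    "ethernet-ip": frozenset({("tcp", 44818)}),
    "ethernet-ip-with-io": frozenset({("tcp", 44818), ("udp", 2222)}),
}

@dataclass
class ScanRecord:
    host: str
    zone: str               # "internet" = reachable from outside the perimeter
    open_ports: frozenset   # {(proto, port), ...} as observed by the scanner

def match_fingerprint(open_ports):
    """Return the most specific fingerprint fully contained in open_ports, or None."""
    hits = [(len(fp), name) for name, fp in FINGERPRINTS.items() if fp <= open_ports]
    return max(hits)[1] if hits else None

def audit(records):
    """Flag OT services reachable from the internet; report segmented ones as info."""
    findings = []
    for r in records:
        svc = match_fingerprint(r.open_ports)
        if svc is None:
            continue
        exposed = r.zone == "internet"
        findings.append({
            "host": r.host, "service": svc, "zone": r.zone,
            "severity": "critical" if exposed else "info",
            "action": ("block at perimeter and move behind the OT firewall"
                       if exposed else "segmented; keep monitoring"),
        })
    return findings

# Constructed sample scan output (documentation address ranges, not real hosts).
SAMPLE = [
    ScanRecord("203.0.113.10", "internet", frozenset({("tcp", 44818), ("udp", 2222)})),
    ScanRecord("203.0.113.11", "internet", frozenset({("tcp", 443)})),
    ScanRecord("10.20.30.5", "ot-segment", frozenset({("tcp", 44818)})),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the JSON or CSV export of your perimeter scanner instead of SAMPLE; every "critical" row is a host that the advisory's mitigation (no FactoryTalk or PLC services exposed to the internet) says should not exist.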

Synthesized by Vypr AI