Scope of Iranian OT Targeting Laid Bare in Censys Research
A threat intelligence brief published Wednesday by cybersecurity firm Censys reveals that the potential exposure from Iran's state-sponsored targeting of U.S. critical infrastructure is far broader than initially understood. Researchers identified more than 5,200 internet-connected devices that could be within reach of Iranian government attackers — and the overwhelming majority of those devices are on American soil.
Of the programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley that Censys flagged as potentially exposed, nearly 3,900 — roughly 3 out of every 4 — are based in the United States. The firm's findings were grounded in details shared through a joint federal alert issued Tuesday, and Censys supplemented those findings by publishing additional indicators of compromise, including operator IP addresses and threat hunting queries.
Federal Agencies Sound the Alarm
The joint alert that prompted Censys's research was issued by a coalition of U.S. federal agencies, including the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), the Department of Energy, and U.S. Cyber Command. Authorities warned that Iranian government-linked attackers have been actively exploiting devices that control industrial automation processes, disrupting multiple sectors over the past month. Officials also noted that some victims suffered financial losses as a direct result of the attacks.
The targeted operational technology (OT) devices are deployed across several critical sectors, including the energy sector, water and wastewater systems, and U.S. government services and facilities.
Cellular Connectivity Creates Heightened Risk
Censys scans detected 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the joint alert was released. One particularly concerning finding was how these devices are connected to the internet: researchers determined that most of the exposed PLCs rely on cellular systems as their primary network link, posing a significant risk to remote field deployments.
Nearly half of the devices identified globally are connected through Verizon's wireless network, while 13% use AT&T's infrastructure.
"These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path," Censys researchers wrote in the report.
This reliance on cellular connectivity means that traditional network-perimeter defenses may offer little to no protection: a PLC whose only link is a cellular modem sits directly on the carrier's network rather than behind an enterprise firewall, leaving these assets uniquely exposed to remote exploitation.
Expanded Attack Surface and End-of-Life Software
The risk is compounded further by additional services exposed on other ports of these same devices. Censys warned that these open ports could provide attackers with direct pathways into operations beyond simple PLC exploitation — effectively broadening the attack surface beyond what the primary threat campaign targets.
Researchers also fingerprinted specific MicroLogix and CompactLogix models exposed to the current threat campaign and published a list of the 15 most-exposed products. A troubling pattern emerged: many of the most prominent devices are running end-of-life software. This creates an additional compounding risk, as attackers who scan for vulnerable systems can easily prioritize unpatched devices that manufacturers no longer support with security updates.
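As an added illustration of how a defender would triage findings like the ones described above (cellular-only links, end-of-life firmware, extra services on other ports) and cross-reference them against an internal asset inventory, the following script is example code written for this page; it is not Censys's tooling, nor any of its published queries. Every record in it is constructed: the IPs come from the 192.0.2.0/24 documentation range, the ASN names, models and firmware status are invented, the scoring weights are an arbitrary assumption, and the carrier-name keyword match is a simplification of how carrier attribution would really be done.

```python
"""Prioritize internet-exposed PLC findings for remediation.

Added example, not code from Censys or the article. All data is constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Port the controller legitimately needs reachable for its own protocol
# (EtherNet/IP, TCP 44818, used by Rockwell/Allen-Bradley controllers).
# Any other open port counts as an "additional service" widening the surface.
EXPECTED_PLC_PORTS = frozenset({44818})

# Assumption: carrier attribution by substring match on the ASN name.
CELLULAR_ASN_KEYWORDS = ("verizon wireless", "at&t mobility")


@dataclass(frozen=True)
class ExposedHost:
    ip: str
    country: str
    asn_name: str
    product: str
    end_of_life: bool
    open_ports: frozenset


# Constructed sample findings (not real hosts; documentation IP range).
SAMPLE_HOSTS = [
    ExposedHost("192.0.2.10", "US", "Verizon Wireless", "MicroLogix 1400", True, frozenset({44818, 80})),
    ExposedHost("192.0.2.11", "US", "AT&T Mobility", "CompactLogix 5370", False, frozenset({44818})),
    ExposedHost("192.0.2.12", "US", "Example Cable ISP", "MicroLogix 1100", True, frozenset({44818, 23, 80})),
    ExposedHost("192.0.2.13", "CA", "Verizon Wireless", "CompactLogix 5380", False, frozenset({44818, 443})),
    ExposedHost("192.0.2.14", "US", "Verizon Wireless", "MicroLogix 1400", False, frozenset({44818})),
]


def is_cellular(host: ExposedHost) -> bool:
    name = host.asn_name.lower()
    return any(keyword in name for keyword in CELLULAR_ASN_KEYWORDS)


def extra_services(host: ExposedHost) -> list:
    """Open ports beyond what the PLC protocol itself requires."""
    return sorted(host.open_ports - EXPECTED_PLC_PORTS)


def risk_reasons(host: ExposedHost) -> list:
    reasons = []
    if host.end_of_life:
        reasons.append("end-of-life firmware, no vendor patches")
    if is_cellular(host):
        reasons.append("cellular-only path, no enterprise perimeter in front")
    extras = extra_services(host)
    if extras:
        reasons.append("extra services on ports " + ",".join(map(str, extras)))
    return reasons


def risk_score(host: ExposedHost) -> int:
    """Additive score; weights are an assumption for illustration only."""
    score = 1  # baseline: the PLC protocol is reachable from the internet
    if host.end_of_life:
        score += 3
    if is_cellular(host):
        score += 2
    score += len(extra_services(host))
    return score


def prioritize(hosts) -> list:
    """Return (ip, score, reasons) tuples, highest risk first (stable on ties)."""
    ranked = sorted(hosts, key=lambda h: -risk_score(h))
    return [(h.ip, risk_score(h), risk_reasons(h)) for h in ranked]


def carrier_breakdown(hosts) -> dict:
    by_asn = Counter(h.asn_name for h in hosts)
    cellular = sum(1 for h in hosts if is_cellular(h))
    share = cellular / len(hosts) if hosts else 0.0
    return {"by_asn": dict(by_asn), "cellular_share": share}


def match_inventory(hosts, owned_cidrs) -> list:
    """Keep only findings whose IP falls inside the organisation's own CIDRs."""
    networks = [ipaddress.ip_network(cidr) for cidr in owned_cidrs]
    return [h for h in hosts if any(ipaddress.ip_address(h.ip) in n for n in networks)]


def summarize(hosts, owned_cidrs) -> dict:
    us = sum(1 for h in hosts if h.country == "US")
    return {
        "total": len(hosts),
        "us_share": us / len(hosts) if hosts else 0.0,
        "carriers": carrier_breakdown(hosts),
        "in_my_inventory": [h.ip for h in match_inventory(hosts, owned_cidrs)],
        "top": prioritize(hosts)[:3],
    }


if __name__ == "__main__":
    # Constructed inventory CIDR: pretend this organisation owns 192.0.2.8/30.
    for key, value in summarize(SAMPLE_HOSTS, ["192.0.2.8/30"]).items():
        print(key, value)
```

The inventory match is the step that turns a global exposure report into a local action list; run it first, then work the prioritized list from the top, treating end-of-life controllers on cellular links with extra open ports as the devices to isolate or upgrade before anything else.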
Timeline and Broader Iranian Cyber Activity
The attacks are believed to date back to at least March, a period that coincides with escalating hostilities following the U.S. and Israel's military campaign against Iran. The OT-focused intrusions were also carried out concurrently with separate operations by other Iranian government-backed threat actors, who claimed additional victims during the same period — including Stryker and multiple local governments.
The breadth of these operations, spanning industrial control systems, healthcare, and municipal government, underscores the scale and ambition of Iran's cyber offensive posture against U.S. targets. Security teams responsible for OT environments are urged to review the indicators of compromise published by Censys and cross-reference the federal joint alert to assess their exposure.
Source: CyberScoop