Iran-Linked APT Actors Target US Critical Infrastructure Through Internet-Exposed PLCs

April 10, 2026 21:00 · 5 min read
US Government Warns of Iranian OT Attacks on Critical Sectors

The US government has issued an urgent warning about Iran-affiliated advanced persistent threat (APT) actors disrupting American critical infrastructure through coordinated attacks on Internet-exposed operational technology (OT) devices. The disclosure came on Tuesday, just before the US and Iran reached a tentative two-week ceasefire agreement in the ongoing conflict between the two nations.

The campaign, which began last month shortly after the US and Israel jointly attacked Iran, has already resulted in tangible damage. According to a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and several partner agencies, attackers have successfully manipulated PLC project files, tampered with HMI and SCADA displays, and in some instances caused full operational disruption.

"In a few cases, this activity has resulted in operational disruption and financial loss," the advisory stated.

Targeted Devices and Affected Sectors

The primary targets of the campaign are programmable logic controllers (PLCs) — particularly those manufactured by Rockwell Automation/Allen-Bradley — deployed within energy facilities, water and wastewater systems, and government infrastructure. Devices specifically identified in the advisory include CompactLogix and Micro850 PLC models.

Attackers accessed these Internet-facing devices using several overseas-based IP addresses, leveraging leased third-party-hosted infrastructure along with legitimate configuration software. The advisory noted that actors used Rockwell Automation's Studio 5000 Logix Designer software to establish accepted connections to victim PLCs.

Malicious traffic was directed to the devices over the OT-related ports enumerated in the advisory, the same four ports (44818, 2222, 102 and 502) that the mitigation guidance below tells operators to monitor.

The inclusion of port 102, the port used by the Siemens S7 protocol (referenced in the advisory under MITRE ATT&CK for ICS technique T0885, Commonly Used Port), suggests that devices from manufacturers beyond Rockwell Automation/Allen-Bradley may also have been targeted in this campaign.

To maintain persistent remote access, attackers deployed the Dropbear Secure Shell (SSH) server on victim endpoints, giving them remote access over port 22 (MITRE ATT&CK technique T1219, Remote Access Software).

Links to CyberAv3ngers and Prior Attacks

While the agencies refrained from directly naming the specific threat actors behind this latest wave of attacks, they noted that the activity bears a strong resemblance to previous operations carried out by CyberAv3ngers, also known as the Shahid Kaveh Group. This threat actor is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).

In November 2023, CyberAv3ngers compromised at least 75 US-based Unitronics PLC devices that incorporated HMIs and were deployed across multiple critical infrastructure sectors, including wastewater systems. The current campaign appears to follow a similar playbook, broadening the scope of targeted hardware and sectors.

Geopolitical Context and Escalation Risks

The attacks are unfolding against a backdrop of heightened geopolitical tension. Prior to the ceasefire agreement, President Donald Trump had threatened to target Iranian critical infrastructure — including power plants — at scale as part of the war effort. Security analysts warn that such threats could further incentivize Iranian retaliatory cyberattacks against US targets.

The joint advisory was co-authored by the FBI, the National Security Agency (NSA), the Environmental Protection Agency (EPA), the Department of Energy (DOE), and United States Cyber Command–Cyber National Mission Force (CNMF), reflecting the breadth of concern across federal agencies.

A Structural Problem Beyond the Conflict

Industry experts emphasize that the vulnerability of PLCs and OT devices to this type of attack is not merely a consequence of the current US-Iran hostilities — it reflects a long-standing, systemic security problem within industrial environments.

Gabrielle Hempel, security operations strategist at Exabeam, told Dark Reading that the root issue is architectural:

"If an OT environment is reachable from the Internet, that is an inherent design flaw and not a nation-state problem."

The exposure of OT devices to the public Internet has been an ongoing concern for critical infrastructure operators for years, and the current campaign underscores the urgency of addressing that fundamental weakness regardless of geopolitical circumstances.

Recommended Mitigations

CISA and the co-authoring agencies are urging critical infrastructure organizations to act immediately. Key recommended mitigations include:

  1. Remove PLCs from direct Internet exposure and implement secure gateways and firewalls to shield OT environments.
  2. Review available logs for suspicious traffic on ports associated with OT devices — specifically ports 44818, 2222, 102, and 502 — with particular attention to traffic originating from overseas hosting providers.
  3. Place the physical mode switch on Rockwell Automation/Allen-Bradley controllers into the "run" position to reduce the risk of unauthorized modifications.
  4. Search logs for indicators of compromise (IoCs) included in the advisory, within the corresponding time frames.
  5. Contact CISA, the authoring agencies, and Rockwell Automation directly if there is any suspicion that devices may have been targeted or compromised.
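As an added example of how mitigation 2 might be operationalized (this is not code from Dark Reading, CISA or Rockwell Automation), the following Python flags flow-log records that reach the listed OT ports, or SSH, on a controller subnet from any source other than an approved engineering workstation. The log format, subnets, allowlist and sample records are constructed assumptions.

```python
import ipaddress

# Ports from the advisory's mitigation guidance, plus 22 (Dropbear SSH persistence)
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP (UDP I/O)",
            102: "Siemens S7comm", 502: "Modbus/TCP", 22: "SSH"}

# Constructed site layout: controller subnet, all site-owned space, and the only
# engineering workstation approved to use Studio 5000 against the PLCs.
OT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.20.10.15")}

def parse_line(line):
    """Parse a constructed '<ts> key=value ...' record; dport becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": ts, **dict(f.split("=", 1) for f in fields)}
    rec["dport"] = int(rec["dport"])
    return rec

def in_any(ip, nets):
    return any(ip in net for net in nets)

def find_suspicious(lines):
    """Return (ts, src, dst, port, protocol, reason) tuples worth triage."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        port = rec["dport"]
        if port not in OT_PORTS or not in_any(dst, OT_NETS):
            continue  # not OT-protocol (or SSH) traffic to a controller
        if src in ENGINEERING_ALLOWLIST:
            continue  # approved engineering workstation
        if not in_any(src, INTERNAL_NETS):
            reason = "external source reaching OT port"  # Internet-exposed PLC
        elif port == 22:
            reason = "SSH into OT subnet"  # controllers/HMIs have no SSH use
        else:
            reason = "internal, non-allowlisted source on OT port"
        findings.append((rec["ts"], rec["src"], rec["dst"], port, OT_PORTS[port], reason))
    return findings

# Constructed sample records; documentation IP ranges stand in for overseas hosts.
SAMPLE_LOG = [
    "2026-03-29T02:14:07Z src=203.0.113.7 dst=10.20.30.5 dport=44818 proto=tcp action=allow",
    "2026-03-29T02:15:41Z src=10.20.10.15 dst=10.20.30.5 dport=44818 proto=tcp action=allow",
    "2026-03-29T02:16:09Z src=198.51.100.23 dst=10.20.30.9 dport=102 proto=tcp action=allow",
    "2026-03-29T02:20:33Z src=10.20.40.8 dst=10.20.30.5 dport=22 proto=tcp action=allow",
    "2026-03-29T02:21:00Z src=10.20.40.8 dst=10.20.50.1 dport=443 proto=tcp action=allow",
]
```

Running `find_suspicious(SAMPLE_LOG)` yields three findings: the two external hits on 44818 and 102, and the internal SSH session into the controller subnet; the approved workstation and the unrelated HTTPS flow are not reported.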

The advisory serves as a reminder that the convergence of geopolitical conflict and under-secured industrial infrastructure creates a particularly dangerous attack surface — one that threat actors affiliated with nation-states are actively exploiting. Organizations operating PLCs and other OT devices connected to the Internet should treat this warning as an immediate call to action.


Source: Dark Reading