root@rebel:~$ cd /news/threats/iranian-apt-exploits-rockwell-automation-plcs-securing-critical-infrastructure-ot-devices_
[TIMESTAMP: 2026-04-07 20:21 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Iranian APT Exploits Rockwell Automation PLCs: Securing Critical Infrastructure OT Devices

AI-Assisted Analysis
READ_TIME: 6 min read
// executive briefing tl;dr
  • [01] Immediate impact: Iranian-affiliated actors are disrupting US critical infrastructure via internet-exposed OT devices.
  • [02] Affected systems: Rockwell Automation/Allen-Bradley PLCs are primarily targeted, with other OT devices also at risk.
  • [03] Remediation: Disconnect all PLCs from direct internet exposure and implement robust network segmentation.

Overview: Iranian APT Targets US Critical Infrastructure PLCs

Iranian-affiliated APT actors are actively exploiting internet-facing Operational Technology (OT) devices, specifically Programmable Logic Controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This ongoing campaign has already caused operational disruptions and financial losses across multiple U.S. critical infrastructure sectors, including Government Services, Water and Wastewater Systems (WWS), and Energy, as detailed in the joint advisory AA26-097A published by CISA. Runtime Rebel urges security professionals responsible for OT environments to assess their exposure immediately and apply the recommended mitigations before further compromise occurs.

This threat highlights the increasing risk to critical infrastructure from nation-state-backed groups who leverage common misconfigurations for disruptive effects. The activity involves malicious interactions with PLC project files and the manipulation of data displayed on Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems, underscoring the severe consequences of exposed industrial control systems.

Threat Actor Analysis and TTPs

The authoring agencies, including the FBI, CISA, NSA, EPA, DOE, and US Cyber Command – Cyber National Mission Force (CNMF), attribute this activity to a group of Iranian-affiliated APT actors. This group’s motivation is assessed to be causing disruptive effects within the United States, likely in response to broader geopolitical tensions. The advisory notes historical similarities to campaigns by CyberAv3ngers (aka Shahid Kaveh Group), a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC), which previously targeted Unitronics PLC devices in WWS facilities.

Initial Access

Threat actors gain initial access by targeting internet-accessible Rockwell Automation/Allen-Bradley PLCs, including CompactLogix and Micro850 devices. Connections originate from overseas-based IP addresses and use legitimate vendor configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer, to reach the victim PLCs; the reported activity rests on exposure and the controller’s native engineering protocol rather than on a software vulnerability. This aligns with the MITRE ATT&CK for Industrial Control Systems (ICS) technique T0883, “Internet Accessible Device,” and highlights the critical risk posed by directly exposed OT assets.

Command and Control

Upon gaining access, the actors establish C2 communication. Malicious inbound traffic has been observed on several ports associated with OT protocols and remote management: 44818 and 2222 (EtherNet/IP, the CIP transport Rockwell controllers use for explicit messaging and implicit I/O respectively), 102 (ISO-TSAP, the transport for Siemens S7 communication), 502 (Modbus/TCP), and 22 (SSH). The targeting of these ports (MITRE ATT&CK for ICS T0885, “Commonly Used Port”) suggests that the actors may also be going after OT devices from vendors other than Rockwell Automation, such as Siemens S7 PLCs. The actors also deployed the Dropbear SSH server on victim endpoints, giving themselves persistent remote access over port 22 (MITRE ATT&CK T1219, “Remote Access Tools”).
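The port list above, together with the Monitoring recommendation later on this page, translates directly into a detection rule: any connection into the PLC segment on one of these ports from a host that is not an engineering workstation deserves a look, and a connection from an advisory IoC deserves an incident. The following is an added example written for this page (not the advisory's own tooling) that runs that rule over constructed firewall log lines. The address plan (10.10.5.0/24 for PLCs, 10.10.1.0/24 for engineering workstations), the log format, and the single IoC address 198.51.100.23 are all assumptions for illustration; substitute your own network layout and the IoC addresses from the advisory.

```python
import ipaddress
from collections import namedtuple

# Ports named in the advisory and the protocol each normally carries.
# The port-to-protocol mapping is standard; the advisory lists only the ports.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O (CIP)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH (Dropbear persistence channel in this campaign)",
}

# Constructed network layout; replace with your own address plan.
OT_NETS = [ipaddress.ip_network("10.10.5.0/24")]           # PLC VLAN
ENGINEERING_NETS = [ipaddress.ip_network("10.10.1.0/24")]  # engineering workstations
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Placeholder indicator only; the real addresses are in the advisory's IoC section.
IOC_IPS = {ipaddress.ip_address("198.51.100.23")}

Flow = namedtuple("Flow", "ts proto src sport dst dport action")


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' firewall line (constructed format)."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Flow(ts, kv["proto"], kv["src"], int(kv["spt"]),
                kv["dst"], int(kv["dpt"]), kv["action"])


def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)


def classify(flow: Flow) -> list:
    """Reasons the flow is suspicious; an empty list means nothing to flag."""
    if flow.dport not in OT_PORTS:
        return []
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not _in(dst, OT_NETS):
        return []  # only traffic into the OT segment matters for this rule
    reasons = []
    proto = OT_PORTS[flow.dport]
    if src in IOC_IPS:
        reasons.append("source matches advisory IoC list")
    if not _in(src, INTERNAL_NETS):
        reasons.append(f"external source reached {proto} on {flow.dport} (T0883)")
    elif not _in(src, ENGINEERING_NETS):
        reasons.append(f"internal source outside engineering VLAN used {proto} on {flow.dport}")
    if reasons and flow.action == "allow":
        reasons.append("connection was permitted, not dropped: check the PLC for project changes")
    return reasons


def scan(lines) -> list:
    """Return [(flow, reasons)] for every flagged line, in log order."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            flagged.append((flow, reasons))
    return flagged


# Constructed sample log: one legitimate engineering session, one IoC hit,
# one external SSH session, one stray internal Modbus attempt, and two
# lines the rule must ignore (non-OT port, non-OT destination).
SAMPLE_LOG = """\
2026-03-02T03:14:07Z proto=tcp src=10.10.1.20 spt=49812 dst=10.10.5.11 dpt=44818 action=allow
2026-03-02T03:15:41Z proto=tcp src=198.51.100.23 spt=51234 dst=10.10.5.11 dpt=44818 action=allow
2026-03-02T03:16:02Z proto=tcp src=203.0.113.77 spt=40022 dst=10.10.5.12 dpt=22 action=allow
2026-03-02T03:17:30Z proto=tcp src=10.10.40.9 spt=60000 dst=10.10.5.11 dpt=502 action=drop
2026-03-02T03:18:12Z proto=tcp src=10.10.1.20 spt=49900 dst=10.10.5.11 dpt=443 action=allow
2026-03-02T03:19:55Z proto=tcp src=203.0.113.77 spt=40100 dst=10.20.7.3 dpt=22 action=allow
"""

if __name__ == "__main__":
    for flow, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}")
        for r in reasons:
            print("   ", r)
```

Two design points: the rule keys on destination segment, not just destination port, so SSH to an IT server is not flagged while SSH to a PLC is; and an "allow" verdict is escalated separately, because a permitted session on 44818 from outside the engineering VLAN is exactly the condition under which a project file can be pulled or modified. Run it across logs back to January 2025, the start of the period the advisory's indicators cover.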

Impact

The primary impact observed includes extraction of the device’s project file and manipulation of the data displayed on HMI and SCADA interfaces (MITRE ATT&CK T1565, “Stored Data Manipulation”). This manipulation leads directly to operational disruption, which can have severe real-world consequences within critical infrastructure sectors. The IoCs provided in the advisory, including specific IP addresses, are crucial for identifying historical or ongoing activity. These IP addresses, in use between January 2025 and March 2026, were hosted on third-party infrastructure, so a match should be treated as a lead to investigate rather than as proof of compromise on its own, and log searches should reach back to the start of that window.

Actionable Recommendations: Securing Critical Infrastructure PLCs

To safeguard against this and similar threats, organizations, particularly those in critical infrastructure sectors, must prioritize the security of their OT environments. The following recommendations align with CISA and NIST’s Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0).

Immediate Steps for Mitigating Rockwell Automation PLC Threats

Organizations with Rockwell Automation/Allen-Bradley PLCs, including CompactLogix and Micro850, should review Rockwell Automation’s guidance, particularly “SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats.”

  • Disconnect PLCs from the Public-Facing Internet: This is the most critical immediate action. OT systems should never be directly exposed to the internet. Implement a secure gateway or jump host that mediates, monitors, and controls all external access. Ensure any cellular modems used for remote connectivity are strongly authenticated and updated, with logging enabled to detect intrusion.
  • Physical Mode Switch to Run Position: For controllers with a physical mode (key) switch, set it to RUN, which blocks program changes over the network. In REMOTE the mode can be changed from engineering software, so the switch should be in PROGRAM or REMOTE only for the duration of an update and then returned to RUN.
  • Enable Programming Protection: For devices that rely on a software key switch, enable programming protection in the vendor’s PLC configuration software (the advisory cites Siemens S7 via TIA Portal as an example) to limit remote modification.
  • Create and Test Strong Backups: Regularly create and test backups of PLC logic and configurations. Store these offline and secure the physical media for rapid recovery.
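The first step above (no controller reachable from the public internet) is easy to state and easy to get wrong, because a forgotten cellular modem or NAT rule still exposes the controller on 44818. The following is an added example written for this page (not Rockwell's or CISA's code) that checks exposure the way inventory tools and internet scanners do: it sends the unauthenticated EtherNet/IP List Identity request and parses the CIP Identity item in the reply, which names the vendor, device type, product, firmware revision, serial number and state. The embedded reply is constructed, not a capture; the address 192.0.2.10 and the product name are illustrative. Run `probe()` only against address space you own, from an external vantage point and preferably during a maintenance window, since even this read-only request is unexpected traffic to a controller.

```python
"""EtherNet/IP List Identity probe and reply parser (added example)."""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
VENDOR_ROCKWELL = 0x0001   # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley
DEVTYPE_PLC = 0x000E       # CIP device type 0x0E = Programmable Logic Controller
STATE = {0: "Nonexistent", 1: "Self-Testing", 2: "Standby", 3: "Operational",
         4: "Major Recoverable Fault", 5: "Major Unrecoverable Fault"}

# Encapsulation header: command, length, session handle, status, sender context, options.
HEADER = "<HHII8sI"


def build_list_identity_request() -> bytes:
    """24-byte header with no command data; List Identity needs no session."""
    return struct.pack(HEADER, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Decode the CIP Identity item from a List Identity reply."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER, data)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} or status 0x{status:08x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if type_id != ITEM_CIP_IDENTITY:
            continue
        # Socket address is big-endian (network order); everything else is little-endian.
        _family, port, addr = struct.unpack_from(">hH4s", item, 2)
        (vendor, devtype, product, rev_major, rev_minor,
         dev_status, serial) = struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        return {
            "advertised_ip": socket.inet_ntoa(addr),
            "advertised_port": port,
            "vendor_id": vendor,
            "device_type": devtype,
            "product_code": product,
            "revision": f"{rev_major}.{rev_minor}",
            "status_word": dev_status,
            "serial": f"{serial:08x}",
            "product_name": name,
            "state": STATE.get(state, f"unknown({state})"),
            "is_rockwell_plc": vendor == VENDOR_ROCKWELL and devtype == DEVTYPE_PLC,
        }
    raise ValueError("reply carried no CIP Identity item")


def probe(host: str, port: int = ENIP_PORT, timeout: float = 3.0) -> dict:
    """Send List Identity over TCP and parse the answer. Only for hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_identity_request())
        data = s.recv(4096)
    return parse_list_identity_response(data)


def sample_reply() -> bytes:
    """A constructed reply shaped like a CompactLogix answer; not a real capture."""
    name = b"1769-L33ER/B LOGIX5333ER"          # illustrative product name
    item = struct.pack("<H", 1)                  # encapsulation protocol version
    item += struct.pack(">hH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVTYPE_PLC, 0x0085, 31, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([3])   # state 3 = Operational
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    return struct.pack(HEADER, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_list_identity_response(sample_reply())
    for key, value in info.items():
        print(f"{key:16} {value}")
```

If a controller answers this request from outside your perimeter, it is an Internet Accessible Device (T0883) regardless of what the firewall policy says on paper, and the reply tells an attacker the exact model and firmware they are talking to. The same parser is useful inside the plant for building the asset inventory the Monitoring recommendation below depends on.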

Strengthening Long-Term Security Posture

Beyond immediate actions, organizations must build a security posture that holds up against sophisticated APT threats to industrial control systems, one that covers internet-exposed OT devices of every make, not only the Rockwell models named above.

  • Implement Multifactor Authentication (MFA): Enforce MFA for all access to the OT network from external networks. VPN or gateway devices can enable MFA even if the PLC does not natively support it.
  • Network Segmentation and Access Control: Implement network proxies, gateways, firewalls, and/or VPNs in front of PLCs to control network access. Apply security rules to prevent brute-force attacks and implement device control lists for workstations communicating with OT components, monitoring for unexpected access.
  • Patch Management: Keep PLC devices updated with the latest software patches. Prioritize patches for Known Exploited Vulnerabilities even if outside typical downtime windows.
  • Firewall Configuration: Configure external and internal firewalls to block unnecessary ports and protocols on network segments.
  • Disable Unused Features: Disable any unused authentication methods, logic, or features, including default keys and unnecessary services such as Telnet, FTP, RDP, and VNC.
  • Monitoring: Monitor asset management systems for device configuration changes and network traffic for unusual logins or unexpected ICS management protocol functions that alter operating modes or programs.

The Role of Device Manufacturers

Manufacturers of OT devices bear a significant responsibility in building products that are “secure by design and default.” They should adhere to principles such as preventing administrative interfaces from being exposed to the internet by default, not charging extra for basic security features, and supporting MFA, including phishing-resistant methods. This approach minimizes the burden on customers to secure devices “out of the box.”

Validate Security Controls

Organizations should continuously exercise, test, and validate their security programs against the MITRE ATT&CK techniques described in this advisory: select a technique, align the relevant security technologies, test how they perform against it, analyze the results, and tune the program accordingly. This continuous validation is essential for keeping defenses effective against evolving threats such as these Iranian-affiliated APT actors, particularly where Rockwell CompactLogix and Micro850 controllers are in service.
