Iranian-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on U.S. critical infrastructure networks, causing financial losses and operational disruptions since March 2026. A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command warns that the attackers have extracted PLC project files and manipulated HMI/SCADA displays, and it recommends disconnecting PLCs from the Internet and implementing robust OT protections. #CyberAv3ngers #Handala
Key points
- Iranian-affiliated APT actors are exploiting internet-exposed Rockwell/Allen-Bradley PLCs across multiple U.S. critical infrastructure sectors.
- The joint advisory reports extraction of PLC project files and manipulation of data shown on HMI and SCADA systems.
- Previous campaigns include CyberAv3ngers targeting Unitronics PLCs and Handala wiping devices at Stryker.
- Recommended mitigations include disconnecting PLCs from the Internet or firewalling them, applying firmware updates, and disabling unused services and default authentication keys.
- Defenders should implement multifactor authentication for OT access, scan logs for indicators of compromise, and monitor OT ports for suspicious overseas traffic.
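As an added example in the spirit of the last key point (this is not code from the advisory), the Python below parses constructed firewall log lines and flags allowed inbound flows from non-internal source addresses to the EtherNet/IP ports Rockwell/Allen-Bradley PLCs listen on (TCP 44818, UDP 2222). The log format, host name, and addresses are constructed; the documentation-range source addresses stand in for public ones, and no geolocation lookup is attempted.

```python
import ipaddress
import re
from typing import Dict, List

# EtherNet/IP (CIP) ports used by Rockwell/Allen-Bradley PLCs. An allowed
# inbound flow to these from outside the plant network is the exposure the
# advisory warns about, so each one is raised as an alert.
ROCKWELL_PORTS = {("tcp", 44818), ("udp", 2222)}

# Address ranges treated as internal (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample firewall log lines (key=value style, not real traffic).
SAMPLE_LOGS = """\
2026-03-12T04:11:02Z fw01 action=allow proto=tcp src=10.20.5.7 sport=50112 dst=10.20.7.20 dport=44818
2026-03-12T04:11:09Z fw01 action=allow proto=tcp src=203.0.113.45 sport=41322 dst=10.20.7.20 dport=44818
2026-03-12T04:12:30Z fw01 action=allow proto=udp src=198.51.100.9 sport=2222 dst=10.20.7.21 dport=2222
2026-03-12T04:13:01Z fw01 action=allow proto=tcp src=198.51.100.9 sport=41500 dst=10.20.7.21 dport=443
2026-03-12T04:14:15Z fw01 action=deny proto=tcp src=192.0.2.77 sport=51000 dst=10.20.7.20 dport=44818
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into fields; empty dict if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_plc_access(log_text: str) -> List[Dict[str, str]]:
    """Return allowed flows from external sources to Rockwell EtherNet/IP ports."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # skip lines in an unexpected format
        if (rec["proto"].lower(), int(rec["dport"])) in ROCKWELL_PORTS \
                and rec["action"] == "allow" and is_external(rec["src"]):
            alerts.append(rec)
    return alerts
```

Denied flows are left out of the alert list because the block is about exposure that actually succeeded; a separate count of denied attempts is useful for trend monitoring.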