Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Iranian-affiliated APT actors have been exploiting internet-facing programmable logic controllers (PLCs), particularly Rockwell Automation/Allen-Bradley devices, to extract project files and manipulate data on HMI and SCADA displays, causing operational disruption and financial loss across multiple U.S. critical infrastructure sectors. U.S. organizations are urged to review the TTPs and IOCs, remove PLCs from direct internet exposure, implement mitigations (including placing controllers in run mode), and query logs for the provided indicators. #CyberAv3ngers #RockwellAutomation

Keypoints

  • Iran-affiliated APT actors exploited internet-accessible PLCs—notably Rockwell Automation/Allen-Bradley CompactLogix and Micro850 controllers—since at least March 2026, causing disruptions across Government Services, Water and Wastewater Systems, and Energy sectors.
  • Actors used leased overseas infrastructure and Rockwell programming software (e.g., Studio 5000 Logix Designer) to create accepted connections to target PLCs and extract project files.
  • Malicious activity included extraction of PLC project files (.ACD) and manipulation of HMI/SCADA display data, resulting in operational impacts and financial loss for some victims.
  • Inbound traffic and command channels targeted common OT ports (44818, 2222, 102, 22, 502); actors also deployed Dropbear SSH on victim endpoints to enable remote access via port 22.
  • The advisory lists specific IP addresses used by the actors (e.g., 135.136.1.133; 185.82.73.162–171) and urges organizations to query logs for historical or current activity before blocking.
  • Mitigations include removing direct internet exposure (use secure gateways/jump hosts), enabling programming protection and physical run-mode switches, implementing MFA and VPNs/gateways, patching devices, and monitoring for unusual OT traffic and logins.

MITRE Techniques

  • [T0883] Internet Accessible Device – Actors used Rockwell programming software to access and interact with publicly exposed PLCs. (‘The actors used Rockwell Automation’s programming software (such as Studio 5000 Logix Designer) to access and interact with publicly exposed, internet-accessible PLCs installed and deployed without sufficient network and/or hardening security controls.’)
  • [T0885] Commonly Used Port – Actors communicated with PLCs over commonly used OT ports to reach and control devices. (‘The actors used commonly used OT ports to communicate with PLCs.’)
  • [T1219] Remote Access Tools – Actors deployed Dropbear SSH on victim endpoints to enable remote access through port 22. (‘The actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22.’)
  • [T1565] Stored Data Manipulation – Actors extracted and maliciously interacted with PLC project files and altered HMI/SCADA display data. (‘The actors maliciously interacted with project files and altered data displayed on HMI and SCADA displays.’)

Indicators of Compromise

  • [IP address] IPs observed communicating with targeted PLCs in specified time frames – 135.136.1.133, 185.82.73.162, and 6 more IPs (185.82.73.164–185.82.73.171).
  • [Port] Targeted/inbound ports associated with OT device access and C2 – 44818, 22, and other ports including 2222, 102, and 502.
  • [File name] Extracted PLC project file type used by Rockwell devices – .ACD (project file containing ladder logic and configuration settings).
  • [Tool] Remote access software deployed on victim endpoints – Dropbear SSH (enables remote access via port 22).
  • [Device model] Targeted PLC models observed in incidents – CompactLogix, Micro850 (Rockwell Automation/Allen-Bradley controllers).
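The keypoints and the IOC list above both ask defenders to search logs for the listed IPs and for unusual traffic to OT ports before blocking anything. The script below is an added example and is not part of the CISA advisory or of this summary: it takes the IOC IPs (135.136.1.133 and the 185.82.73.162–171 range, as stated in the keypoints) and the OT ports named above, and runs two detection rules over a handful of constructed firewall log lines. The log line format, the internal CIDR ranges, the 10.20.30.0/24 "OT network" and every sample line are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator IPs as given in the advisory summary above: 135.136.1.133 and the
# 185.82.73.162-171 range. Everything else in this script is constructed.
IOC_IPS = {"135.136.1.133"} | {f"185.82.73.{n}" for n in range(162, 172)}

# Ports the advisory names as targeted OT/command channels.
OT_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (implicit I/O)",
    102: "S7comm",
    22: "SSH (Dropbear deployed by the actors)",
    502: "Modbus/TCP",
}

# Hypothetical firewall log line format (an assumption, not a real vendor format):
#   <timestamp> <ACCEPT|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict, internal_nets) -> Optional[str]:
    """Return why a record is suspicious, or None if it looks benign.

    Rule 1: any traffic, accepted or denied, from an advisory IOC IP.
    Rule 2: an accepted session from a non-internal source to an OT port,
            i.e. the direct internet exposure the advisory warns about.
    """
    if rec["src"] in IOC_IPS:
        return "source matches advisory IOC IP"
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in internal_nets):
        return None
    if rec["action"] == "ACCEPT" and rec["dport"] in OT_PORTS:
        return f"external source reached OT port {rec['dport']} ({OT_PORTS[rec['dport']]})"
    return None


def scan_logs(lines, internal_cidrs=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")) -> List[Finding]:
    """Run both rules over an iterable of log lines and return findings in log order."""
    internal_nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production scanner would count these
        reason = classify(rec, internal_nets)
        if reason:
            findings.append(Finding(rec["ts"], rec["action"], rec["src"], rec["dst"], rec["dport"], reason))
    return findings


# Constructed sample log lines (not real data); 10.20.30.0/24 plays the OT network.
SAMPLE_LOGS = [
    "2026-04-01T10:00:00Z ACCEPT src=185.82.73.165:51234 dst=10.20.30.40:44818 proto=tcp",
    "2026-04-01T10:00:05Z ACCEPT src=192.168.1.15:49000 dst=10.20.30.40:44818 proto=tcp",
    "2026-04-01T10:01:10Z ACCEPT src=203.0.113.7:40000 dst=10.20.30.41:502 proto=tcp",
    "2026-04-01T10:02:00Z DENY src=135.136.1.133:43210 dst=10.20.30.40:22 proto=tcp",
    "2026-04-01T10:03:00Z ACCEPT src=198.51.100.9:50000 dst=10.20.30.50:443 proto=tcp",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.ts} {f.action} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Of the six sample lines, three are reported: the accepted EtherNet/IP session from an IOC address, the accepted Modbus/TCP session from an unlisted external address (rule 2 catches exposure even when the source is not a known indicator, which matters because the advisory notes the actors used leased infrastructure), and the denied SSH attempt from an IOC address, which is kept because the advisory asks for historical activity as well as current. The internal engineering-workstation session to port 44818 and the external HTTPS session are ignored.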

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a