Iranian-linked state-backed hackers have targeted thousands of Internet-exposed Rockwell Automation/Allen-Bradley PLCs since March 2026, causing operational disruptions and financial losses in U.S. critical infrastructure networks. Federal agencies reported attackers extracted PLC project files and manipulated HMI/SCADA displays, and they advise disconnecting PLCs from the Internet, enforcing MFA, patching devices, and monitoring OT ports for suspicious overseas traffic. #RockwellAutomation #CyberAv3ngers
Key points
- Iranian state-backed groups have been exploiting Internet-exposed Rockwell/Allen-Bradley PLCs since March 2026.
- Attackers extracted device project files and manipulated HMI and SCADA displays, disrupting operations.
- Censys found 5,219 hosts responding on EtherNet/IP (EIP) globally, with 74.6% located in the United States.
- Mitigations include disconnecting PLCs from the Internet or placing them behind firewalls, enforcing MFA, and patching devices.
- The campaign follows prior Iranian-linked operations such as CyberAv3ngers and Handala targeting OT and enterprise systems.