Severity
High
Analysis Summary
U.S. federal agencies, including the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command, have issued an urgent warning regarding the ongoing cyber exploitation of internet-connected operational technology (OT) devices, particularly Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors. These attacks have involved malicious manipulation of project files and of data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, leading to operational disruptions and, in some cases, financial losses. Given the widespread use of these devices, organizations are urged to review the tactics, techniques, and procedures (TTPs) outlined in the advisory.
According to CISA, the threat actors are assessed to be Iranian-affiliated advanced persistent threat (APT) groups, likely linked to the Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command. These actors have previously targeted PLCs through campaigns such as the CyberAv3ngers operation, which compromised at least 75 devices, including Unitronics PLCs in U.S. water and wastewater systems. Since March 2026, ongoing attacks have targeted internet-accessible PLCs deployed across the Government Services, Energy, and Water and Wastewater Systems sectors, with the intent to disrupt operations by modifying HMI/SCADA data or manipulating PLC project files. These campaigns are part of a broader escalation of Iranian cyber operations against U.S. organizations in response to geopolitical hostilities.
Technical analysis shows that threat actors have leveraged overseas-based infrastructure and Studio 5000 Logix Designer software to gain initial access to internet-facing Rockwell PLCs, targeting both CompactLogix and Micro850 models. Command and control traffic has been observed on ports 44818, 2222, 102, 22, and 502, with Dropbear SSH deployed to enable remote access. Impacts include unauthorized extraction of PLC project files and manipulation of operational data on HMI and SCADA systems. The advisory maps these activities to MITRE ATT&CK for Enterprise tactics, highlighting techniques such as T0883 (initial access to OT devices), T0885 (command and control via OT protocols), T1219 (remote access via SSH), and T1565 (data manipulation).
To mitigate risks, organizations are advised to immediately disconnect PLCs from public networks, secure remote connectivity through jump hosts, enforce physical or software-based program protection, maintain offline backups of PLC logic, and implement multifactor authentication for OT network access. Additional steps include deploying VPNs, firewalls, and network monitoring to prevent unauthorized access, updating PLC firmware, disabling unused services, and monitoring for abnormal logins or protocol activity. Device manufacturers are also urged to adopt secure-by-design principles, change default settings, and support MFA without additional cost. Organizations are encouraged to continuously validate and test their security controls against the ATT&CK techniques outlined in the advisory to ensure operational resilience against these sophisticated cyber threats.
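The port list and the SSH-based remote access described above translate directly into a network-monitoring check (the "abnormal logins or protocol activity" the mitigations call for). The following is an added example, not code from the advisory or from any of the issuing agencies: it scans constructed flow records for sessions that reach a PLC on one of the listed ports from outside the internal address ranges, and separately counts repeated external SSH connections per source. The internal CIDRs, the PLC inventory and the flow-record layout are all assumptions.

```python
import ipaddress
from collections import Counter

# Ports the advisory associates with the C2 traffic: EtherNet/IP (44818, 2222),
# S7comm (102), SSH (22, used with the deployed Dropbear), Modbus/TCP (502).
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP", 102: "S7comm",
            22: "SSH", 502: "Modbus/TCP"}

# Assumed: the OT segment uses RFC1918 space; anything else is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not from the advisory): "timestamp src sport dst dport proto".
# External source addresses use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
FLOWS = """\
2026-03-02T10:00:01Z 10.20.0.5 51000 10.20.0.10 44818 tcp
2026-03-02T10:00:05Z 203.0.113.7 40001 10.20.0.10 44818 tcp
2026-03-02T10:00:09Z 203.0.113.7 40002 10.20.0.10 22 tcp
2026-03-02T10:00:10Z 203.0.113.7 40003 10.20.0.10 22 tcp
2026-03-02T10:00:11Z 203.0.113.7 40004 10.20.0.10 22 tcp
2026-03-02T10:00:20Z 198.51.100.9 40500 10.20.0.11 502 tcp
2026-03-02T10:01:00Z 10.20.0.6 52000 10.20.0.50 443 tcp
""".splitlines()
PLC_HOSTS = {"10.20.0.10", "10.20.0.11"}   # assumed asset inventory of PLC addresses

def is_external(ip: str) -> bool:
    """True when the address lies outside the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def find_exposed_plc_sessions(lines, plc_hosts):
    """Flag flows that reach a PLC on an OT/C2 port from outside the internal ranges."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f["dst"] in plc_hosts and f["dport"] in OT_PORTS and is_external(f["src"]):
            hits.append((f["ts"], f["src"], f["dst"], OT_PORTS[f["dport"]]))
    return hits

def repeated_ssh_sources(lines, plc_hosts, threshold=3):
    """Count external SSH connections per source to any PLC; return those at or over threshold."""
    counts = Counter(f["src"] for f in map(parse_flow, lines)
                     if f["dst"] in plc_hosts and f["dport"] == 22 and is_external(f["src"]))
    return {src: n for src, n in counts.items() if n >= threshold}
```

Any hit from find_exposed_plc_sessions means a PLC is reachable from the internet on a protocol port, which is the exposure the advisory says to remove first; the SSH count is the trigger for the "block repeated login attempts" rule.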
Impact
- Gain Access
- Operational Disruptions
- Financial Loss
Indicators of Compromise
IP
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect PLCs from the public-facing internet.
- Remove inbound port exposure and route remote access through a secure gateway or jump host.
- Secure cellular modems with strong authentication and enable logging to detect intrusions.
- Place physical mode switches on PLCs in run position to prevent remote modifications.
- Enable programming protection in PLC configuration software to restrict remote modifications.
- Create and maintain strong offline backups of PLC logic and configuration files.
- Implement multifactor authentication (MFA) for external OT network access.
- Use network proxies, VPNs, firewalls, or gateways to control remote access to PLCs.
- Configure security rules to block repeated login attempts and restrict device access.
- Keep PLC devices updated with the latest manufacturer software patches.
- Block unnecessary network ports and protocols via internal and external firewalls.
- Disable unused authentication methods, services, and features (e.g., Telnet, FTP, RDP, VNC, web services).
- Monitor asset management systems for unauthorized configuration changes.
- Monitor network traffic for unusual logins or unexpected protocol activity.
- Regularly test and validate security controls against MITRE ATT&CK techniques.
- Tune security policies, processes, and technologies based on test results.
- Engage in continuous cybersecurity exercises and incident response drills.
- Consider using CISA’s Cyber Hygiene Services for scanning and vulnerability assessment.
- Device manufacturers: implement secure-by-design principles in products.
- Device manufacturers: change default settings to prevent exposing administrative interfaces.
- Device manufacturers: provide basic security features without extra costs.
- Device manufacturers: support MFA, including phishing-resistant methods, by default.