Iranian Threat Actors Disrupt US Critical Infrastructure Via Exposed PLCs
Summary
US cyber agencies have issued a joint advisory warning that Iran-affiliated advanced persistent threat (APT) actors have been exploiting Internet-exposed operational technology (OT) devices — notably Rockwell Automation/Allen-Bradley PLCs — to disrupt critical infrastructure. The campaign, observed in the weeks following US–Iran kinetic strikes, targeted energy, water/wastewater and government facilities. Attackers used leased third-party infrastructure and legitimate configuration tools (e.g., Studio 5000 Logix Designer) to create accepted connections to CompactLogix and Micro850 controllers, manipulated PLC project files, and tampered with HMI/SCADA displays. In some instances the activity caused operational disruption and financial loss.
The advisory, co‑authored by CISA, FBI, NSA, EPA, DOE and USCYBERCOM, notes the use of ports commonly associated with OT protocols (44818, 2222, 102, 502 and others; T0885 is the MITRE ATT&CK for ICS technique ID for this behaviour, not a port) and deployment of Dropbear SSH on victim endpoints to maintain remote access. Behaviour resembles prior PLC attacks attributed to pro‑Iran groups such as CyberAv3ngers.
Key Points
- Iran-affiliated APT actors have targeted Internet-facing PLCs across energy, water/wastewater and government sectors.
- Primary targets included Rockwell/Allen‑Bradley CompactLogix and Micro850 controllers; attackers used Studio 5000 Logix Designer to establish connections.
- Observed tactics: manipulation of PLC project files and tampering with HMI/SCADA displays — causing operational disruption and financial loss in some cases.
- Malicious traffic was observed on OT-related ports (44818, 2222, 102, 22 and 502; T0885 is the ATT&CK for ICS technique ID, not a port); Dropbear SSH was deployed to maintain remote access.
- Activity mirrors past PLC intrusions (e.g., CyberAv3ngers) and comes amid heightened US–Iran hostilities.
- CISA recommends removing PLCs from direct Internet exposure, deploying secure gateways/firewalls, checking logs for IoCs and suspicious overseas hosting traffic, and setting physical controller switches to the correct mode.
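The log-hunting step CISA recommends (checking firewall or flow logs for traffic to the listed ports from hosting providers that should never reach a controller) can be expressed as a small detection script. The example below is added here and is not from the article or the advisory: the key=value log format, the sample log lines, the internal engineering-workstation allowlist and the addresses (all from documentation ranges) are constructed, and the protocol names beside each port are the standard assignments rather than something the advisory states. It flags accepted connections from non-allowlisted external sources as critical, blocked external probes as scans, and unexpected internal sources as worth review, then counts the external sources so they can be checked against the advisory's IoCs.

```python
"""Hunt firewall/flow-style log lines for connections to the OT ports named in
the advisory from hosts that should not be talking to controllers."""
import ipaddress
import re
from collections import Counter

# Ports the advisory lists as commonly associated with OT protocols, labelled
# with their standard protocol assignments (assumption: not stated by the advisory).
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O (CIP)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH (Dropbear was deployed on victims to keep remote access)",
}

# Hypothetical allowlist: the engineering-workstation subnet permitted to reach
# controllers. Replace with your own ranges.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# RFC 1918 ranges treated as "internal". Checked explicitly rather than via
# ipaddress.is_private, which also returns True for the documentation ranges
# used in the constructed sample below.
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed key=value log format for this example; real firewalls differ.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)

# Constructed sample log lines (not from the advisory; addresses are TEST-NET).
SAMPLE_LOG = """\
src=10.20.0.15:51000 dst=10.50.1.7:44818 proto=tcp action=accept
src=203.0.113.45:40012 dst=10.50.1.7:44818 proto=tcp action=accept
src=203.0.113.45:40013 dst=10.50.1.7:44818 proto=tcp action=accept
src=198.51.100.9:3333 dst=10.50.1.9:502 proto=tcp action=accept
src=198.51.100.9:3334 dst=10.50.1.9:22 proto=tcp action=accept
src=192.0.2.77:60000 dst=10.50.1.7:102 proto=tcp action=drop
src=10.30.4.2:55555 dst=10.50.1.8:2222 proto=udp action=accept
src=203.0.113.45:40020 dst=10.50.1.7:443 proto=tcp action=accept
"""


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def parse_line(line):
    """Parse one log line into an event dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"],
        "action": d["action"].lower(),
    }


def classify(event):
    """Return a severity label for an event, or None if it is not of interest."""
    if event["dport"] not in OT_PORTS:
        return None
    src = event["src"]
    if _in_any(src, ALLOWED_SOURCES):
        return None
    if _in_any(src, INTERNAL_RANGES):
        return "review"      # internal host outside the allowlist reached a controller
    if event["action"] == "accept":
        return "critical"    # external host was allowed to reach an OT port
    return "scan"            # external probe that the firewall blocked


def hunt(log_text):
    """Return a list of findings for every line that classify() marks as interesting."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        severity = classify(event)
        if severity:
            findings.append({
                "severity": severity,
                "src": str(event["src"]),
                "dst": str(event["dst"]),
                "dport": event["dport"],
                "service": OT_PORTS[event["dport"]],
            })
    return findings


def external_sources(findings):
    """Count critical findings per external source IP, ready for IoC lookup or blocking."""
    return Counter(f["src"] for f in findings if f["severity"] == "critical")


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:8}] {f['src']} -> {f['dst']}:{f['dport']} ({f['service']})")
    print("external sources with accepted OT connections:", dict(external_sources(results)))
```

Any external address that shows up in the critical list is a candidate for comparison against the advisory's IoCs and for an immediate firewall deny; a "review" hit means a host inside the plant that is not an engineering workstation is talking to a controller, which is worth explaining before dismissing.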
Content summary
The article summarises a joint US government advisory about a campaign in which Iranian‑aligned actors accessed Internet‑exposed PLCs to manipulate files and displays and disrupt operations. Agencies observed malicious use of legitimate vendor tools and leased hosting to make accepted connections to controllers. The advisory lists affected device types, the network ports used, and indicators of compromise (IoCs). It urges immediate mitigations — removing direct Internet connectivity, monitoring logs for specific ports and overseas IPs, and contacting agencies and Rockwell Automation if compromise is suspected.
Experts quoted stress that Internet‑reachable OT is an inherent design flaw: exposure invites abuse whether by nation‑states or opportunistic actors. The alert includes practical guidance (e.g., place Rockwell controllers’ physical mode switches in ‘run’) and IoCs for incident hunts.
Context and relevance
This advisory is important because it underscores two persistent trends: nation‑state actors are increasingly willing to target OT to cause real‑world disruption, and many operational environments remain misconfigured with controllers directly reachable from the Internet. For infrastructure operators, system integrators and security teams, the advisory is a timely reminder to re‑examine network architecture, enforce strong segmentation, and apply the simple mitigations CISA recommends now.
For cyber defenders and decision makers, the incident ties into larger geopolitics — attacks surged with kinetic escalations — but the root problem is technical and fixable: remove public exposure, monitor the listed ports and IoCs, and coordinate with vendors and authorities if you see signs of compromise.
Why should I read this?
Short version: if you run, secure or depend on critical infrastructure — this is a direct hit to your playbook. It tells you what attackers used, which devices and ports to check, and exactly what CISA recommends you do immediately. No fluff — just the bits you need to decide whether you should be running an emergency hunt or a patch-and-segment job this afternoon.
Author style
Punchy. The piece highlights urgent, actionable intelligence from multiple US agencies — read the details if you manage OT or advise organisations that do. For general readers, it’s a concise snapshot of how nation‑state cyber operations are moving from espionage to tangible disruption.
