Full Report
Iranian-affiliated threat actors are actively targeting internet-exposed ICS (industrial control systems), with new Censys research highlighting how widely... The post Censys warns systemic exposure of Rockwell PLCs enable Iran-linked targeting of critical infrastructure OT networks appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Iranian-affiliated Threat Actors
## Attribution & Identity
- **Actor Identification:** Groups affiliated with the Iranian government/military.
- **Aliases:** Not explicitly named in the text, but identified by Censys and U.S. agencies (CISA, FBI, NSA) as "Iranian-affiliated cyber actors."
- **Known Associations:** Linked to broad campaigns targeting critical infrastructure and Industrial Control Systems (ICS).
## Activity Summary
- **Current Campaign:** Systematic probing and exploitation of internet-exposed Rockwell Automation Allen-Bradley PLCs.
- **Key Findings:** Censys identified 5,219 exposed hosts globally (port 44818), with actors actively interacting with these devices to manipulate industrial processes.
- **Strategy:** Moving away from custom malware toward "Living off the Land" (LotL) in OT environments using legitimate engineering software.
## Tactics, Techniques & Procedures
- **Living off the Land (LotL):** Using legitimate vendor software to blend with routine engineering workflows.
- **Protocol Probing:** Conducting reconnaissance on specific industrial ports:
  - EtherNet/IP (Port 44818)
  - Modbus (Port 502)
  - Siemens S7 (Port 102)
- **Unauthorized Access:** Directly interacting with PLC project files via Rockwell Studio 5000 Logix Designer.
- **Data Manipulation:** Altering HMI (Human Machine Interface) and SCADA display data.
- **Logic Alteration:** Native functionality used to extract or modify control logic.
## Targeting
- **Sectors:** Critical Infrastructure, Industrial Automation, Manufacturing, Water/Wastewater, Energy.
- **Geography:**
  - **United States:** Primary target (74.6% of global exposure).
  - **Other Regions:** Spain, Taiwan, Italy, and Iceland.
- **Victims:** Specific entities not named, but users of **Rockwell Automation Allen-Bradley** families (CompactLogix and Micro850).
## Tools & Infrastructure
- **Legitimate Software:** Rockwell Studio 5000 Logix Designer.
- **Hardware Targets:** Rockwell Automation/Allen-Bradley PLCs (CompactLogix, Micro850).
- **Communication Ports:** 44818 (EtherNet/IP), 502 (Modbus), 102 (Siemens S7).
- **Infrastructure:** Public internet-exposed OT assets used as entry points.
## Implications
- **Reduced Barrier to Entry:** Because the actors rely on legitimate engineering tools rather than zero-day exploits or custom malware, the skill and resources needed for a successful disruption are lower.
- **Detection Challenges:** Malicious actions are difficult to distinguish from legitimate maintenance or engineering updates.
- **Systemic Risk:** The high concentration of exposed devices in the U.S. creates a wide attack surface for geopolitical adversaries to trigger operational downtime or physical disruption.
## Mitigations
- **Network Segmentation:** Disconnect PLCs and OT devices from the public-facing internet.
- **Access Control:** Implement robust authentication for all engineering software and remote access portals.
- **Defense-in-Depth:** Use firewalls to block unauthorized traffic on ports 44818, 502, and 102.
- **Hardening:** Follow "Secure-by-Design" principles and vendor-specific hardening guides for Allen-Bradley devices.
- **Monitoring:** Implement OT-specific monitoring to detect unauthorized use of legitimate engineering tools or logic changes.
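As an added illustration of the monitoring and firewall items above (example code written for this summary, not from the report or from Censys): a small detector over a constructed Zeek-style conn log that flags any session to the three ICS ports named in the report unless it comes from an allowlisted engineering workstation, separating internet-sourced sessions from unapproved internal ones. The allowlist, the internal address range and the log lines are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports named in the report, mapped to the protocol each carries.
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus", 102: "Siemens S7"}

# Constructed allowlist: hosts permitted to run engineering software against PLCs.
ENGINEERING_HOSTS = {"10.10.5.20"}

# Constructed internal range; anything outside it is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed Zeek-style conn log excerpt (tab-separated): ts, id.orig_h, id.resp_h, id.resp_p.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p
1700000000.1\t10.10.5.20\t10.10.7.11\t44818
1700000000.2\t203.0.113.45\t10.10.7.11\t44818
1700000000.3\t10.10.3.77\t10.10.7.12\t502
1700000000.4\t198.51.100.9\t10.10.7.13\t102
1700000000.5\t10.10.5.20\t10.10.7.11\t443
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str  # "internet_source" or "unapproved_internal_source"


def classify_source(src: str) -> Optional[str]:
    """Return a finding reason for src, or None if it is an approved engineering host."""
    if src in ENGINEERING_HOSTS:
        return None
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in INTERNAL_NETS):
        return "unapproved_internal_source"
    return "internet_source"


def find_unapproved_ot_sessions(log_text: str) -> List[Finding]:
    """Flag sessions to ICS ports whose source is not an allowlisted engineering host."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split("\t")[:4]
        protocol = OT_PORTS.get(int(port))
        if protocol is None:
            continue  # not one of the ICS protocol ports the report calls out
        reason = classify_source(src)
        if reason is not None:
            findings.append(Finding(ts, src, dst, protocol, reason))
    return findings
```

Sessions from the allowlisted workstation are accepted here; a real deployment would also baseline the allowed hosts' own EtherNet/IP activity so that an attacker operating from a compromised engineering workstation still stands out.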