Full Report
The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. [...]
Analysis Summary
# Incident Report: Targeted Campaigns Against US Industrial Infrastructure (PLC Exposure)
## Executive Summary
Multiple U.S. federal agencies have warned of an escalated cyber campaign by Iranian state-sponsored actors targeting Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). The attacks exploit internet-exposed industrial control systems (ICS) to disrupt operations, manipulate data on HMI/SCADA displays, and extract sensitive project files. As of April 2026, nearly 4,000 devices in the United States remain exposed, posing a significant risk to critical infrastructure.
## Incident Details
- **Discovery Date:** March 2026 (Ongoing)
- **Incident Date:** Active since March 2026
- **Affected Organization:** Multiple U.S. Critical Infrastructure entities (including Water/Wastewater and Medical)
- **Sector:** Critical Infrastructure / Operational Technology (OT)
- **Geography:** United States (74.6% of global exposure)
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026 – Present
- **Vector:** Exploitation of internet-exposed EtherNet/IP (EIP) ports.
- **Details:** Attackers target Rockwell Automation/Allen-Bradley devices that are connected directly to the internet, many of them reachable through cellular modems and carrier ASNs.
### Lateral Movement
- **Details:** While the report focuses on direct PLC interaction, previous Iranian campaigns (e.g., CyberAv3ngers) have demonstrated movement within OT networks once initial device access is achieved.
### Data Exfiltration/Impact
- **Details:** Extraction of PLC project files and manipulation of technical data on Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays.
### Detection & Response
- **Discovery:** FBI and CISA identified a spike in malicious activity linked to Iranian APTs, likely retaliatory activity tied to geopolitical tensions with the U.S. and Israel.
- **Response Actions:** Joint advisory issued April 2026; recommendations for immediate disconnection of exposed PLCs.
## Attack Methodology
- **Initial Access:** Scanning and exploitation of internet-facing Industrial Control Systems (ICS).
- **Persistence:** Not explicitly specified in the report; typically achieved through compromised credentials or unremediated vulnerabilities.
- **Discovery:** Passive and active reconnaissance for exposed EtherNet/IP (EIP) services, using internet scanning services such as Censys and Shodan.
- **Collection:** Extraction of device project files containing logic and configuration.
- **Impact:** Operational disruption via HMI/SCADA display manipulation; potential for "wiping" behavior (as seen in Handala/Stryker incidents).
## Impact Assessment
- **Financial:** Reported financial losses resulting from operational downtime.
- **Data Breach:** Extraction of proprietary industrial project files and device configurations.
- **Operational:** Disruption of critical utilities (Water/Wastewater) and medical device availability.
- **Reputational:** High public concern regarding the vulnerability of national critical infrastructure to foreign state actors.
## Indicators of Compromise
- **Network Indicators:**
  - Traffic on EtherNet/IP port 44818 originating from foreign hosting providers.
  - Unexplained connections to foreign-based IP addresses (e.g., Iranian-originating ASNs - [defanged]).
- **Behavioral Indicators:**
  - Unauthorized logins to HMI/SCADA interfaces.
  - Unusual modifications to PLC logic or project file transfers.
  - Display of political messaging or manipulated sensor data on HMIs.
## Response Actions
- **Containment:** Agencies recommend isolating PLCs behind firewalls or completely disconnecting them from the public internet.
- **Eradication:** Changing all default credentials and updating PLC firmware to the latest versions.
- **Recovery:** Restoration of device project files from offline backups to ensure logic integrity.
## Lessons Learned
- **Persistent Exposure:** Nearly 4,000 critical devices remain directly accessible on the public internet despite years of warnings about OT security.
- **Geopolitical Correlation:** Cyberattacks on infrastructure continue to serve as a primary tool for Iranian retaliation in physical conflicts.
- **Cellular Risk:** A significant portion of exposed devices are connected via cellular modems, which often bypass traditional enterprise security perimeter controls.
## Recommendations
- **Network Hardening:** Ensure all PLCs sit behind a VPN or hardware firewall; disable port forwarding for EIP (TCP 44818).
- **Authentication:** Implement Multi-Factor Authentication (MFA) for all remote access to the OT environment.
- **Monitoring:** Scan logs for unauthorized PLC project file reads/writes and monitor OT ports for traffic from unexpected geographic regions.
- **Credential Management:** Audit all OT systems for default usernames/passwords and enforce complex password policies.
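The network indicator above (EtherNet/IP traffic on port 44818 from hosts outside the OT environment) and the monitoring recommendation can be turned into a simple detection over flow or firewall logs. The following is an added example, not code from the report or from any agency or vendor; the allow-listed source ranges, PLC asset addresses, and log lines are all constructed for illustration.

```python
"""Flag EtherNet/IP (TCP 44818) flows that reach known PLCs from sources
that are not on the OT allow-list. Sample data is constructed, not real."""
import ipaddress
from dataclasses import dataclass

EIP_PORT = 44818  # EtherNet/IP explicit-messaging port named in the report

# Assumption: only these ranges are permitted to speak EtherNet/IP to PLCs
# (the OT VLAN and the engineering workstation subnet).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16"),   # OT VLAN
                   ipaddress.ip_network("10.50.7.0/24")]    # engineering WS

# Assumption: PLC addresses come from the defender's own asset inventory.
PLC_ASSETS = {"10.20.1.11", "10.20.1.12"}

# RFC 1918 space, used only to label an alert as internal vs. external.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall/NetFlow-style records: ts src dst dport proto
SAMPLE_FLOWS = """\
2026-04-02T03:14:07Z 10.50.7.21 10.20.1.11 44818 tcp
2026-04-02T03:15:22Z 10.99.4.9 10.20.1.12 44818 tcp
2026-04-02T03:16:40Z 203.0.113.45 10.20.1.11 44818 tcp
2026-04-02T03:17:01Z 198.51.100.77 10.20.1.12 44818 tcp
2026-04-02T03:18:55Z 203.0.113.45 10.20.1.11 443 tcp
2026-04-02T03:19:30Z 10.50.7.21 10.20.1.99 44818 tcp
"""

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str  # "external" or "unknown-internal"

def is_allowed_source(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)

def detect_exposed_eip(log_text):
    """Return one Alert per EIP flow to a known PLC from a non-allow-listed source."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        if proto != "tcp" or int(dport) != EIP_PORT or dst not in PLC_ASSETS:
            continue  # not EtherNet/IP to a PLC we track
        if is_allowed_source(src):
            continue  # expected engineering/OT traffic
        internal = any(ipaddress.ip_address(src) in n for n in RFC1918)
        alerts.append(Alert(ts, src, dst, "unknown-internal" if internal else "external"))
    return alerts
```

Feeding real flow exports in place of `SAMPLE_FLOWS` gives a first-pass list of hosts that can reach PLCs over EIP; any "external" hit means the device is effectively internet-exposed and should be isolated as the report recommends.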