Full Report
U.S. cybersecurity agencies on Tuesday warned of ongoing cyber exploitation of internet-connected OT (operational technology) devices, including programmable... The post Ongoing cyberattacks targeting internet-connected PLCs disrupt US critical infrastructure, agencies warn appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Ongoing Iranian-Affiliated APT Targeting of U.S. PLCs
## Executive Summary
Multiple U.S. cybersecurity agencies have issued a joint warning regarding ongoing exploitation of internet-connected Operational Technology (OT) devices by Iranian-affiliated APT actors. The attackers are targeting programmable logic controllers (PLCs), primarily Rockwell Automation (Allen-Bradley) controllers, through interfaces that are reachable directly from the public internet. These attacks have caused operational disruptions and financial losses across critical infrastructure sectors including water, energy, and government facilities.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** Ongoing; activity observed commencing as early as March (year not stated in the excerpt; article published 2026)
- **Affected Organization:** Multiple U.S. Critical Infrastructure entities
- **Sector:** Water and Wastewater Systems (WWS), Energy, Government Facilities/Municipalities
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Activity commencing as early as March (year not stated in the excerpt)
- **Vector:** Internet-exposed OT devices and weak configurations
- **Details:** Attackers identify and target PLCs (notably Rockwell Automation/Allen-Bradley) that are directly accessible via the public internet.
### Lateral Movement
- **Details:** No movement between victim hosts is described. After reaching the PLC, the actors interact with it directly from leased, third-party hosted infrastructure using legitimate engineering software (e.g., Rockwell Automation's Studio 5000 Logix Designer), the same tooling a plant engineer would use to open, edit and download project files.
### Data Exfiltration/Impact
- **Details:** The actors maliciously interact with project files and manipulate data displayed on Human Machine Interface (HMI) and SCADA systems. This results in the disruption of industrial automation processes.
### Detection & Response
- **Discovery:** Identified through federal engagements with victim organizations and monitoring of overseas-based IP addresses.
- **Response Actions:** Joint advisory issued by FBI, CISA, NSA, EPA, DOE, and CNMF; victim notification and remediation guidance provided for Rockwell Automation systems.
## Attack Methodology
- **Initial Access:** Exploitation of internet-facing PLCs and devices with default or weak credentials/configurations.
- **Persistence:** Not explicitly detailed. The leased infrastructure serves as the actors' operating platform rather than an implant on the victim; as long as the device remains internet-exposed with unchanged credentials, the actors can simply reconnect.
- **Privilege Escalation:** Not explicitly detailed; the actors obtain unauthorized access to project files through the exposed interface rather than by escalating privileges on a host.
- **Defense Evasion:** Use of overseas-based IP addresses and third-party hosted infrastructure to mask origin.
- **Credential Access:** Leveraging weak or default security settings on exposed OT devices.
- **Discovery:** Scanning for internet-connected industrial hardware (PLCs).
- **Lateral Movement:** None described. Changes seen on SCADA/HMI screens result from manipulating the compromised PLC itself, whose tags those systems display.
- **Collection:** Gathering of industrial project files and system configuration data.
- **Exfiltration:** Not the primary focus; focus is on disruption.
- **Impact:** Manipulation of HMI/SCADA displays and disruption of physical processes/automation.
## Impact Assessment
- **Financial:** Reported financial losses for several victims due to downtime and remediation.
- **Data Breach:** Compromise of proprietary industrial project files and system configurations.
- **Operational:** Significant disruption to critical automation processes in water and energy sectors.
- **Reputational:** Public concern regarding the security of municipal water and local government services.
## Indicators of Compromise
- **Network indicators:** Multiple overseas-based IP addresses connecting to PLC service ports; the source excerpt does not list specific addresses.
- **File indicators:** Unauthorized modifications to PLC project files; presence of Studio 5000 Logix Designer activity from unrecognized sources.
- **Behavioral indicators:** Unexpected changes in SCADA/HMI data visualizations and unauthorized PLC stop/start commands.
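The network indicator above reduces, in practice, to one question: has any source outside your engineering allowlist reached an EtherNet/IP port on a PLC? The following detector is an added example (not code from the advisory or Industrial Cyber) that answers it over firewall connection logs. The key-value log format, the internal and allowlisted address ranges, and the sample lines are all constructed for the example; the port numbers are the standard EtherNet/IP ports used by Rockwell/Allen-Bradley controllers (TCP 44818 for explicit messaging, which is what Studio 5000 uses, UDP 44818 for ListIdentity discovery, UDP 2222 for implicit I/O).

```python
"""Flag connections to EtherNet/IP (CIP) ports on PLCs from sources that are
either outside the enterprise address space or outside the engineering allowlist.

Added example: log format, address ranges and sample lines are constructed.
"""
import ipaddress
import re

# Standard EtherNet/IP ports: TCP 44818 explicit messaging (Studio 5000 uses this),
# UDP 44818 ListIdentity discovery, UDP 2222 implicit (I/O) messaging.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Assumed enterprise address space; anything else is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist: engineering workstation VLAN and the VPN client pool.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.0/24"),
                   ipaddress.ip_network("10.99.0.0/24")]

# Constructed key-value connection-log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

# Constructed sample log; 10.20.30.x are the PLCs.
SAMPLE_LOG = """\
2026-03-10T02:14:07Z src=10.20.40.15 dst=10.20.30.5 proto=tcp dport=44818 action=allow
2026-03-10T02:15:41Z src=203.0.113.45 dst=10.20.30.5 proto=tcp dport=44818 action=allow
2026-03-10T02:16:02Z src=198.51.100.9 dst=10.20.30.5 proto=udp dport=44818 action=allow
2026-03-10T02:17:30Z src=10.20.50.7 dst=10.20.30.6 proto=udp dport=2222 action=allow
2026-03-10T02:18:11Z src=203.0.113.45 dst=10.20.30.5 proto=tcp dport=443 action=allow
2026-03-10T02:19:55Z src=192.0.2.77 dst=10.20.30.5 proto=tcp dport=44818 action=deny
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return (severity, reason) for a suspicious record, or None for benign traffic."""
    if (rec["proto"].lower(), int(rec["dport"])) not in ENIP_PORTS:
        return None
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in INTERNAL_NETS):
        # A public source reaching an EtherNet/IP port means the PLC is internet-exposed.
        # A denied attempt still shows the device is being discovered, so it is kept.
        sev = "high" if rec["action"].lower() == "allow" else "medium"
        return sev, f"internet-sourced connection to EtherNet/IP port {rec['dport']}/{rec['proto']}"
    if not any(src in net for net in ALLOWED_SOURCES):
        return "medium", "internal source outside the engineering allowlist reached a PLC port"
    return None


def find_exposure(log_text):
    """Run classify() over every parsable line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['src']} -> {f['dst']}: {f['reason']}")
```

On the sample log this yields four findings: two high-severity hits from public addresses that were allowed through to TCP and UDP 44818, one medium hit from an internal host outside the engineering allowlist, and one medium hit for a denied public attempt (worth keeping, since it shows the controller is being discovered from the internet). Group findings by destination to get the list of controllers that need to come off the internet first.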
## Response Actions
- **Containment measures:** Disconnecting affected PLCs from the public internet.
- **Eradication steps:** Clearing malicious project files and changing all credentials.
- **Recovery actions:** Restoring systems from known-good offline backups and updating firmware.
## Lessons Learned
- **Key takeaways:** Geopolitical tensions (US/Israel/Iran) are directly manifesting as cyberattacks on domestic civilian infrastructure.
- **What could have been done better:** Critical OT assets should never be reachable directly from the public internet. Where remote access is unavoidable, it should terminate on a VPN or jump host with multi-factor authentication, with the PLC itself reachable only from that trusted segment.
## Recommendations
- **Disconnect:** Remove all PLCs and OT devices from the public internet immediately.
- **Hardening:** Implement multi-factor authentication (MFA) for all remote access and change all default passwords.
- **Software Updates:** Ensure all industrial software and PLC firmware are patched against known vulnerabilities.
- **Security-by-Design:** Follow CISA and vendor-specific hardening guides for Rockwell Automation and other ICS hardware.
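The first recommendation is only verifiable from the outside: a controller is "off the internet" when it no longer answers from an external vantage point. The script below is an added example (not code from the advisory or from Rockwell Automation) that builds the EtherNet/IP ListIdentity request, the same identity query that internet-wide scanners use to enumerate exposed controllers, and parses the reply into the vendor, device type, product name and controller state fields. The framing follows the public EtherNet/IP encapsulation layout (24-byte header, command 0x0063, ListIdentity item 0x000C); the sample reply bytes, IP address, serial number and product code are constructed and do not come from a real device. Run the live probe only against controllers you own, from an address outside your OT network.

```python
"""Build an EtherNet/IP ListIdentity request and parse the reply, to check
whether a PLC answers an identity query from a given vantage point.

Added example. Framing per the public EtherNet/IP encapsulation layout;
the sample reply is constructed, not captured from a real controller.
"""
import socket
import struct
import sys

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
HEADER_FMT = "<HHII8sI"          # command, length, session, status, sender context, options
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {0x0E: "Programmable Logic Controller", 0x0C: "Communications Adapter"}


def build_list_identity() -> bytes:
    """24-byte encapsulation header with an empty body; ListIdentity carries no data."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, b"\0" * 8, 0)


def parse_list_identity(data: bytes) -> dict:
    """Decode the first identity item of a ListIdentity reply."""
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    if item_count < 1:
        raise ValueError("reply carries no identity item")
    item_type, _item_len = struct.unpack_from("<HH", body, 2)
    if item_type != ITEM_LIST_IDENTITY:
        raise ValueError(f"unexpected item type 0x{item_type:04x}")
    off = 6
    (proto_ver,) = struct.unpack_from("<H", body, off); off += 2
    # sockaddr_in is big-endian: family, port, address, then 8 zero bytes
    _family, port, addr = struct.unpack_from(">HH4s", body, off); off += 16
    vendor, dev_type, product_code, rev_major, rev_minor, dev_status, serial, name_len = \
        struct.unpack_from("<HHHBBHIB", body, off); off += 15
    name = body[off:off + name_len].decode("ascii", errors="replace"); off += name_len
    state = body[off]
    return {
        "protocol_version": proto_ver,
        "ip": socket.inet_ntoa(addr), "port": port,
        "vendor_id": vendor, "vendor": VENDORS.get(vendor, f"vendor {vendor}"),
        "device_type_id": dev_type, "device_type": DEVICE_TYPES.get(dev_type, f"type 0x{dev_type:02x}"),
        "product_code": product_code, "revision": f"{rev_major}.{rev_minor}",
        "status": dev_status, "serial": f"0x{serial:08X}",
        "product_name": name, "state": state,
    }


def build_sample_reply(ip="10.20.30.5", name="1756-L71/B LOGIX5571") -> bytes:
    """Constructed reply resembling a ControlLogix controller (values are illustrative)."""
    name_b = name.encode("ascii")
    item = struct.pack("<H", 1)                                                   # encapsulation version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton(ip), b"\0" * 8)  # sockaddr_in
    item += struct.pack("<HHHBBHIB", 1, 0x0E, 0x5E, 20, 11, 0x0060, 0x00C0FFEE, len(name_b))
    item += name_b + bytes([0x03])                                                # product name, state
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, b"\0" * 8, 0) + body


def probe(host: str, timeout: float = 2.0):
    """Send one ListIdentity over UDP; return the parsed identity, or None if the host is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_list_identity(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    ident = probe(target) if target else parse_list_identity(build_sample_reply())
    if ident is None:
        print(f"{target}: no ListIdentity reply (not reachable from here)")
    else:
        for k, v in ident.items():
            print(f"{k:17} {v}")
```

A controller that returns an identity to this query from outside the plant network is exposed regardless of what the firewall policy says on paper; the vendor ID and product name in the reply are exactly what gets indexed by internet scanners and what the actors in this advisory would have used to pick Rockwell targets. A silent timeout from an external vantage point, combined with a normal reply from the engineering VLAN, is the evidence that the "disconnect" recommendation has actually been carried out.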