Iran-affiliated cyber actors are reportedly targeting internet-facing operational technology (OT) devices within critical infrastructure sectors in the United States, particularly focusing on programmable logic controllers (PLCs). This activity has been confirmed by U.S. cybersecurity and intelligence agencies, including the FBI, which noted that these attacks have resulted in diminished functionality of PLCs, manipulation of display data, and in some instances, operational disruptions and financial losses.
Nature of the Attacks
The ongoing campaign appears to be part of a broader escalation in cyber attacks attributed to Iranian hacking groups, which is believed to be a response to geopolitical tensions involving Iran, the U.S., and Israel. The attacks have specifically targeted PLCs from Rockwell Automation and Allen-Bradley, which are utilized in various sectors, including government services, water and wastewater systems, and energy.
Methodology and Techniques
According to the advisory, the attackers utilized leased third-party infrastructure along with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer, to establish connections with the victim’s PLCs. The targeted devices include CompactLogix and Micro850 PLCs. Following initial access, the threat actors deployed Dropbear, Secure Shell (SSH) server software, on the compromised endpoints to facilitate remote access and manipulate data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.
Recommended Mitigations
In light of these developments, organizations are advised to take several precautionary measures. These include avoiding exposing PLCs to the internet, preventing remote modifications through physical or software switches, implementing multi-factor authentication (MFA), and installing firewalls or network proxies to control access. Keeping PLC devices updated, disabling unused authentication features, and monitoring for unusual traffic are also recommended practices.
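As an added example (not from the advisory or this article), the "avoid exposing PLCs to the internet" and "monitor for unusual traffic" points above can be turned into a simple flow-log check that flags any connection to a PLC's programming or SSH port that does not come from an approved engineering workstation. The port numbers, address plan, flow record format and sample flows are assumptions constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Ports assumed for this example: 44818/tcp is EtherNet/IP explicit messaging, used by
# Rockwell/Allen-Bradley engineering tools such as Studio 5000 to program CompactLogix and
# Micro850 controllers; 22/tcp is SSH, where a dropped-in Dropbear daemon would listen.
WATCH_PORTS = {44818: "EtherNet/IP (PLC programming/management)", 22: "SSH (e.g. Dropbear)"}
# Assumed address plan: everything outside these ranges is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

Finding = namedtuple("Finding", "ts src dst port reason")

def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto

def flag_plc_access(flow_lines, plc_hosts, engineering_cidrs):
    """Return a Finding for each flow to a PLC management port that comes from outside
    the internal address plan, or from an internal host that is not an approved
    engineering workstation. Approved workstation traffic is passed silently."""
    plcs = {ipaddress.ip_address(h) for h in plc_hosts}
    approved = [ipaddress.ip_network(c) for c in engineering_cidrs]
    findings = []
    for line in flow_lines:
        ts, src, dst, port, _proto = parse_flow(line)
        if dst not in plcs or port not in WATCH_PORTS:
            continue  # not PLC traffic on a port we care about
        if not any(src in net for net in INTERNAL_NETS):
            reason = f"internet-sourced access to {WATCH_PORTS[port]}"
        elif not any(src in net for net in approved):
            reason = f"{WATCH_PORTS[port]} from non-engineering internal host"
        else:
            continue  # approved engineering workstation
        findings.append(Finding(ts, str(src), str(dst), port, reason))
    return findings

# Constructed sample flows (not from the advisory); 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    "2025-06-20T01:02:03Z 10.10.5.20 10.20.0.15 44818 tcp",    # approved engineering workstation
    "2025-06-20T01:05:10Z 203.0.113.77 10.20.0.15 44818 tcp",  # PLC reachable from the internet
    "2025-06-20T01:06:42Z 10.10.9.8 10.20.0.15 22 tcp",        # SSH to the PLC from an unexpected host
    "2025-06-20T01:07:00Z 10.10.5.20 10.20.0.15 80 tcp",       # not a watched port
]

if __name__ == "__main__":
    for f in flag_plc_access(SAMPLE_FLOWS, ["10.20.0.15"], ["10.10.5.0/24"]):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Running it on the sample flows reports the internet-sourced EtherNet/IP connection and the SSH session from the unapproved internal host, while the approved workstation's programming traffic is not flagged.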
Context of Ongoing Threats
This is not the first instance of Iranian threat actors targeting OT networks. In late 2023, a group known as Cyber Av3ngers was linked to the exploitation of Unitronics PLCs, affecting the Municipal Water Authority of Aliquippa in Pennsylvania. Experts suggest that the current attacks reflect a known pattern of escalation by Iranian actors, who are increasingly targeting both IT and OT infrastructures.
As these cyber threats evolve, the integration of state-directed operations with commercial tools complicates attribution and defense efforts, underscoring the need for heightened vigilance among organizations in critical sectors.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.