Full Report
Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday. "These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial
Analysis Summary
# Incident Report: Iranian Targeting of U.S. Critical Infrastructure PLCs
## Executive Summary
Iran-affiliated cyber actors have targeted internet-facing Programmable Logic Controllers (PLCs) across U.S. critical infrastructure, specifically within the water, energy, and government sectors. Using specialized configuration software and third-party hosting, attackers compromised industrial OT devices to manipulate HMI/SCADA displays and disrupt operations. The campaign has resulted in diminished functionality of industrial processes and financial losses for affected entities.
## Incident Details
- **Discovery Date:** April 07, 2026 (Public Warning Issued)
- **Incident Date:** Ongoing; surges referenced from late 2025 through early 2026
- **Affected Organization:** Multiple (Water and Wastewater Systems, Energy, Government Services)
- **Sector:** Critical Infrastructure / Operational Technology (OT)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025 – April 2026
- **Vector:** Internet-exposed OT devices / Port 22 (SSH)
- **Details:** Attackers targeted internet-facing Rockwell Automation/Allen-Bradley PLCs (CompactLogix and Micro850) that lacked perimeter protection or multi-factor authentication.
### Lateral Movement
- **Details:** Actors utilized leased, third-party hosted infrastructure equipped with Rockwell Automation's Studio 5000 Logix Designer software to establish "accepted" connections directly to the victim’s PLC from the internet.
### Data Exfiltration/Impact
- **Details:** Extraction of PLC project files; unauthorized modification of HMI (Human-Machine Interface) and SCADA displays to show false information or disrupt operator visibility.
### Detection & Response
- **How it was discovered:** Collaborative intelligence by FBI, CISA, and investigative agencies; observed patterns matched previous "Cyber Av3ngers" and "Hydro Kitten" activity.
- **Response actions taken:** CISA/FBI issued joint advisory (AA26-097A); organizations advised to disconnect PLCs from the public internet immediately.
## Attack Methodology
- **Initial Access:** Exploitation of internet-exposed PLCs (Direct connection).
- **Persistence:** Deployment of **Dropbear SSH** software on victim endpoints.
- **Privilege Escalation:** Not explicitly detailed; likely via default or weak credentials on device administrative interfaces.
- **Defense Evasion:** Use of legitimate "Studio 5000 Logix Designer" software to make malicious connections appear as authorized project adjustments.
- **Credential Access:** Targeting devices with weak or no authentication.
- **Discovery:** Scanning for internet-facing industrial IPs and identifying PLC models via project file data.
- **Lateral Movement:** Remote access through Port 22 to connected OT components.
- **Collection:** Exfiltration of PLC project files and operational data.
- **Exfiltration:** Standard SSH (Port 22) protocols.
- **Impact:** Disruption of physical processes, manipulation of display data, and financial loss.
## Impact Assessment
- **Financial:** Reported losses due to operational downtime and remediation; specific figures undisclosed.
- **Data Breach:** Compromise of proprietary OT project files and configuration logic.
- **Operational:** "Diminished functionality" of PLCs and disruption of water/energy services.
- **Reputational:** Public concern regarding the security of essential municipal utilities.
## Indicators of Compromise
- **Network indicators:**
  - Traffic via Port 22 (SSH) to PLC IP addresses.
  - Connections from leased third-party VPS infrastructure.
- **File indicators:**
  - Presence of `Dropbear` SSH binaries on non-standard OT hardware.
- **Behavioral indicators:**
  - Unauthorized use of Studio 5000 Logix Designer from external IP ranges.
  - Unexplained changes to HMI/SCADA display values.
## Response Actions
- **Containment:** Disconnecting OT devices from the public internet.
- **Eradication:** Removal of Dropbear SSH unauthorized software; resetting PLC configurations to known-good states.
- **Recovery:** Implementation of firewalls and network proxies to isolate the OT environment.
## Lessons Learned
- **Key takeaways:** OT security remains a "low-hanging fruit" for state-sponsored actors when devices are exposed to the internet with default settings.
- **Failure Points:** Failure to implement MFA on remote access points and the hazardous practice of exposing PLCs directly to the WAN without a VPN or gateway.
## Recommendations
- **Network Hardening:** Ensure PLCs are **not** reachable via the public internet.
- **Access Control:** Implement Multi-Factor Authentication (MFA) for all remote access to the OT network.
- **Physical Security:** Utilize the physical Write-Protect switch on PLCs to prevent unauthorized remote programming changes.
- **Segmentation:** Deploy firewalls or proxies in front of PLCs to restrict traffic to authorized engineering workstations only.
- **Monitoring:** Enable logging for all configuration changes and monitor Port 22 traffic within the OT VLAN.
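To make the network and behavioral indicators listed above and the Monitoring recommendation concrete, the following is an added detection example (not code from the advisory or the issuing agencies): it flags any flow reaching a PLC from outside the OT address space, and any SSH (Port 22) flow to a PLC from a host other than an approved engineering workstation. The PLC addresses, OT ranges, allowlist and flow-log format are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed asset inventory (assumed values, not from the advisory):
# PLC addresses, the OT address space, and the engineering workstations
# that are permitted to open SSH sessions to PLCs.
PLC_HOSTS = {"10.20.5.11", "10.20.5.12"}
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ENGINEERING_WORKSTATIONS = {"10.20.1.50"}
SSH_PORT = 22


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<ts> <src> -> <dst>:<dport>'."""
    ts, src, _arrow, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason for flows that match the advisory's indicators."""
    if flow.dst not in PLC_HOSTS:
        return None  # only PLC-bound traffic is in scope here
    src = ipaddress.ip_address(flow.src)
    if not any(src in net for net in OT_NETWORKS):
        return "plc-reached-from-outside-ot-network"  # PLC exposed beyond the OT VLAN
    if flow.dport == SSH_PORT and flow.src not in ENGINEERING_WORKSTATIONS:
        return "ssh-to-plc-from-unapproved-host"  # Port 22 from a non-engineering host
    return None


def detect(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run every flow-log line through classify() and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow.ts, flow.src, flow.dst, reason))
    return alerts


# Constructed sample flow log: one external hit on a PLC, one approved
# engineering session, one SSH attempt from an unapproved internal host,
# and one benign non-SSH flow inside the OT VLAN.
SAMPLE_LOG = [
    "2026-04-01T02:13:07Z 203.0.113.45 -> 10.20.5.11:22",
    "2026-04-01T02:14:10Z 10.20.1.50 -> 10.20.5.11:22",
    "2026-04-01T02:15:00Z 10.20.3.9 -> 10.20.5.12:22",
    "2026-04-01T02:16:00Z 10.20.3.9 -> 10.20.5.12:80",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```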