Full Report
**From:** CISA
**Date:** April 7, 2026
**Alert Code:** AA26-097A
**Executive Summary:** Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project...
Analysis Summary
# Threat Actor: Iran-Affiliated APT
## Attribution & Identity
- **Actor Identification:** Advanced Persistent Threat (APT) actors affiliated with the Iranian government.
- **Aliases:** None given in the alert excerpt; the activity is attributed to Iranian state interests rather than to a named group.
- **Known Associations:** Affiliated with the Iranian government; the reported activity is directed at operational technology (OT).
## Activity Summary
- **Current Campaign:** April 2026 exploitation of internet-facing Programmable Logic Controllers (PLCs).
- **Operations:** Malicious interaction with PLC project files and manipulation of HMI/SCADA displays to cause operational disruptions and financial loss.
## Tactics, Techniques & Procedures
- **Exploitation of Internet-Facing Assets:** Targeting OT devices exposed directly to the public internet.
- **Manipulation of Control Logic:** Direct interaction with and modification of project files on PLCs.
- **HMI/SCADA Tampering:** Manipulating data on Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays to deceive operators.
- **Protocol Targeting:** Traffic to industrial-protocol ports `44818` and `2222` (EtherNet/IP), `102` (ISO-TSAP/S7comm) and `502` (Modbus/TCP).
- **Infrastructure Use:** Utilizing overseas hosting providers to mask the origin of malicious traffic.
## Targeting
- **Sectors:** Multiple U.S. Critical Infrastructure sectors.
- **Geography:** United States.
- **Victims:** Organizations using Rockwell Automation/Allen-Bradley PLCs, and potentially PLCs from other vendors (the alert says "including", and the listed ports also cover Siemens S7 and Modbus devices).
## Tools & Infrastructure
- **Affected Products:** Rockwell Automation/Allen-Bradley PLCs.
- **Network Ports:**
  - `44818` TCP/UDP: EtherNet/IP (CIP explicit messaging)
  - `2222` UDP: EtherNet/IP (CIP implicit I/O)
  - `102` TCP: ISO-TSAP (Siemens S7comm)
  - `502` TCP: Modbus/TCP
- **Infrastructure:** Overseas hosting providers (specific IPs are not given in the excerpt; see the STIX files accompanying the alert for defanged indicators).
## Implications
- **Strategic Impact:** This activity represents a direct threat to the physical safety and operational integrity of U.S. critical infrastructure.
- **Financial Assessment:** Successful exploitation results in direct financial loss through operational downtime and potential equipment damage.
- **Operational Risk:** By manipulating HMI/SCADA displays, the actor can provide false information to human operators, potentially masking more severe physical sabotage.
## Mitigations
- **Network Architecture:** Immediately remove PLCs from direct internet exposure; ensure they are behind secure gateways and firewalls.
- **Log Analysis:** Query firewall, VPN and flow logs for inbound traffic from overseas hosting providers to the OT ports named in the alert (`44818`, `2222`, `102`, `502`), including denied attempts, since a blocked probe still identifies a scanning host.
- **Hardware Security:** For Rockwell Automation devices, physically set the controller mode switch to the "RUN" position. In RUN the controller cannot be switched to Program mode, downloaded to, or edited online over the network, which blocks remote changes to the project file. It does not stop reads or tag writes over CIP (the same operations an HMI performs), so it complements rather than replaces network isolation.
- **Monitoring:** Implement alerting for any unauthorized interactions with PLC project files or unusual traffic on industrial protocols.
- **CISA Resources:** Review CISA Alert AA26-097A and associated STIX XML/JSON files for specific Indicators of Compromise (IOCs).
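The following is an added example, not code from the CISA alert or from this page's original analysis, that carries out the log-analysis recommendation above against the port list under Tools & Infrastructure: it triages firewall log lines for sources outside trusted ranges reaching industrial-protocol ports. The key=value log format, the sample lines and the trusted-network list are constructed assumptions; adapt `parse_line()` and `TRUSTED_NETS` to your own firewall or NetFlow export.

```python
"""
Triage firewall/flow logs for inbound connections from non-trusted addresses
to industrial-protocol ports (EtherNet/IP 44818 and 2222, ISO-TSAP 102,
Modbus/TCP 502), following the alert's log-analysis guidance.

The log format, field names and sample lines below are constructed for this
example; adapt parse_line() to the format your firewall actually emits.
"""
import ipaddress
import re
from collections import defaultdict

# Industrial ports named in the alert, with the protocol each normally carries.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging, TCP/UDP)",
    2222: "EtherNet/IP (CIP implicit I/O, UDP)",
    102: "ISO-TSAP / S7comm (TCP)",
    502: "Modbus/TCP",
}

# Ranges that should be the only legitimate clients of OT devices.
# Assumption for this example: RFC1918 plus loopback; extend with your
# engineering-workstation and HMI subnets.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines in a key=value firewall log style (not real traffic).
SAMPLE_LOG = """\
2026-04-06T02:13:44Z action=ACCEPT proto=TCP src=203.0.113.45 spt=51234 dst=192.168.10.20 dpt=44818
2026-04-06T02:13:45Z action=ACCEPT proto=TCP src=203.0.113.45 spt=51235 dst=192.168.10.20 dpt=44818
2026-04-06T02:14:02Z action=ACCEPT proto=UDP src=203.0.113.45 spt=2222 dst=192.168.10.20 dpt=2222
2026-04-06T02:20:11Z action=ACCEPT proto=TCP src=198.51.100.7 spt=40012 dst=192.168.10.31 dpt=502
2026-04-06T02:21:09Z action=ACCEPT proto=TCP src=192.168.1.50 spt=49876 dst=192.168.10.20 dpt=44818
2026-04-06T02:25:00Z action=DENY proto=TCP src=198.51.100.7 spt=40013 dst=192.168.10.32 dpt=102
2026-04-06T02:30:33Z action=ACCEPT proto=TCP src=203.0.113.45 spt=51300 dst=192.168.10.5 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def parse_line(line):
    """Return a dict of fields for one log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def is_trusted(addr):
    """True if the address falls inside one of the trusted client ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def find_external_ot_access(log_text, include_denied=True):
    """Flag every record whose destination port is an OT port and whose source
    is outside the trusted ranges. Denied attempts are kept by default because
    a probe the firewall blocked still identifies a scanning host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in OT_PORTS:
            continue
        if is_trusted(rec["src"]):
            continue
        if rec["action"] != "ACCEPT" and not include_denied:
            continue
        rec["service"] = OT_PORTS[rec["dpt"]]
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by external source: how many records, how many were accepted,
    and which OT host/port pairs that source touched."""
    by_src = defaultdict(lambda: {"count": 0, "accepted": 0, "targets": set()})
    for h in hits:
        s = by_src[h["src"]]
        s["count"] += 1
        s["targets"].add((h["dst"], h["dpt"]))
        if h["action"] == "ACCEPT":
            s["accepted"] += 1
    return dict(by_src)


if __name__ == "__main__":
    hits = find_external_ot_access(SAMPLE_LOG)
    for src, info in sorted(summarize(hits).items()):
        targets = ", ".join(f"{d}:{p}" for d, p in sorted(info["targets"]))
        print(f"{src}: {info['count']} records ({info['accepted']} accepted) -> {targets}")
```

The trusted-range filter is only a stand-in for "overseas hosting providers": in real triage, enrich each flagged source with ASN and geolocation data and compare it against the indicators in the STIX files that accompany the alert. The trusted source on the sample 44818 line is dropped, the DENY to port 102 is kept, and the port 443 line is ignored because it is not an OT port.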