Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across U.S. Critical Infrastructure | CISA

Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

For a downloadable copy of IOCs, see:

Organizations: Critical Infrastructure

Sectors: Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy

Roles: Defensive cybersecurity analysts, OT cybersecurity engineers, cybersecurity architects, secure systems developers

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command Cyber National Mission Force (CNMF), hereafter referred to as the authoring agencies, are urgently warning U.S. organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors. As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files[1] and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has resulted in operational disruption and financial loss.

Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks and apply the recommendations listed in the Mitigations section to reduce the risk of compromise.

The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group), a cyber threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).

If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise. Please contact the authoring agencies and applicable vendors through existing support channels available to customers and integrators (see Contact Information) to receive support, mitigation, and investigation assistance, and engage your cyber incident response plans.

In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer's previously issued guidance to strengthen the security of their operational technology deployments: PN1550, CVE-2021-22681 Authentication Bypass Vulnerability Found in Logix Controllers (published in 2021), and SD1771, Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats (published in 2026). Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at PSIRT@rockwellautomation.com for questions regarding this guidance or to report cyber incidents related to Rockwell Automation products.

For more information on Iranian malicious cyber activity, see CISA's Iran Threat Overview and Advisories webpage and the FBI's Iran Threat webpage.

Download the PDF version of this report.

For a downloadable copy of IOCs, see:

During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as CyberAv3ngers targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS. For more information on this group's activity, see the authoring agencies' Joint Cybersecurity Advisory IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities.

The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs belonging to U.S. critical infrastructure organizations with the intent to cause disruptions, including maliciously interacting with project files and manipulating data displayed on HMI and SCADA displays. Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran and the United States and Israel.

Since at least March 2026, the authoring agencies identified, through engagements with victim organizations, an Iranian-affiliated APT group that disrupted the function of PLCs. These PLCs were deployed across multiple U.S. critical infrastructure sectors, including Government Services and Facilities, WWS, and Energy sectors, within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.

Note: This advisory uses the MITRE ATT&CK Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs [T0883]. The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation's Studio 5000 Logix Designer software, to create an accepted connection to the victim's PLC. Targeted devices include CompactLogix and Micro850 PLC devices.

Inbound malicious traffic may be directed to devices on any of the following ports: 44818, 2222, 102, 22, or 502. The targeting of ports [T0885] associated with other OT vendors' protocols suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley, including the Siemens S7 PLC. Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219].

The FBI identified that this activity resulted in the extraction of the device's project file and data manipulation on HMI and SCADA displays [T1565].

See Table 1 for recent IP addresses used by the Iranian-affiliated APT actors to communicate with Rockwell Automation/Allen-Bradley-manufactured devices and potentially other branded OT devices in the United States.

Disclaimer: The FBI observed that the threat actors used the IP addresses listed below in the specified time frames. This data is being provided for customers to query against logs for indications of historical targeting by the Iranian-affiliated APT actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

MITRE ATT&CK Tactics and Techniques

See Table 2 to Table 4 for all referenced threat actor tactics and techniques in this advisory. The authoring agencies recommend organizations review historical TTPs for similar Iranian-affiliated cyber actor activity in IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve your organization's cybersecurity posture on the basis of the threat actors' activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

The cyber threat actors accessed Rockwell Automation/Allen-Bradley-manufactured PLCs to cause disruptions to victim systems. To safeguard against this threat, and threats to other types of PLCs, the authoring agencies urge organizations to consider the following mitigations.

In addition, organizations with these PLCs should view Rockwell Automation's guidance, Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats.

Immediate steps to prevent the attack:

Follow-up steps to strengthen security posture:

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, as well as to reduce the impact and risk of compromise by cyber threat actors.

Note: The following guidance is general in nature and not specific to any OT vendor. Some of the features, settings, and practices may already be offered by certain vendors. The inclusion of this guidance should not be interpreted as an assertion that vendors referenced in this product do not offer such security features.

Although critical infrastructure organizations using PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of their customers' security outcomes by following the principles in the joint guide Secure by Demand: Priority Considerations for OT Owners and Operators when Selecting Digital Products, primarily:

By using secure by design tactics, software manufacturers can make product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and log monitoring, and making routine updates.

For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA.

The information in this report is being provided "as is" for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

April 7, 2026: Initial version

[1] Project file refers to the software file that contains ladder logic and configuration settings. On Rockwell Automation devices, it is referred to as an ACD file.

[2] See CompactLogix 5370 Controllers, Chapter 5, Select the Operating Mode of the Controller, for more information on functions available for the switch.
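The observed-activity paragraphs name the inbound ports the actors used (44818, 2222, 102, 22, and 502), and the Table 1 disclaimer asks organizations to query the listed IP addresses against their logs within the observed time frames and to vet hits before blocking. The following Python script, added here as an example and not part of the advisory or of any vendor's tooling, does that hunt over firewall-style log lines: it flags any connection to one of those OT ports from a source outside an allowlist of engineering hosts, and separately flags sources that match an IOC entry inside its observed window. The log format, the allowlisted subnet, and the IOC entries (RFC 5737 documentation addresses with made-up date windows standing in for the real Table 1) are all constructed assumptions.

```python
"""Hunt firewall/flow logs for the PLC-targeting pattern described in the advisory.

Added example, not part of the advisory. All IP addresses, date windows,
subnets and log lines below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import re

# Ports the advisory lists as carrying inbound malicious traffic.
OT_PORTS = {
    44818: "EtherNet/IP (CIP)",
    2222: "EtherNet/IP (CIP I/O)",
    102: "Siemens S7 / ISO-TSAP",
    22: "SSH (the actors deployed Dropbear for remote access)",
    502: "Modbus/TCP",
}


@dataclass(frozen=True)
class Ioc:
    ip: str
    start: datetime  # first observed use of the address
    end: datetime    # last observed use of the address


# PLACEHOLDER entries shaped like Table 1; the real values come with the advisory's IOC download.
IOC_TABLE = [
    Ioc("203.0.113.10", datetime(2026, 3, 1, tzinfo=timezone.utc), datetime(2026, 3, 31, tzinfo=timezone.utc)),
    Ioc("198.51.100.7", datetime(2026, 3, 15, tzinfo=timezone.utc), datetime(2026, 4, 7, tzinfo=timezone.utc)),
]

# Engineering workstations / jump hosts that are allowed to reach PLCs (constructed).
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]

# Constructed log format: "<ISO-8601 timestamp with offset> <ACCEPT|DROP> src=.. dst=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    reasons: tuple


def parse_line(line):
    """Return (ts, action, src, dst, dport) or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Timestamps must carry an offset so they compare with the tz-aware IOC windows.
    return (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"], int(m["dport"]))


def hunt(lines, iocs=IOC_TABLE, allowed=ALLOWED_SOURCES, ports=OT_PORTS):
    """Return a Finding for every line that merits investigation (not automatic blocking).

    DROP lines are kept: a blocked attempt from a listed address is still evidence of targeting.
    """
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # in production, count unparseable lines rather than silently skipping
        ts, action, src, dst, dport = parsed
        src_ip = ip_address(src)
        reasons = []
        if dport in ports and not any(src_ip in net for net in allowed):
            reasons.append(f"non-allowlisted source reached OT port {dport} ({ports[dport]})")
        for ioc in iocs:
            if src_ip == ip_address(ioc.ip) and ioc.start <= ts <= ioc.end:
                reasons.append(f"source matches IOC {ioc.ip} within its observed window")
        if reasons:
            findings.append(Finding(ts, action, src, dst, dport, tuple(reasons)))
    return findings


def summarize(findings):
    """Count findings per source address, the view an analyst triages first."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log: one allowlisted engineering host, two placeholder IOC sources.
SAMPLE_LOG = """\
2026-03-20T10:15:00+00:00 ACCEPT src=203.0.113.10 dst=192.0.2.50 dport=44818
2026-03-20T10:16:30+00:00 ACCEPT src=10.20.0.15 dst=192.0.2.50 dport=44818
2026-04-09T08:00:00+00:00 DROP src=203.0.113.10 dst=192.0.2.50 dport=502
2026-03-21T02:00:00+00:00 ACCEPT src=198.51.100.7 dst=192.0.2.51 dport=22
2026-03-21T02:05:00+00:00 ACCEPT src=10.20.0.15 dst=192.0.2.51 dport=443
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.action} {f.src} -> {f.dst}:{f.dport}")
        for r in f.reasons:
            print(f"    {r}")
    print("per-source counts:", summarize(SAMPLE_LOG and hunt(SAMPLE_LOG)))
```

Two details follow the advisory's wording rather than convenience: the third sample line still produces a finding even though the connection was dropped and the address is outside its IOC window, because an unexpected source reaching a Modbus port is worth a look on its own; and the output is a list to investigate, not a block list, matching the disclaimer's advice to vet the addresses before acting.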