Iranian Threat Actors Disrupt US Critical Infrastructure Via Exposed PLCs
Dark Reading
Attackers compromised Internet-facing OT devices and caused file and display manipulation, operational disruption, and financial losses across sectors.
Elizabeth Montalbano, Contributing Writer
April 8, 2026
4 Min Read
Iran-affiliated threat actors are disrupting US critical infrastructure through attacks on Internet-exposed operational technology (OT) devices across numerous sectors, the US government is warning.
The revelation came Tuesday, just before the US and Iran reached a tentative two-week ceasefire agreement in the ongoing war. The campaign by Iranian advanced persistent threat (APT) actors, which began last month, soon after the US and Israel jointly attacked Iran, targets programmable logic controllers (PLCs) — particularly Rockwell Automation/Allen-Bradley devices — used in energy, water and wastewater, and government facilities, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies.
Attackers have already caused disruption across these industries, specifically by manipulating PLC project files and tampering with human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, according to CISA. "In a few cases, this activity has resulted in operational disruption and financial loss," the advisory stated.
Though the agencies did not specifically identify the actors behind the recent activity, they said it is reminiscent of similar attacks on PLCs by CyberAv3ngers (aka Shahid Kaveh Group), a threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC). In November 2023, the threat group compromised at least 75 US-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including wastewater systems.
Internet-Facing Devices Accessed
The FBI, National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command–Cyber National Mission Force (CNMF) joined CISA in the advisory, which outlined how Iranian-affiliated APT actors using several overseas-based IP addresses accessed Internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs.
"The actors used leased third-party-hosted infrastructure with configuration software, such as Rockwell Automation's Studio 5000 Logix Designer software, to create an accepted connection to the victim's PLC," the agencies said. Devices specifically targeted included CompactLogix and Micro850 PLC devices, they said.
Attackers directed malicious traffic to devices via ports 44818 (EtherNet/IP explicit messaging), 2222 (EtherNet/IP implicit I/O), 102 (ISO-TSAP), 22 (SSH), and 502 (Modbus/TCP), which the advisory tags as the MITRE ATT&CK for ICS technique Commonly Used Port [T0885]; T0885 is a technique identifier, not a port number. The presence of port 102, the port used by Siemens S7 PLCs, signals that devices manufactured by companies besides Rockwell Automation/Allen-Bradley also may have been targeted.
"Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22 [T1219]," according to the advisory.
Apply Mitigations Now
Given the history of Iranian attackers targeting US critical infrastructure and the ongoing hostilities between the US and Iran — in which the US has already destroyed some Iranian infrastructure on the ground as part of the war effort — the US is urging critical infrastructure facilities to take immediate action to mitigate attacks. Prior to the ceasefire, President Donald Trump threatened to target Iranian critical infrastructure such as power plants on a grand scale, which could further fuel Iranian retaliatory cyberattacks on US targets.
The problem extends beyond the current conflict, however, as the exposure of PLCs and other OT devices to the public Internet has been an ongoing concern for the critical infrastructure sector for years, notes Gabrielle Hempel, security operations strategist at Exabeam.
"If an OT environment is reachable from the Internet, that is an inherent design flaw and not a nation-state problem," she tells Dark Reading.
Accordingly, CISA urged critical infrastructure organizations to remove PLCs from direct Internet exposure and to place them behind secure gateways and firewalls. Security teams should also check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, and especially for traffic originating from overseas hosting providers.
CISA also included a series of indicators of compromise (IoCs) in the advisory and recommended that potentially affected organizations search available logs for these IoCs within the corresponding time frames. Organizations with Rockwell Automation/Allen-Bradley controllers should also set the physical mode switch on the controller to the "Run" position, which blocks remote downloads of a new program to the controller. Organizations that suspect their devices may have been targeted should contact the authoring agencies and Rockwell Automation for guidance, the advisory noted.
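The log review the advisory recommends (flagging traffic to the OT ports it names that originates outside the plant network, then prioritizing hits against an IoC list within the activity window) can be scripted. The following is an added example, not code from the article, the advisory, or Rockwell Automation. It assumes a simple key=value firewall log format; the sample log lines are constructed, use RFC 5737 documentation addresses as stand-ins for overseas hosting providers, and the IoC list and time window are placeholders, not the advisory's actual IoCs or dates.

```python
"""Hunt for external access to OT ports in firewall logs (added example)."""
import ipaddress
import re
from datetime import datetime, timezone

# Ports named in the advisory, with the protocol that normally uses each.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
    22: "SSH (Dropbear deployed by the actors for remote access)",
}

# Placeholder IoC list and window: hypothetical, NOT the advisory's values.
IOC_IPS = {"203.0.113.45"}
WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 8, tzinfo=timezone.utc)

# Anything outside RFC 1918, loopback and link-local is treated as external.
# (ipaddress.is_private is avoided because it also covers RFC 5737 ranges.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed key=value log format; adapt the regex to your firewall's export.
LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

# Constructed sample lines (RFC 5737 addresses stand in for foreign hosts).
SAMPLE_LOGS = """\
2026-03-14T02:11:09Z action=allow src=203.0.113.45 dst=10.20.5.7 dport=44818 proto=tcp
2026-03-14T02:11:10Z action=allow src=198.51.100.9 dst=10.20.5.7 dport=2222 proto=udp
2026-03-14T03:40:51Z action=allow src=10.20.1.15 dst=10.20.5.7 dport=44818 proto=tcp
2026-03-15T11:02:33Z action=allow src=198.51.100.77 dst=10.20.5.9 dport=102 proto=tcp
2026-03-15T11:05:00Z action=deny src=198.51.100.77 dst=10.20.5.9 dport=502 proto=tcp
2026-03-16T09:00:00Z action=allow src=192.0.2.8 dst=10.20.5.12 dport=22 proto=tcp
2026-02-01T00:00:00Z action=allow src=203.0.113.45 dst=10.20.5.7 dport=44818 proto=tcp
2026-03-17T12:00:00Z action=allow src=192.0.2.200 dst=10.20.5.7 dport=443 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "action": d["action"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"]}


def is_external(ip):
    """True when the address lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious(log_text, ioc_ips=IOC_IPS, start=WINDOW_START, end=WINDOW_END):
    """Return external connections to OT ports, annotated and prioritized."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS:
            continue
        if not is_external(rec["src"]):
            continue  # engineering workstations talk to PLCs legitimately
        rec["service"] = OT_PORTS[rec["dport"]]
        rec["ioc_match"] = rec["src"] in ioc_ips
        rec["in_window"] = start <= rec["ts"] <= end
        if rec["ioc_match"] and rec["in_window"]:
            rec["priority"] = "critical"   # known IoC during the campaign
        elif rec["action"] == "allow":
            rec["priority"] = "high"       # accepted connection to a PLC port
        else:
            rec["priority"] = "medium"     # blocked probe, still evidence of targeting
        findings.append(rec)
    return findings


def summarize(findings):
    """Map each external source to the sorted set of OT ports it touched."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["dport"])
    return {src: sorted(ports) for src, ports in by_src.items()}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["priority"]:8} {h["ts"]:%Y-%m-%d %H:%M} {h["src"]:>15} '
              f'-> {h["dst"]}:{h["dport"]} {h["action"]} ({h["service"]})')
    print(summarize(hits))
```

The "critical" tier requires both an IoC match and a timestamp inside the window, which is how the advisory frames its IoC search; an IoC hit outside the window (the February line in the sample) is still reported as "high" because any accepted external connection to a PLC port is worth investigating, regardless of attribution. Denied probes are kept at "medium" so that a scan of a site's OT ports does not disappear from the report.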
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.