TempMail Ninja

Iranian APT PLC Attacks Target U.S. Critical Infrastructure


In a significant escalation of cyber warfare, Iranian-affiliated advanced persistent threat (APT) actors have intensified their targeting of U.S. critical infrastructure, specifically exploiting Programmable Logic Controllers (PLCs) to cause operational disruptions and financial losses. This campaign, active since at least March 2026, has prompted an urgent warning from the Cybersecurity and Infrastructure Security Agency (CISA) and its partners, underscoring the severe threat posed by these Iranian APT PLC attacks. The incidents highlight a disturbing trend where geopolitical tensions are increasingly manifesting in the digital realm, directly impacting essential services that underpin modern society.

The Shadowy Hand of Iranian APT Actors

The threat actors behind these attacks are a group of Iranian-affiliated APT actors known by a myriad of aliases, including Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These groups operate with clear intent to cause disruptive effects within the United States, likely in response to escalating hostilities between Iran on one side and the United States and Israel on the other. Their sophisticated targeting campaigns against U.S. organizations have demonstrated a concerning capability to move beyond mere reconnaissance to actively disrupting industrial processes.

Evolution of the Threat: From Unitronics to Rockwell Automation

The recent surge in Iranian APT PLC attacks marks an evolution in the adversaries’ capabilities and targets. While the current campaign, observed since March 2026, primarily targets Rockwell Automation/Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices, these actors have a documented history of similar activities. A notable precursor occurred in November 2023, when an IRGC CEC-affiliated cyber threat actor known as “CyberAv3ngers” (also referred to by many of the aforementioned aliases) compromised at least 75 U.S.-based Unitronics PLC devices equipped with Human Machine Interfaces (HMIs).

The 2023 Unitronics campaign significantly impacted the Water and Wastewater Systems (WWS) sector, demonstrating the group’s intent to disrupt critical services. These earlier attacks often involved exploiting devices exposed directly to the internet, leveraging weak or default credentials, and manipulating control logic or defacing HMIs with political messages. The current campaign against Rockwell Automation products indicates an expanded scope and continued focus on widely deployed industrial control systems across critical infrastructure. Moreover, port activity suggests these actors may also be targeting devices manufactured by other companies, including Siemens S7 PLCs.

Targeting America’s Lifelines: Critical Infrastructure Sectors Under Siege

The scope of the recent Iranian APT activity extends across multiple vital U.S. critical infrastructure sectors. The most prominently affected include:

  • Government Services and Facilities: Encompassing local municipalities, these entities manage essential public services and are ripe targets for disruption and potential data manipulation.
  • Water and Wastewater Systems (WWS): As demonstrated in previous campaigns, attacks on WWS facilities can have direct public health and safety implications, affecting the provision of clean water and effective waste management.
  • Energy Sector: Disruptions to energy infrastructure, including power generation and distribution, can have cascading effects across multiple other sectors, leading to widespread outages and economic instability.

The Vulnerability of Programmable Logic Controllers (PLCs)

Programmable Logic Controllers (PLCs) are specialized industrial computers that play a foundational role in automating and monitoring various industrial processes. They are the “brains” of operational technology (OT) environments, controlling everything from the flow of water in a treatment plant to the pressure in a pipeline and the operation of machinery in power grids. When PLCs are connected to Human Machine Interfaces (HMIs) and Supervisory Control and Data Acquisition (SCADA) systems, they provide operators with visual representations and control mechanisms for complex processes.

The inherent vulnerability exploited by the Iranian APT actors lies in the direct exposure of these PLCs to the public internet. While internet connectivity can offer convenience for remote monitoring and management, it simultaneously opens a critical attack surface to malicious actors. The lack of robust segmentation and perimeter defenses effectively turns these industrial control systems into “low-hanging fruit” for determined adversaries, as highlighted by cybersecurity experts.

Unpacking the Attack Chain: Technical TTPs in Detail

The technical sophistication of the Iranian APT actors, while not always reliant on zero-day exploits, is highly effective in leveraging existing misconfigurations and security weaknesses. Their tactics, techniques, and procedures (TTPs) demonstrate a clear understanding of industrial control systems and their operational impact.

Initial Compromise and Exploitation

Initial access to internet-facing Rockwell Automation/Allen-Bradley PLCs has been achieved by the Iranian-affiliated actors through the use of leased overseas infrastructure and legitimate Rockwell Automation configuration software, such as Studio 5000 Logix Designer. Because the session originates from the vendor’s own engineering tool, it is treated as an “accepted connection” by the victim’s PLC and looks like ordinary engineering traffic, so it may not trigger security layers that would flag unusual access attempts. The devices specifically targeted include CompactLogix and Micro850 PLC devices.

For the 2023 Unitronics PLC attacks, threat actors utilized internet scanning tools like Shodan, Censys, and ZoomEye to locate vulnerable, internet-exposed devices. These tools identify industrial control system components with open ports, such as TCP port 20256 (default for Unitronics PLCs), often using search queries like “port:20256 Unitronics” or “Welcome to U90 Ladder”. Once identified, exploitation frequently involved bypassing authentication through default credentials or brute-forcing weak passwords, a tactic mapped to MITRE ATT&CK T1078.001 (Valid Accounts: Default Accounts) and T1110 (Brute Force).

HMI/SCADA Manipulation and Operational Disruption

Upon gaining access, the APT actors engage in malicious interactions with project files and manipulate data displayed on Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays. This manipulation can have immediate and severe consequences. In the context of PLCs, altering project files means changing the very programming logic that dictates how industrial processes operate. For example, in WWS, this could involve modifying pump cycles, disabling critical alarms, or adjusting chemical dosing processes. Such changes, whether subtle or overt, can lead to equipment malfunction, system instability, and the compromise of process integrity.

The defacement of HMIs, a common TTP in the 2023 Unitronics attacks, also serves as a form of psychological warfare and propaganda, displaying messages like “YOU HAVE BEEN HACKED. DOWN WITH ISRAEL.” While seemingly superficial, such actions can sow panic, erode public trust, and signal the actors’ capabilities to disrupt physical processes, even if the direct physical impact is initially limited.

Persistence and Data Exfiltration

To maintain a foothold within compromised networks, the Iranian APT actors have deployed remote access software. Specifically, they have been observed installing Dropbear Secure Shell (SSH) software on victim endpoints, enabling remote access through port 22. This persistent access allows them to continue monitoring, manipulating, and potentially extracting sensitive project files and data from the compromised PLCs and associated systems. Command and control (C2) communications have been observed over various ports, including 44818, 2222, 102, 22, and 502, indicating a versatile approach to maintaining communication channels.

CISA’s Urgent Call: Mitigating the Threat

In response to these escalating threats, CISA, in collaboration with the FBI, NSA, EPA, Department of Energy, and US Cyber Command’s Cyber National Mission Force, has issued urgent advisories. These advisories provide critical tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) for U.S. organizations to review, enabling them to detect current or historical activity on their networks and implement vital mitigations.

Immediate Defensive Measures

The most critical immediate recommendation to combat these Iranian APT PLC attacks is to sever PLCs from direct internet exposure. This fundamental security measure can be achieved through:

  • Utilizing secure gateways and robust firewalls to strictly control network access to OT systems.
  • Implementing virtual private networks (VPNs) for any necessary remote access, so that multi-factor authentication (MFA) can be enforced at the VPN gateway even if the PLC itself does not support it.
  • Ensuring that PLCs’ physical key switches are placed in the “run” position, which can prevent remote modification in some systems.
  • Enabling programming protection within PLC configuration software to limit who can modify PLC logic remotely.
  • Changing all default passwords on PLCs and HMIs to strong, unique credentials.
  • Actively querying available logs for provided IOCs and monitoring for suspicious traffic on common OT ports like 44818, 2222, 102, and 502, especially from overseas hosting providers.
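The last measure above, monitoring for traffic to common OT ports from sources outside the trusted engineering and OT ranges, is straightforward to automate against firewall or flow logs. The following is an added example written for this article, not code from CISA or any vendor. It assumes a constructed single-line log format (`<timestamp> <action> <proto> <src>:<port> -> <dst>:<port>`), assumed internal ranges `10.20.0.0/16` (OT) and `10.50.1.0/24` (engineering jump hosts), and the ports named in the text plus the Unitronics port 20256; the sample log lines are constructed and use documentation addresses for the external sources.

```python
"""Flag connections to PLC/OT service ports from non-allowlisted sources.

Added example, not part of the advisory. Log format, networks and sample
lines are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports named in the article as C2 / OT protocol channels, plus the
# Unitronics PCOM port seen in the 2023 campaign.
OT_PORTS = {
    44818: "EtherNet/IP (Rockwell CIP)",
    2222: "EtherNet/IP implicit I/O",
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    22: "SSH (e.g. Dropbear persistence)",
    20256: "Unitronics PCOM",
}

# Assumed trusted ranges; any other source talking to an OT port is flagged.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),  # assumed OT network
    ipaddress.ip_network("10.50.1.0/24"),  # assumed engineering jump hosts
]

# Constructed log format: "<ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    action: str  # DENY lines still matter: they show scanning/probing


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_ot_exposure(lines):
    """Return Alerts for every OT-port connection whose source is not allowlisted."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if rec["dport"] in OT_PORTS and not is_allowed_source(rec["src"]):
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                                OT_PORTS[rec["dport"]], rec["action"]))
    return alerts


# Constructed sample log: one legitimate engineering session, two external
# sessions to a PLC, one denied Modbus probe, one unrelated HTTPS flow, one junk line.
SAMPLE_LOG = [
    "2026-03-14T02:11:09Z ALLOW TCP 10.50.1.7:51234 -> 10.20.30.11:44818",
    "2026-03-14T02:13:40Z ALLOW TCP 203.0.113.45:40112 -> 10.20.30.11:44818",
    "2026-03-14T02:14:02Z ALLOW TCP 203.0.113.45:40113 -> 10.20.30.11:22",
    "2026-03-14T02:15:30Z DENY TCP 198.51.100.9:33001 -> 10.20.30.12:502",
    "2026-03-14T02:16:11Z ALLOW TCP 10.20.30.5:44000 -> 10.20.30.11:443",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in find_ot_exposure(SAMPLE_LOG):
        print(f"{a.ts} {a.action} {a.src} -> {a.dst}:{a.dport} ({a.service})")
```

Denied connections are reported alongside allowed ones on purpose: a burst of DENY entries against 502 or 44818 from a hosting-provider range is exactly the reconnaissance pattern the advisory asks operators to look for, and it is the allowed sessions that warrant immediate investigation. In practice, enrich `src` with the hosting provider or ASN before triage.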

Long-Term Resilience Strategies

Beyond immediate responses, organizations must adopt a proactive and layered approach to enhance the cybersecurity posture of their industrial control systems. Key long-term strategies include:

  1. Robust Network Segmentation: Isolate control systems from the internet and enterprise IT networks using firewalls and demilitarized zones (DMZs) to contain potential breaches.
  2. Multi-Factor Authentication (MFA): Implement MFA for all remote access to the OT network, including access from IT networks and external networks.
  3. Regular Updates and Patching: Keep PLCs, HMIs, and associated software updated with the latest versions and security patches from manufacturers.
  4. Backup and Recovery Planning: Create and regularly test strong backups of PLC logic and configurations, storing these backups offline to ensure rapid recovery in the event of a compromise or ransomware attack.
  5. OT-Specific Monitoring: Deploy OT-aware Intrusion Detection/Prevention Systems (IDS/IPS) and asset inventory tools to detect anomalous behavior and shadow OT devices.
  6. Employee Training and Awareness: Educate operators and staff about the risks associated with remote access, phishing attempts, and social engineering tactics targeting industrial environments.
  7. Vendor Coordination: Maintain close communication with PLC manufacturers (e.g., Rockwell Automation, Unitronics) to stay informed of security advisories and guidance.
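Strategy 4 above (offline backups of PLC logic and configuration) pays off twice if the backups double as an integrity baseline: the project-file manipulation described earlier can then be detected by hashing the current project exports and comparing them to a known-good manifest. The following is an added example written for this article, not a Rockwell or Unitronics tool. It assumes project exports live as plain files in a directory (the `.L5X` and `.cfg` file names and contents are constructed placeholders) and that the golden manifest was taken from a trusted backup.

```python
"""Hash-based integrity baseline for PLC project/configuration exports.

Added example, not vendor code. File names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream-hash a file so large project exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(golden, current):
    """Report what changed relative to the trusted (golden) manifest."""
    return {
        "modified": sorted(k for k in golden if k in current and golden[k] != current[k]),
        "missing": sorted(k for k in golden if k not in current),
        "unexpected": sorted(k for k in current if k not in golden),
    }


def demo():
    """Build a baseline, tamper with the export directory, and diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed placeholder exports (not real project content).
        (root / "pump_station_a.L5X").write_text("<placeholder: pump logic v1>")
        (root / "micro850_line2.cfg").write_text("placeholder: line2 config")
        golden = build_manifest(root)  # taken from the offline backup in practice

        # Simulated tampering: logic changed, one export deleted, one unknown file.
        (root / "pump_station_a.L5X").write_text("<placeholder: pump logic ALTERED>")
        (root / "micro850_line2.cfg").unlink()
        (root / "unknown_upload.L5X").write_text("placeholder: not in baseline")
        return compare_manifests(golden, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Run the comparison on a schedule from a host that is not the engineering workstation, and store the golden manifest with the offline backup so an attacker who can rewrite project files cannot also rewrite the baseline. A match does not prove the running PLC program equals the export; pair it with the vendor's own project-to-controller compare feature where available.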

A Call to Action: Securing the Industrial Frontier

The ongoing campaign by Iranian APT actors targeting U.S. critical infrastructure PLCs serves as a stark reminder of the persistent and evolving cyber threats facing industrialized nations. These attacks, while leveraging relatively unsophisticated initial access methods by exploiting internet-exposed devices, demonstrate a clear intent to cause tangible operational disruption and financial harm. The convergence of geopolitical tensions and cyber capabilities makes the defense of critical infrastructure paramount for national security and economic stability.

Protecting these vital systems requires a concerted and collaborative effort from government agencies, critical infrastructure owners and operators, and cybersecurity professionals. By diligently implementing the recommended mitigations, fostering a culture of cybersecurity awareness, and continuously adapting defenses to counter emerging TTPs, the U.S. can build resilience against these insidious Iranian APT PLC attacks and safeguard the foundational services upon which society depends. The time for proactive defense is now, for the cost of inaction could be catastrophic.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.