Nearly 4,000 US industrial facilities exposed to Iranian cyber attack

The attack surface targeted by Iran-linked hackers in cyberattacks against US critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation.
According to a joint advisory issued by several US government agencies on Tuesday, hacking groups supported by the Iranian regime have been targeting Rockwell Automation/Allen-Bradley PLC devices since March 2026, causing operational disruptions and financial losses.
“The Iranian-backed APT’s campaigns against US organizations have recently intensified, possibly because of the hostility between Iran, the United States and Israel,” the watchdog warned.
“The FBI identified that this activity resulted in the release of the device’s project file and the manipulation of data on HMI and SCADA displays.”
As the cybersecurity firm Censys reported a day later, three-quarters of the more than 5,200 such devices found exposed on the Internet worldwide are located in the United States.
“Censys data identifies 5,219 Internet-exposed hosts worldwide that respond to EtherNet/IP (EIP) and identify themselves as Rockwell Automation/Allen-Bradley devices,” Censys said.
“The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share of mobile carrier ASNs showing devices deployed in the field on cellular modems.”

To reduce exposure to this ongoing campaign, network defenders are advised to place PLCs behind a firewall or disconnect them from the Internet entirely, review logs for signs of malicious activity, and look for suspicious traffic on OT ports, particularly when it originates from hosting providers abroad.
Administrators should also require multifactor authentication (MFA) for access to OT networks, keep PLC firmware up to date, and disable unused services and authentication methods.
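One way to act on the "check for suspicious traffic on OT ports" advice is to hunt through perimeter firewall logs for connections to the EtherNet/IP ports that Rockwell/Allen-Bradley PLCs listen on (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O) whose source is outside the plant's RFC 1918 space and not on an explicit allow-list. The script below is an added example, not code from the advisory, from Censys, or from Rockwell; the key=value log format, the sample log lines and the vendor allow-list range are constructed for illustration.

```python
"""Hunt for Internet-sourced EtherNet/IP connections in firewall logs.

Added example, not code from the advisory or from Censys. It scans a few
constructed firewall log lines (key=value format assumed for illustration)
and reports connections to the EtherNet/IP ports used by Rockwell/Allen-Bradley
PLCs (TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O) whose source is
neither RFC 1918 nor on an operator-supplied allow-list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Ports EtherNet/IP (CIP encapsulation) listens on.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Plant-internal address space: RFC 1918 only. Python's is_private also treats
# the TEST-NET documentation ranges as private, so it is deliberately not used.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log line shape: space-separated key=value fields.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    allowed: bool  # True means the firewall let the connection through


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; lines without fields yield {}."""
    return dict(FIELD_RE.findall(line))


def is_trusted(src: str, allowlist: List[ipaddress.IPv4Network]) -> bool:
    """Trusted = RFC 1918 or inside an explicitly allow-listed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as untrusted so it gets reported
    return any(addr in net for net in RFC1918 + allowlist)


def scan(lines: Iterable[str], allowlist: Iterable[str] = ()) -> List[Finding]:
    """Return one Finding per external connection aimed at an EtherNet/IP port."""
    allow = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    findings = []
    for line in lines:
        f = parse_line(line)
        try:
            proto, dport = f["proto"].lower(), int(f["dpt"])
            src, dst = f["src"], f["dst"]
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip it, don't crash the hunt
        if (proto, dport) not in ENIP_PORTS or is_trusted(src, allow):
            continue
        allowed = f.get("action", "").lower() in ("allow", "accept", "permit")
        findings.append(Finding(f.get("ts", "?"), src, dst, proto, dport, allowed))
    return findings


def exposed_plcs(findings: Iterable[Finding]) -> List[str]:
    """PLC addresses an external host actually reached (firewall action=allow)."""
    return sorted({x.dst for x in findings if x.allowed})


# Constructed sample log using documentation IPs; not real traffic.
SAMPLE_LOG = [
    "ts=2026-04-01T03:12:07Z src=10.20.1.15 spt=51234 dst=10.20.5.10 dpt=44818 proto=tcp action=allow",
    "ts=2026-04-01T03:12:09Z src=203.0.113.45 spt=40011 dst=10.20.5.10 dpt=44818 proto=tcp action=allow",
    "ts=2026-04-01T03:12:11Z src=198.51.100.7 spt=60000 dst=10.20.5.10 dpt=2222 proto=udp action=deny",
    "ts=2026-04-01T03:12:14Z src=203.0.113.45 spt=40012 dst=10.20.5.11 dpt=22 proto=tcp action=allow",
    "ts=2026-04-01T03:12:20Z src=192.0.2.9 spt=3456 dst=10.20.5.12 dpt=44818 proto=udp action=allow",
    "garbage line with no fields",
]

if __name__ == "__main__":
    # Assumed allow-list: a vendor remote-support range the plant deliberately permits.
    hits = scan(SAMPLE_LOG, allowlist=["192.0.2.0/24"])
    for x in hits:
        print(f"{x.ts} {x.src} -> {x.dst} {x.proto}/{x.dport} {'ALLOWED' if x.allowed else 'blocked'}")
    print("PLCs reachable from outside:", exposed_plcs(hits))
```

Blocked attempts are still worth reporting: they show who is probing for PLCs, and a denied probe from the same source that later succeeds on another port is exactly the pattern the advisory asks defenders to look for. An allowed hit to port 44818 means the PLC is reachable from the Internet and belongs at the top of the firewall-or-disconnect list.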
This ongoing operation follows a similar campaign almost three years ago, in which CyberAv3ngers, a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), targeted vulnerabilities in Unitronics operational technology (OT) devices in the US.
CyberAv3ngers compromised at least 75 Unitronics PLCs in multiple waves of attacks between November 2023 and January 2024, roughly half of them at Water and Wastewater Systems facilities across the United States.
More recently, the Handala hacktivist group (linked to Iran's Ministry of Intelligence and Security) wiped nearly 80,000 devices on the network of US medical technology company Stryker, including company-owned employee mobile devices and personal computers.