Iran Linked Hackers Target US Critical Infrastructure Through PLC Exploits

Iran-affiliated cyber actors are actively targeting operational technology (OT) environments across critical infrastructure sectors in the United States by exploiting internet-facing devices such as programmable logic controllers (PLCs). According to warnings issued by the Federal Bureau of Investigation and other cybersecurity and intelligence agencies, these attacks have already led to reduced PLC functionality, manipulation of display data, and in certain cases operational disruption and financial loss. The campaign is described as part of an escalation in cyber activity linked to Iranian groups amid ongoing geopolitical tensions involving the United States and Israel.

The activity has specifically focused on industrial control environments where PLC systems play a central role in managing processes. The agencies indicated that attackers have carried out malicious interactions with project files and manipulated data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. These actions have resulted in disruptions across multiple sectors, including government services, water and wastewater systems, and energy infrastructure. Devices from Rockwell Automation, particularly Allen-Bradley PLCs such as the CompactLogix and Micro850 models, have been identified among the primary targets in this campaign.

Investigators found that the threat actors leveraged leased, third-party-hosted infrastructure and configuration tools, including Rockwell Automation's Studio 5000 Logix Designer software, to establish trusted connections with targeted PLC systems. After gaining initial access, the attackers deployed Dropbear, an SSH-based tool, to maintain remote control over compromised devices through port 22. This access enabled them to extract project files and manipulate operational data displayed on HMI and SCADA systems. The methods used highlight a growing trend in which attackers blend legitimate tools with malicious techniques to evade detection and maintain persistence within industrial networks.

Security agencies have urged organizations to take preventive measures to mitigate the risks associated with such attacks. Recommendations include avoiding direct internet exposure of PLC devices, implementing controls to prevent remote modifications, and deploying multi-factor authentication to secure access points. Additional steps such as placing firewalls or network proxies in front of PLC systems, keeping devices updated, disabling unused authentication features, and monitoring network traffic for anomalies are also emphasized. These measures are aimed at reducing the attack surface and improving resilience against intrusions targeting operational technology environments.
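As an added illustration (not part of the article or the agencies' guidance), the following Python script applies the monitoring recommendation above to constructed flow-log lines: it flags PLC-bound connections from outside internal address space, SSH sessions to a controller (the article notes Dropbear listening on port 22), and programming-port traffic from hosts that are not allowlisted engineering workstations. The PLC subnet, workstation address, log format and port 44818 (EtherNet/IP, the port Studio 5000 uses to program Logix controllers) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: the PLC subnet and the only engineering
# workstation that should program controllers. Hypothetical values.
PLC_NET = ipaddress.ip_network("10.20.30.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.21")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_PORT = 22                # Dropbear listener the agencies observed on compromised PLCs
PROGRAMMING_PORTS = {44818}  # EtherNet/IP, used by Studio 5000 (assumption, not from the article)

@dataclass
class Alert:
    line: str
    reason: str

def parse_flow(line):
    # Constructed flow-log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto

def check_flow(line):
    """Return an Alert for a PLC-bound flow that breaks the exposure rules, else None."""
    _, src, dst, dport, _ = parse_flow(line)
    if dst not in PLC_NET:
        return None
    if not any(src in net for net in INTERNAL_NETS):
        return Alert(line, "PLC reachable from outside internal address space")
    if dport == SSH_PORT:
        return Alert(line, "SSH session to a PLC (Dropbear-style remote access)")
    if dport in PROGRAMMING_PORTS and src not in ENGINEERING_HOSTS:
        return Alert(line, "programming-port traffic from a non-engineering host")
    return None

def scan(lines):
    return [a for a in map(check_flow, lines) if a is not None]

SAMPLE_FLOWS = [  # constructed sample lines; 198.51.100.23 is a documentation address
    "2025-01-05T10:00:01Z 10.10.5.21 10.20.30.7 44818 tcp",    # allowlisted workstation, clean
    "2025-01-05T10:00:09Z 198.51.100.23 10.20.30.7 44818 tcp", # external host programming a PLC
    "2025-01-05T10:01:15Z 10.10.8.44 10.20.30.7 22 tcp",       # SSH into a controller
    "2025-01-05T10:02:30Z 10.10.8.44 10.20.30.9 44818 tcp",    # office host with Studio 5000
    "2025-01-05T10:03:00Z 10.10.8.44 10.10.9.1 443 tcp",       # not PLC-bound, ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(f"{alert.reason}: {alert.line}")
```

In practice the inventory and allowlist would come from the site's asset register, and the same rules can be expressed as firewall policy so that the flows are blocked rather than only flagged.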

The latest campaign reflects a continuation of previous incidents involving Iranian threat groups targeting industrial systems. In 2023, a group identified as Cyber Av3ngers was linked to the exploitation of Unitronics PLCs affecting municipal water infrastructure in Pennsylvania, where multiple devices were compromised. Recent intelligence also points to a broader ecosystem of cyber activity associated with entities aligned with Iran's Ministry of Intelligence and Security, including coordinated influence operations and hack-and-leak campaigns. Research from DomainTools Investigations suggests that groups such as Homeland Justice, Karma, and Handala Hack operate as interconnected fronts rather than independent entities, using shared infrastructure and communication channels, including public domains and Telegram, for both messaging and command operations.

Further analysis from cybersecurity firms including Check Point and JUMPSEC has highlighted connections between state-linked actors such as MuddyWater and broader cybercrime ecosystems. These operations have involved tools like CastleRAT and malware frameworks that deploy components such as ChainShell and Tsundere, sometimes using blockchain-based mechanisms to retrieve command-and-control instructions. The use of commercially available or criminal malware services alongside state-directed objectives indicates an evolving threat landscape in which attribution becomes more complex and defensive strategies must adapt to hybrid attack models targeting both IT and OT environments.
