Iran-Linked Hackers Target Internet-Exposed PLCs to Disrupt U.S. Critical Infrastructure

Cybersecurity authorities have issued warnings about a surge in attacks by Iran-linked threat actors targeting operational technology systems in the United States. These attacks are focused on internet-accessible industrial devices, particularly programmable logic controllers (PLCs), which are widely used in critical infrastructure environments.

According to alerts from the Federal Bureau of Investigation (FBI), these intrusions have already resulted in reduced functionality of PLC systems, unauthorized manipulation of interface data, and in certain cases, operational downtime and financial damage.

Escalation in Cyber Activity Linked to Geopolitical Tensions

Officials believe the campaign is part of a broader increase in cyber operations attributed to Iranian groups, likely driven by ongoing geopolitical tensions involving Iran, the United States, and Israel.

The attacks specifically target operational technology environments by interfering with project files and altering data displayed on human-machine interfaces and supervisory control systems.

Targeted Industrial Systems and Sectors

The campaign has impacted devices produced by Rockwell Automation, including its Allen-Bradley PLC series.

Affected sectors include:

  • Government facilities
  • Water and wastewater systems
  • Energy infrastructure

These industries rely heavily on PLC systems for automation and operational control, making them critical targets.

Attack Method and Initial Access

Threat actors used third-party hosted infrastructure together with legitimate configuration software, such as Studio 5000 Logix Designer, to establish connections that the targeted PLC devices treated as trusted.

The primary targets included CompactLogix and Micro850 PLC systems.

Once access was gained, attackers deployed Dropbear, a lightweight Secure Shell (SSH) server, to create persistent remote access over port 22. This allowed them to:

  • Extract PLC project files
  • Modify operational data
  • Manipulate HMI and SCADA displays

These changes directly affected system operations and visibility.


Recommended Security Measures

To mitigate risks associated with these attacks, organizations are strongly advised to:

  • Avoid exposing PLC devices directly to the internet
  • Restrict remote access through physical or software controls
  • Implement multi-factor authentication (MFA)
  • Deploy firewalls or network proxies to regulate access
  • Keep firmware and systems fully updated
  • Disable unused authentication mechanisms
  • Monitor network traffic for unusual activity
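
One way to put the last recommendation into practice, shown here as an added example that is not code from the advisory or the article: a small Python scanner that reads constructed connection records and flags PLC-bound sessions matching the behaviour described above (SSH on port 22 to a controller, programming-software connections from hosts that are not approved engineering workstations, and any PLC traffic from outside the organisation's networks). The subnets, host addresses and the EtherNet/IP port 44818 used by Logix Designer are assumptions.

```python
import ipaddress
import re

# Constructed sample addressing (assumption, not from the advisory): the PLC subnet,
# the organisation's internal ranges, and the only approved engineering workstation.
PLC_NETWORK = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.0.7")}

# Ports worth watching on a PLC: 22 (SSH, where the Dropbear persistence described
# above listens) and 44818 (EtherNet/IP, assumed here as the Logix Designer port).
SSH_PORT = 22
ENIP_PORT = 44818

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)

def classify_flow(line):
    """Return a finding string for a suspicious PLC-bound flow, or None."""
    m = FLOW_RE.match(line)
    if not m:
        return None  # malformed record: skip rather than guess
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst not in PLC_NETWORK:
        return None  # only PLC-bound traffic is in scope here
    if not any(src in net for net in INTERNAL_NETWORKS):
        # A PLC should never be reachable from outside the internal networks.
        return f"{m['ts']} plc_reached_from_outside {src}->{dst}:{dport}"
    if dport == SSH_PORT:
        # PLCs do not normally run SSH; a listener on 22 suggests an implanted service.
        return f"{m['ts']} ssh_session_to_plc {src}->{dst}:{dport}"
    if dport == ENIP_PORT and src not in APPROVED_ENGINEERING_HOSTS:
        # Programming traffic from a host that is not an approved engineering workstation.
        return f"{m['ts']} programming_session_from_unapproved_host {src}->{dst}:{dport}"
    return None

def scan_flows(lines):
    """Run classify_flow over a flow export and return every finding in order."""
    return [f for f in (classify_flow(line) for line in lines) if f]

# Constructed flow export for demonstration (timestamps and addresses are made up).
SAMPLE_FLOWS = [
    "2025-06-30T08:01:10Z src=10.10.0.7 dst=10.20.0.15 dport=44818 proto=tcp",   # approved workstation
    "2025-06-30T08:02:44Z src=203.0.113.9 dst=10.20.0.15 dport=44818 proto=tcp",  # external source
    "2025-06-30T08:05:02Z src=10.10.0.31 dst=10.20.0.15 dport=22 proto=tcp",      # SSH to a PLC
    "2025-06-30T08:06:19Z src=10.10.0.31 dst=10.20.0.15 dport=44818 proto=tcp",   # unapproved host
    "2025-06-30T08:07:00Z src=10.10.0.7 dst=10.10.0.50 dport=22 proto=tcp",       # not PLC-bound
]
```

Running `scan_flows(SAMPLE_FLOWS)` yields three findings: the external source, the SSH session to the PLC, and the programming session from the unapproved host.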

Previous Incidents and Ongoing Threats

This is not an isolated event. In late 2023, the Iran-linked group Cyber Av3ngers targeted industrial control systems, exploiting Unitronics PLC devices in a municipal water authority in Pennsylvania, affecting dozens of systems.

Security researchers emphasize that current attacks follow known patterns, indicating a continued and expanding focus on operational technology by Iranian actors.

Rise of Coordinated Cyber Influence Operations

Recent intelligence reports suggest that multiple cyber personas, including Homeland Justice, Karma, and Handala Hack, are part of a unified operational framework linked to Iran’s Ministry of Intelligence and Security.

These entities operate across public platforms such as websites and messaging applications to distribute propaganda, coordinate attacks, and manage command-and-control communications.

Messaging platforms are also being used to streamline malware communication, reduce infrastructure costs, and blend malicious activity with normal traffic.


MuddyWater and Advanced Malware Deployment

In parallel developments, the Iranian state-sponsored group MuddyWater has been linked to advanced malware campaigns targeting Israeli entities.

The group is known to deploy tools like CastleRAT, part of a broader attack framework. Their operations involve PowerShell-based loaders that install new malware strains such as ChainShell, which leverages blockchain-based communication to retrieve command-and-control instructions.

Additionally, other malware components like Tsundere have been identified as part of the same ecosystem.

Blending Cybercrime with State Operations

Security analysts highlight a growing trend where state-sponsored groups increasingly rely on commercially available cybercrime tools. This approach enhances their capabilities while making attribution more challenging for defenders.
