US agencies warn of Iranian-linked attacks on internet-facing PLCs

US cybersecurity and intelligence agencies said Tuesday that Iran-affiliated hackers have been targeting internet-facing operational technology devices across critical infrastructure, including programmable logic controllers, and have caused diminished functionality, display manipulation and, in some cases, operational disruption.

KEY FACTS

  • Targeting: Rockwell Automation and Allen-Bradley PLCs were singled out in government, water and wastewater, and energy environments.
  • Access method: The actors used leased third-party infrastructure and configuration software to create an accepted connection to victim devices.
  • Effects: The activity led to project file extraction, HMI and SCADA display manipulation, and operational disruption in some cases.
  • Mitigations: Agencies urged organizations to avoid internet exposure, require MFA, restrict remote modification and monitor for unusual traffic.

The official advisory said the activity involved malicious interactions with project files and with human-machine interface and supervisory control and data acquisition displays. Targeted devices included CompactLogix and Micro850 PLCs.

Investigators said the attackers deployed Dropbear SSH software on victim endpoints to maintain remote access through port 22 and to help extract device data. The advisory said the campaign affected several US critical infrastructure sectors.
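As an added example, not code from the advisory or the article, the following Python checks flow records for the two patterns described above and in the mitigations: SSH (TCP/22) sessions reaching OT assets, which is how a Dropbear listener on a PLC endpoint would show up, and connections to the PLC programming port from hosts outside an allowlist of engineering workstations. The OT subnet, internal range, allowlist and sample flows are assumed values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed site values: the OT address range, the corporate range, and the
# engineering hosts permitted to program PLCs. Replace with real inventory data.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.21")}
# Watched destination ports: SSH (the advisory says Dropbear listened on 22)
# and EtherNet/IP explicit messaging, the port Rockwell programming tools use.
WATCH_PORTS = {22: "ssh-to-ot", 44818: "enip-programming"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def classify(flow: Flow) -> Optional[str]:
    """Return an alert label if the flow reaches an OT asset on a watched port
    and is not expected traffic; otherwise return None."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.proto != "tcp" or dst not in OT_SUBNET:
        return None
    label = WATCH_PORTS.get(flow.dport)
    if label is None:
        return None
    if label == "ssh-to-ot":
        # A PLC or HMI has no business accepting SSH; alert regardless of source.
        return f"{label}: {flow.src} -> {flow.dst}:{flow.dport}"
    if src in ENGINEERING_HOSTS:
        return None
    origin = "internal" if src in INTERNAL_RANGE else "external"
    return f"{label} from {origin} host: {flow.src} -> {flow.dst}:{flow.dport}"

def scan(flows: List[Flow]) -> List[str]:
    """Run classify() over a batch of flows and keep only the alerts."""
    return [a for a in (classify(f) for f in flows) if a]

# Constructed sample flows (documentation addresses) for a stand-alone run.
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "10.20.1.7", 44818),    # allowlisted engineering workstation
    Flow("203.0.113.45", "10.20.1.7", 44818),  # leased third-party host programming a PLC
    Flow("10.20.1.7", "10.30.0.9", 443),       # unrelated outbound traffic
    Flow("198.51.100.8", "10.20.1.7", 22),     # SSH session to a PLC endpoint
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```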

The FBI said the attacks have also caused financial loss in some cases. The broader campaign comes amid a recent rise in Iranian cyber activity against US organizations and follows earlier incidents involving PLC exploitation in the United States.

Separately, other research described related activity tied to Iranian influence operations and malware distribution through Telegram channels and public-facing domains. One report said several personas formed a coordinated ecosystem aligned with Iran’s Ministry of Intelligence and Security.

Another analysis linked MuddyWater to CastleRAT operations and said a PowerShell loader delivered ChainShell, which then used an Ethereum smart contract to retrieve a command-and-control address. It also said the same loader had delivered Tsundere malware.

WHY IT MATTERS

The findings show that widely deployed industrial systems can be disrupted through internet exposure and remote-access abuse, which raises operational risk for utilities, energy operators and government facilities. The advisory also points to practical controls that can reduce exposure before a device is reached.