Concise Cyber


Iranian-Linked APT Actors Target U.S. Critical Infrastructure PLCs, Causing Disruptions

U.S. critical infrastructure is facing an escalating threat from Iranian-affiliated Advanced Persistent Threat (APT) actors, according to a growing number of security agencies and industry experts. Since March 2023, these groups have been actively targeting Programmable Logic Controllers (PLCs), causing operational disruptions and financial losses. The attacks, which have intensified recently amid heightened tensions between Iran, the U.S., and Israel, are part of a state-directed ecosystem involving hacktivist groups.

The primary focus of these attacks is on Rockwell Automation Allen-Bradley PLCs, frequently found in the energy, water, and government sectors. Specifically, CompactLogix and Micro850 PLCs are being targeted. Attackers are exploiting internet-facing Operational Technology (OT) devices, utilizing techniques such as manipulating HMI/SCADA data, malicious interaction with project files, and deploying Dropbear SSH for Command and Control (C2) via port 22. The FBI assesses that Iranian-affiliated actors are actively targeting these PLCs to cause disruptions.

Security researchers have observed sophisticated tactics, including access to Rockwell Studio 5000 Logix Designer software to gain control of PLCs. Attackers are also manipulating HMI/SCADA displays to mislead operators and create confusion. These actions are not random; they are part of a calculated strategy linked to the IRGC Cyber Electronic Command, according to U.S. agencies including the FBI, CISA, and NSA. A water system in Pennsylvania experienced attacks in late 2023, illustrating the real-world impact of these cyber operations.

The ongoing activity is being attributed to groups such as Hydro Kitten and UNC5691, alongside known entities like MuddyWater and Shahid Kaveh Group. These actors are believed to be leveraging tools like CastleRAT and ChainShell. The recent escalation is particularly concerning given the current geopolitical climate. Experts warn that this represents a significant shift in Iranian cyber capabilities, moving beyond traditional reconnaissance and denial-of-service attacks to more disruptive and impactful operations targeting essential services.

Security professionals are urged to review their PLC security posture, particularly focusing on segmenting OT networks, implementing robust access controls, and regularly patching vulnerable systems. The convergence of geopolitical tensions and increasingly sophisticated cyberattacks underscores the critical need for enhanced collaboration between government agencies and the private sector to defend against these evolving threats.
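As an added illustration (not code from the article or from any agency cited in it), the following Python check turns the patterns described above into flow-log rules a defender could run: an OT host reached from the internet, an OT host opening outbound SSH on TCP/22, SSH into an OT host from anything other than an allow-listed engineering workstation, and a Dropbear banner on a PLC. The log format, the 10.50.0.0/16 OT range, the 10.50.1.10 workstation and all sample lines are constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: OT address space and the one approved engineering workstation.
OT_SUBNET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_MGMT = {ipaddress.ip_address("10.50.1.10")}
# RFC 1918 ranges; anything outside them is treated as internet-facing traffic.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    banner: str = ""


def parse_flow(line: str) -> Flow:
    # Constructed log format: "src=<ip> dst=<ip> dport=<port> [banner=<text>]".
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("banner", ""))


def classify(flow: Flow) -> list[str]:
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_ot, dst_ot = src in OT_SUBNET, dst in OT_SUBNET
    src_external = not any(src in n for n in INTERNAL)
    findings = []
    # 1) Internet-facing OT: a non-RFC1918 source reaching a host in the OT range.
    if dst_ot and src_external:
        findings.append("inbound-from-internet-to-OT")
    # 2) A PLC initiating SSH to somewhere outside OT: consistent with SSH-based C2.
    if src_ot and flow.dport == 22 and not dst_ot:
        findings.append("outbound-ssh-from-OT")
    # 3) SSH into OT from anything but the approved workstation.
    if dst_ot and flow.dport == 22 and src not in ALLOWED_MGMT:
        findings.append("ssh-to-OT-from-unapproved-source")
    # 4) Dropbear banner on an OT host, which these PLCs are not expected to serve.
    if dst_ot and "dropbear" in flow.banner.lower():
        findings.append("dropbear-banner-on-OT-host")
    return findings


def scan(lines: list[str]) -> dict[str, list[str]]:
    # Returns only the lines that produced at least one finding.
    results = {line: classify(parse_flow(line)) for line in lines if line.strip()}
    return {line: f for line, f in results.items() if f}
```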

U.S. Cyber Command, DOE, EPA, and other agencies are actively working to mitigate the risks posed by these attacks and provide guidance to critical infrastructure operators. The situation remains fluid, and further disruptions are possible as tensions continue to rise. Thehackernews.com reports that Iranian-linked hackers have disrupted U.S. critical infrastructure, highlighting the severity of the situation.

Sources:

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and the owners and publishers of this website cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
