Iranian-Affiliated Cyber Actor... Note

Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

This advisory warns of Iranian-affiliated cyber actors targeting US critical infrastructure, specifically focusing on Rockwell Automation/Allen-Bradley PLCs. These actors exploit internet-facing OT devices, causing disruptions by manipulating project files and data on HMI/SCADA displays, resulting in operational and financial losses. The affected sectors include government, water, wastewater, and energy sectors. Organizations should review the provided indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Key actions include removing PLCs from internet exposure, checking logs for suspicious traffic, and contacting relevant agencies. The attacks utilized overseas-based IP addresses and targeted specific ports used by OT devices. The FBI assesses these attacks are part of an ongoing campaign to cause disruptions. The advisory includes a list of IP addresses and MITRE ATT&CK techniques employed by the actors. Recommended mitigations align with CISA and NIST's Cross-Sector Cybersecurity Performance Goals 2.0. Organizations should also consult Rockwell Automation's security guidance. Similar attacks have been previously attributed to the CyberAv3ngers group.