U.S. agencies warn Iran-linked threat actors are targeting internet-exposed PLCs used in critical infrastructure networks.
U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure. The agencies published a joint advisory involving multiple federal organizations.
“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.” reads the joint advisory. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.”
Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.
The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urge organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.
Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.
“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations.” conctinues the alert. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.
During a campaign starting in November 2023, IRGC-linked hackers known as CyberAv3ngers targeted U.S. PLCs and HMIs, disrupting operations. Also tracked under multiple names, the group compromised at least 75 devices, including Unitronics PLCs used across sectors like water and wastewater systems.
“During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as “CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS”
According to the joint advisory, Iran-linked actors gained initial access to internet-facing Rockwell/Allen-Bradley PLCs using overseas IPs and leased infrastructure, leveraging tools like Studio 5000 Logix Designer. They targeted devices such as CompactLogix and Micro850. For command and control, attackers used ports including 44818, 2222, 102, 22, and 502, and deployed SSH tools like Dropbear for remote access. Activity suggests possible targeting of other vendors, including Siemens PLCs. The attacks enabled the extraction of project files and manipulation of data on HMI and SCADA systems, causing disruption.
Government experts recommend disconnecting PLCs from the internet or protecting them with a firewall, monitoring OT ports for suspicious traffic, scanning logs for indicators of compromise, enabling multifactor authentication, updating firmware, disabling unused services or default keys, and continuously monitoring network activity.
In Mid-March, EU sanctioned Chinese and Iranian firms and individuals for cyberattacks targeting critical infrastructure and over 65,000 devices across member states.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Iran)
Source: SecurityAffairs
Source Link: https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html