Exploitation of PLCs by Iran-Linked Actors in U.S. Critical Infrastructure
- Security Team

ICS Labs’ CTI identified that U.S. federal agencies (FBI, CISA, NSA, EPA, DOE, and CNMF) issued an urgent alert regarding an active campaign conducted by Iran-affiliated APT actors targeting Operational Technology (OT) devices, particularly Internet-exposed Programmable Logic Controllers (PLCs). The attacks have already caused operational disruptions and financial losses across multiple critical infrastructure sectors, including government services, water, wastewater, and energy.
Scope and Targets
The attacks primarily target PLCs widely used in industrial automation, with a particular focus on Rockwell Automation equipment (Allen-Bradley line), though there are indications of expansion to other manufacturers. These devices are integrated into industrial environments using HMI and SCADA systems, significantly increasing the potential impact.
Attack Vector and TTPs
The actors mainly exploit PLCs that are directly exposed to the Internet, establishing remote connections through legitimate industrial engineering software. This approach enables initial access without classic vulnerability exploitation, relying instead on misconfiguration and improper exposure. Once inside the environment, the attackers leverage common industrial protocol ports and deploy remote access mechanisms such as SSH to maintain persistence. There are also indications of attempts to access devices from other manufacturers, suggesting a broader and more opportunistic campaign.
Observed Impact
- Operational disruptions in industrial processes
- Manipulation of critical data (potential physical risk)
- Financial losses associated with downtime
- Compromise of OT system integrity
Context and Attribution
The activity is attributed to an Iran-affiliated APT group, possibly linked to the group known as CyberAv3ngers (Shahid Kaveh Group), which has previously been associated with the IRGC (Islamic Revolutionary Guard Corps). There are indications of a recent escalation of these campaigns, driven by ongoing geopolitical tensions.
IOCs
The agencies identified IP addresses used by the actors to communicate with compromised devices. These indicators should be used for log correlation and investigation, not necessarily for automatic blocking without proper contextual validation.
Key Observed IPs:
- 135.136.1[.]133 — activity in March 2026
- 185.82.73[.]162 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]164 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]165 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]167 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]168 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]170 — activity from Jan/2025 to Mar/2026
- 185.82.73[.]171 — activity from Jan/2025 to Mar/2026
These addresses were associated with the use of third-party infrastructure to remotely access exposed PLCs.
Security Team Recommendations
Security teams must act urgently to reduce the attack surface and detect potential compromises. It is critical to ensure that no PLC is directly exposed to the Internet by fully removing port exposure and implementing remote access exclusively through secure gateways such as VPNs and tightly controlled firewalls. Multi-factor authentication (MFA) should be enforced whenever possible, especially for external access to OT networks.
It is also essential to strengthen the protection of field devices such as cellular modems by ensuring strong authentication and enabling logging for monitoring. PLC devices should preferably operate in “run” mode to avoid unauthorized remote changes, and any unnecessary functionality (such as Telnet, FTP, RDP, or VNC) should be disabled.
Organizations must maintain secure, offline backups of PLC configurations and logic to enable rapid recovery in the event of an incident. In addition, continuous monitoring of network traffic and events should be implemented, with particular focus on detecting unusual access, configuration changes, and misuse of industrial protocols.
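As an added example (not part of the ICS Labs advisory or of any vendor tooling), the log correlation suggested under IOCs and the unusual-access monitoring recommended above can be combined in a small triage script: it refangs the published addresses and flags firewall lines where either endpoint is a listed IOC, or where a non-RFC 1918 source reaches a PLC subnet on a service the advisory says should be disabled. The key=value log format, the 10.20.0.0/24 PLC subnet, the sample lines and the EtherNet/IP port 44818 are assumptions, not values from the advisory.

```python
import ipaddress
import re

# IOCs published in the advisory, in the defanged form shown above.
ADVISORY_IOCS = [
    "135.136.1[.]133", "185.82.73[.]162", "185.82.73[.]164", "185.82.73[.]165",
    "185.82.73[.]167", "185.82.73[.]168", "185.82.73[.]170", "185.82.73[.]171",
]
# Services the advisory says to disable on PLCs, plus EtherNet/IP on TCP 44818
# (the CIP port Allen-Bradley controllers listen on; that port is an addition here).
WATCHED_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp",
                 5900: "vnc", 44818: "ethernet-ip"}
# RFC 1918 space; any source outside it is treated as external (Internet) below.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical key=value firewall log format, matching the constructed sample below.
LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)")


def refang(ioc):
    """Turn a defanged '1.2.3[.]4' string into a validated IPv4Address."""
    return ipaddress.IPv4Address(ioc.replace("[.]", "."))


IOC_SET = {refang(i) for i in ADVISORY_IOCS}


def assess_line(line, plc_nets):
    """Finding dict for a line worth review, else None. Triggers: an endpoint is an
    advisory IOC, or an external source reaches a PLC subnet on a watched port."""
    m = LOG_RE.search(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    ts, src, dst, dport, action = m.groups()
    src_ip, dst_ip, port = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), int(dport)
    reasons = []
    if src_ip in IOC_SET or dst_ip in IOC_SET:
        reasons.append("advisory-ioc")
    external = not any(src_ip in n for n in RFC1918)
    if external and any(dst_ip in n for n in plc_nets) and port in WATCHED_PORTS:
        reasons.append("external-%s-to-plc" % WATCHED_PORTS[port])
    if not reasons:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": port, "action": action, "reasons": reasons}


# Constructed sample log (not real traffic); 10.20.0.0/24 is the assumed PLC VLAN.
PLC_NETS = [ipaddress.IPv4Network("10.20.0.0/24")]
SAMPLE_LOG = [
    "ts=2026-03-02T10:00:01Z src=185.82.73.162 dst=10.20.0.15 dport=44818 action=allow",
    "ts=2026-03-02T10:00:07Z src=203.0.113.9 dst=10.20.0.15 dport=22 action=allow",
    "ts=2026-03-02T10:00:09Z src=10.20.0.50 dst=10.20.0.15 dport=44818 action=allow",
]
```

Run `assess_line` over each line of a firewall export; the third sample line (an internal engineering host talking to the PLC) produces no finding, which is the baseline that the first two should stand out against.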
Finally, it is highly recommended to continuously validate security controls against frameworks such as MITRE ATT&CK, testing the effectiveness of defenses against real-world adversary techniques. Security maturity in OT environments should evolve toward a more proactive model, emphasizing segmentation, visibility, and rapid incident response.
Sources: