
Iranian Threat Actors Disrupt US Critical Infrastructure Via Exposed PLCs
Why It Matters
The attacks demonstrate how vulnerable OT devices can be weaponized in geopolitical conflicts, threatening the reliability of essential services and imposing costly disruptions on critical‑infrastructure operators.
Key Takeaways
- Iranian APT groups targeting Rockwell PLCs via exposed internet ports
- CISA advises removing direct internet exposure and deploying firewalls for OT devices
- Attackers used Dropbear SSH and Studio 5000 to gain remote PLC access
- Disruptions have already caused operational downtime and financial loss in utilities
- Threat highlights systemic design flaw of internet‑facing OT, not just a nation‑state issue
Pulse Analysis
The recent CISA advisory underscores a growing trend: Iranian‑affiliated advanced persistent threat groups are weaponizing exposed operational technology to strike U.S. critical infrastructure. The campaign, which launched shortly after a joint U.S.–Israel strike on Iranian facilities, focuses on programmable logic controllers from Rockwell Automation's Allen‑Bradley line. Because the targeted devices are directly reachable from the public Internet, the actors can manipulate process control logic, alter HMI displays, and disrupt water treatment plants or power systems without first breaching an enterprise network. This tactic reflects a broader shift toward using nation‑state‑backed cyber forces to achieve strategic leverage in geopolitical conflicts.
The attackers leveraged a combination of legitimate configuration software (Rockwell's Studio 5000 Logix Designer) and open‑source tools such as the lightweight Dropbear SSH server to establish persistent footholds. Traffic was directed at well‑known OT service ports: 44818 and 2222 (EtherNet/IP), 102 (ISO‑TSAP, used by S7comm), and 502 (Modbus/TCP), tradecraft catalogued in MITRE ATT&CK for ICS as T0885, Commonly Used Port. This allowed remote command execution on CompactLogix and Micro850 controllers. Such access enables tampering with PLC project files and real‑time manipulation of SCADA interfaces, resulting in immediate operational disruption and measurable financial loss. The reliance on internet‑facing PLCs highlights a chronic segmentation failure that transcends any single nation‑state adversary.
CISA's mitigation guidance urges utilities and municipal operators to pull PLCs off the public Internet, deploy dedicated firewalls or secure gateways, and log and alert on traffic to the identified ports. Organizations should also audit for Dropbear binaries on OT hosts, verify firmware integrity, and set the physical mode switch on affected controllers to RUN so that logic changes require on‑site access rather than a remote download. Beyond technical fixes, the episode calls for a policy shift: regulators must mandate air‑gapped or zero‑trust architectures for OT environments, and industry consortia should share IoC feeds in real time. Strengthening these defenses will reduce the attack surface and safeguard essential services from future state‑sponsored incursions.
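The port list above is only useful if someone is actually watching it. The following Python script is an added example, not code from the advisory or from CISA, that turns the two defensive points of this analysis (logging the OT ports, and auditing for an unexpected SSH listener such as Dropbear) into detection logic run over firewall flow records. The site layout (PLCs in 10.10.100.0/24, engineering workstations in 10.10.50.0/24), the key=value log format and the sample records are all constructed assumptions for illustration. It flags three conditions: an OT service reached from outside private address space (the Internet exposure the advisory describes), an OT service reached from an internal host that is not an engineering workstation (a segmentation gap), and SSH answering on a PLC‑segment host at all.

```python
import ipaddress

# OT service ports named in the advisory summary, with the protocol that
# normally sits behind each one.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
}
SSH_PORT = 22  # a Dropbear listener planted on a PLC-segment host would answer here

# Hypothetical site layout (an assumption for this example, not from the advisory):
# PLCs live in 10.10.100.0/24; only engineering workstations in 10.10.50.0/24
# are allowed to program them.
PLC_NET = ipaddress.ip_network("10.10.100.0/24")
ENGINEERING_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Everything outside RFC 1918 space (and not loopback/link-local) is treated as
# Internet-sourced. This is done explicitly rather than via is_global because
# the documentation ranges used in the sample below are not "global" in the
# ipaddress module's sense.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall flow records in a generic key=value form (not any vendor's format).
SAMPLE_LOG = """\
ts=2025-07-01T02:14:07Z src=203.0.113.45 dst=10.10.100.12 dport=44818 proto=tcp action=allow
ts=2025-07-01T02:14:09Z src=203.0.113.45 dst=10.10.100.12 dport=2222 proto=udp action=allow
ts=2025-07-01T02:15:30Z src=10.10.50.21 dst=10.10.100.12 dport=44818 proto=tcp action=allow
ts=2025-07-01T02:16:02Z src=10.10.20.77 dst=10.10.100.15 dport=502 proto=tcp action=allow
ts=2025-07-01T02:17:45Z src=198.51.100.9 dst=10.10.100.15 dport=22 proto=tcp action=allow
ts=2025-07-01T02:18:10Z src=10.10.50.21 dst=10.10.100.15 dport=102 proto=tcp action=deny
ts=2025-07-01T02:19:00Z src=10.10.50.22 dst=10.10.30.5 dport=443 proto=tcp action=allow
"""


def is_internet_source(addr):
    """True if addr is outside private address space, i.e. reached us from the Internet."""
    return not (addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918))


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict with typed fields; None if the record is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "ts": fields["ts"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields.get("proto", "tcp"),
            "action": fields.get("action", "allow"),
        }
    except (KeyError, ValueError):
        return None


def classify(rec):
    """Return (severity, reason) for one permitted flow into the PLC segment, or None."""
    if rec is None or rec["action"] != "allow" or rec["dst"] not in PLC_NET:
        return None
    src, dst, dport = rec["src"], rec["dst"], rec["dport"]
    if dport in OT_PORTS:
        svc = OT_PORTS[dport]
        if is_internet_source(src):
            # The exposure the advisory warns about: a PLC service reachable from outside.
            return ("CRITICAL", f"Internet host {src} reached {svc} on {dst}")
        if not any(src in net for net in ENGINEERING_NETS):
            # Internal, but not an engineering workstation: a segmentation gap or lateral move.
            return ("HIGH", f"non-engineering host {src} reached {svc} on {dst}")
        return None  # an engineering workstation doing its job
    if dport == SSH_PORT:
        # PLCs do not normally speak SSH; port 22 answering in this segment is
        # consistent with a planted Dropbear listener and is worth a host audit.
        sev = "CRITICAL" if is_internet_source(src) else "HIGH"
        return (sev, f"SSH reachable on PLC-segment host {dst} from {src}")
    return None


def audit(log_text):
    """Run every record through classify() and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(parse_line(line))
        if verdict:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for severity, reason in audit(SAMPLE_LOG):
        print(f"{severity:8} {reason}")
```

Denied flows are deliberately skipped so the output measures what the firewall let through, not what it blocked; if you want to see reconnaissance against the OT ports, drop the `action` check and report denies at a lower severity. On the sample records the script raises two CRITICAL findings for the public address hitting EtherNet/IP, one HIGH for an unexpected internal host speaking Modbus, and one CRITICAL for SSH answering on a PLC‑segment host from the Internet.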