
Iranian-Affiliated Cyber Actors Exploit Rockwell Automation Programmable Logic Controllers Across U.S. Critical Infrastructure — CISA AA26-097A

On April 7, 2026, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and U.S. Cyber Command's Cyber National Mission Force (CNMF) jointly released advisory AA26-097A, warning of active exploitation of internet-exposed Rockwell Automation programmable logic controllers (PLCs) by Iranian-affiliated cyber actors. The threat actors, linked to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and operating under the persona CyberAv3ngers — also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691 — have targeted PLCs deployed in U.S. government facilities, water and wastewater systems, and energy sector infrastructure. The advisory represents a significant escalation in Iranian offensive cyber capability against operational technology, consistent with anticipated retaliatory activity following the launch of Operation Epic Fury on February 28, 2026.

The observed attack pattern begins with the identification of internet-exposed Rockwell Automation CompactLogix and Micro850 PLCs from overseas-based IP addresses and leased third-party hosting infrastructure. Threat actors leverage legitimate Rockwell Automation software, specifically Studio 5000 Logix Designer, to connect directly to victim PLCs without exploiting a traditional software vulnerability. (Studio 5000 is the engineering tool for CompactLogix; Micro850 controllers are normally programmed with Connected Components Workbench, so both engineering tools belong in any exposure review.) Instead, the actors exploit the absence of authentication controls or weak default credentials on devices inadvertently exposed to the public internet. Following initial access, actors deploy Dropbear SSH on port 22 to establish a persistent command and control channel, then extract, modify, and re-deploy PLC project files. Attackers also manipulate SCADA HMI display data, causing operators to view false process readings while adversarial modifications to control logic execute undetected. The actors communicate with targeted devices via EtherNet/IP (TCP/UDP 44818 for explicit messaging and UDP 2222 for implicit I/O), Modbus TCP (port 502), and SSH (port 22).

This advisory arrives in the context of a broader, anticipated Iranian cyber counteroffensive. Multiple intelligence assessments indicate that Iranian threat actor groups — including CyberAv3ngers, Pioneer Kitten, MuddyWater, Agrius, Banished Kitten, APT34, APT35, APT42, and Cotton Sandstorm — are actively conducting or preparing retaliatory cyber operations against U.S., Israeli, and allied nation targets. The CyberAv3ngers campaign described in AA26-097A is the OT-focused component of a multi-vector offensive that simultaneously targets enterprise IT environments through VPN appliance exploitation, spear-phishing, and wiper malware deployment. Organizations operating Rockwell Automation PLCs in internet-accessible configurations face the greatest immediate risk, though threat actors have also demonstrated interest in broadening targeting to Siemens S7 platforms.

Threats and Vulnerabilities

Iranian-affiliated cyber actors operating as CyberAv3ngers — an IRGC-CEC linked group also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, Bauxite, and UNC5691 — have been confirmed targeting Rockwell Automation CompactLogix and Micro850 PLCs directly exposed to the internet or accessible via internet-facing network segments without adequate authentication controls. The actors exploit the absence of network-level access restrictions and weak or default credentials rather than any single patchable software vulnerability, using Rockwell Automation's own Studio 5000 Logix Designer software as their access tool. This technique mirrors the group's November 2023 campaign against Unitronics Vision PLC devices in U.S. water and wastewater facilities and represents a deliberate evolution toward targeting more widely deployed industrial automation platforms. Upon access, actors deploy Dropbear SSH to maintain persistent remote control and manipulate both PLC project files and HMI display data to mask operational disruption from facility operators.

The threat is compounded by broader Iranian APT activity against enterprise IT infrastructure. Pioneer Kitten (Fox Kitten, Parisite, RUBIDIUM) continues to exploit known vulnerabilities in Pulse Secure VPN appliances — CVE-2019-11510, with a CVSS score of 10.0 — Fortinet FortiOS SSL-VPN — CVE-2018-13379, with a CVSS score of 9.8 — and Citrix ADC/Gateway — CVE-2019-19781, with a CVSS score of 9.8 — to gain perimeter access that could facilitate IT-to-OT pivot operations into industrial control system environments. MuddyWater (Mango Sandstorm, Mercury) deploys legitimate remote monitoring and management software including ScreenConnect and RemoteUtilities as persistence mechanisms following initial access. Agrius and Banished Kitten continue to develop and deploy custom wiper malware disguised as ransomware, targeting industries in the United States, Israel, and allied nations for destructive effect consistent with IRGC strategic objectives. APT42 conducts highly targeted spear-phishing operations impersonating journalists and academics to harvest credentials from individuals with privileged access to government, defense, and critical infrastructure systems.

Client Impact

Organizations operating Rockwell Automation CompactLogix or Micro850 PLCs in internet-accessible configurations face immediate risk of unauthorized modification of PLC logic and project files, manipulation of SCADA and HMI display data that obscures actual process conditions from operators, and forced device restarts or shutdowns that disrupt physical processes in water treatment, energy distribution, and government facilities. The deployment of Dropbear SSH by threat actors provides a persistent foothold that may survive PLC reboots and firmware updates if the underlying project file has been modified. Operators relying on HMI screens displaying manipulated data risk making incorrect process control decisions — a consequence that extends beyond digital disruption into physical safety risk for facilities managing water treatment chemistry, electrical distribution, or fuel handling. The IT-side component of this campaign, involving Pioneer Kitten VPN exploitation, raises the additional risk of lateral movement from enterprise networks into OT environments through IT/OT convergence points such as historian servers, engineering workstations, and jump hosts.

Industrial operators in the water and wastewater sector are subject to EPA cybersecurity requirements under America's Water Infrastructure Act (AWIA) and must maintain documented cybersecurity risk assessments and emergency response plans. The targeting described in AA26-097A directly challenges compliance with these requirements and may trigger mandatory reporting obligations to EPA and CISA under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Energy sector operators are subject to NERC CIP standards requiring physical and logical access controls for bulk electric system cyber assets; an internet-exposed PLC controlling in-scope generation or transmission assets would likely constitute a violation of CIP-005 (Electronic Security Perimeters) and CIP-007 (Systems Security Management) and should be evaluated for self-reporting. Government facility operators must assess whether the described threat triggers obligations under OMB Memorandum M-22-09 (the federal zero trust strategy) and the Federal Information Security Modernization Act (FISMA).

Mitigations

1898 & Co. recommends the following mitigations be evaluated against existing controls and implemented according to risk priority.

1. Immediately remove Rockwell Automation CompactLogix and Micro850 PLCs from direct internet exposure. Place all PLCs behind firewalls or network proxies that restrict access to authorized engineering workstation IP addresses only.

2. Disable all unused communication services on OT endpoints: Telnet, FTP, and unneeded web services on PLCs, and RDP and VNC on engineering workstations and HMIs. Confirm that Dropbear SSH or any unrecognized SSH service is not present on OT endpoints; a controller that completes a TCP handshake on port 22 should be treated as suspect until explained, since Rockwell PLCs do not ship with an SSH service.

3. Enable CIP Security where the controller family and firmware support it. EtherNet/IP and CIP otherwise carry no authentication, so regardless of controller support, enforce allowlisting of authorized Studio 5000 Logix Designer workstations in firewall access control lists in front of every PLC segment.

4. Change all default credentials on PLC devices and engineering workstations. Implement multi-factor authentication for all remote access sessions to OT-accessible infrastructure.

5. Deploy or verify integrity monitoring on PLC project files. Maintain cryptographically verified backups of known-good project files and ladder logic programs and compare against current device configurations on a defined schedule.

6. Monitor network traffic for unexpected EtherNet/IP (ports 44818 and 2222), Modbus TCP (port 502), and SSH (port 22) connections originating from IP addresses outside the authorized engineering workstation list.

7. Review and apply the latest firmware updates for all Rockwell Automation CompactLogix and Micro850 PLCs and ensure that authentication key features are enabled and default authentication keys replaced. On Logix controllers, keep the physical mode switch in RUN outside maintenance windows; in REMOTE, a connected Studio 5000 session can download a project and change controller mode, which is precisely the access path the actors use.

8. Patch internet-facing VPN appliances, firewalls, and remote access gateways against known vulnerabilities including CVE-2019-11510, CVE-2018-13379, and CVE-2019-19781 to eliminate Pioneer Kitten initial access vectors.

9. Implement and test an OT-specific incident response plan that includes procedures for detecting unauthorized PLC project file modifications and restoring from verified backups.

10. Review CISA's ICS security resources and implement the mitigations and detection guidance published in advisory AA26-097A and associated STIX indicator files available on the CISA website.
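The following is an added example, not code from the advisory or from 1898 & Co., showing how mitigations 2 and 6 can be turned into a concrete check: it reads connection records, keeps only traffic to the PLC subnet on the four ports named in the advisory, and raises an alert when the source is outside RFC 1918 space, when a controller answers on port 22 (an SSH listener a PLC should not have), or when the source is not an authorized engineering workstation. The record layout (tab-separated ts, src, src_port, dst, dst_port, proto, conn_state) is a constructed simplification loosely modelled on Zeek conn.log fields, and the PLC subnet 10.20.5.0/24, the workstation 10.20.1.15 and every address in the sample are assumptions chosen for illustration.

```python
"""Audit OT connection records against an engineering-workstation allowlist.

Added example; not code from the advisory or from 1898 & Co. Input is a
constructed, simplified tab-separated export (ts, src, src_port, dst,
dst_port, proto, conn_state) loosely modelled on Zeek conn.log fields.
The PLC subnet, workstation address and sample records are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Ports the advisory names for actor-to-PLC communication.
PLC_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    502: "Modbus TCP",
    22: "SSH",
}

# Connection states in which the responder replied, i.e. a listener exists
# (Zeek conn_state vocabulary). "REJ" and "S0" mean nothing answered.
ANSWERED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR", "OTH"}

# RFC 1918 space only. ipaddress.is_private would also treat documentation
# ranges such as 203.0.113.0/24 as private and hide an external source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def is_internal(addr):
    return any(addr in net for net in RFC1918)


def parse_record(line):
    ts, src, _sport, dst, dport, proto, state = line.rstrip("\n").split("\t")
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, state


def audit(lines, plc_subnet, workstations):
    """Return one Alert per connection to a PLC port that the allowlist does not explain."""
    plc_net = ipaddress.ip_network(plc_subnet)
    allowed = {ipaddress.ip_address(w) for w in workstations}
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, state = parse_record(line)
        if dst not in plc_net or port not in PLC_PORTS:
            continue  # not controller traffic on a port of interest
        if port == 2222 and proto == "udp" and src in plc_net:
            continue  # implicit I/O between a controller and its own I/O adapters is expected
        svc = PLC_PORTS[port]
        if not is_internal(src):
            reason = f"{svc} from a non-RFC1918 address: controller reachable from outside the plant"
        elif port == 22 and state in ANSWERED:
            reason = "controller answered an SSH session: PLCs ship no SSH service, check for Dropbear"
        elif src not in allowed:
            reason = f"{svc} from a host that is not an authorized engineering workstation"
        else:
            continue  # authorized workstation talking to a controller on an expected protocol
        alerts.append(Alert(ts, str(src), str(dst), port, reason))
    return alerts


# Constructed sample export (not captured traffic). Assumed layout: PLCs in
# 10.20.5.0/24, the only authorized Studio 5000 workstation at 10.20.1.15.
SAMPLE_LOG = """\
# ts\tsrc\tsrc_port\tdst\tdst_port\tproto\tconn_state
1775556000.10\t10.20.1.15\t51234\t10.20.5.10\t44818\ttcp\tSF
1775556001.30\t10.20.5.10\t2222\t10.20.5.40\t2222\tudp\tSF
1775556002.00\t10.20.1.99\t49220\t10.20.5.10\t44818\ttcp\tSF
1775556003.50\t203.0.113.45\t40500\t10.20.5.11\t44818\ttcp\tSF
1775556004.20\t10.20.1.15\t50010\t10.20.5.11\t22\ttcp\tSF
1775556005.00\t10.20.1.15\t50011\t10.20.5.12\t22\ttcp\tREJ
1775556006.00\t10.20.1.15\t50012\t10.20.5.12\t502\ttcp\tSF
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines(), "10.20.5.0/24", ["10.20.1.15"]):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port}  {a.reason}")
```

Run against the sample, the audit yields three alerts: an internal host that is not on the workstation allowlist reaching EtherNet/IP, a non-RFC1918 source reaching a controller, and a completed SSH session to a controller. The rejected SSH attempt from the authorized workstation produces nothing, because a REJ shows no listener is present; the point of keying on conn_state is to separate "someone probed port 22" from "something on the controller answered."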

1898 & Co. recommends organizations prioritize mitigations one through four as immediate actions, as these address the direct attack vector described in the advisory and require no new technology investment — only configuration hardening of existing infrastructure.

1898 & Co. Response

1898 & Co. has deep expertise in operational technology and industrial control system security, with a dedicated team of OT security practitioners who have supported critical infrastructure clients across the energy, water, and government sectors for more than two decades. Our engineers maintain hands-on familiarity with Rockwell Automation, Siemens, Schneider Electric, and other major PLC and DCS platforms, enabling rapid assessment of exposure to threats such as those described in CISA advisory AA26-097A. We regularly conduct ICS network architecture reviews, OT penetration testing, and PLC configuration audits to identify the type of internet-exposed device conditions that Iranian threat actors are currently exploiting.

Our threat intelligence and monitoring capabilities are specifically designed to detect the indicators described in this advisory. The 1898 & Co. managed detection and response offering includes continuous monitoring of OT network traffic for unauthorized EtherNet/IP, Modbus, and DNP3 communications, with alerting thresholds calibrated against client engineering workstation baselines. Our SIEM and SOAR integrations consume CISA STIX/TAXII threat feeds, ensuring that IOCs published alongside advisories such as AA26-097A are operationalized into detection logic within hours of publication. For clients running CrowdStrike Falcon on engineering workstations, we have developed and maintain a library of custom detection content targeting Iranian APT tradecraft, including RMM tool abuse, VSS deletion, and Dropbear SSH deployment.

1898 & Co. has supported incident response engagements following Iranian-affiliated attacks on critical infrastructure and maintains relationships with CISA, the FBI, and sector-specific ISACs that provide early warning of emerging threats. We encourage clients who observe any indicators consistent with this advisory — including unexpected PLC project file modifications, Dropbear SSH processes on OT endpoints, or Studio 5000 connections from unauthorized IP addresses — to contact our 24/7 incident response hotline immediately. Our teams stand ready to support rapid assessment, containment, and recovery for any organization that believes it may be targeted by the threat actors described in AA26-097A.

Sources

1. CISA Advisory AA26-097A — Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

2. EPA Joint Cybersecurity Advisory — Water System Regarding Iranian Affiliated Cyber Actors

3. CISA Advisory AA23-335A — Exploitation of Unitronics PLCs Used in Water and Wastewater Systems

4. NVD Entry — CVE-2019-11510

5. NVD Entry — CVE-2018-13379

6. NVD Entry — CVE-2019-19781