
Recently, a joint alert was released by several agencies, including the FBI, CISA, and NSA, concerning a series of cyber-attacks on control networks by threat actors associated with Iran. The alert describes how these actors, affiliated with the IRGC, attacked PLCs that were connected to the internet. In particular, they targeted Rockwell/Allen-Bradley and Unitronics PLCs.
According to the alert, these threat actors accessed at least 75 PLCs in the U.S. since late 2023 using the configuration software provided by the manufacturers of these systems and IP addresses leased overseas. The attacks had two main outcomes: theft of PLC projects and falsification of HMI/SCADA screens.
Iranian-Linked PLC Campaign Uncovered
This group is described as “IRGC CEC-affiliated” and operates under aliases such as CyberAv3ngers, Hydro Kitten, and Storm-0784. From late 2023 through early 2026, the group attacked PLCs and HMIs based in the United States, affecting at least 75 devices.
Targeted Systems
The campaign involved attacks on industrial control systems, such as Rockwell/Allen-Bradley CompactLogix and Micro850 controllers, as well as Unitronics PLCs, which are often deployed in water treatment plants.
Initial Access Vector
The actors gained unauthorized access to internet-facing PLCs using vendor engineering software, notably Rockwell’s Studio 5000 application, connecting from infrastructure leased in other countries.
In other words, the threat stemmed not from vulnerabilities in the software itself but from operational weaknesses.
Network Exposure & Attack Surface
Malicious traffic targeted multiple industrial communication ports, including:
- EtherNet/IP (44818)
- OT configuration port (2222)
- Siemens S7 (102)
- SSH (22)
- Modbus (502)
This broad targeting suggests a vendor-agnostic approach aimed at identifying any reachable industrial device.
Persistence Mechanism
Following the compromise, the attackers deployed Dropbear SSH, a lightweight SSH server, on compromised devices. It kept remote access open, allowing the backdoor connection to remain active even after the device was rebooted.
The attack did not involve sophisticated exploitation techniques; instead, it exploited the internet exposure of these devices and the poor perimeter security of the targeted networks.
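The port list above and the Dropbear persistence point both translate into a simple detection: flag inbound connections from outside the plant's own address space to any of the listed industrial ports, and flag listeners (such as SSH) that a PLC is not expected to expose. The example below is added here and is not from the advisory or from Xcitium; the flow-record format, the asset baseline and the sample records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Industrial ports named in the advisory summary (port -> protocol label).
OT_PORTS = {44818: "EtherNet/IP", 2222: "OT configuration",
            102: "Siemens S7", 22: "SSH", 502: "Modbus"}

# Hypothetical address space of the plant; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset baseline: PLC address -> services it is expected to expose.
# An SSH listener appearing on a PLC that never had one is the kind of
# persistence signal a Dropbear backdoor would produce.
EXPECTED_SERVICES = {
    "10.20.1.15": {44818, 2222},   # hypothetical CompactLogix
    "10.20.1.40": {502},           # hypothetical Unitronics PLC
}

@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    reason: str

def parse_flow(line):
    """Parse a constructed 'src=... dst=... dport=... dir=...' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"]), fields["dir"]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def analyze(lines):
    """Return alerts for external reachability and off-baseline listeners."""
    alerts = []
    for line in lines:
        src, dst, dport, direction = parse_flow(line)
        if direction != "inbound" or dport not in OT_PORTS:
            continue  # outbound traffic and non-OT ports are out of scope here
        proto = OT_PORTS[dport]
        if is_external(src):
            alerts.append(Alert(src, dst, dport, f"external source reached {proto}"))
        expected = EXPECTED_SERVICES.get(dst)
        if expected is not None and dport not in expected:
            alerts.append(Alert(src, dst, dport, f"{proto} not in asset baseline"))
    return alerts

SAMPLE_FLOWS = [  # constructed records, not taken from the advisory
    "src=203.0.113.7 dst=10.20.1.15 dport=44818 dir=inbound",
    "src=10.20.5.9 dst=10.20.1.15 dport=44818 dir=inbound",
    "src=203.0.113.7 dst=10.20.1.40 dport=22 dir=inbound",
    "src=10.20.1.15 dst=198.51.100.2 dport=443 dir=outbound",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"{a.src} -> {a.dst}:{a.dport} ({a.reason})")
```

On the sample records this raises three alerts: an external engineering-port connection to the first PLC, and both an external SSH connection and an off-baseline SSH listener on the second.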
Sophisticated Access and Manipulation Techniques
Once the attackers had gained access, their main objectives were intelligence gathering and disruption of operations.
According to the advisory, PLC project files (.ACD) were stolen. These files contain the controller’s complete logic configuration and serve as a detailed blueprint of the industrial process.
In addition, by tampering with the information presented on HMI and SCADA screens, the attackers could lead operators to believe that everything was normal even while changes were being made.
This combination of intelligence gathering and manipulation of information is an example of an espionage-sabotage hybrid attack.
Operational Insight
Notably, the attackers relied on legitimate tools and standard protocols rather than custom malware. This reinforces that the success of the campaign stemmed from weak security controls, not technical sophistication.
Rather than exploiting zero-day vulnerabilities, the threat actors capitalized on exposed infrastructure and poor cyber hygiene.
This highlights a recurring issue in OT environments: critical systems remain accessible and insufficiently segmented, allowing attackers to operate using legitimate tools with minimal resistance.
Operational Impacts
The most evident consequence of the campaign is the loss of process intelligence. Access to PLC project files provides visibility into how industrial processes operate, so the attackers obtain operational “blueprints” of critical systems that can later be used against them.
Moreover, tampering with data from SCADA and HMI systems adds a deceptive element: operators may be shown false readings, leaving them unable to identify real problems or leading them to make wrong decisions based on those readings.
Real-World Risk
Numerous Iranian campaigns demonstrate the risk of giving attackers critical data about how systems function. For instance, recent campaigns associated with Agrius showed a pattern of initial data exfiltration followed by ransomware attacks.
Thus, the risk scenario of today could be the basis of a far worse one in the near future.
Scale and Sector Exposure
The scale of the campaign is significant, since it compromised at least 75 devices. The primary sector targeted was water and wastewater systems (WWS) facilities, which underscores the criticality of the attacked systems.
Furthermore, the advisory mentions that multiple critical infrastructure sectors suffered from this campaign.
Indicators and MITRE ATT&CK Techniques
Conclusion: When Internet-Facing PLCs Become National Security Exposure
This campaign proves that critical infrastructure attacks do not always begin with zero-days or custom malware. In this case, Iranian-affiliated operators reached at least 75 U.S. PLCs by abusing internet-facing industrial systems, legitimate engineering tools, and weak perimeter security. Once inside, they stole PLC project files and manipulated HMI and SCADA visibility, turning operational access into both espionage and disruption risk.
Why This Threat Matters
The real lesson is not technical sophistication. It is operational exposure.
- Internet-facing PLCs created direct access paths into control environments
- Legitimate protocols and standard tools reduced the need for malware
- Stolen project files gave attackers detailed blueprints of industrial processes
- False HMI and SCADA readings increased the risk of delayed or incorrect operator response
- Water and wastewater facilities were among the primary targets, but multiple critical sectors were affected
Why Many OT Environments Stay Exposed
This campaign succeeded because critical systems remained reachable and insufficiently segmented.
- Poor cyber hygiene left industrial ports exposed to the public internet
- OT environments often inherit weak remote access practices
- Legacy operational priorities delay hardening and segmentation
- Visibility gaps make unauthorized engineering access harder to catch early
Where Xcitium Changes the Outcome
For organizations using Xcitium Vulnerability Assessment, this attack should have been visible before it became operational access.
- Exposed industrial services can be identified and prioritized for remediation
- Risky external reachability can be surfaced before attackers find it
- Weak segmentation and insecure access paths become actionable findings, not hidden exposure
If you have Xcitium in place, this attack does not succeed the same way, because the reachable entry points are identified and closed before attackers can turn access into sabotage.
Secure OT Before Access Becomes Manipulation
Critical infrastructure does not fail only when systems go offline. It fails when operators can no longer trust what they see. Reduce exposed attack surface, harden remote access, and treat industrial visibility as a security control, not just an operations tool.