
Iranian Hackers Target US Critical Infrastructure PLCs

Iranian-linked threat actors are actively targeting Internet-exposed Rockwell Allen-Bradley programmable logic controllers across U.S. critical infrastructure networks.

7 April 2026, 20:02

Last updated 7 April 2026, 21:23

Severity: High
Exploit: Active Exploit
Patch status: Available
Vendor: Rockwell Automation
Affected: ControlLogix 5570, 5580, Compa...
Category: Cyber Attacks

Iranian Threat Actors Launch PLC-Focused Campaign Against US Infrastructure

Iranian-linked hackers launched a sophisticated campaign on April 7, 2026, specifically targeting Internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers deployed across U.S. critical infrastructure networks. The attackers are systematically scanning for and exploiting vulnerabilities in these industrial control systems, which manage critical operations in energy, water treatment, and manufacturing facilities nationwide.

The campaign represents a significant escalation in Iranian cyber operations against American infrastructure targets. Unlike previous attacks that focused on traditional IT systems, these threat actors are deliberately targeting operational technology environments where PLCs control physical processes including power generation, water distribution, and industrial manufacturing. Security researchers have identified coordinated reconnaissance activities suggesting the attackers possess detailed knowledge of Rockwell's ControlLogix and CompactLogix PLC architectures.

According to CyberScoop's analysis, the attackers are leveraging known vulnerabilities in older PLC firmware versions to establish persistent access to SCADA networks. The threat actors appear to be conducting extensive network mapping to identify critical control systems and understand the operational dependencies within targeted facilities. This methodical approach indicates a well-resourced operation with specific intelligence objectives rather than opportunistic cybercriminal activity.

The timing of this campaign coincides with heightened geopolitical tensions and follows a pattern of Iranian state-sponsored groups targeting critical infrastructure during periods of international conflict. Intelligence agencies have observed similar tactics from Iranian Advanced Persistent Threat groups including APT33, APT34, and APT35, though attribution to specific groups remains under investigation. The attackers are employing sophisticated evasion techniques including encrypted command channels and legitimate administrative tools to blend their activities with normal network traffic.

Critical Infrastructure Sectors Face Widespread PLC Exposure Risk

The campaign primarily affects organizations operating Rockwell Automation ControlLogix 5570, 5580, and CompactLogix 5370, 5380 series PLCs with firmware versions prior to 33.011 that remain Internet-accessible. Energy sector organizations face the highest risk, particularly electric utilities running aging SCADA systems where PLCs control generation equipment, transmission switching, and distribution automation. Water treatment facilities using these controllers for chemical dosing, pump control, and filtration processes are equally vulnerable to potential disruption or contamination attacks.

Manufacturing organizations across automotive, chemical, and food processing industries represent another high-risk category, especially facilities where PLCs manage safety-critical processes including emergency shutdown systems, pressure relief controls, and hazardous material handling. The attackers are specifically targeting organizations that have migrated legacy systems to IP-based networks without implementing proper network segmentation or industrial firewall protections. Facilities with remote access capabilities enabled for maintenance purposes face elevated exposure, as these connections often bypass traditional security controls.

Geographic analysis reveals concentrated targeting in Texas, California, and Pennsylvania, states with significant energy infrastructure and industrial manufacturing bases. Smaller municipal utilities and rural water systems appear particularly vulnerable due to limited cybersecurity resources and reliance on vendor remote support connections. The campaign's scope suggests attackers have compiled comprehensive target lists based on public infrastructure databases and Shodan scanning results identifying exposed industrial control systems.

Immediate PLC Security Hardening and Network Isolation Required

Organizations must immediately audit all Rockwell Automation and Allen-Bradley PLC deployments to identify Internet-exposed systems and implement emergency network isolation measures. Critical first steps include disconnecting PLCs from direct Internet access, implementing industrial DMZ architectures with dedicated firewalls, and establishing secure remote access through VPN concentrators with multi-factor authentication. System administrators should verify that all ControlLogix and CompactLogix controllers are running firmware version 33.011 or later, available through Rockwell's Product Compatibility and Download Center.
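The audit step above has two mechanical parts: flag affected controllers whose firmware is older than 33.011, and flag any controller reachable from the Internet. The script below is an added example, not a Rockwell, CISA or article-provided tool; it runs over a constructed inventory export whose CSV columns, host names and addresses are assumptions, and it compares firmware strings in Rockwell's major.minor form, so "33.011" is read as major 33, minor 11.

```python
"""
Audit a PLC inventory for the two conditions named in the article: affected
Rockwell families running firmware older than 33.011, and controllers that
are reachable from the Internet. Added example; the inventory format is a
constructed assumption, not any vendor or agency tool output.
"""
import csv
import io
from typing import Dict, List, Tuple

# Affected families as named in the article.
AFFECTED_MODELS = {"ControlLogix 5570", "ControlLogix 5580",
                   "CompactLogix 5370", "CompactLogix 5380"}
# Minimum firmware from the article; parsed as (major, minor) -> (33, 11).
MIN_FIRMWARE = "33.011"

# Constructed sample inventory (hypothetical hosts; RFC 1918 / RFC 5737 addresses).
SAMPLE_INVENTORY = """\
name,model,firmware,address,reachable_from_internet
pump-plc-01,CompactLogix 5380,32.012,10.20.1.15,yes
gen-plc-02,ControlLogix 5580,33.011,10.20.1.16,no
dose-plc-03,CompactLogix 5370,33.014,198.51.100.22,yes
hvac-plc-04,MicroLogix 1400,21.007,10.20.1.40,no
"""


def parse_firmware(version: str) -> Tuple[int, int]:
    """'33.011' -> (33, 11). Assumes major.minor with a zero-padded minor."""
    major, minor = version.strip().split(".", 1)
    return int(major), int(minor)


def firmware_is_outdated(version: str, minimum: str = MIN_FIRMWARE) -> bool:
    """True when the controller runs something older than the minimum."""
    return parse_firmware(version) < parse_firmware(minimum)


def audit_inventory(csv_text: str) -> List[Dict[str, object]]:
    """Return one finding per controller that needs action, with its reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        in_scope = row["model"] in AFFECTED_MODELS
        if in_scope and firmware_is_outdated(row["firmware"]):
            reasons.append(f"firmware {row['firmware']} < {MIN_FIRMWARE}")
        # Internet reachability is a finding for any PLC, not only affected families.
        if row["reachable_from_internet"].strip().lower() == "yes":
            reasons.append("reachable from the Internet")
        if reasons:
            findings.append({"name": row["name"], "model": row["model"],
                             "address": row["address"], "reasons": reasons})
    # Controllers that are both exposed and outdated sort to the top.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['name']} ({f['model']}, {f['address']}): " + "; ".join(f["reasons"]))
```

On the sample data the exposed-and-outdated CompactLogix 5380 is listed first; the controller outside the affected families is only reported if it is Internet-reachable, which keeps the exposure check independent of the firmware check.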

Network monitoring teams should implement enhanced logging for all PLC communications, focusing on unusual HMI connections, unauthorized configuration changes, and abnormal data requests from engineering workstations. Deploy network segmentation between IT and OT environments using industrial firewalls configured with strict allow-lists for required protocols including EtherNet/IP, Modbus TCP, and DNP3. Organizations should also review and disable unnecessary services on PLCs including web servers, FTP, and Telnet interfaces that expand the attack surface.

For immediate threat detection, security teams should monitor for reconnaissance activities including port scans targeting TCP ports 44818 (EtherNet/IP), 502 (Modbus), and 20000 (DNP3). Implement behavioral analysis to identify unusual ladder logic uploads, firmware modifications, or configuration changes outside normal maintenance windows. The Cybersecurity and Infrastructure Security Agency recommends deploying industrial intrusion detection systems capable of parsing industrial protocols and detecting malicious PLC commands. Organizations should also establish incident response procedures specifically for OT environments, including coordination with facility operations teams and regulatory reporting requirements for critical infrastructure sectors.
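The reconnaissance pattern described above (probes against TCP 44818, 502 and 20000, and one source touching many PLC endpoints) can be turned into detection logic over firewall or flow logs. The following is an added example, not code from the article or any vendor: it parses constructed log lines in an assumed format, treats the 10.20.0.0/16 range as the approved OT/engineering network (an assumption), and flags both unapproved sources reaching ICS ports and scan-like bursts within a short window.

```python
"""
Detection logic for ICS-port reconnaissance: connections to EtherNet/IP (44818),
Modbus TCP (502) and DNP3 (20000) from outside the approved OT ranges, plus
scan-like behaviour where one source reaches several PLC endpoints quickly.
Added example over constructed firewall log lines; the log format and the
approved address range are assumptions, not any vendor's output.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

ICS_PORTS = {44818: "EtherNet/IP", 502: "Modbus TCP", 20000: "DNP3"}
# Hypothetical approved OT/engineering range (RFC 1918); anything else is external.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
SCAN_THRESHOLD = 3          # distinct PLC endpoints per source within the window
SCAN_WINDOW_SECONDS = 60

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (TEST-NET and RFC 1918 addresses only).
SAMPLE_LOG = """\
2026-04-07T20:02:11Z fw ALLOW TCP 10.20.5.10:51234 -> 10.20.1.15:44818
2026-04-07T20:02:13Z fw DENY TCP 203.0.113.7:40001 -> 10.20.1.15:44818
2026-04-07T20:02:14Z fw DENY TCP 203.0.113.7:40002 -> 10.20.1.16:44818
2026-04-07T20:02:15Z fw DENY TCP 203.0.113.7:40003 -> 10.20.1.16:502
2026-04-07T20:02:16Z fw DENY TCP 203.0.113.7:40004 -> 10.20.1.17:20000
2026-04-07T20:03:40Z fw ALLOW TCP 198.51.100.22:44444 -> 10.20.1.20:502
2026-04-07T20:05:00Z fw ALLOW TCP 10.20.5.10:51240 -> 10.20.1.15:80
"""


def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed log line into a timestamped event."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": d["action"], "src": ipaddress.ip_address(d["src"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def is_approved(src) -> bool:
    return any(src in net for net in APPROVED_SOURCES)


def analyse(log_text: str) -> Dict[str, List[str]]:
    """Return findings keyed by source address. Denied attempts count too:
    a blocked probe is still reconnaissance worth alerting on."""
    findings: Dict[str, List[str]] = defaultdict(list)
    touched: Dict[str, List] = defaultdict(list)   # src -> [(ts, (dst, port))]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] not in ICS_PORTS:
            continue                      # only ICS service ports are of interest here
        src = str(ev["src"])
        proto_name = ICS_PORTS[ev["dport"]]
        if not is_approved(ev["src"]):
            findings[src].append(
                f"{ev['action']} {proto_name} to {ev['dst']}:{ev['dport']} from unapproved source")
        touched[src].append((ev["ts"], (ev["dst"], ev["dport"])))
    # Sliding window: flag a source reaching SCAN_THRESHOLD distinct endpoints quickly.
    for src, events in touched.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = {ep for t, ep in events[i:]
                      if (t - t0).total_seconds() <= SCAN_WINDOW_SECONDS}
            if len(window) >= SCAN_THRESHOLD:
                findings[src].append(
                    f"scan-like: {len(window)} ICS endpoints within {SCAN_WINDOW_SECONDS}s")
                break
    return dict(findings)


if __name__ == "__main__":
    for src, notes in analyse(SAMPLE_LOG).items():
        print(src)
        for n in notes:
            print("  -", n)
```

Two design points match the guidance above: the allow-list is evaluated by the detector, not just the firewall, so a connection the firewall permitted from an address outside the approved range still produces a finding; and denied probes are kept, because a port sweep that the firewall blocks is exactly the early reconnaissance the article says to watch for.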

Frequently Asked Questions

How can I check if my Rockwell PLCs are exposed to Iranian hackers?
Scan your network for PLCs accessible from the Internet on ports 44818, 502, and 20000. Verify all ControlLogix and CompactLogix controllers run firmware 33.011 or later. Implement network segmentation to isolate PLCs from direct Internet access.

What should I do if Iranian hackers compromise my Allen-Bradley PLCs?
Immediately disconnect affected PLCs from the network and switch to manual control if safe. Contact CISA and your facility's incident response team. Preserve logs and forensic evidence while coordinating with operations teams to maintain safe facility operations.

Which Rockwell PLC models are targeted by Iranian threat actors?
Iranian hackers specifically target ControlLogix 5570, 5580 series and CompactLogix 5370, 5380 series PLCs running firmware versions prior to 33.011. These controllers are commonly deployed in energy, water, and manufacturing critical infrastructure facilities.
