Iranian-Linked Actors Exploit Internet-Facing Rockwell PLCs in US Critical Infrastructure
A joint U.S. government advisory said Iranian-affiliated cyber actors are actively exploiting internet-facing operational technology devices across multiple U.S. critical infrastructure sectors, with a particular focus on Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs). The activity has affected organizations in Government Services and Facilities, Water and Wastewater Systems, and Energy, where attackers maliciously interacted with project files and manipulated data displayed on HMI and SCADA systems, causing operational disruption and financial losses for some victims.
The campaign has been observed since at least March 2026 and shows similarities to prior CyberAv3ngers activity linked to the IRGC Cyber Electronic Command. According to the advisory, the actors used overseas IP infrastructure, Rockwell Studio 5000 Logix Designer, OT-related ports including 44818, 2222, 102, 22, and 502, and Dropbear SSH for remote access. U.S. authorities urged operators to remove PLCs from direct internet exposure, harden remote access, enable logging, place controllers in run mode where appropriate, and review published indicators of compromise and ATT&CK-mapped TTPs alongside Rockwell Automation security guidance.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
US government issues joint advisory on Iranian PLC exploitation campaign
On April 7, 2026, CISA and partner agencies warned that Iranian-affiliated actors were actively exploiting internet-facing PLCs, disrupting operations by manipulating project files and altering data shown on HMI and SCADA displays. The advisory also shared technical details, observed ports and tooling, indicators of compromise, and mitigation guidance for defenders.
Rockwell Automation publishes security advisory SD1771
Rockwell Automation published security advisory SD1771 addressing the PLC-focused threat activity referenced in later government reporting. The advisory was released on March 20, 2026.
Iranian-affiliated actors begin exploiting internet-facing PLCs in the US
Since at least March 2026, Iranian-affiliated cyber actors have targeted internet-exposed operational technology devices across multiple U.S. critical infrastructure sectors, especially Rockwell Automation/Allen-Bradley PLCs. The activity affected sectors including Government Services and Facilities, Water and Wastewater Systems, and Energy.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
31 references tracked. Mallory keeps watching after this page renders.
Iran-Linked PLC Exploitation Expands Across US Critical Infrastructure
blog.polyswarm.io
Open sourceIran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers - Cyber Security News
cybersecuritynews.com
Open sourceCensys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.,
securityaffairs.com
Open sourceReport: US accounts for most PLCs subjected to Iranian targeting | brief | SC Media
scworld.com
Open sourceSD1771 | Security Advisory | Rockwell Automation | US
rockwellautomation.com
Open sourceIranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure - Infosec.Pub
infosec.pub
Open sourceIc3 Alerts
ic3.gov
Open sourceCisa
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Iranian CyberAv3ngers Target Unitronics PLCs in Critical Infrastructure
**Iran-linked CyberAv3ngers** activity targeting **Unitronics Vision PLCs** in internet-exposed operational technology environments is the clearest common security event in the provided material. The reporting describes campaigns against critical infrastructure, especially **water and wastewater systems**, with attackers exploiting **default credentials**, weak segmentation, and exposed OT assets to gain access and potentially disrupt operations or manipulate industrial processes. The activity is framed as part of broader Iranian state-linked cyber operations aligned with regional geopolitical tensions, with emphasis on U.S. and allied infrastructure at risk of operational and possible physical consequences. One reference provides technical and threat-context detail on the **CyberAv3ngers/IRGC-linked** targeting of Unitronics devices, while another discusses the wider cyber dimension of conflict involving Iranian groups pre-positioning in U.S. networks and threatening sectors such as water, hospitals, finance, and power. That second piece is relevant as contextual support for the same Iran-linked critical infrastructure threat environment, though it is broader and less specific to the **Unitronics PLC** intrusion pattern. The remaining references cover unrelated topics including malicious npm packages, GitHub repository compromise, Ivanti EPMM exploitation, a Ukraine-focused backdoor campaign, AI security commentary, and vendor detection updates, and do not describe the same incident or disclosure.
Mar 21, 2026
Cyber Av3ngers Exploited Unitronics PLCs at Water Utilities in the U.S. and Ireland
A cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania exposed a broader campaign targeting **Unitronics Vision Series PLCs** used in water and wastewater operations. Attackers linked to the pro-Iran **Cyber Av3ngers** group reportedly defaced facility screens and disrupted a remote water pressure station, prompting operators to take affected equipment offline and switch to manual or backup processes; officials said drinking water quality and core service were not affected because the compromised system was isolated from the main treatment plant. Reporting also cited a separate incident at a North Texas utility, underscoring concern that internet-exposed industrial control systems are being actively targeted across the sector. U.S. and Irish authorities later tied similar activity to exploitation of weakly secured or internet-accessible Unitronics controllers, including default or poor password practices and the vulnerability tracked as `CVE-2023-6448`, which was added to CISA's Known Exploited Vulnerabilities catalog. In Ireland, attackers disrupted water service to about 160 households in County Mayo after compromising a PLC at a private group water scheme. CISA warned water operators to remove PLCs from direct internet exposure, change default credentials, enforce multifactor authentication where possible, and back up device configurations as officials and experts warned that undersecured operational technology poses an ongoing risk to critical infrastructure.
May 27, 2026
Rockwell Automation ICS Products Hit by Authentication, Authorization, DoS, and RCE Flaws
CISA republished multiple Rockwell Automation advisories covering vulnerabilities across **FactoryTalk Analytics PavilionX**, **RSLinx Classic**, **CompactLogix 5370**, **Logix 5370/5570 controllers**, and **FLEX I/O EtherNet/IP Adapters** used in critical manufacturing environments worldwide. The issues include an authorization bypass in PavilionX (`CVE-2025-14272`) that could let an unauthenticated attacker perform privileged administrative actions, and a third-party flaw in RSLinx Classic (`CVE-2020-13573`) tied to out-of-bounds read and stack-based buffer overflow conditions that could cause denial of service or enable remote arbitrary code execution. Additional advisories detail multiple **CIP-related denial-of-service weaknesses** in CompactLogix and Logix controllers, including `CVE-2026-11317`, where crafted CIP messages can trigger major nonrecoverable faults requiring a program download, as well as sequence-number, source-IP, and connection-ID issues that can induce controller faults. CISA also warned that FLEX I/O EtherNet/IP Adapters version `2.012` are affected by `CVE-2026-0646`, which can fault devices through malformed CIP requests, and `CVE-2026-0647`, a critical authentication bypass in the embedded web server that allows password changes through a crafted HTTP GET request, potentially leading to account takeover and loss of availability; CISA said no known public exploitation had been reported and urged operators to isolate control networks, reduce internet exposure, and secure remote access with firewalls and updated VPNs.
Jun 19, 2026