Iranian APTs Target 5,219 Exposed Rockwell PLCs in U.S. Critical Infrastructure

Severity: High (Score: 78.0)

Sources: Securityaffairs.Co, Gbhackers

Summary

Censys researchers identified 5,219 Rockwell Automation PLCs exposed to the internet, primarily located in the U.S. These devices are being targeted by Iranian-affiliated advanced persistent threat (APT) actors, as warned by U.S. agencies including the FBI, CISA, and NSA on April 7, 2026. The threat actors are exploiting vulnerabilities in internet-connected operational technology (OT) systems across various critical infrastructure sectors. This follows a previous campaign in November 2023 that compromised at least 75 Unitronics PLCs in U.S. water and wastewater facilities. Security experts are urging immediate action to secure or disconnect these vulnerable devices to mitigate potential attacks. The ongoing threat highlights the increasing risk to critical infrastructure from state-sponsored cyber operations.

Key Points

  • 5,219 Rockwell PLCs are exposed online and vulnerable to Iranian APT attacks.
  • U.S. agencies issued a warning on April 7, 2026, regarding the exploitation of these devices.
  • Previous attacks linked to the same APT actors targeted U.S. water facilities in late 2023.

Key Entities

  • Unitronics (company)
  • Rockwell Automation PLCs (platform)