Iranian Hackers Target US Critical Infrastructure via Exposed PLCs
Severity: High (Score: 75.5)
Sources: Cybernews, Industrialcyber.Co
Summary
Iranian-affiliated threat actors are exploiting internet-exposed programmable logic controllers (PLCs) to target US critical infrastructure, including government facilities and essential services such as energy and water systems. Censys research reveals that over 5,200 Rockwell Automation PLCs are accessible online, with a significant concentration in the US. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about ongoing exploitation activity that has led to operational disruptions and financial losses. Attackers are using legitimate vendor software, such as Rockwell Studio 5000 Logix Designer, to manipulate control systems without needing zero-day exploits. The campaign also involves probing other industrial protocols, indicating a broader targeting strategy. US cybersecurity agencies have urged organizations to disconnect these devices from public networks to mitigate the risk. The situation is exacerbated by geopolitical tensions following military actions involving the US and Iran.
Key Points
- Over 5,200 Rockwell PLCs are exposed to the internet, primarily in the US.
- Iranian hackers are exploiting these devices to disrupt critical infrastructure.
- CISA warns of significant operational disruptions and financial losses from these attacks.
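The mitigation the report relays (take PLCs off public networks) starts with knowing which controllers are reachable from outside the OT segment and over which services. The script below is an added example, not code from the report, Censys or CISA. It walks a simple asset inventory, flags devices in an internet-facing zone that listen on the protocols named in the report, and ranks control-protocol exposure above remote-access exposure. The inventory format, zone labels and the sample devices are constructed for illustration; the port assignments (EtherNet/IP on TCP 44818 and UDP 2222, Telnet 23, SSH 22, VNC 5900) are the standard IANA assignments.

```python
"""Flag OT devices whose control or remote-access services are reachable
from public-facing network zones.

Added example, not part of the original report. Inventory format (one
record per device with host, ip, zone and observed open ports) is an
assumption; the sample records are constructed.
"""
import ipaddress

# Standard service ports for the protocols the report names.
# EtherNet/IP uses TCP 44818 (explicit messaging, used by Studio 5000
# to upload/download controller programs) and UDP 2222 (implicit I/O).
CONTROL_SERVICES = {
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 2222): "EtherNet/IP implicit I/O",
}
REMOTE_ACCESS_SERVICES = {
    ("tcp", 23): "Telnet",
    ("tcp", 22): "SSH",
    ("tcp", 5900): "VNC",
}

# Constructed sample inventory; zone labels are assumed to come from the
# organisation's own network documentation.
SAMPLE_INVENTORY = [
    {"host": "plc-pump-01", "ip": "203.0.113.10", "zone": "internet",
     "ports": [("tcp", 44818), ("tcp", 23)]},
    {"host": "plc-boiler-02", "ip": "10.20.30.5", "zone": "ot",
     "ports": [("tcp", 44818)]},
    {"host": "hmi-north", "ip": "198.51.100.7", "zone": "dmz",
     "ports": [("tcp", 5900), ("tcp", 443)]},
    {"host": "eng-ws-1", "ip": "10.20.40.9", "zone": "ot",
     "ports": [("tcp", 22)]},
]


def reachable_from_public(device, public_zones):
    """A device counts as publicly reachable if its zone is public-facing
    or its address is a globally routable (non-private, non-reserved) IP."""
    if device["zone"] in public_zones:
        return True
    return ipaddress.ip_address(device["ip"]).is_global


def find_exposures(inventory, public_zones=("internet", "dmz")):
    """Return one finding per publicly reachable device with a risky service.

    Severity is 'critical' when a control protocol is exposed (the
    controller can be reprogrammed with vendor tooling) and 'high' when
    only remote-access services are exposed.
    """
    findings = []
    for dev in inventory:
        if not reachable_from_public(dev, public_zones):
            continue
        control = [CONTROL_SERVICES[p] for p in dev["ports"] if p in CONTROL_SERVICES]
        remote = [REMOTE_ACCESS_SERVICES[p] for p in dev["ports"] if p in REMOTE_ACCESS_SERVICES]
        if not control and not remote:
            continue
        findings.append({
            "host": dev["host"],
            "ip": dev["ip"],
            "zone": dev["zone"],
            "services": control + remote,
            "severity": "critical" if control else "high",
            "action": "remove from public-facing zone; reach it only via VPN/jump host",
        })
    # Most severe first so the worklist starts with reprogrammable controllers.
    findings.sort(key=lambda f: 0 if f["severity"] == "critical" else 1)
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_INVENTORY):
        print(f"[{f['severity'].upper()}] {f['host']} ({f['ip']}, zone={f['zone']}): "
              f"{', '.join(f['services'])} -> {f['action']}")
```

Feed it the output of an internal port scan of your own OT ranges rather than the constructed list; anything that surfaces with `critical` severity is a controller that external parties could reprogram with the same vendor software the report describes, and belongs behind a firewall or VPN before any other hardening.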
Key Entities
- Malware (attack_type)
- Iceland (country)
- Italy (country)
- Spain (country)
- Taiwan (country)
- United States (country)
- Energy (industry)
- Government (industry)
- Allen-Bradley PLCs (platform)
- CompactLogix (platform)
- EtherNet/IP (platform)
- MicroLogix 1400 (platform)
- MicroLogix 1400 Series (platform)
- SSH (tool)
- Telnet (tool)
- Rockwell Studio 5000 Logix Designer (tool)
- VNC (tool)