Overview
- Federal agencies, in a Tuesday advisory, said Iran‑affiliated hackers are breaking into internet‑exposed operational technology, focusing on Rockwell/Allen‑Bradley programmable logic controllers that run equipment in plants.
- The alert said the group extracted PLC project files and altered data shown on HMI and SCADA screens, which are the interfaces operators use to monitor and control pumps, valves, and other machinery.
- Targets spanned government services, water and wastewater utilities, and the energy sector, and some victims reported operational disruption and financial loss while agencies withheld company names and the overall scope.
- Investigators reported the use of overseas IP addresses, leased third‑party infrastructure, and legitimate engineering tools such as Rockwell’s Studio 5000 to connect to exposed devices and pull configuration files.
- Defenders were told to remove PLCs from the open internet or place them behind secure gateways, set physical mode switches to Run (so the controller cannot be reprogrammed remotely), review logs and OT ports for suspicious traffic, apply MFA and firmware updates, and keep offline backups. Officials noted that the activity has escalated since the late‑February hostilities and resembles earlier CyberAv3ngers campaigns.