US Critical Sectors Disrupted by Iranian-Backed Cyberattacks on PLCs


Tags: Iranian APT, IRGC, ICS/OT, Rockwell Automation, Allen-Bradley, CompactLogix, Micro850, PLC Exploitation, HMI Manipulation, SCADA Tampering, Studio 5000, EtherNet/IP, Critical Infrastructure, Water & Wastewater, Energy Sector, T0883, Cyber Sabotage, AA26-097A
Iranian-affiliated APT actors have been exploiting internet-exposed Rockwell Automation/Allen-Bradley PLCs across U.S. critical infrastructure since March 2026, causing operational disruptions and financial losses across water, energy, and government sectors. Attackers leveraged legitimate vendor software to extract project files and manipulate HMI/SCADA displays, while also probing Modbus and Siemens S7 protocols, indicating broader multi-vendor targeting intent.
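The summary above turns on two observable facts: the affected PLCs were reachable from the internet, and the same sources touched more than one OT protocol (EtherNet/IP, then Modbus and Siemens S7). The following script is an added defensive example, not part of this campaign record or of any vendor tooling. It runs over constructed flow records (the addresses and timestamps are invented for illustration) and flags sessions from outside the plant's own address ranges to the standard ports for those three protocols, then lists sources that spoke several of them. The port numbers are the well-known defaults; the internal network list is an assumption that would be replaced by the site's asset inventory.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Well-known default ports for the OT protocols named in the campaign summary.
# Which of these a given PLC actually listens on should be confirmed against
# the asset inventory; this table is an assumption for the example.
ICS_PORTS: Dict[Tuple[int, str], str] = {
    (44818, "tcp"): "EtherNet/IP",   # CIP explicit messaging (Studio 5000 / Logix traffic)
    (2222, "udp"): "EtherNet/IP",    # CIP implicit (I/O) messaging
    (502, "tcp"): "Modbus/TCP",
    (102, "tcp"): "S7comm",          # Siemens S7 over ISO-TSAP
}

# Address ranges considered "inside the plant" (assumed for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records, not real telemetry:
# (timestamp, src_ip, dst_ip, dst_port, transport)
SAMPLE_FLOWS = [
    ("2026-03-12T02:14:05Z", "198.51.100.23", "10.20.30.5", 44818, "tcp"),
    ("2026-03-12T02:14:09Z", "198.51.100.23", "10.20.30.5", 502, "tcp"),
    ("2026-03-12T02:14:12Z", "198.51.100.23", "10.20.30.6", 102, "tcp"),
    ("2026-03-12T02:15:00Z", "10.20.30.50", "10.20.30.5", 44818, "tcp"),  # in-plant engineering workstation
    ("2026-03-12T02:16:00Z", "203.0.113.9", "10.20.30.7", 443, "tcp"),    # external, but not an OT port
    ("2026-03-12T02:17:00Z", "203.0.113.9", "10.20.30.5", 2222, "udp"),
]


def is_external(ip: str) -> bool:
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_ics_access(flows) -> List[dict]:
    """One alert per flow whose source is external and whose destination is an OT protocol port."""
    alerts = []
    for ts, src, dst, dport, transport in flows:
        proto = ICS_PORTS.get((dport, transport.lower()))
        if proto is None or not is_external(src):
            continue
        alerts.append({"time": ts, "src": src, "dst": dst, "port": dport, "protocol": proto})
    return alerts


def protocols_by_source(alerts) -> Dict[str, Set[str]]:
    """Group alerts by external source and collect the distinct OT protocols each one touched."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        seen[a["src"]].add(a["protocol"])
    return dict(seen)


def multi_protocol_sources(alerts, min_protocols: int = 2) -> List[str]:
    """Sources that spoke several OT protocols: the multi-vendor probing pattern the summary describes."""
    return sorted(
        src for src, protos in protocols_by_source(alerts).items() if len(protos) >= min_protocols
    )


if __name__ == "__main__":
    found = find_external_ics_access(SAMPLE_FLOWS)
    for a in found:
        print(f'{a["time"]} {a["src"]} -> {a["dst"]}:{a["port"]} {a["protocol"]}')
    print("multi-protocol sources:", multi_protocol_sources(found))
```

On the constructed input the first source is reported for all three protocols while the second only reaches EtherNet/IP; in practice the same logic would be fed from firewall or NetFlow exports at the OT boundary, and any hit at all is the finding, since a PLC that answers to an external address on these ports is the exposure the advisory is about.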

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Cyber Av3ngers (IR)

Summary of Actor: CyberAv3ngers is a sophisticated and well-funded threat actor group known for its targeted cyber-espionage activities. They have been active since at least 2015 and are believed to be state-sponsored. Their primary objectives include data exfiltration, surveillance, and disruption.

General Features: CyberAv3ngers employ advanced persistent threats (APTs), leveraging zero-day vulnerabilities and custom malware. They are known for their stealth, sophisticated social engineering techniques, and long-term persistence in targeted networks.

Related Other Groups: APT28, Sandworm Team, Fancy Bear

Indicators of Attack (IoA):
- Use of specific C2 servers
- Phishing emails with high social engineering tactics
- Advanced obfuscation and encryption techniques
- Custom malware signatures

Recent Activities and Trends:
- Latest Campaigns: The most recent campaign by CyberAv3ngers targeted healthcare organizations, using spear-phishing emails to deliver a new variant of their custom malware. This campaign has been linked to a significant increase in data exfiltration incidents.
- Emerging Trends: CyberAv3ngers have been observed to shift towards targeting cloud infrastructure with sophisticated credential stuffing attacks. Additionally, there is an uptick in their use of AI and machine learning algorithms to enhance their phishing and social engineering tactics.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS REF

Remote Access Software (T1663)

ID      | Name                                | Analytic ID | Analytic Description
DET0624 | Detection of Remote Access Software | AN1689      | Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.
        |                                     | AN1690      | Remote access software typically requires many privileged permissions, such as accessibility services or device administrator.

Data Manipulation (T1641)

ID      | Name                           | Analytic ID | Analytic Description
DET0660 | Detection of Data Manipulation | AN1750      | Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.

Observed Countries (1)

US (459)