
US Critical Sectors Disrupted by Iranian-Backed Cyberattacks on PLCs
Iranian-affiliated APT actors have been exploiting internet-exposed Rockwell Automation/Allen-Bradley PLCs across U.S. critical infrastructure since March 2026, causing operational disruptions and financial losses across water, energy, and government sectors. Attackers leveraged legitimate vendor software to extract project files and manipulate HMI/SCADA displays, while also probing Modbus and Siemens S7 protocols, indicating broader multi-vendor targeting intent.
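As an added detection example, not part of the original advisory: the script below matches firewall or flow records against the eight IPv4 indicators listed on this page and flags allowed sessions from outside the plant's private address space to the standard TCP ports of the protocols the advisory names (EtherNet/IP 44818 for Rockwell/Allen-Bradley, Modbus/TCP 502, Siemens S7comm 102). The key=value log format, the sample records, the RFC 1918 internal ranges and the port assignments are assumptions for the example; the advisory itself lists no ports, log formats or internal networks.

```python
"""Added example (not part of the original advisory): match flow records
against the page's IPv4 indicators and flag allowed inbound sessions from
outside the plant network to ICS protocol ports.  The key=value log format
and the sample records below are constructed for illustration."""
import ipaddress
import re
from typing import Iterable

# IPv4 indicators exactly as listed in the advisory's IoC section.
IOC_IPS = frozenset({
    "185.82.73.167", "185.82.73.162", "135.136.1.133", "185.82.73.168",
    "185.82.73.171", "185.82.73.164", "185.82.73.170", "185.82.73.165",
})

# Standard TCP ports for the protocols the advisory names.  The advisory
# does not list ports; these are the conventional assignments (assumption).
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell/Allen-Bradley)",
    502: "Modbus/TCP",
    102: "Siemens S7comm over ISO-TSAP",
}

# Address space treated as "inside" the OT network (RFC 1918; an assumption
# for the example, substitute the real plant ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Parse one 'key=value key=value ...' flow record into a dict."""
    return dict(_KV.findall(line))


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(lines: Iterable[str]) -> list[dict]:
    """Return one alert per flow that matches an IoC or exposes an ICS port.

    Each alert carries the parsed record plus a list of reasons, so a flow
    that trips both checks yields a single alert with two reasons."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if "src" not in rec or "dst" not in rec:
            continue  # skip malformed records instead of crashing
        reasons = []
        for ip in (rec["src"], rec["dst"]):
            if ip in IOC_IPS:
                reasons.append(f"ioc_match:{ip}")
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            dport = 0
        # Only an *allowed* session from outside to an ICS port is exposure;
        # a denied one is still reported above if the source is an IoC.
        if (dport in ICS_PORTS and rec.get("action") == "allow"
                and not is_internal(rec["src"])):
            reasons.append(f"external_to_ics:{ICS_PORTS[dport]}")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


# Constructed sample records; timestamps, hosts and ports are illustrative.
SAMPLE_FLOWS = [
    "ts=2026-03-14T02:11:09Z src=185.82.73.167 sport=51234 dst=10.20.5.7 dport=44818 proto=tcp action=allow",
    "ts=2026-03-14T02:11:40Z src=10.20.5.20 sport=49201 dst=10.20.5.7 dport=44818 proto=tcp action=allow",
    "ts=2026-03-14T02:13:02Z src=203.0.113.45 sport=40112 dst=10.20.5.9 dport=502 proto=tcp action=allow",
    "ts=2026-03-14T02:14:55Z src=185.82.73.162 sport=44120 dst=10.20.5.11 dport=102 proto=tcp action=deny",
    "ts=2026-03-14T02:15:30Z src=10.20.5.20 sport=49300 dst=10.20.1.4 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for a in analyze_flows(SAMPLE_FLOWS):
        print(a["ts"], a["src"], "->", a["dst"] + ":" + a["dport"], a["reasons"])
```

The second sample record (an internal engineering workstation reaching a PLC on 44818) produces nothing, which is the point of the internal-range check: vendor tooling is used legitimately inside the plant, and the signal is the same protocol arriving from outside. A denied session from an indicator address is still reported, since it documents that the campaign's infrastructure is probing the perimeter.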
Indicators of Compromise
IPv4 (8)
185.82.73.167
185.82.73.162
135.136.1.133
185.82.73.168
185.82.73.171
185.82.73.164
185.82.73.170
185.82.73.165
APT Groups
Cyber Av3ngers
IR
Notes
<span id="docs-internal-guid-e994d639-7fff-8e7d-3694-9566184c0d18"><h2 style="line-height:1.38;margin-top:14pt;margin-bottom:4pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">CONCLUSION</span></h2><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Iranian-affiliated APT actors have demonstrated a calculated escalation in offensive OT capabilities, shifting from opportunistic reconnaissance to hands-on-keyboard manipulation of industrial control systems across U.S. critical infrastructure — a tactical evolution that signals these threats will grow in both frequency and destructive intent. The deliberate targeting of internet-exposed Rockwell Automation PLCs using legitimate vendor tooling reflects a mature, low-noise intrusion methodology designed to evade traditional IT security controls while achieving maximum operational impact. Water, energy, and government sectors face the highest immediate risk, as thousands of unpatched, internet-facing devices remain active targets with direct links to physical processes. The multi-protocol probing of Modbus and Siemens S7 further suggests this campaign is a precursor to broader, multi-vendor ICS targeting that extends well beyond U.S. borders.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Use SOCRadar Free Edition to monitor your attack surface and identify exposed OT assets through Attack Surface Management, track Iranian APT indicators in real time via Threat Intelligence, and investigate campaign-related IOCs instantly through IOC Radar. 
Dark Web Monitoring can surface any leaked credentials or access being sold related to your ICS environments, while Brand Protection helps detect phishing infrastructure mimicking industrial vendor portals like Rockwell or Siemens. Start protecting your critical infrastructure today — for free — at socradar.io.</span></p><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></div></span>
Mitigation
<span id="docs-internal-guid-d62562f6-7fff-62af-816f-6b251a5e02a5"><h2 style="line-height:1.38;margin-top:14pt;margin-bottom:4pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">MITIGATION </span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(26, 102, 204); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/">REF</a></span></h2><h2 style="line-height:1.38;margin-top:14pt;margin-bottom:4pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remote Access Software T1663</span></h2><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: 
Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></td></tr><tr style="height:70pt;"><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1012"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1012</span></a></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1012"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Enterprise Policy</span></a></p></td><td style="border-left:solid #dfdfdf 
0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on, for example blocking, specific remote access applications from being installed on managed devices.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1011"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1011</span></a></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1011"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">User Guidance</span></a></p></td><td style="border-left:solid 
#dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.</span></p></td></tr></tbody></table></div><br><h2 style="line-height:1.38;margin-top:14pt;margin-bottom:4pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Data Manipulation T1641</span></h2><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dee2e6 1.2500025000000001pt;border-top:solid #dfdfdf 0.416667pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></td></tr><tr style="height:56.5pt;"><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1006"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">M1006</span></a></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1006"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Use Recent OS Version</span></a></p></td><td style="border-left:solid #dfdfdf 0.416667pt;border-right:solid #dfdfdf 0.416667pt;border-bottom:solid #dfdfdf 0.416667pt;border-top:solid #dee2e6 1.2500025000000001pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Recent OS versions have limited access to certain APIs unless certain conditions are met, making </span><a href="https://attack.mitre.org/techniques/T1641"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Data Manipulation</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"> more difficult.</span></p></td></tr></tbody></table></div></span>