Iran-Linked Hackers Target U.S. Critical Infrastructure via Internet-Exposed PLCs
Iran-affiliated cyber actors have been actively targeting internet-facing operational technology (OT) devices across multiple U.S. critical infrastructure sectors, including government facilities, water and wastewater systems, and the energy sector. According to the warning issued by the FBI and partner cybersecurity agencies, the campaign has caused diminished PLC functionality, manipulation of display data, operational disruptions, and financial losses.
Targeted Systems and Methods
The attacks have focused on Rockwell Automation and Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices, which control industrial processes. Threat actors exploited internet-exposed PLCs by using leased, third-party infrastructure and configuration software such as Studio 5000 Logix Designer to establish legitimate-looking connections to the devices.
Once access was gained, the attackers deployed Dropbear SSH software on victim endpoints to maintain remote control. This allowed them to extract project files and manipulate HMI and SCADA displays, potentially disrupting operations.
Recommended Mitigations
Organizations are urged to:
- Avoid exposing PLCs directly to the internet
- Use physical or software switches to prevent remote modification
- Implement multi-factor authentication (MFA)
- Deploy firewalls or network proxies in front of PLCs
- Keep PLC software updated and disable unused authentication features
- Monitor network traffic for unusual activity
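As an added illustration of the last two mitigations (a filtering point in front of the PLCs, plus monitoring for unusual traffic), the script below is example code written for this page, not tooling from the advisory or from Rockwell Automation. It applies a simple policy to constructed flow records: EtherNet/IP sessions to the PLC segment must come from the engineering workstation range, nothing outside the internal address plan may reach the PLC service ports, and no external address may open SSH to an OT host (the advisory notes that Dropbear SSH was planted on victim endpoints for remote control). The address ranges, the record layout and the EtherNet/IP port set are assumptions for the example.

```python
"""Flag flow records that break a simple PLC network policy.

Added example (not part of the advisory). Reads constructed,
space-separated flow records and reports sessions that the advisory's
mitigations say should not exist. Network ranges and field layout are
assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan (not from the advisory).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # anything else is "external"
PLC_NET = ip_network("10.20.0.0/24")            # CompactLogix / Micro850 segment
ENGINEERING_NET = ip_network("10.10.5.0/24")    # Studio 5000 workstations
OT_NETS = [PLC_NET, ENGINEERING_NET]

# EtherNet/IP (CIP) service ports used by Rockwell/Allen-Bradley PLCs.
ENIP_PORTS = {44818, 2222}
SSH_PORT = 22


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record of the form '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def is_internal(ip) -> bool:
    """True if the address belongs to the assumed internal address plan."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates policy, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    to_plc_service = dst in PLC_NET and flow.dport in ENIP_PORTS
    if to_plc_service and not is_internal(src):
        return "EtherNet/IP session to PLC from external address"
    if to_plc_service and src not in ENGINEERING_NET:
        return "EtherNet/IP session to PLC from non-engineering host"
    if (flow.dport == SSH_PORT and any(dst in n for n in OT_NETS)
            and not is_internal(src)):
        return "inbound SSH to OT host from external address (check for Dropbear)"
    return None


def scan(records: str) -> List[Tuple[str, str]]:
    """Return (record, reason) pairs for every policy violation found."""
    hits = []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reason = classify(parse_flow(line))
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample records (not real traffic): an allowed engineering
# session, an external EtherNet/IP session, an external SSH login to a
# workstation, an internal but non-engineering EtherNet/IP session, and
# an ordinary internal SSH session.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z 10.10.5.12 10.20.0.7 44818 tcp
2024-01-01T10:00:05Z 198.51.100.23 10.20.0.7 44818 tcp
2024-01-01T10:00:09Z 198.51.100.23 10.10.5.12 22 tcp
2024-01-01T10:01:00Z 10.30.1.4 10.20.0.9 44818 tcp
2024-01-01T10:02:00Z 10.10.5.12 10.10.5.13 22 tcp
"""

if __name__ == "__main__":
    for record, reason in scan(SAMPLE_FLOWS):
        print(f"{reason}: {record}")
```

Run against the constructed records, three of the five flows are reported: the external EtherNet/IP session, the external SSH login, and the internal session from outside the engineering range. The same three rules translate directly into firewall or proxy policy in front of the PLC segment; the script simply makes violations visible in whatever flow or firewall logs the site already collects.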
Historical Context and Escalation
This campaign follows prior Iranian OT targeting, including Cyber Av3ngers (Hydro Kitten / Shahid Kaveh Group / UNC5691) exploiting Unitronics PLCs against a Pennsylvania municipal water authority in 2023, compromising at least 75 devices. Experts warn that Iranian actors are now moving faster and more broadly, targeting both IT and OT infrastructure, mirroring attacks observed in Israel earlier this year.
State-Sponsored Influence and Cybercrime Ecosystem
Researchers have linked multiple groups, including Homeland Justice, Karma/KarmaBelow80, and Handala Hack, to a coordinated cyber influence ecosystem connected to Iran’s Ministry of Intelligence and Security (MOIS). These groups operate under multiple aliases to maintain operational continuity while conducting technical operations integrated with narrative manipulation and media amplification.
Messaging platforms like Telegram play a key role in C2 operations, allowing malware to communicate with attacker-controlled bots while blending into normal network activity.
Advanced Malware Tools
The Iranian state-sponsored threat actor MuddyWater has been linked to the use of CastleRAT remote access trojans, ChainShell JavaScript malware, and the Tsundere/Dindoor botnet, deployed via a PowerShell loader (“reset.ps1”). Some malware components leverage smart contracts on the Ethereum blockchain to retrieve C2 addresses for executing further stages of attacks.
Experts note that the adoption of commercial off-the-shelf (COTS) Russian MaaS tools by Iranian actors complicates attribution and increases the sophistication of attacks, particularly against defense, aerospace, energy, and government sectors.