Iran-Backed Hackers Target US Critical Infrastructure via OT

Summary
– Iranian hackers have been attacking US critical infrastructure since last month, causing operational and financial damage.
– The attacks target internet-facing operational technology, specifically Rockwell Automation PLCs, in sectors like government, water, and energy.
– The hackers manipulate industrial control system data and use configuration software to create unauthorized connections to the PLCs.
– US organizations are urged to review provided threat indicators, protect PLCs from the internet, and monitor specific network ports.
– Security experts warn that such campaigns exploit persistent visibility gaps between IT and OT systems and embolden further attacks.
A recent advisory from US cybersecurity authorities reveals that Iranian-linked threat actors have been actively targeting American critical infrastructure since last month. These attacks have resulted in both operational disruptions and financial losses, focusing on sectors vital to national stability. The campaign specifically exploits internet-facing operational technology assets, including widely used programmable logic controllers from manufacturers like Rockwell Automation.
According to the joint advisory from CISA, the FBI, and other agencies, the affected sectors include government facilities, water and wastewater systems, and energy. The advanced persistent threat group has been manipulating human-machine interface and SCADA displays by maliciously interacting with industrial control system project files. This activity allows them to interfere with the physical processes managed by these devices.
The attackers are leveraging configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer, to establish connections to targeted PLCs. They often route this traffic through overseas IP addresses and third-party infrastructure to obscure their origins. Malicious inbound communications have been observed on several ports commonly associated with OT devices, including ports 44818, 2222, and 502. In some cases, the group has deployed Dropbear SSH software on victim endpoints to establish persistent remote access.
Authorities are urging all US critical infrastructure organizations to review the detailed tactics, techniques, and procedures outlined in the advisory. They recommend immediately checking network logs for the provided indicators of compromise and applying recommended mitigations. Key defensive actions include implementing secure gateways and firewalls to prevent direct internet exposure of PLCs, monitoring for suspicious traffic on OT-related ports, and ensuring physical controller switches are in the correct run position.
This campaign is part of a concerning trend. Earlier this year, a separate Iran-linked cyberattack impacted medical devices at a US firm, and a 2023 operation by the Islamic Revolutionary Guard Corps targeted water facilities using Israeli-made PLCs. Security experts note that these incidents are not isolated. Years of high-profile attacks have exposed persistent vulnerabilities in operational technology environments, particularly internet-accessible interfaces that were never intended for permanent remote access.
The consequences of even limited disruptions can be severe, straining emergency response, causing financial harm, and damaging reputations. Each successful campaign lowers the barrier for future attacks, encouraging actors to escalate from simple defacement to causing real operational interference. For infrastructure operators, the current climate demands heightened vigilance. Organizations should assume that threat actors are conducting increased reconnaissance and credential harvesting, looking for opportunistic exploits.
A major persistent weakness is the visibility gap between traditional IT networks and operational technology systems. To defend against these threats, teams must prioritize passive network monitoring for control protocols and enforce strict network segmentation between enterprise and industrial control zones. Validating all remote access pathways and tightly controlling engineering workstations are also critical steps. Crucially, incident response plans need to account for scenarios involving the loss of control system integrity, not just the theft of data. While these measures are essential for long-term resilience, some experts warn that for many organizations, implementing them now may be too late to prevent short-term impacts from ongoing campaigns.
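The passive monitoring the paragraph above calls for, together with the port watch-list from the advisory (44818, 2222 and 502), can be turned into a small detection rule. The following Python is an added example, not code from the article or from any of the agencies it cites: it reads a constructed flow-log format, and flags any session that reaches a PLC protocol port in the OT zone from the internet, from an enterprise host outside the engineering-workstation subnet, or from an address on an indicator list. The address plan (`OT_ZONE`, `ENGINEERING_SUBNET`) and the `ADVISORY_IOC_IPS` set are hypothetical placeholders; the real indicators must be taken from the advisory itself.

```python
"""Flag inbound traffic to PLC protocol ports that should never arrive from
outside the engineering subnet. Added example; the address plan and the
flow-log format are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports named in the advisory (44818, 2222, 502) and the ICS protocols that
# normally use them. The protocol names are general ICS knowledge.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    502: "Modbus/TCP",
}

# Hypothetical address plan (assumption): PLCs live in the OT zone, and only
# the engineering-workstation subnet is allowed to open sessions to them.
OT_ZONE = ipaddress.ip_network("10.50.0.0/16")
ENGINEERING_SUBNET = ipaddress.ip_network("10.50.200.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder for the advisory's indicator list. Constructed value, not a real
# indicator; populate this from the advisory's IoC section.
ADVISORY_IOC_IPS = {ipaddress.ip_address("198.51.100.9")}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    protocol: str
    action: str
    reason: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow-log line:
    '<timestamp> <src_ip> <dst_ip> <l4proto> <dst_port> <allow|deny>'."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, proto, port, action = fields
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "proto": proto,
                "port": int(port), "action": action}
    except ValueError:
        return None


def is_internal(addr) -> bool:
    """True for RFC 1918 space; anything else is treated as internet-sourced."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: dict) -> Optional[Finding]:
    """Return a Finding when a flow reaches a PLC protocol port in the OT zone
    from anywhere other than the engineering subnet; None for expected traffic."""
    port, src, dst = flow["port"], flow["src"], flow["dst"]
    if port not in OT_PORTS or dst not in OT_ZONE:
        return None
    if src in ADVISORY_IOC_IPS:
        reason = "source matches advisory indicator list"
    elif not is_internal(src):
        reason = "internet-sourced connection to PLC port"
    elif src not in ENGINEERING_SUBNET:
        reason = "PLC port reached from outside the engineering subnet"
    else:
        return None  # engineering workstation talking to a PLC: expected
    return Finding(flow["ts"], str(src), str(dst), port, OT_PORTS[port],
                   flow["action"], reason)


def scan(lines):
    """Run every flow line through the classifier. Denied flows are kept too:
    a blocked probe of a PLC port is still reconnaissance worth recording."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01Z 10.50.200.15 10.50.10.5 tcp 44818 allow",  # engineer -> PLC, expected
    "2024-01-01T10:00:07Z 203.0.113.7 10.50.10.5 tcp 44818 allow",   # internet -> PLC: direct exposure
    "2024-01-01T10:00:09Z 10.20.4.33 10.50.10.8 tcp 502 allow",      # enterprise host -> Modbus: segmentation gap
    "2024-01-01T10:00:12Z 10.20.4.33 10.20.4.1 tcp 443 allow",       # ordinary enterprise traffic, ignored
    "2024-01-01T10:00:15Z 198.51.100.9 10.50.10.5 udp 2222 deny",    # IoC hit, blocked at the firewall
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port} ({f.protocol}) "
              f"[{f.action}] {f.reason}")
```

The rule deliberately treats a denied flow from an indicator address as a finding: a firewall block proves the segmentation worked once, but the probe itself is the early warning the advisory tells operators to look for in their logs. The same classifier can be pointed at exported NetFlow, Zeek `conn.log` or firewall records once `parse_flow` is adapted to that format.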
(Source: Infosecurity Magazine)