Case Study · April 14, 2026 · 8 min read

No Malware, No Exploit, No Signatures to Catch: The Iranian PLC Campaign Targeting US Infrastructure

Jerrid Brown · OTPulse

Six agencies confirmed it. Iranian-affiliated CyberAv3ngers used legitimate Rockwell engineering software to disrupt US water, energy, and government facilities. Here is what happened and what to do about it.


Six agencies signed this one. CISA, FBI, NSA, EPA, DOE, and Cyber Command don't put out joint advisories unless something is actively on fire. And it is.

CyberAv3ngers, the IRGC-linked group that hit Aliquippa's water authority in 2023, are back. This time they're going after Rockwell PLCs at US water utilities, energy facilities, and government sites. Not probing. Not scanning. Connecting to them with Studio 5000 and changing the control logic. CISA confirmed operational disruptions at multiple organizations. This isn't a warning about what could happen. It's a disclosure about what's happening right now.

2020 - CyberAv3ngers established
IRGC Cyber Electronic Command group begins targeting critical infrastructure.

November 2023 - Aliquippa, PA: Unitronics campaign
75 US water facilities compromised via default credentials on Israeli-made PLCs. Single-agency CISA advisory AA23-335A.

February 28, 2026 - Operation Epic Fury begins
U.S.-Israel strikes on Iran trigger retaliatory cyber operations. Playbook proliferates to 60+ affiliated groups.

March 2026 - Rockwell PLC campaign escalates
CyberAv3ngers shift targeting from Israeli to US-manufactured controllers: CompactLogix, Micro850, MicroLogix 1400.

April 7, 2026 - AA26-097A published
Six-agency joint advisory confirms active disruptions in water, energy, and government facilities.

From Aliquippa to Everywhere

You might remember Aliquippa. November 2023, Municipal Water Authority in Pennsylvania. CyberAv3ngers popped 75 water facilities through Unitronics PLCs that still had default credentials. That was targeted at Israeli-made devices after October 7. CISA published an advisory, everyone changed their passwords, news cycle moved on.

That was a sideshow compared to this.

After the U.S. and Israel hit Iran on February 28, the retaliation started almost immediately. CyberAv3ngers and something like 60 affiliated groups launched coordinated operations across IT and OT environments. The playbook leaked or got handed around - point is, the people doing this aren't one team anymore.

And they switched targets. In 2023 it was Israeli-made Unitronics. Now it's CompactLogix, Micro850, MicroLogix 1400 - Rockwell's bread and butter. If you run water treatment, pump stations, or substation SCADA in the US, there's a real chance these are in your environment.

3,891 PLCs on the Open Internet

Censys scanned port 44818 and found 5,219 Rockwell/Allen-Bradley PLCs just sitting on the internet. Three quarters are in the US. And here's the part that should bother you: about half are on Verizon Business cellular ASNs. That's a modem in a junction box. Someone set it up for remote access, probably years ago, and it's been there ever since with no firewall between it and the rest of the world. Another 771 of those hosts are also running VNC. Some have Telnet open.

Exposure metric                                  Value
Globally exposed Rockwell PLCs (port 44818)      5,219
Located in the United States                     3,891 (74.6%)
On Verizon Business cellular ASNs                49.1%
Same hosts also exposing VNC                     771
Same hosts also exposing Modbus (port 502)       292
CVE-2021-22681 (auth bypass, CVSS 9.8)           No patch available

If you've ever inherited a site and found a cellular modem you didn't know about - this is what the other end of that looks like to an attacker.

Legitimate Software as the Weapon

Here's the part that keeps me up at night. There's no malware in this campaign. No exploit code. No zero-day. They're using Studio 5000 - Rockwell's own engineering software, the same one your guys use every day to program Logix controllers - to connect directly to exposed PLCs over port 44818.

  1. Scan the internet - port 44818
  2. Connect via Studio 5000 - legitimate tool
  3. Download project - no alert
  4. Modify logic - no signature
  5. Reupload to PLC - no alert
  6. Manipulate HMI - false readings

Think about what that means for detection. A Studio 5000 session from an attacker looks identical to one from your engineering workstation down the hall. Your AV won't flag it because there's nothing to flag. Your SIEM won't alert because the protocol is legitimate. There's no IOC to hunt for - the tool IS the weapon.

Once they're connected, they pull down your project file, modify the logic, and push it back. They drop a Dropbear SSH backdoor on port 22 for persistence. And then - this is the part that matters operationally - they mess with the HMI data. Your operator is looking at normal readings on the SCADA screen while the actual process has already changed underneath them.

The root cause is CVE-2021-22681 - authentication bypass, CVSS 9.8. CISA added it to KEV in March. There's no patch. Let that sit for a second. The only fix is making sure these devices can't be reached from the internet.

What to Do This Week

If you run Rockwell Logix controllers, check port 44818 today. If any of your PLCs are directly reachable from the internet, that changes now. This is not a theoretical risk - six agencies confirmed active disruptions at US facilities running these exact devices.

Network-level actions:

  • Verify no PLCs are directly reachable on port 44818 from the internet. If they are, firewall them immediately.
  • Limit Studio 5000 connections to authorized engineering workstation IPs only.
  • If remote access is operationally required, route through a jump host or VPN, not a direct cellular modem.
  • Monitor EtherNet/IP (port 44818), SSH (port 22), and Modbus (port 502) traffic for unexpected connections.

Physical-side actions:

  • Set the mode switch to RUN on CompactLogix and MicroLogix devices. This prevents remote project downloads even if Studio 5000 connects.
  • Check for unexpected SSH (Dropbear) processes on connected hosts.
  • Audit Studio 5000 connection logs for sessions from unrecognized source IPs.
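The monitoring and log-audit steps above boil down to one question: which EtherNet/IP, Modbus, or SSH connections to a controller came from a host that has no business opening one? The script below is an added example, not code from OTPulse or the advisory; it runs that check over constructed flow-log lines with a constructed allowlist, flags 44818 and 502 sessions from sources outside the engineering/SCADA range, and flags SSH to a PLC regardless of source, since a Logix controller should never accept SSH.

```python
# Added example (not from the briefing or the CISA advisory). All addresses,
# the allowlist and the flow-log format are constructed for illustration.
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "src dst port reason")

# Ports the advisory says to watch on controller-facing links.
WATCHED_PORTS = {
    44818: "EtherNet/IP (Studio 5000 session)",
    502: "Modbus/TCP",
    22: "SSH (controllers should not accept SSH; possible Dropbear persistence)",
}

# Constructed addressing; adjust to your own site.
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]         # everything inside the plant
PLC_NETWORK = ipaddress.ip_network("10.50.0.0/16")            # the controllers being protected
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]  # engineering workstations + SCADA servers

def parse_flow(line):
    """Parse one constructed flow-log line: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), proto

def audit_flows(lines):
    """Return a Finding for every watched-port connection to a PLC that is not expected."""
    findings = []
    for line in lines:
        _, src, dst, dport, _ = parse_flow(line)
        if dst not in PLC_NETWORK or dport not in WATCHED_PORTS:
            continue
        authorized = any(src in net for net in AUTHORIZED_SOURCES)
        if dport != 22 and authorized:
            continue  # expected engineering or SCADA traffic; SSH is flagged from any source
        reason = WATCHED_PORTS[dport]
        if not any(src in net for net in SITE_NETWORKS):
            reason += "; source is outside the site address space"
        findings.append(Finding(str(src), str(dst), dport, reason))
    return findings

# Constructed sample flows: a legitimate Studio 5000 session, one from outside
# the site, SSH to a controller, a Modbus poll from an unknown host, and HTTP.
SAMPLE_FLOWS = [
    "2026-04-08T02:14:11Z 10.20.30.15:51234 -> 10.50.1.20:44818 tcp",
    "2026-04-08T02:15:02Z 203.0.113.77:40022 -> 10.50.1.20:44818 tcp",
    "2026-04-08T02:16:40Z 203.0.113.77:40188 -> 10.50.1.20:22 tcp",
    "2026-04-08T02:17:05Z 10.20.99.9:50001 -> 10.50.1.21:502 tcp",
    "2026-04-08T02:18:00Z 10.20.30.15:51300 -> 10.50.1.20:80 tcp",
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Feed it your firewall or NetFlow export in the same shape and anything it prints is a session to chase down, starting with sources outside the site range.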

Compliance: If your organization falls under EPA's AWIA, NERC CIP-005/CIP-007, CIRCIA, or FISMA, the advisory calls out all four by name. Document what you find and what you do about it.

The full advisory is on CISA's site.

Industry Intel

Reports & Research

Censys: 5,219 Internet-Exposed Rockwell PLCs, 74.6% in the US

Censys scanned EtherNet/IP port 44818 and published the full exposure breakdown alongside the AA26-097A advisory. The cellular modem detail is particularly important: 49.1% of global exposures sit on Verizon Business cellular ASNs, meaning these are field-deployed devices brought online with a modem and likely forgotten. Co-exposed services on the same hosts include 771 VNC instances and 292 Modbus instances.


74.6% of the 5,219 internet-exposed Rockwell/Allen-Bradley PLCs found globally are in the United States. - Censys, April 2026

Forescout Vedere Labs: ICS Vulnerability Landscape 2026

Forescout's annual analysis from Vedere Labs covers how ICS vulnerability disclosure has shifted and where the highest-density risk sits across sectors. If you are building a threat briefing for leadership, this is the data to anchor it to.

Comparitech: Internet-Exposed ICS Devices Running Insecure Modbus

Comparitech published research documenting the scale of internet-exposed ICS devices running Modbus with no authentication and no encryption. The timing alongside the Censys Rockwell data reinforces that the internet exposure problem is not limited to one vendor or one protocol.

SANS 2026: Skills Crisis Putting OT Sectors at Measurable Breach Risk

About 60% of organizations say their teams lack the skills needed to defend against current threats, per the SANS 2026 report. Regulatory pressure on OT-specific hiring surged from 40% to 95% of respondents in a single year. If you are trying to make a headcount case, this is cited data.
