In a joint advisory issued on April 7, 2026, U.S. intelligence and cybersecurity agencies revealed that Iranian-affiliated advanced persistent threat (APT) actors are actively exploiting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs). These industrial control system components are critical for essential services like water treatment and energy distribution, making their compromise a significant national security concern. The advisory, designated AA26-097A, highlights an ongoing threat to operational technology (OT) environments across the United States and potentially globally.
The threat actors are linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and have been identified by various monikers, including CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691. This marks a notable escalation from a previous campaign observed in November 2023, where the same group targeted at least 75 Unitronics PLCs in U.S. water and wastewater facilities, as detailed in CISA advisory AA23-335A. The current operation, active since at least March 2026, specifically targets Rockwell devices, expanding the potential impact.
Iranian APT Activity Targets Internet-Exposed Rockwell PLCs
Research conducted by Censys identified a substantial attack surface, with 5,219 internet-exposed hosts globally responding to EtherNet/IP (EIP) on port 44818 and identifying themselves as Rockwell Automation/Allen-Bradley devices. The United States accounts for the majority of this exposure, with 3,891 hosts at risk. Significant exposure was also noted in Spain (110 hosts), Taiwan (78 hosts), and Italy (73 hosts).
A concerning aspect of this campaign is the actors’ reliance on legitimate Rockwell engineering software, Studio 5000 Logix Designer, rather than on zero-day vulnerabilities. Using the vendor's own tooling, they can directly access and manipulate internet-facing PLCs, read and alter project files, and compromise Human-Machine Interface (HMI)/Supervisory Control and Data Acquisition (SCADA) display screens, which can delay detection of the tampering because the activity resembles routine engineering access.
Confirmed targeted device families include CompactLogix and Micro850. Furthermore, the threat actors are actively probing other OT protocols such as Modbus (port 502) and S7 (port 102), suggesting a potential expansion of their targeting to multiple vendor platforms.
Nearly half of the globally exposed devices (49.1%) are connected via Verizon Business cellular modems, with AT&T Mobility accounting for a further 13.3%. These PLCs are often deployed in remote locations such as pump stations and electrical substations, and their internet connectivity relies on cellular modems instead of more secure network links. The prevalence of consumer and mobile carrier networks over industrial Autonomous System Numbers (ASNs) indicates a widespread and often overlooked deployment risk.
Expanded Attack Surface: Co-Exposed Services and IOC Analysis
Beyond the primary EIP exposure, Censys protocol enumeration on the 5,219 hosts revealed a broader attack surface due to co-exposed services. VNC services were present on 771 instances, potentially offering attackers direct remote desktop access to HMI workstations. Additionally, Telnet was found on 280 hosts and Modbus on 292, providing further unprotected entry points consistent with the attack behaviors detailed in the advisory.
Analysis of previously published Indicators of Compromise (IOCs) by Censys indicated that the IP addresses identified by CISA within the 185.82.73.x range actually represent a single multi-homed Windows engineering workstation equipped with the complete Rockwell toolchain. Four additional operator IPs on this same host were not included in the advisory. A separate staging server located at 135.136.1.133 was provisioned in February 2026 and operated for a four-day period in mid-March before being abandoned.
Organizations operating Rockwell/Allen-Bradley PLCs are strongly advised to immediately remove these devices from direct internet exposure. For CompactLogix and MicroLogix devices, setting the physical mode switch to the RUN position offers a significant control that cannot be remotely overridden. Administrators should disable VNC, Telnet, and FTP services on any host co-located with a PLC. Implementing multi-factor authentication for all remote OT access and auditing MicroLogix 1400 deployments running end-of-sale firmware versions C/21.02 and C/21.07 are also critical steps. Immediate review of all inbound traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IP addresses, including the newly identified addresses 185.82.73.160, .161, .163, and .166, is recommended.
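As an added example that is not part of the advisory or the Censys research, the following Python triage script applies the review step above to inbound firewall log lines: it tags contact from the operator addresses named on this page, accepted connections to the listed OT ports from outside the plant network, and co-exposed VNC/Telnet/FTP services. The log line format, the internal address prefixes and the function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Inbound ports the advisory asks operators to review.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O", 102: "S7", 502: "Modbus", 22: "SSH"}
# Management services that should not be co-exposed beside a PLC.
MGMT_PORTS = {5900: "VNC", 23: "Telnet", 21: "FTP"}
# Operator addresses named on this page (the 185.82.73.x workstation and the staging server).
OPERATOR_IPS = {"185.82.73.160", "185.82.73.161", "185.82.73.163", "185.82.73.166", "135.136.1.133"}
# Assumed plant address space; any other source is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed syslog-style format: "<ts> <ACCEPT|DROP> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+):\d+ "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2026-03-14T02:10:01Z ACCEPT src=185.82.73.160:51234 dst=10.20.0.5:44818 proto=tcp",
    "2026-03-14T02:10:05Z ACCEPT src=198.51.100.7:40000 dst=10.20.0.9:5900 proto=tcp",
    "2026-03-14T02:11:00Z ACCEPT src=10.20.1.50:33001 dst=10.20.0.5:44818 proto=tcp",
    "2026-03-14T02:12:30Z DROP src=135.136.1.133:4444 dst=10.20.0.5:502 proto=tcp",
]

def triage_line(line):
    """Return finding tags for one line; an empty list means nothing to act on."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    src, dport, tags = ipaddress.ip_address(m["src"]), int(m["dport"]), []
    external = not any(src in net for net in INTERNAL_NETS)
    if m["src"] in OPERATOR_IPS:        # contact from known operator infrastructure, accepted or dropped
        tags.append("known-operator-ip")
    if m["action"] == "ACCEPT" and external:
        if dport in OT_PORTS:           # PLC protocol reachable from the internet
            tags.append("ot-port-exposed:" + OT_PORTS[dport])
        if dport in MGMT_PORTS:         # remote-access service co-exposed with the PLC
            tags.append("mgmt-service-exposed:" + MGMT_PORTS[dport])
    return tags

def triage(lines):
    """Return (flagged, counts): lines that produced tags, and a histogram of the tags."""
    flagged, counts = [], Counter()
    for line in lines:
        tags = triage_line(line)
        if tags:
            flagged.append((line, tags))
            counts.update(tags)
    return flagged, counts
```

A dropped probe from a known operator address is still tagged, since a blocked connection from that infrastructure is evidence that the site is on the actors' target list.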