Key Takeaway
Iranian-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs in U.S. critical infrastructure sectors, focusing on energy and water management. The campaign exploits critical vulnerabilities to manipulate control systems.
What Happened
A threat actor group, with links to Iran, has been targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) within U.S. critical infrastructure sectors. The campaign was initially detected in September 2023 and has primarily focused on organizations operating in the energy and water management sectors. These attackers are exploiting security vulnerabilities to gain access to these vital control systems. The focus on PLCs suggests an objective to manipulate operational technology, potentially disrupting industrial processes.
The attacks have been carried out by a group believed to be associated with the Iranian government, leveraging a mix of known vulnerabilities and custom exploits. The activity has sparked significant concern among national security and cybersecurity experts due to the potential implications for public safety and infrastructure resilience.
Technical Details
The attackers have exploited vulnerabilities in several widely used Rockwell PLC models, including the ControlLogix and CompactLogix series. They have targeted CVE-2021-22681, which has a CVSS score of 9.8, marking it as critical. This vulnerability allows remote code execution if the address of the PLC is known. Additionally, CVE-2023-5641 and CVE-2023-5642, both with a CVSS score of 8.5, have been used to gain unauthorized access and execute arbitrary commands on the impacted systems.
Indicators of compromise (IOCs) include unusual remote access activity, unauthorized port scanning, and specific command sequences sent to control systems. Network traffic analysis revealed the use of unrecognized IP addresses and anomalous data flows directed at PLC interfaces. Rockwell Automation has issued patches for these vulnerabilities, but many affected systems remain unpatched due to challenges in updating critical operational technology setups without causing downtime.
Impact
The campaign has affected multiple organizations within critical infrastructure sectors, predominantly energy and water management, potentially impacting dozens of facilities. The ability to manipulate PLCs could enable attackers to disrupt operations, leading to possible physical damage or loss of service, posing significant risks to public safety and economic stability.
These incidents underscore the broader threat posed by state-linked APTs targeting operational technology, highlighting vulnerabilities in integrated control networks that regulate essential services. Immediate attention to security best practices and timely updates for legacy systems are crucial to mitigate the impact of these attacks.
What To Do
- Apply Patches: Immediately apply updates provided by Rockwell Automation for known vulnerabilities, especially CVE-2021-22681.
- Network Segmentation: Isolate PLCs from internet access and implement robust network segmentation to limit exposure.
- Monitor Network Activity: Use intrusion detection systems (IDS) to monitor for unusual traffic patterns associated with the IOCs.
- Access Controls: Strengthen authentication and access controls on devices and limit user permissions to essential personnel only.
- Incident Response: Develop and regularly update incident response plans targeting operational technology security.
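One way to put the monitoring step above into practice over network flow logs, as an added example that is not from the article or from Rockwell Automation: it flags traffic to PLC service ports from sources outside an engineering-workstation allowlist, which is the "unrecognized IP addresses and anomalous data flows directed at PLC interfaces" pattern described in the technical details. The PLC hosts, allowed network and flow records are constructed placeholders, and TCP/44818 and 2222 are assumed to be the EtherNet/IP ports in scope.

```python
"""Flag flows to PLC interfaces from sources outside an allowlist.

Added example, not code from the original article. Assumptions: flow
records are constructed here; PLC hosts and the allowed source network
are hypothetical; TCP/44818 (explicit messaging) and 2222 (I/O) are the
EtherNet/IP ports Rockwell Logix controllers are assumed to expose.
"""
import ipaddress
from collections import Counter

PLC_PORTS = {44818, 2222}                            # assumed EtherNet/IP ports
PLC_HOSTS = {"10.20.30.10", "10.20.30.11"}           # hypothetical controllers
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.0/24")]  # hypothetical engineering VLAN

# Constructed sample flow records: (timestamp, src, dst, dst_port).
# 203.0.113.77 is a documentation-range address standing in for an unrecognized source.
FLOWS = [
    ("2023-09-12T01:02:03Z", "10.20.40.5", "10.20.30.10", 44818),
    ("2023-09-12T01:05:11Z", "203.0.113.77", "10.20.30.10", 44818),
    ("2023-09-12T01:05:12Z", "203.0.113.77", "10.20.30.11", 44818),
    ("2023-09-12T01:05:13Z", "203.0.113.77", "10.20.30.11", 2222),
    ("2023-09-12T01:06:00Z", "10.20.40.9", "10.20.30.11", 443),
]


def is_allowed(src):
    """True if the source address falls inside an allowlisted network."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_SOURCES)


def find_unrecognized_plc_access(flows):
    """Return flows that reach a PLC service port on a PLC host from a source
    outside the allowlist. Non-PLC ports (e.g. 443) are ignored on purpose."""
    return [f for f in flows
            if f[2] in PLC_HOSTS and f[3] in PLC_PORTS and not is_allowed(f[1])]


def summarize_by_source(alerts):
    """Count alerts per source so one address touching several controllers
    (scanning-like behaviour) stands out from a single stray connection."""
    return Counter(a[1] for a in alerts)


if __name__ == "__main__":
    alerts = find_unrecognized_plc_access(FLOWS)
    for ts, src, dst, port in alerts:
        print(f"{ts} ALERT unrecognized source {src} -> PLC {dst}:{port}")
    print(dict(summarize_by_source(alerts)))
```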
Addressing these vulnerabilities requires a concerted effort between IT and operational technology teams. Critical infrastructure organizations must prioritize security patching and network segmentation to safeguard against these threats. Continuous monitoring and strengthening access controls are essential to maintaining the integrity of these systems against advanced persistent threats.
Original Source: BleepingComputer