{"id":531,"date":"2026-04-08T06:03:47","date_gmt":"2026-04-08T06:03:47","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=531"},"modified":"2026-04-08T06:03:47","modified_gmt":"2026-04-08T06:03:47","slug":"iran-linked-hackers-disrupt-u-s-critical-infrastructure-by-targeting-internet-exposed-plcs","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=531","title":{"rendered":"Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence\u00a0agencies <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa26-097a\">warned<\/a>\u00a0Tuesday.<\/p>\n<p>\u00abThese attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss,\u00bb the U.S. Federal Bureau of Investigation\u00a0(FBI) <a href=\"https:\/\/x.com\/FBICyberDiv\/status\/2041566548691660897\">said<\/a> in a post on\u00a0X.<\/p>\n<p>The agencies said\u00a0the campaign is part of\u00a0a recent escalation in cyber attacks orchestrated by Iranian hacking groups against U.S. organizations in response to the ongoing conflict between Iran and the U.S. and\u00a0Israel.<\/p>\n<p>Specifically, the activity has led to PLC disruptions across several U.S. 
critical infrastructure sectors via what the authoring agencies described as malicious interactions with the project file and manipulation of data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA)\u00a0displays.<\/p>\n<p>These attacks have singled out Rockwell Automation and Allen-Bradley PLCs deployed in government services and facilities, Water and Wastewater Systems (WWS), and energy\u00a0sectors.<\/p>\n<p>\u00abThe actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation&#8217;s Studio 5000 Logix Designer software, to create an accepted connection to the victim&#8217;s PLC,\u00bb the advisory said. \u00abTargeted devices include CompactLogix and Micro850 PLC\u00a0devices.\u00bb<\/p>\n<p>Upon obtaining initial access, the threat actors established command-and-control by deploying Dropbear, a lightweight Secure Shell (SSH) server, on victim endpoints to enable remote access through port 22 and facilitate the extraction of the device&#8217;s project file and data manipulation on HMI and SCADA\u00a0displays.<\/p>\n<p>To combat the threat, organizations are advised to avoid exposing the PLC to the internet, take steps to prevent remote modification either via a physical or software switch, implement multi-factor authentication (MFA), and erect a firewall or network proxy in front of the PLC to control network 
access, keep PLC devices up-to-date, disable any unused authentication features, and monitor for unusual\u00a0traffic.<\/p>\n<p>This is not the first time Iranian threat actors have targeted OT networks and PLCs. In\u00a0late 2023, Cyber Av3ngers (aka Hydro Kitten, Shahid Kaveh Group, and UNC5691)\u00a0was <a href=\"https:\/\/thehackernews.com\/2023\/11\/iranian-hackers-exploit-plcs-in-attack.html\">linked<\/a> to the active exploitation of Unitronics PLCs to target the Municipal Water Authority of Aliquippa in western Pennsylvania. These\u00a0attacks compromised at least 75\u00a0devices.<\/p>\n<p>\u00abThis advisory confirms what we&#8217;ve observed for months: Iran&#8217;s cyber escalation follows a known playbook. Iranian threat actors are now moving faster and broader and targeting both IT and OT infrastructure,\u00bb Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement shared with The Hacker\u00a0News.<\/p>\n<p>\u00abWe documented identical targeting patterns against Israeli PLCs in March. 
It\u00a0is not the first time Iranian actors are targeting operational technology in the US for disruption purposes, so organizations shouldn&#8217;t treat this as a new threat, but as an accelerating\u00a0one.\u00bb<\/p>\n<p>The development comes amid\u00a0a new-found\u00a0surge in distributed denial-of-service (DDoS) attacks and claims of hack-and-leak operations carried out by cyber proxy groups and hacktivists targeting Western and Israeli entities, according to Flashpoint.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7W8LInOXE8F6a39wHidYzWarzH9aT7ltfdTqpH6RI8JFyh2jkWqjC8KhMKTNvPSVRJBsFH9o8y3qALMSp-MW7mreghnyK2sHefLpVni6QJR8DGUidJSgec1S-qXIwBep3zMo4IOJ_osMGniqWhlINxNUt-ZR1_MNBONUxWD6aRLYqytsIv6wt8KLcctbO\/s1700-e365\/Telegram.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7W8LInOXE8F6a39wHidYzWarzH9aT7ltfdTqpH6RI8JFyh2jkWqjC8KhMKTNvPSVRJBsFH9o8y3qALMSp-MW7mreghnyK2sHefLpVni6QJR8DGUidJSgec1S-qXIwBep3zMo4IOJ_osMGniqWhlINxNUt-ZR1_MNBONUxWD6aRLYqytsIv6wt8KLcctbO\/s1700-e365\/Telegram.png\" alt=\"\" border=\"0\" data-original-height=\"731\" data-original-width=\"1600\"\/><\/a><\/div>\n<p>In a report published this week, DomainTools Investigations (DTI) described activity attributed to Homeland Justice, Karma\/KarmaBelow80, and Handala Hack as a \u00absingle, coordinated cyber influence ecosystem\u00bb aligned with Iran&#8217;s Ministry of Intelligence and Security (MOIS) rather than a set of distinct hacktivist\u00a0groups.<\/p>\n<p>\u00abThese personas function as interchangeable operational veneers applied to a consistent underlying capability,\u00bb\u00a0DTI <a href=\"https:\/\/dti.domaintools.com\/research\/handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment\">said<\/a>. 
\u00abTheir purpose is not to reflect organizational separation, but to enable segmentation of messaging, targeting, and attribution while preserving continuity of infrastructure and tradecraft.\u00bb<\/p>\n<p>Public-facing domains and Telegram channels serve as the primary dissemination and amplification hub, with the messaging platform also playing a huge role in command-and-control (C2) operations by allowing the malware to communicate with threat actor-controlled bots, reduce infrastructure overhead, and blend in with normal operations.<\/p>\n<p>\u00abThis ecosystem represents a state-directed instrument of cyber-enabled influence, in which technical operations are tightly integrated with narrative manipulation and media amplification dynamics to achieve coercive and strategic effects,\u00bb DTI\u00a0added.<\/p>\n<h3>MuddyWater as a CastleRAT\u00a0Affiliate<\/h3>\n<p>The development comes as JUMPSEC detailed MuddyWater ties with the criminal ecosystem, stating that the Iranian state-sponsored threat actor operates at least two CastleRAT builds against Israeli\u00a0targets. 
It&#8217;s worth noting that CastleRAT is a remote access trojan that&#8217;s part of\u00a0the CastleLoader\u00a0framework attributed by Recorded Future to a group it tracks under the moniker GrayBravo\u00a0(aka\u00a0TAG-150).<\/p>\n<p>Central to the operations is a PowerShell deployer (\u00abreset.ps1\u00bb) that deploys a previously undocumented JavaScript-based malware called ChainShell,\u00a0which then contacts a smart contract on the Ethereum blockchain to retrieve a C2 address and use it to fetch next-stage JavaScript code for execution on compromised\u00a0hosts.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0tuo1vvmfrsFq4shcTp_jjXGNvxXVEnR1x_d4aTJNtMeygZsQXt70ZybIrHWc1bzvP93jU-nw6N1e-6z1z3SgQpJLI-ZT9js4VDnepp4gmMN34S62otWKk2A2Jgl0znUD-Rd-DsGaKJGWRKwPqNTddTKCC7wctuJJRJbb_udCiU5hq5vbiHZ1ip3Md0Gl\/s1700-e365\/iran.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0tuo1vvmfrsFq4shcTp_jjXGNvxXVEnR1x_d4aTJNtMeygZsQXt70ZybIrHWc1bzvP93jU-nw6N1e-6z1z3SgQpJLI-ZT9js4VDnepp4gmMN34S62otWKk2A2Jgl0znUD-Rd-DsGaKJGWRKwPqNTddTKCC7wctuJJRJbb_udCiU5hq5vbiHZ1ip3Md0Gl\/s1700-e365\/iran.png\" alt=\"\" border=\"0\" data-original-height=\"880\" data-original-width=\"2560\"\/><\/a><\/div>\n<p>Some aspects of these connections between MOIS and the cybercrime ecosystem were\u00a0also flagged\u00a0by Ctrl-Alt-Intel, Broadcom,\u00a0and Check\u00a0Point, which highlighted the engagement as evidence\u00a0of\u00a0a growing reliance on off-the-shelf tools to support state objectives and complicate attribution\u00a0efforts.<\/p>\n<p>The same PowerShell loader has\u00a0also been\u00a0found to deliver botnet malware referred to as Tsundere\u00a0(aka Dindoor). 
According to JUMPSEC, both ChainShell and Tsundere are separate TAG-150 platform components\u00a0that are\u00a0deployed along with CastleRAT.<\/p>\n<p>\u00abThe adoption of a Russian criminal MaaS by an Iranian state actor has direct implications for defenders,\u00bb JUMPSEC said in a report shared with The Hacker News. \u00abOrganizations targeted by MuddyWater, especially in the defence, aerospace, energy, and government sectors, now face threats that combine state-level targeting with commercially developed offensive\u00a0tools.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence\u00a0agencies warned\u00a0Tuesday. \u00abThese attacks have led to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":532,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[58,651,338,141,1113,491,1114,431,96],"class_list":["post-531","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-critical","tag-disrupt","tag-hackers","tag-infrastructure","tag-internetexposed","tag-iranlinked","tag-plcs","tag-targeting","tag-u-s"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=531"}],"version-history
":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/531\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/532"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}