Iranian APTs Target US Critical Infrastructure via PLC Exploitation
U.S. authorities are warning of Iranian-affiliated advanced persistent threat (APT) actors exploiting Programmable Logic Controllers (PLCs) within U.S. critical infrastructure. The attacks have led to disruptions across multiple sectors, causing operational and financial damage.
The **Federal Bureau of Investigation (FBI)**, **Cybersecurity and Infrastructure Security Agency (CISA)**, **National Security Agency (NSA)**, **Environmental Protection Agency (EPA)**, **Department of Energy (DOE)**, and **United States Cyber Command – Cyber National Mission Force (CNMF)** are jointly issuing an urgent warning regarding the exploitation of internet-connected operational technology (OT) devices, specifically **Rockwell Automation/Allen-Bradley** programmable logic controllers (PLCs), across U.S. critical infrastructure sectors.
This activity has resulted in disruptions through malicious interactions with project files and manipulation of data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In some instances, this has led to operational disruption and financial losses.
### Target Sectors and Threat Actor
The authoring agencies assess that Iranian-affiliated APT actors are behind these attacks, aiming to cause disruptive effects within the United States. The targeted sectors include:
* Government Services and Facilities
* Water and Wastewater Systems (WWS)
* Energy
Previously, similar activity targeting PLCs was attributed to **CyberAv3ngers** (aka Shahid Kaveh Group), a cyber threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).
### Recommended Actions
U.S. organizations are urged to review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) provided in the advisory. Key actions include:
* Removing PLCs from direct internet exposure via secure gateway and firewall.
* Querying available logs for provided IOCs.
* Checking logs for suspicious traffic on OT device ports (e.g., `44818`, `2222`, `102`, and `502`), especially from overseas hosting providers.
* For Rockwell Automation devices, placing the physical mode switch on the controller into run position.
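The log-review step above can be scripted. The following is an added example, not code from the advisory or from any of the issuing agencies: it parses a small set of constructed firewall log lines (the `src=`/`dst=`/`dport=` syslog-style format is an assumption, not a real vendor format), flags any connection or connection attempt to the advisory's OT ports that originates outside the organization's own address ranges, and summarizes the results by source address. The internal ranges, the allowlist mechanism and the protocol names attached to each port are my annotations, not part of the advisory.

```python
import ipaddress
import re
from collections import Counter

# OT device ports named in the advisory. The protocol labels are annotations
# added for this example, not text from the advisory.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
}

# Assumed internal address space; an operator would replace these with the
# organization's actual IT/OT ranges and any vendor remote-support addresses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in a hypothetical syslog-style firewall format.
# Public source addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-04-07T02:11:04Z fw01 ACCEPT proto=TCP src=203.0.113.45 sport=51234 dst=10.20.30.5 dport=44818
2026-04-07T02:11:05Z fw01 ACCEPT proto=TCP src=10.20.30.9 sport=40111 dst=10.20.30.5 dport=44818
2026-04-07T02:12:40Z fw01 ACCEPT proto=TCP src=198.51.100.7 sport=60022 dst=10.20.30.6 dport=502
2026-04-07T02:13:01Z fw01 ACCEPT proto=TCP src=10.20.30.9 sport=40112 dst=10.20.30.7 dport=443
2026-04-07T02:14:22Z fw01 DROP proto=TCP src=203.0.113.45 sport=51300 dst=10.20.30.5 dport=2222
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(log_text, allowlist=()):
    """Return parsed records for traffic to OT ports from non-internal sources.

    Dropped attempts are kept as well as accepted ones, because repeated
    blocked connections to OT ports from the same external host are worth
    noticing on their own. Sources in `allowlist` are skipped.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS:
            continue
        if is_internal(rec["src"]) or ipaddress.ip_address(rec["src"]) in allowed:
            continue
        rec["service"] = OT_PORTS[rec["dport"]]
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged events per external source address."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['action']:6} {h['src']} -> {h['dst']}:{h['dport']} ({h['service']})")
    print("per-source counts:", summarize_by_source(found))
```

Run against real exports, the same loop works on any line-oriented log once `LINE_RE` is adjusted to the firewall's actual format; the useful output is the per-source summary, which can be compared against the advisory's IOC list and against the hosting-provider attribution of each external address.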
### Indicators of Compromise
IOCs are available for download:
* [AA26-097A STIX XML](https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml) (35 KB)
* [AA26-097A STIX JSON](https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.json) (12 KB)
### Rockwell Automation Guidance
Organizations using Rockwell Automation/Allen-Bradley PLCs should review the following guidance:
* [PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers](https://www.rockwellautomation.com/en-fi/trust-center/security-advisories/advisory.PN1550.html) (published 2021)
* [SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats](https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1771.html) (published 2026)
Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at [[email protected]](mailto:[email protected]) for questions or to report incidents.
### Historical Context
Similar campaigns have been observed since November 2023, with the IRGC CEC-affiliated **CyberAv3ngers** targeting U.S.-based PLCs and HMIs, causing disruptive effects. These attacks compromised at least 75 devices: U.S.-based Unitronics PLCs with an integrated HMI, used across multiple critical infrastructure sectors, including WWS. This group is also known as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group.