Iranian Hackers Target Rockwell Automation PLCs in US Critical Infrastructure
U.S. federal agencies are warning of increased cyberattacks by Iranian state-backed groups targeting **Rockwell Automation/Allen-Bradley** Programmable Logic Controllers (PLCs). These attacks, ongoing since March 2026, aim to disrupt operations and cause financial losses within U.S. critical infrastructure networks.

Iranian-linked hackers are actively targeting thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by **Rockwell Automation** in cyberattacks against U.S. critical infrastructure networks.
According to a joint advisory issued by multiple U.S. federal agencies, Iranian state-backed hacking groups have been targeting **Rockwell Automation/Allen-Bradley** PLC devices since March 2026, causing operational disruptions and financial losses.
"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel," the authoring agencies warned.
The **FBI** has confirmed that this activity has resulted in the extraction of PLC project files from compromised devices and the manipulation of data shown on HMI and SCADA displays.
### Exposed PLCs: A Significant Risk
Cybersecurity firm **Censys** reports that over 5,200 **Rockwell Automation/Allen-Bradley** devices speaking EtherNet/IP are exposed online globally, with the largest share located in the United States.
"Censys data identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (EIP) and self-identifying as **Rockwell Automation/Allen-Bradley** devices," Censys stated.
"The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems."

*Internet-exposed Rockwell/Allen Bradley PLCs (Censys)*
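The Censys figures above come from the EtherNet/IP encapsulation layer: a device listening on port 44818 answers an unauthenticated ListIdentity request with its vendor ID, device type, product name and firmware revision, and an ODVA vendor ID of 1 identifies Rockwell Automation/Allen-Bradley. The following is an added example written for this page, not Censys' tooling or Rockwell's code; it builds the request, parses a reply, and can be pointed at address space you own to find your own exposed controllers before someone else does. The reply bytes used when no host is given are constructed, not captured from a real device, and the product name, product code and serial number in them are sample values.

```python
"""EtherNet/IP ListIdentity: build the request and parse the reply (added example)."""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP explicit messaging (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063   # encapsulation command: ListIdentity
ITEM_LIST_IDENTITY = 0x000C  # CPF item type carrying the identity record
VENDOR_ROCKWELL = 1          # ODVA vendor ID 1 = Rockwell Automation/Allen-Bradley

# CIP Identity Object device-type profiles (subset) and device state values.
DEVICE_TYPES = {0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}
STATES = {0: "Nonexistent", 1: "Self Testing", 2: "Standby", 3: "Operational",
          4: "Major Recoverable Fault", 5: "Major Unrecoverable Fault"}

# 24-byte encapsulation header, little-endian: command, length, session handle,
# status, 8-byte sender context, options.
HEADER = struct.Struct("<HHIIQI")


def build_list_identity_request() -> bytes:
    """A ListIdentity request is a bare header with zero-length data."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity_response(data: bytes) -> list:
    """Return one dict per identity item found in a ListIdentity reply."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    cmd, length, _session, status, _ctx, _opts = HEADER.unpack_from(data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = data[HEADER.size:HEADER.size + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    devices = []
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue
        # Protocol version, then a 16-byte sockaddr_in that is big-endian
        # (network order), unlike everything else in the packet.
        (proto_ver,) = struct.unpack_from("<H", item, 0)
        _family, port, raw_ip = struct.unpack_from(">hH4s", item, 2)
        # Identity Object attributes resume at offset 18, after 8 bytes of sin_zero.
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
            struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]                       # SHORT_STRING: length byte + chars
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        devices.append({
            "protocol_version": proto_ver,
            "ip": socket.inet_ntoa(raw_ip),
            "port": port,
            "vendor_id": vendor,
            "is_rockwell": vendor == VENDOR_ROCKWELL,
            "device_type": DEVICE_TYPES.get(dev_type, f"0x{dev_type:02X}"),
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor:03d}",
            "status_word": dev_status,
            "serial": f"{serial:08X}",
            "product_name": name,
            "state": STATES.get(state, str(state)),
        })
    return devices


def build_sample_response() -> bytes:
    """Constructed reply (sample values, not a capture) in the shape a PLC returns."""
    name = b"1769-L33ER/A LOGIX5333ER"            # constructed product-name string
    item = struct.pack("<H", 1)                   # encapsulation protocol version 1
    item += struct.pack(">hH4s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"))  # AF_INET=2
    item += b"\x00" * 8                           # sin_zero
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, 0x0E, 0x00A0, 31, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([3])  # name, then state 3 = Operational
    body = struct.pack("<H", 1) + struct.pack("<HH", ITEM_LIST_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one ListIdentity over UDP to a host you own and parse the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return []
    finally:
        sock.close()
    return parse_list_identity_response(data)


if __name__ == "__main__":
    import sys
    found = probe(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_list_identity_response(build_sample_response())
    for dev in found:
        print(dev)
```

Run it with a single hostname or IP to query a live device, or with no arguments to parse the constructed sample. Everything in the reply is sent in the clear to anyone who asks, which is why an Internet-reachable 44818 turns up in scanner datasets with vendor, model and firmware revision attached; an external scan of your own public ranges with this request is a cheap way to confirm nothing answers.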
### Mitigation Strategies
To defend against these ongoing attacks, network defenders are advised to:
* Place PLCs behind a firewall, or disconnect them from the Internet entirely.
* Review PLC, HMI and firewall logs for signs of malicious activity.
* Check for suspicious traffic to OT ports (for EtherNet/IP devices, TCP/UDP 44818 and UDP 2222), especially traffic originating from overseas hosting providers.
* Enforce multifactor authentication (MFA) for access to OT networks.
* Keep PLC firmware up to date.
* Disable unused services and authentication methods.
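The log-review and traffic-check steps above reduce to one rule: a CIP session to a PLC's EtherNet/IP port should only ever come from a known engineering workstation, and never from the Internet. The project-file extraction the FBI describes happens over exactly that port. Below is an added example, not from the advisory or any vendor tool, that applies the rule to firewall flow records. It assumes a simple CSV export (timestamp, source, destination, protocol, destination port, bytes); the sample lines, the engineering-workstation range and the PLC subnet are constructed for the example and need replacing with your own.

```python
"""Flag flows to EtherNet/IP ports from hosts that should never reach a PLC (added example)."""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# EtherNet/IP explicit messaging (CIP, used for project upload/download) and
# implicit I/O. Extend with other OT ports (e.g. 502 for Modbus/TCP) as needed.
OT_PORTS = {44818, 2222}

# RFC 1918 space; anything outside it hitting a PLC port is treated as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed for the example: only this range holds engineering workstations and
# only this subnet holds PLCs.
ENGINEERING_HOSTS = [ipaddress.ip_network("10.10.50.0/24")]
PLC_SUBNET = ipaddress.ip_network("10.10.100.0/24")

# Constructed flow records (not real logs); 198.51.100.23 stands in for an
# overseas hosting-provider address.
SAMPLE_LOG = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
2026-03-14T02:11:05Z,10.10.50.12,10.10.100.7,tcp,44818,81234
2026-03-14T02:13:41Z,198.51.100.23,10.10.100.7,tcp,44818,412
2026-03-14T02:13:52Z,198.51.100.23,10.10.100.7,tcp,44818,2197001
2026-03-14T02:20:10Z,10.10.20.8,10.10.100.9,tcp,44818,9610
2026-03-14T02:25:33Z,10.10.50.12,10.10.100.9,udp,2222,300
2026-03-14T02:30:00Z,203.0.113.5,10.10.100.7,tcp,443,5
"""


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def classify(rec: dict):
    """Return a finding label for one flow record, or None if the flow is expected."""
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dst_ip"])
    if int(rec["dst_port"]) not in OT_PORTS or dst not in PLC_SUBNET:
        return None                                   # not a PLC protocol port
    if not _in_any(src, RFC1918):
        return "EXTERNAL_TO_PLC"                      # Internet-sourced CIP traffic
    if not _in_any(src, ENGINEERING_HOSTS):
        return "INTERNAL_NON_ENGINEERING_TO_PLC"      # lateral movement candidate
    return None


def scan(log_text: str) -> list:
    """Run classify() over every record and keep the ones that produce a finding."""
    findings = []
    for rec in csv.DictReader(StringIO(log_text)):
        label = classify(rec)
        if label:
            findings.append({**rec, "finding": label})
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per (source, label) so a repeat offender stands out."""
    return Counter((f["src_ip"], f["finding"]) for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["src_ip"], "->", hit["dst_ip"], hit["dst_port"], hit["finding"])
    for (src, label), n in summarize(hits).most_common():
        print(f"{src:16} {label:34} {n}")
```

The example deliberately does no geolocation or ASN lookup: any non-RFC 1918 source opening a session to a PLC port is a finding regardless of where it sits, and a hosting-provider ASN only raises the priority. If your firewall logs direction and byte counts per flow, a large transfer on 44818 from a previously unseen source is the shape a project-file pull takes.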
### Echoes of Past Attacks
This campaign follows similar attacks from nearly three years ago, when a threat group affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) and tracked as **CyberAv3ngers** targeted vulnerabilities in U.S.-based **Unitronics** operational technology (OT) systems. **CyberAv3ngers** compromised at least 75 **Unitronics** PLC devices between November 2023 and January 2024, with half of those impacting Water and Wastewater Systems critical infrastructure networks across the United States.
More recently, the **Handala** hacktivist group (linked to Iran's Ministry of Intelligence and Security) wiped approximately 80,000 devices from the network of U.S. medical giant **Stryker**, including employees' mobile devices and company-managed personal computers.