Cyber actors have been actively targeting internet-facing operational technology (OT) devices within critical infrastructure sectors in the United States. These attacks have primarily focused on programmable logic controllers (PLCs), causing significant disruptions. The U.S. Federal Bureau of Investigation (FBI) has reported that these intrusions have led to reduced PLC functionality, data manipulation, and in some instances, operational disruptions and financial losses. The attacks are part of a broader escalation of cyber activity by Iranian hacking groups, believed to be a response to ongoing geopolitical tensions involving Iran, the U.S., and Israel.

The campaign has specifically targeted PLCs used in various U.S. critical infrastructure sectors, including government services, water and wastewater systems, and the energy sector. The attackers have manipulated project files and data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, leading to disruptions. Notably, the attacks have focused on Rockwell Automation and Allen-Bradley PLCs, which are widely deployed across these sectors.

The attackers have used leased, third-party hosted infrastructure and configuration software such as Rockwell Automation's Studio 5000 Logix Designer to establish connections with the targeted PLCs. Once they gain initial access, they deploy Dropbear, a lightweight Secure Shell (SSH) server and client, to establish command-and-control capabilities. This allows them to remotely access the devices, extract project files, and manipulate data on HMI and SCADA displays.

To mitigate these threats, organizations are advised to implement several security measures: avoid exposing PLCs to the internet, prevent remote modifications, implement multi-factor authentication, and use firewalls or network proxies to control access. Keeping PLC devices updated, disabling unused authentication features, and monitoring for unusual traffic are also recommended to enhance security and prevent further attacks.

This wave of cyberattacks is not unprecedented, as Iranian threat actors have previously targeted OT networks and PLCs. In late 2023, a group known as Cyber Av3ngers was linked to the exploitation of Unitronics PLCs, targeting the Municipal Water Authority of Aliquippa in Pennsylvania. These attacks compromised numerous devices, highlighting a pattern of Iranian cyber activity aimed at disrupting critical infrastructure.

The escalation in Iranian cyber activity is part of a broader trend involving distributed denial-of-service (DDoS) attacks and hack-and-leak operations by cyber proxy groups and hacktivists targeting Western and Israeli entities. According to Flashpoint, these activities are part of a coordinated cyber influence ecosystem aligned with Iran's Ministry of Intelligence and Security (MOIS). This ecosystem uses public-facing domains and Telegram channels for dissemination and command-and-control operations. Additionally, the Iranian state-sponsored threat actor MuddyWater has been linked to the use of CastleRAT, a remote access trojan, against Israeli targets. This operation involves deploying a PowerShell script that uses a smart contract on the Ethereum blockchain to retrieve command-and-control addresses. The increasing use of off-the-shelf tools by Iranian actors complicates attribution efforts and poses significant challenges for defenders, particularly in sectors such as defense, aerospace, energy, and government.
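The mitigations above (no internet exposure for PLCs, access control in front of them, and monitoring for unusual traffic) can be checked against network flow records. The script below is an added example, not code from the article or from any vendor: it triages constructed flow-log lines and flags PLC programming-port traffic from public or non-allowlisted sources, and SSH sessions between an OT asset and a public peer (the pattern an implanted SSH server such as Dropbear would produce). The asset inventory, the engineering-host allowlist, the addresses and the log format are all assumptions; TCP 44818 is the EtherNet/IP port used by Logix-family PLCs, and 22 is standard SSH.

```python
"""
Flow-log triage for internet-exposed PLCs and SSH sessions to public peers.

Added example (not from the original article). Assumes flow records as
space-separated lines: "<ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>".
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed inventory (constructed addresses): OT assets and the engineering
# workstations that are permitted to reach them on the programming port.
OT_ASSETS = {
    "10.20.30.11": "PLC-pump-station-1",
    "10.20.30.12": "HMI-pump-station-1",
}
ALLOWED_ENGINEERING_HOSTS = {"10.20.40.5"}

# Assumed address space owned by the organization; anything else is "external".
# (TEST-NET ranges used in the sample below would be classed as private by
# ipaddress.is_global, so an explicit list is used instead.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

PLC_PROGRAMMING_PORTS = {44818}  # EtherNet/IP (Studio 5000 / Logix traffic)
SSH_PORT = 22


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one space-separated flow record into a Flow."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto.upper())


def is_external(ip: str) -> bool:
    """True when the address is outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return (kind, peer, asset, ts) findings for suspicious flows."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        to_plc_port = f.dst in OT_ASSETS and f.dport in PLC_PROGRAMMING_PORTS
        # Rule 1: programming port of a PLC reachable from outside the org.
        if to_plc_port and is_external(f.src):
            findings.append(("internet-exposed-plc", f.src, OT_ASSETS[f.dst], f.ts))
        # Rule 2: internal host outside the engineering allowlist on that port.
        elif to_plc_port and f.src not in ALLOWED_ENGINEERING_HOSTS:
            findings.append(("unauthorized-programming-access", f.src, OT_ASSETS[f.dst], f.ts))
        # Rule 3: SSH between an OT asset and an external peer, either direction.
        if f.proto == "TCP" and f.dport == SSH_PORT:
            inbound = f.dst in OT_ASSETS and is_external(f.src)
            outbound = f.src in OT_ASSETS and is_external(f.dst)
            if inbound or outbound:
                asset = OT_ASSETS[f.dst] if inbound else OT_ASSETS[f.src]
                peer = f.src if inbound else f.dst
                findings.append(("ssh-to-public-peer", peer, asset, f.ts))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return dict(Counter(kind for kind, _, _, _ in findings))


# Constructed sample flows (TEST-NET addresses stand in for public peers).
SAMPLE_FLOWS = [
    "2026-04-08T01:12:03Z 10.20.40.5 51022 10.20.30.11 44818 tcp",     # allowlisted host, benign
    "2026-04-08T01:15:44Z 203.0.113.77 40211 10.20.30.11 44818 tcp",   # public source -> PLC
    "2026-04-08T01:16:10Z 10.20.50.9 49870 10.20.30.11 44818 tcp",     # non-allowlisted internal host
    "2026-04-08T01:20:30Z 198.51.100.14 55100 10.20.30.12 22 tcp",     # inbound SSH to HMI from public
    "2026-04-08T01:21:02Z 10.20.30.12 33080 198.51.100.14 22 tcp",     # outbound SSH from HMI to public
    "2026-04-08T01:25:00Z 10.20.40.5 51030 10.20.30.12 443 tcp",       # benign HTTPS
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
    print(summarize(triage(SAMPLE_FLOWS)))
```

Rule 1 fires only when the source is outside the organization's address space, so it directly tests the "no internet exposure" recommendation; rule 2 covers the firewall/proxy allowlist; rule 3 treats any SSH session between an OT asset and an external peer as worth a ticket, since neither direction has a legitimate reason to exist on a PLC or HMI.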
Cybercrime
Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
Cyber RT · April 9, 2026 · 3 min read

Cyber actors are targeting U.S. critical infrastructure, focusing on internet-facing operational technology (OT) devices like programmable logic controllers (PLCs). These attacks, linked to Iranian hacking groups, have caused operational disruptions and financial losses. The FBI advises organizations to enhance security measures. Iranian threat actors have previously targeted OT networks, and recent cyber activities indicate an escalation in cyber influence operations aligned with Iran's Ministry of Intelligence and Security.


