Iran-Linked Hackers Target U.S. Industrial Control Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that “Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.”
According to CISA, this activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.
CISA notes that U.S. organizations should urgently review the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) for indications of current or historical activity on their networks, which can be accessed at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
Other key steps recommended by CISA include:
- Remove PLCs from direct internet exposure via a secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102 and 502, especially traffic originating from overseas hosting providers.
- For Rockwell Automation devices, place the physical mode switch on the controller into the run position. Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.
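The log-review steps above can be turned into a simple, repeatable check. The script below is an added example, not part of the CISA advisory or the article: it scans flow-log records for sessions to the four OT ports the advisory names and flags any whose source address falls outside the organization's internal ranges. The log format, the sample records, the timestamps and the IP addresses are all constructed for illustration, and the RFC 1918 ranges used to define "internal" are an assumption you would replace with your own address plan. The service names attached to each port (EtherNet/IP on 44818 and 2222, ISO-TSAP/S7 on 102, Modbus/TCP on 502) are the commonly associated protocols, added here as labels; the advisory itself only lists the port numbers.

```python
"""Flag sessions to OT/ICS service ports that originate outside internal address space.

Added example, not from the CISA advisory or the article. Assumptions:
  * flow records look like "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
    (a constructed format; adapt parse_flow() to your firewall or NetFlow export);
  * "internal" means RFC 1918, loopback and link-local (replace with your own ranges).
"""
import ipaddress
from dataclasses import dataclass

# Ports the advisory calls out for OT device traffic. Service labels are
# the commonly associated protocols, added here as an assumption.
OT_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (implicit I/O)",
    102: "ISO-TSAP / S7",
    502: "Modbus/TCP",
}

# Assumed internal ranges; an organization would substitute its real address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample records (documentation-range IPs, invented timestamps).
SAMPLE_FLOWS = """
2024-01-01T00:00:01Z 10.0.5.12:51234 -> 10.0.10.7:44818 tcp
2024-01-01T00:00:02Z 203.0.113.45:40001 -> 10.0.10.7:44818 tcp
2024-01-01T00:00:03Z 198.51.100.9:55000 -> 10.0.10.8:502 tcp
2024-01-01T00:00:04Z 192.168.1.20:60000 -> 10.0.10.8:502 tcp
2024-01-01T00:00:05Z 203.0.113.45:40002 -> 10.0.10.9:443 tcp
2024-01-01T00:00:06Z malformed line here
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str


def parse_flow(line):
    """Parse one record into (ts, src_ip, src_port, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        ipaddress.ip_address(src_ip)  # raises ValueError on garbage
        ipaddress.ip_address(dst_ip)
        return parts[0], src_ip, int(src_port), dst_ip, int(dst_port)
    except ValueError:
        return None


def is_external(ip_str, internal_nets=INTERNAL_NETS):
    """True when the address is not inside any configured internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in internal_nets)


def find_external_ot_access(log_text, internal_nets=INTERNAL_NETS):
    """Return Findings for every session to an OT port from an external source."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole review
        ts, src_ip, _src_port, dst_ip, dst_port = rec
        if dst_port in OT_PORTS and is_external(src_ip, internal_nets):
            findings.append(Finding(ts, src_ip, dst_ip, dst_port, OT_PORTS[dst_port]))
    return findings


def summarize_by_source(findings):
    """Count flagged sessions per external source so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f.src_ip] = counts.get(f.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_external_ot_access(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({f.service})")
    print("per-source counts:", summarize_by_source(hits))
```

On the sample data the script reports the two sessions from documentation-range addresses to ports 44818 and 502, ignores the internal-to-internal OT traffic and the external session to port 443, and skips the malformed record. Internal ranges are checked explicitly rather than via `ipaddress`'s `is_private`, because that property also treats the documentation ranges as non-public, which would hide exactly the kind of outside-to-PLC session the advisory says to look for; with real logs, the same explicit list lets you encode the address plan you actually operate.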