An Iranian APT group is actively disrupting US water, energy, and government facility operations by compromising internet-exposed Rockwell Automation PLCs.
Six US agencies, including the FBI, CISA, NSA, and US Cyber Command, issued an urgent joint advisory warning that an Iranian-affiliated APT group has been disrupting programmable logic controllers (PLCs) at US critical infrastructure sites since at least March 2026. Targeted sectors include water treatment, energy, and government facilities. Security firm Censys identified 5,219 Rockwell Automation/Allen-Bradley PLCs exposed to the internet, 75% of them located in the US. The attack infrastructure consists of a single multi-homed Windows engineering workstation running Rockwell's own toolchain.
If you build software that interfaces with OT/ICS environments, Rockwell PLCs, or industrial automation systems, this attack vector (a Windows engineering workstation running the vendor toolchain with internet exposure) is now a documented, active exploit path. The attack doesn't require zero-days; it exploits configuration failures. Developers building SCADA dashboards, remote monitoring tools, or ICS integrations need to audit whether their software creates or assumes internet-exposed PLC access.
Run a Censys or Shodan query this week to check whether any Rockwell Allen-Bradley PLCs associated with your clients or your own infrastructure are internet-exposed, then cross-reference the results with the advisory's IoCs published by CISA.
Go to search.censys.io and log in or create a free account
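The audit described above, as an added example that is not part of the original page or of any Censys, Shodan or CISA tooling: it takes an already-downloaded host export (the JSON record layout, the `vendor`/`name` fields and the IP addresses are constructed for this example, not the real Censys or Shodan schema), keeps only hosts in the address ranges you are responsible for, flags those that answer EtherNet/IP (TCP 44818) and identify as Rockwell, and then checks constructed firewall log lines for connections to those PLCs from IP indicators in the advisory. The `ADVISORY_IOCS` value is a placeholder, not a real indicator; replace it with the list CISA publishes.

```python
"""Audit an internet-scan export and firewall logs for exposed Rockwell PLCs.

Added example, not from the original page. Record layout, IP addresses, log
format and the IoC value below are all constructed/placeholder values.
"""
import ipaddress
import json
import re

ENIP_PORT = 44818  # EtherNet/IP explicit messaging, spoken by Rockwell/Allen-Bradley PLCs

# Constructed sample export: one record per host with the services observed.
SAMPLE_EXPORT = json.dumps([
    {"ip": "203.0.113.10", "services": [{"port": 44818, "name": "ENIP", "vendor": "Rockwell Automation"}]},
    {"ip": "203.0.113.11", "services": [{"port": 443, "name": "HTTPS", "vendor": ""}]},
    {"ip": "198.51.100.5", "services": [{"port": 44818, "name": "ENIP", "vendor": "Rockwell Automation"},
                                        {"port": 3389, "name": "RDP", "vendor": ""}]},
    {"ip": "192.0.2.77", "services": [{"port": 44818, "name": "ENIP", "vendor": "Rockwell Automation"}]},
])

# Assumed: the address ranges you (or your client) own; hosts outside them are ignored.
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Placeholder attacker IP, NOT a real indicator: load the advisory's IoC list here.
ADVISORY_IOCS = {"192.0.2.200"}

# Constructed firewall log lines: "<timestamp> <action> src=<ip> dst=<ip> dport=<port>".
SAMPLE_FW_LOG = """\
2026-04-01T10:00:01Z ALLOW src=192.0.2.200 dst=203.0.113.10 dport=44818
2026-04-01T10:00:05Z ALLOW src=203.0.113.50 dst=203.0.113.10 dport=44818
2026-04-01T10:01:00Z ALLOW src=192.0.2.200 dst=203.0.113.11 dport=443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def in_scope(ip, own_ranges):
    """True if the address falls inside one of the ranges we are responsible for."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in own_ranges)


def exposed_plcs(export_json, own_ranges):
    """Return sorted IPs in our ranges that expose EtherNet/IP and identify as Rockwell."""
    found = []
    for host in json.loads(export_json):
        if not in_scope(host["ip"], own_ranges):
            continue
        for svc in host["services"]:
            if svc["port"] == ENIP_PORT and "rockwell" in svc.get("vendor", "").lower():
                found.append(host["ip"])
                break
    return sorted(found)


def ioc_hits(fw_log, plc_ips, iocs):
    """Flag log lines where an advisory-listed source IP reached one of the exposed PLCs."""
    plc_set = set(plc_ips)
    hits = []
    for line in fw_log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the expected format
            continue
        rec = m.groupdict()
        if rec["dst"] in plc_set and rec["src"] in iocs:
            hits.append({"ts": rec["ts"], "src": rec["src"], "plc": rec["dst"], "dport": int(rec["dport"])})
    return hits


def audit(export_json=SAMPLE_EXPORT, fw_log=SAMPLE_FW_LOG, own_ranges=OWN_RANGES, iocs=ADVISORY_IOCS):
    """Combine both checks into one report: exposed PLCs and IoC-matching connections to them."""
    plcs = exposed_plcs(export_json, own_ranges)
    return {"exposed_plcs": plcs, "ioc_hits": ioc_hits(fw_log, plcs, iocs)}


if __name__ == "__main__":
    report = audit()
    for ip in report["exposed_plcs"]:
        print(f"[EXPOSED] {ip} answers EtherNet/IP ({ENIP_PORT}) from the internet; remove or firewall it")
    for hit in report["ioc_hits"]:
        print(f"[IOC] {hit['ts']} {hit['src']} -> {hit['plc']}:{hit['dport']} matches an advisory indicator")
```

Any host the first check reports is a finding on its own, regardless of whether a log line matches an indicator: the advisory attributes the intrusions to configuration failures rather than zero-days, so the remediation is to take the PLC (and the engineering workstation in front of it) off the internet, not just to block the listed IPs.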