Iranian-affiliated actors are exploiting internet-facing operational technology devices, leading to operational disruptions and financial losses across US infrastructure.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, and Department of Energy are warning US organizations of ongoing cyber exploitation targeting internet-connected operational technology (OT) devices.

The activity specifically targets programmable logic controllers (PLCs), including those manufactured by Rockwell Automation and Allen-Bradley. According to a joint advisory, these attacks have led to disruptions across several US critical infrastructure sectors through malicious interactions with project files and the manipulation of data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.

In healthcare settings, PLCs often support facility systems such as HVAC, power, and other infrastructure that can directly affect clinical operations.

“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat actors is conducting this activity to cause disruptive effects within the United States,” the advisory reads. The group has targeted sectors including water and wastewater systems, energy, and government services.

Impact on Operational Technology

The FBI identified that these activities resulted in the extraction of device project files and data manipulation, which in some cases caused operational disruption and financial loss. Targeted devices include CompactLogix and Micro850 PLC models. The agencies also suggest that actors may be targeting devices from other manufacturers, such as the Siemens S7 PLC.

The authoring agencies observed the actors using overseas-based IP addresses to access internet-facing PLCs. The actors reportedly used leased, third-party hosted infrastructure with configuration software to create connections to victim devices. Additionally, inbound malicious traffic has been directed to ports associated with various OT protocols, including ports 44818, 2222, 102, 22, and 502.
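As an added illustration (not code from the advisory or this article), the Python script below scans firewall log lines for allowed inbound connections from outside the organization's address space to the OT ports listed above. The log format, the sample lines, the internal ranges and the port-to-protocol labels are all constructed assumptions for this example.

```python
import ipaddress
import re

# The OT-related ports named in the advisory, with the protocol usually served on each.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / Siemens S7comm",
    22: "SSH (device management)",
    502: "Modbus/TCP",
}
# Address space the hypothetical site treats as internal; anything else is internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed log format: <timestamp> ALLOW|DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_external(ip: str) -> bool:
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ot_access(lines):
    """Return (timestamp, src, dst, port, protocol) for each ALLOWED connection from an
    external address to an OT port; denied, internal-only and malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m["dport"])
        if m["action"] == "ALLOW" and dport in OT_PORTS and is_external(m["src"]):
            hits.append((m["ts"], m["src"], m["dst"], dport, OT_PORTS[dport]))
    return hits

# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-01-10T02:14:07Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.5:44818
2025-01-10T02:14:09Z ALLOW TCP 10.20.30.7:40211 -> 10.20.30.5:44818
2025-01-10T02:15:30Z DENY TCP 198.51.100.9:60010 -> 10.20.30.5:502
2025-01-10T02:16:02Z ALLOW TCP 198.51.100.9:60012 -> 10.20.31.8:102
2025-01-10T02:17:45Z ALLOW TCP 203.0.113.45:51300 -> 10.20.30.5:443
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, port, proto in find_exposed_ot_access(SAMPLE_LOG):
        print(f"{ts}: external {src} reached {dst}:{port} ({proto})")
```

Any hit from this check means a PLC or OT gateway is reachable from the internet on a control-protocol port, which is exactly the exposure the advisory tells operators to eliminate.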

To safeguard against these threats, federal agencies urge organizations to review their cybersecurity protocols and implement immediate defensive measures. Recommended steps to prevent attacks include:

  • Disconnecting all PLCs from the public-facing internet.
  • Changing all default passwords on OT devices to strong, unique passwords.
  • Implementing multifactor authentication for all remote access to OT networks.
  • Ensuring PLCs are in “Run” mode rather than “Remote” or “Program” mode to prevent unauthorized logic changes.
  • Using a firewall or virtual private network (VPN) to control access to OT devices.

The advisory follows similar historical activity from a group known as CyberAv3ngers, which targeted US-based PLCs beginning in late 2023. Federal officials urge organizations to review indicators of compromise and apply security updates provided by manufacturers to reduce the risk of compromise.

“Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend US organizations urgently review the tactics, techniques, and procedures,” the advisory reads.

Device manufacturers are also encouraged to adopt secure-by-design principles to ensure products are protected “out of the box” without requiring users to make extensive configuration changes or purchase additional security software.
