[{"data":1,"prerenderedAt":167},["ShallowReactive",2],{"article-slug-cisa-warns-of-iranian-apt-attacks-on-us-critical-infrastructure-exploiting-rockwell-plcs":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":42,"sources":43,"events":64,"mitre_techniques":70,"mitre_mitigations":89,"d3fend_countermeasures":107,"iocs":126,"cyber_observables":127,"tags":147,"extract_datetime":154,"article_type":155,"impact_scope":156,"pub_date":47,"reading_time_minutes":166,"createdAt":154,"updatedAt":154},"9690aacb-61a5-4456-a85e-a559d4861c16","cisa-warns-of-iranian-apt-attacks-on-us-critical-infrastructure-exploiting-rockwell-plcs","Iranian APTs Target US Critical Infrastructure, Exploiting Internet-Exposed Rockwell PLCs","CISA Warns of Iranian APT Attacks on US Critical Infrastructure, Exploiting Rockwell PLCs","A coalition of U.S. federal agencies, including CISA, the FBI, and the NSA, has issued a joint advisory (AA26-097A) warning of ongoing disruptive attacks by Iranian-affiliated APT actors against U.S. critical infrastructure. The campaign specifically targets internet-connected operational technology (OT) devices, with a focus on Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). These attacks have already caused operational disruptions in the Water and Wastewater Systems (WWS) and energy sectors. The threat actors, known by aliases such as Hydro Kitten and Storm-0784, are manipulating the PLCs to disrupt industrial processes. The advisory strongly urges organizations to disconnect OT devices from the public internet and apply hardening measures recommended by Rockwell Automation to prevent further compromises.","## Executive Summary\n\nOn April 7, 2026, a coalition of U.S. federal agencies, including the **[Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov)**, the **[Federal Bureau of Investigation (FBI)](https://www.fbi.gov)**, and the **[National Security Agency (NSA)](https://www.nsa.gov)**, released joint cybersecurity advisory **AA26-097A**. The advisory warns of a concerted campaign by Iranian-affiliated Advanced Persistent Threat (APT) actors targeting U.S. critical infrastructure. The attackers are exploiting internet-exposed Operational Technology (OT) devices, specifically **[Rockwell Automation](https://www.rockwellautomation.com/)** Allen-Bradley Programmable Logic Controllers (PLCs). \n\nThis activity has resulted in tangible operational disruptions at multiple facilities, primarily within the Water and Wastewater Systems (WWS) and energy sectors. The threat actors, tracked under various aliases including **Hydro Kitten** and **Storm-0784**, are known for their disruptive and destructive capabilities. The advisory serves as an urgent call to action for all critical infrastructure owners and operators to immediately assess their OT environments for internet exposure and apply recommended mitigations to prevent hostile takeover of industrial control systems.\n\n---\n\n## Threat Overview\n\nThe campaign represents a direct threat to the physical processes that underpin U.S. critical infrastructure. By targeting PLCs—the small, industrial computers that automate and control processes like water treatment, power distribution, and manufacturing—the attackers can cause physical disruption, equipment damage, and potential public safety risks. The actors are believed to be leveraging publicly available information and tools to identify and exploit Rockwell PLCs that are improperly connected to the internet.\n\nThe advisory connects this activity to previous campaigns by the same actors, such as the attacks on U.S.-based Unitronics PLCs in late 2025. The motivation appears to be geopolitical, with attacks escalating in response to regional hostilities. The actors are not just gaining access; they are actively manipulating the PLCs, which demonstrates an intent to cause disruptive or destructive effects rather than simply conduct espionage. The primary initial access vector is direct exploitation of these exposed OT devices, bypassing traditional IT security perimeters.\n\n## Technical Analysis\n\nThe TTPs associated with this campaign are focused on the direct manipulation of Industrial Control Systems (ICS).\n\n1.  **Reconnaissance:** The actors likely use search engines like Shodan to identify internet-accessible PLCs and other OT/ICS devices. This aligns with [`T1595.002 - Active Scanning: Vulnerability Scanning`](https://attack.mitre.org/techniques/T1595/002/).\n2.  **Initial Access:** Attackers are gaining access to PLCs by exploiting weak or default credentials, or potentially unpatched vulnerabilities in the device's firmware or management interface. This corresponds to [`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/) and [`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/). In the context of ICS, this is also mapped to [`T0886 - Remote Services`](https://attack.mitre.org/techniques/T0886/).\n3.  **Execution & Impact:** Once they have access, the actors interact with the PLC's logic and settings to alter its behavior. This can involve stopping processes, changing setpoints, or disabling safety systems. This is a direct application of [`T0831 - Manipulation of Control`](https://attack.mitre.org/techniques/T0831/) and [`T0829 - Loss of Control`](https://attack.mitre.org/techniques/T0829/) within the MITRE ATT&CK for ICS framework.\n\n> The core vulnerability being exploited is not a specific software flaw, but an architectural one: the direct connection of sensitive OT devices to the public internet. These devices were not designed for such exposure and often lack robust security features.\n\n## Impact Assessment\n\nThe impact of this campaign extends beyond data theft to physical consequences. Successful attacks on WWS facilities could disrupt the supply of safe drinking water or the treatment of wastewater, posing a direct public health risk. In the energy sector, manipulation of PLCs could lead to power outages or damage to expensive equipment. While the advisory does not mention specific financial institutions as targets, widespread disruption to critical infrastructure would have cascading economic effects, impacting all sectors of the economy. The reported operational disruptions and financial losses at victim organizations are likely just the initial wave of a more significant threat if OT environments are not secured.\n\n## Cyber Observables for Detection\n\nDetecting these attacks requires visibility into OT networks, which is often a blind spot for security teams.\n\n| Type | Value | Description |\n| --- | --- | --- |\n| Network Traffic Pattern | Inbound connections from untrusted IPs to PLC ports | Monitor for any internet-sourced traffic to common ICS ports (e.g., `44818/TCP` for EtherNet/IP, `2222/TCP` for Rockwell) on OT network segments. |\n| Log Source | PLC/HMI Audit Logs | Review logs for unauthorized login attempts, configuration changes, or logic downloads. |\n| Process Name | `RSLinxNG.exe`, `Studio5000.exe` | Monitor for execution of Rockwell engineering software from unexpected sources or at unusual times. |\n| Network Traffic Pattern | Outbound connections from OT network | Any outbound connection from a PLC to an external IP address is highly suspicious and could indicate compromise. |\n\n## Detection & Response\n\n*   **Detection Strategies:**\n    1.  **Network Monitoring:** Implement a network intrusion detection system (NIDS) with ICS-aware signatures at the boundary between the IT and OT networks. Use D3FEND's [`D3-NTA - Network Traffic Analysis`](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis) to baseline normal traffic and alert on anomalies, such as connections from new external IPs or the use of programming protocols from untrusted sources.\n    2.  **Asset Inventory:** Actively scan for and inventory all internet-facing devices. Use tools like Shodan or other external scanning services to see your organization from an attacker's perspective and identify exposed PLCs or other OT assets.\n    3.  **Log Analysis:** Centralize and monitor logs from PLCs, HMIs, and engineering workstations. Look for unauthorized access, changes to controller logic, or modifications to device configurations. This is an application of D3FEND's [`D3-SFA - System File Analysis`](https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis) applied to controller project files.\n\n*   **Response:**\n    *   If a compromise is suspected, immediately follow established incident response plans to isolate the affected OT network segment from the internet and the corporate IT network.\n    *   Engage with ICS incident response specialists to safely assess the state of the controllers and return them to a known-good configuration.\n    *   Report the incident to CISA to aid in broader threat intelligence efforts.\n\n## Mitigation\n\nThe recommendations in advisory AA26-097A are clear and should be prioritized.\n\n1.  **Network Isolation:** The most critical mitigation is to ensure that no PLCs or other OT devices are directly accessible from the internet. All remote access should be managed through a secure, multi-factor authenticated VPN connection to a DMZ, with strict access controls. This is the core principle of D3FEND's [`D3-NI - Network Isolation`](https://d3fend.mitre.org/technique/d3f:NetworkIsolation).\n2.  **Network Segmentation:** Implement a robust network segmentation strategy based on the Purdue Model to separate the OT network from the corporate IT network. Use firewalls to strictly control all traffic between these zones. This aligns with D3FEND's [`D3-BDI - Broadcast Domain Isolation`](https://d3fend.mitre.org/technique/d3f:BroadcastDomainIsolation).\n3.  **Firmware Updates:** Regularly update PLC firmware to the latest versions to patch any known vulnerabilities, as recommended by Rockwell Automation. This is an application of D3FEND's [`D3-SU - Software Update`](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate).\n4.  **Credential Hardening:** Change all default passwords on PLCs, HMIs, and network equipment. Implement strong, unique passwords for all accounts. Where possible, use centralized authentication (e.g., Active Directory) with MFA for OT access.","🚨 URGENT: CISA, FBI & NSA warn of Iranian APTs targeting US critical infrastructure. Attackers are exploiting internet-exposed Rockwell PLCs in the water & energy sectors, causing operational disruptions. 🏭 #ICS #CyberAttack #OTsecurity #CISA","CISA, FBI, and NSA issue a joint advisory on Iranian-affiliated APTs actively exploiting internet-connected Rockwell Automation PLCs in US critical infrastructure, causing disruptions.",[13,14,15],"Industrial Control Systems","Cyberattack","Threat Actor","critical",[18,22,25,28,32,35,37,40],{"name":19,"type":20,"url":21},"CISA","government_agency","https://www.cisa.gov",{"name":23,"type":20,"url":24},"FBI","https://www.fbi.gov",{"name":26,"type":20,"url":27},"NSA","https://www.nsa.gov",{"name":29,"type":30,"url":31},"Rockwell Automation","vendor","https://www.rockwellautomation.com/",{"name":33,"type":34},"Allen-Bradley","product",{"name":36,"type":30},"Unitronics",{"name":38,"type":39},"Hydro Kitten","threat_actor",{"name":41,"type":39},"Storm-0784",[],[44,49,54,59],{"url":45,"title":46,"date":47,"friendly_name":19,"website":48},"https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a","Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure","2026-04-07","cisa.gov",{"url":50,"title":51,"date":47,"friendly_name":52,"website":53},"https://www.cyberscoop.com/iran-hackers-water-energy-feds/","Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn","CyberScoop","cyberscoop.com",{"url":55,"title":56,"date":47,"friendly_name":57,"website":58},"https://bankingjournal.aba.com/2026/04/cisa-federal-agencies-issue-advisory-on-iran-related-cyberattacks/","CISA, federal agencies issue advisory on Iran-related cyberattacks","ABA Banking Journal","bankingjournal.aba.com",{"url":60,"title":61,"date":47,"friendly_name":62,"website":63},"https://www.emergencybrief.com/p/todays-emergency-brief-iranian-cyber-risks-national-firefighting-efforts-severe-weather-water-advisories-and-kilauea","Today's Emergency Brief: Iranian Cyber Risks, National Firefighting Efforts, Severe Weather, Water Advisories, and Kilauea","Emergency Brief","emergencybrief.com",[65,68],{"datetime":66,"summary":67},"2026-03","Attacks by Iranian-affiliated APTs against US critical infrastructure escalate.",{"datetime":47,"summary":69},"CISA, FBI, NSA, and other agencies issue joint advisory AA26-097A.",[71,75,79,83,86],{"id":72,"name":73,"tactic":74},"T0886","Remote Services","Initial Access",{"id":76,"name":77,"tactic":78},"T0867","Valid Accounts","Defense Evasion",{"id":80,"name":81,"tactic":82},"T0831","Manipulation of Control","Impact",{"id":84,"name":85,"tactic":82},"T0829","Loss of Control",{"id":87,"name":88,"tactic":74},"T0885","Spearphishing Attachment",[90,95,99,103],{"id":91,"name":92,"description":93,"domain":94},"M0930","Network Segmentation","Isolate OT networks from IT networks and the internet to prevent unauthorized access to critical controllers like PLCs. This is the most effective defense.","ics",{"id":96,"name":97,"description":98,"domain":94},"M0936","Filter Network Traffic","Apply strict firewall rules to control all traffic entering and exiting the OT network, blocking all non-essential communication.",{"id":100,"name":101,"description":102,"domain":94},"M0920","Update Software","Keep PLC firmware and engineering software updated to the latest vendor-supplied versions to mitigate known vulnerabilities.",{"id":104,"name":105,"description":106,"domain":94},"M0942","Password Policies","Enforce strong, unique passwords for all ICS devices and applications, and change all default credentials immediately upon deployment.",[108,114,120],{"technique_id":109,"technique_name":110,"url":111,"recommendation":112,"mitre_mitigation_id":113},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","The primary mitigation against this threat is to enforce strict network isolation for all Operational Technology (OT) assets. Rockwell PLCs and other industrial controllers should never be directly connected to the internet. Organizations must conduct an immediate audit of their network architecture to identify and remove any public-facing OT devices. All remote access to the OT environment must be brokered through a secure gateway, such as a VPN concentrator within a properly configured Industrial DMZ. This access must be protected with Multi-Factor Authentication (MFA). This single measure effectively removes the initial access vector used by the Iranian APTs, forcing them to find a much more difficult path through the IT network, which is typically better monitored and defended.","M1035",{"technique_id":115,"technique_name":116,"url":117,"recommendation":118,"mitre_mitigation_id":119},"D3-ITF","Inbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering","At the boundary between the IT and OT networks, deploy a firewall capable of deep packet inspection for industrial protocols. Configure rules to strictly enforce a 'default deny' policy, only allowing explicitly authorized communication. For Rockwell PLCs, this means only allowing EtherNet/IP traffic (port 44818) from specific, authorized engineering workstations or HMIs. All other traffic from the IT network to the OT network should be blocked. This creates a strong defensive perimeter that prevents unauthorized actors who may have compromised the IT network from easily pivoting into the more sensitive OT environment. This technique hardens the environment against lateral movement and contains threats within the IT zone.","M1037",{"technique_id":121,"technique_name":122,"url":123,"recommendation":124,"mitre_mitigation_id":125},"D3-PH","Platform Hardening","https://d3fend.mitre.org/technique/d3f:PlatformHardening","In addition to network controls, the PLCs themselves must be hardened. This involves several key steps outlined in Rockwell's advisories (PN1550, SD1771). First, change all default credentials on the devices to strong, unique passwords. Second, place the PLC's mode switch into the 'Run' position to prevent remote programming changes. Third, disable or block unnecessary services and ports on the device. Finally, utilize features like controller-based access control to restrict which users or devices can communicate with the PLC. These hardening steps increase the difficulty for an attacker to manipulate the device even if they manage to gain network access to it.","M1028",[],[128,134,137,142],{"type":129,"value":130,"description":131,"context":132,"confidence":133},"port","44818","Default port for EtherNet/IP, the protocol used by Rockwell PLCs. Inbound traffic from the internet to this port is a strong indicator of an exposed device.","Firewall logs, network traffic analysis.","high",{"type":129,"value":135,"description":136,"context":132,"confidence":133},"2222","Default TCP port for some Rockwell services. Inbound traffic from the internet to this port is a strong indicator of an exposed device.",{"type":138,"value":139,"description":140,"context":141,"confidence":133},"log_source","PLC Controller Logs","Logs indicating mode changes (e.g., from 'Run' to 'Program' or 'Remote'), logic modifications, or firmware updates from untrusted sources.","Industrial Control System (ICS) monitoring platforms, Syslog from devices.",{"type":143,"value":144,"description":145,"context":146,"confidence":133},"network_traffic_pattern","Outbound traffic from OT subnets","Any network connection initiated from a PLC or other OT device to an external internet address is highly anomalous and should be investigated.","Egress firewall logs, Netflow analysis.",[148,149,19,150,151,29,152,153,38],"ICS","OT","Iran","APT","PLC","Critical Infrastructure","2026-04-07T15:00:00.000Z","Advisory",{"geographic_scope":157,"countries_affected":158,"industries_affected":160,"other_affected":164},"national",[159],"United States",[153,161,162,163],"Energy","Government","Manufacturing",[165],"Water and Wastewater Systems (WWS)",5,1775683821211]