Iranian APT Targets 5,219 Exposed Rockwell PLCs Worldwide, Disruption Reported

High severity — significant development or major threat actor activity
Iranian hackers are trying to break into important machines that help run things like water treatment plants and power stations. They are using normal software to sneak in and mess with the machines, which could cause big problems. It's like someone using the keys to your house to change the locks without you knowing!
Iranian-affiliated APT actors are targeting thousands of exposed Rockwell PLCs globally, leading to operational disruptions and financial losses across critical infrastructure sectors.
What Happened
On April 7, 2026, the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command jointly warned that Iranian-affiliated advanced persistent threat (APT) actors are actively targeting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs). This ongoing campaign has been linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and has escalated since at least March 2026. The advisory, labeled AA26-097A, highlights that these attacks have already resulted in diminished PLC functionality, manipulation of display data, and in some cases, operational disruption and financial loss.
Who's Affected
Censys researchers identified 5,219 internet-exposed Rockwell PLCs globally, with the United States accounting for 74.6% of that exposure (3,891 hosts). Other countries with notable exposure include Spain (110 hosts), Taiwan (78), and Italy (73). The targeted devices are primarily used in critical infrastructure sectors such as water treatment, energy facilities, and government operations.
What Data Was Exposed
The threat actors are using Rockwell's legitimate engineering software, Studio 5000 Logix Designer, to access these PLCs directly. This enables them to read and modify project files and manipulate HMI/SCADA display screens, making their activities harder to detect. Confirmed targeted device families include CompactLogix and Micro850, with additional probing of OT protocols like Modbus and S7, indicating a broader targeting strategy across multiple vendor platforms.
What's at Risk
The exposure of these PLCs poses significant risks to operational technology (OT) environments. The heavy reliance on consumer and mobile carrier networks for internet connectivity compounds the problem: 49.1% of the exposed devices sit behind Verizon Business cellular modems and 13.3% behind AT&T Mobility. This points to a widespread deployment pattern whose risk has often gone overlooked.
Attack Techniques
The Iranian threat actors are not using zero-day exploits but rather leveraging legitimate software to establish connections with the PLCs. Upon gaining access, they deploy Dropbear, a lightweight Secure Shell (SSH) server, to maintain command-and-control capabilities. This allows them to extract project files and manipulate data on HMI and SCADA displays, leading to operational disruptions.
Patch Status
Organizations are urged to remove PLCs from direct internet exposure and implement robust security measures. This includes disabling unnecessary services like VNC and Telnet, implementing multi-factor authentication, and conducting audits on devices running outdated firmware.
Immediate Actions
To mitigate risks, organizations should:
- Remove PLCs from direct internet exposure.
- Implement physical and software controls to prevent remote modifications.
- Use firewalls or network proxies to control access.
- Keep PLC devices updated and disable unused authentication features.
- Monitor for unusual traffic patterns.
The ongoing campaign represents a significant escalation in cyber attacks by Iranian groups, which have previously targeted operational technology in the U.S. This advisory serves as a critical reminder of the vulnerabilities within critical infrastructure and the need for heightened security measures in OT environments.
🔍 How to Check If You're Affected
1. Monitor for unusual traffic patterns on PLCs.
2. Audit access logs for unauthorized access attempts.
3. Implement alerts for changes in PLC project files.
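As an added illustration of the monitoring steps above (example code, not from the advisory or this article), this script checks a few constructed flow records against an assumed asset inventory. The PLC addresses, the engineering workstations allowed to run Studio 5000, and the site's internal ranges are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EIP_PORT = 44818  # EtherNet/IP explicit messaging, the port Studio 5000 uses to reach a PLC
SSH_PORT = 22     # Dropbear SSH, the C2 channel described in the advisory
# Assumed asset inventory (constructed): PLCs, allowed engineering workstations, internal ranges.
PLCS = {"10.20.0.11", "10.20.0.12"}
ENGINEERING_WORKSTATIONS = {"10.10.5.40"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a minimal "src dst dport" form, one per line.
SAMPLE_FLOWS = """\
10.10.5.40 10.20.0.11 44818
10.10.7.99 10.20.0.11 44818
10.20.0.12 203.0.113.7 22
198.51.100.23 10.20.0.12 44818
10.10.5.40 10.20.0.12 80
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flow(line: str) -> Flow:
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(flow: Flow) -> Optional[str]:
    """Return an alert for a suspicious flow, or None if it looks normal."""
    if flow.dst in PLCS and not is_internal(flow.src):  # the PLC is reachable from the internet
        return f"PLC {flow.dst} reached from public address {flow.src}"
    if flow.dst in PLCS and flow.dport == EIP_PORT and flow.src not in ENGINEERING_WORKSTATIONS:
        return f"unexpected EtherNet/IP session {flow.src} -> {flow.dst}"  # not a known engineering host
    if flow.src in PLCS and flow.dport == SSH_PORT:  # matches the Dropbear C2 behaviour
        return f"PLC {flow.src} opened SSH to {flow.dst}"
    return None

def scan(lines) -> List[str]:
    """Run each non-empty flow record through classify() and collect the alerts."""
    alerts = [classify(parse_flow(line)) for line in lines if line.strip()]
    return [alert for alert in alerts if alert]
```

Only the first sample flow (an allowed workstation opening a Studio 5000 session) and the last (plain HTTP from that workstation) pass silently; the other three each raise one alert.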
The current escalation in Iranian cyber attacks reflects a broader strategy targeting both IT and OT infrastructure, emphasizing the need for organizations to enhance their cybersecurity posture.