Iran-Backed Hackers Strike US Critical Infrastructure Through Internet-Connected OT Devices

Iranian-affiliated hackers have launched a series of attacks on US critical national infrastructure (CNI) providers, causing operational disruptions and significant financial losses, according to a recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA). The campaign, which began last month, specifically targets internet-facing operational technology (OT) assets, including programmable logic controllers (PLCs) from Rockwell Automation and Allen-Bradley.

This coordinated effort by an advanced persistent threat (APT) group has already affected government services, local municipalities, water and wastewater systems (WWS), and the energy sector. The attackers are manipulating project files and tampering with data displayed on human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) displays, as reported by CISA. These PLCs are critical for managing a wide range of industrial processes, making them prime targets for disruption.

How Iran Hackers Target US CNI via Internet-Facing OT Systems

The threat actors are exploiting internet-connected OT devices, bypassing traditional security perimeters. They use configuration software like Rockwell Automation’s Studio 5000 Logix Designer to establish ‘accepted connections’ to targeted PLCs. These connections often originate from overseas IP addresses and third-party hosted infrastructure, making detection challenging.

Inbound malicious traffic typically appears on ports such as 44818, 2222, 102, 22, and 502. Particularly concerning are attacks on port 22, where the hackers deploy Dropbear Secure Shell (SSH) software on victim endpoints to maintain remote access. This method allows them to persist within networks and continue their malicious activities undetected.

As a result, CISA has urged all US CNI providers to urgently review their systems for indicators of compromise (IOCs) and apply the recommended mitigations. The advisory emphasizes that the widespread use of these PLCs across critical infrastructure increases the risk of further targeting of other OT devices.

Immediate Actions for Critical Infrastructure Firms

In response to this escalating threat, CISA has outlined several critical steps for CNI operators. First, organizations should use secure gateways and firewalls to protect PLCs from direct internet exposure. This is a fundamental measure to reduce the attack surface for threat actors.

Additionally, firms must query available logs for the IOCs provided in the advisory and check for suspicious traffic on the associated ports, especially if it originates from overseas. For Rockwell Automation devices, placing the physical mode switch on the controller into the ‘run’ position can help prevent unauthorized modifications. If an organization has already been targeted, it should immediately contact the FBI, CISA, NSA, or other authoring agencies for guidance.

This campaign follows a similar attack in March, when the Handala group targeted US medtech firm Stryker, wiping tens of thousands of devices. It also echoes a 2023 operation by Iran’s Islamic Revolutionary Guard Corps (IRGC) that struck US water plants running PLCs from Israeli manufacturer Unitronics. These patterns highlight a persistent and evolving threat to critical infrastructure.

Expert Insights on the Attack Campaign

Security experts warn that this campaign did not emerge in a vacuum. Ross Filipek, CISO at Corsica Technologies, points out that years of high-profile infrastructure incidents have revealed two critical truths. First, many OT environments still have internet-reachable interfaces and remote access paths that were never intended to be permanent. Second, even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage.

Filipek adds, ‘Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance-level defacement into real operational interference.’ This sentiment underscores the urgency of proactive security measures.

Steve Povolny, VP of AI strategy and security research at Exabeam, emphasizes that CNI firms operating OT should assume increased reconnaissance, credential harvesting, and opportunistic attempts to exploit systems during the US campaign in Iran. He notes, ‘Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators.’

Povolny recommends prioritizing passive network monitoring for control protocols, enforcing strict segmentation between enterprise and control zones, validating remote access pathways, and ensuring that engineering workstations and vendor maintenance channels are tightly controlled and logged. He stresses that incident response plans must explicitly account for loss of control system integrity, not just loss of data confidentiality. However, he fears it may be too late for much of this to have short-term impact.

For more on protecting critical infrastructure, see our guide on OT security best practices and learn about building an industrial cybersecurity framework.

Strengthening Defenses Against Future Attacks

To mitigate the risk of similar attacks, CNI providers must adopt a multi-layered security approach. This includes implementing robust network segmentation, deploying intrusion detection systems, and conducting regular security audits. Employee training on phishing and social engineering is also crucial, as these attacks often serve as entry points for deeper intrusions.

Furthermore, organizations should collaborate with government agencies like CISA and the FBI to stay informed about emerging threats. Sharing threat intelligence within the industry can help build a collective defense against state-sponsored actors.

Ultimately, the recent campaign by Iran-backed threat actors serves as a stark reminder that internet-facing OT systems are vulnerable to exploitation. By taking immediate action and adopting long-term security strategies, US CNI providers can better protect their critical assets from future attacks.