Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Iranian-affiliated APT actors are actively targeting internet-exposed programmable logic controllers (PLCs), specifically Rockwell Automation devices, across multiple U.S. critical infrastructure sectors. The attackers utilize native configuration software and Dropbear SSH to manipulate project files and HMI displays, leading to operational disruptions and financial losses.
Authors: CISA, FBI, NSA, EPA, DOE, CNMF
Source: CISA
Key Takeaways
- Iranian-affiliated APT actors are actively exploiting internet-facing Rockwell Automation/Allen-Bradley PLCs across US critical infrastructure.
- Attacks involve malicious interaction with project files and manipulation of HMI/SCADA displays, causing operational disruption.
- Threat actors utilize configuration software like Studio 5000 Logix Designer and deploy Dropbear SSH for remote access.
- Organizations must immediately disconnect PLCs from direct internet exposure and place physical mode switches into the RUN position.
Affected Systems
- Rockwell Automation/Allen-Bradley PLCs (CompactLogix, Micro850)
- Potentially Siemens S7 PLCs
- Internet-facing Operational Technology (OT) devices
Vulnerabilities (CVEs)
- CVE-2021-22681
Attack Chain
The threat actors identify internet-facing PLCs, specifically Rockwell Automation/Allen-Bradley devices, and establish connections using leased third-party infrastructure. They utilize native configuration software like Studio 5000 Logix Designer to access the devices and deploy Dropbear SSH for persistent remote access. Once connected, the attackers extract and maliciously interact with project files (.ACD files) and manipulate data on HMI and SCADA displays, resulting in operational disruption.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The advisory provides STIX XML and JSON files containing IOCs (IP addresses) for network defense, but does not include specific detection engineering rules like YARA or Sigma.
Detection Engineering Assessment
- EDR Visibility: Low — PLCs and OT devices typically do not support standard EDR agents; visibility relies heavily on network monitoring and jump host telemetry.
- Network Visibility: High — The attack relies on inbound connections over specific OT ports and SSH from external IP addresses, which are highly visible in network flow and firewall logs.
- Detection Difficulty: Moderate — Detecting external connections to OT ports is straightforward if logging is enabled, but distinguishing malicious configuration software traffic from legitimate engineering traffic requires deep packet inspection or strict access control lists.
Required Log Sources
- Firewall logs
- VPN/Gateway logs
- Network flow logs
- Asset management system logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for inbound network connections from external or unauthorized IP addresses to internal OT assets over ports 44818, 2222, 102, 502, or 22. | Firewall logs, NetFlow | Initial Access | Low |
| Identify unexpected SSH (port 22) traffic originating from or destined to PLC devices, which may indicate Dropbear SSH deployment. | Network traffic analysis | Command and Control | Medium |
| Monitor for unauthorized changes to PLC project files (.ACD) or unexpected device configuration modifications detected by asset management systems. | Asset management logs, OT monitoring tools | Impact | Medium |
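The two network hypotheses in the table, worked through as an added example that is not part of the advisory: a small hunt over constructed flow records that flags external sources reaching internal hosts on the listed OT ports or SSH, and any SSH involving a known PLC that does not come from an authorized engineering jump host. The PLC inventory, jump-host allow list and record format are assumptions for the example.

```python
import ipaddress

# Ports named in the advisory's hunting hypotheses
OT_PORTS = {44818, 2222, 102, 502}
SSH_PORT = 22
# Constructed inventory (placeholders, not advisory data): PLC addresses and
# the engineering jump hosts allowed to reach them.
PLC_ASSETS = {"10.20.0.15", "10.20.0.16"}
AUTHORIZED_ENGINEERING_HOSTS = {"10.10.5.2"}
# Address space treated as internal; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse a constructed record 'src=IP dst=IP dport=N proto=tcp'; None if malformed."""
    try:
        f = dict(kv.split("=", 1) for kv in line.split())
        src, dst, dport = f["src"], f["dst"], int(f["dport"])
        ipaddress.ip_address(src), ipaddress.ip_address(dst)  # reject bad addresses
        return src, dst, dport
    except (KeyError, ValueError):
        return None

def hunt(lines):
    """Return (src, dst, dport, reason) tuples for records matching either hypothesis."""
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        # Hypothesis 1: external source reaching an internal host on an OT or SSH port
        if dport in OT_PORTS | {SSH_PORT} and is_external(src) and not is_external(dst):
            findings.append((src, dst, dport, "external source to OT/SSH port"))
        # Hypothesis 2: SSH to or from a PLC, unless it comes from an authorized jump host
        elif dport == SSH_PORT and {src, dst} & PLC_ASSETS and src not in AUTHORIZED_ENGINEERING_HOSTS:
            findings.append((src, dst, dport, "unexpected SSH involving a PLC"))
    return findings

SAMPLE_FLOWS = [  # constructed records; 203.0.113.x and 198.51.100.x stand in for external hosts
    "src=203.0.113.45 dst=10.20.0.15 dport=44818 proto=tcp",  # external -> PLC EtherNet/IP
    "src=10.10.5.2 dst=10.20.0.15 dport=44818 proto=tcp",     # authorized engineering traffic
    "src=198.51.100.7 dst=10.20.0.16 dport=22 proto=tcp",     # external SSH to PLC
    "src=10.20.0.16 dst=10.30.1.9 dport=22 proto=tcp",         # PLC initiating SSH outbound
    "src=10.10.5.2 dst=10.20.0.16 dport=22 proto=tcp",         # jump host SSH to PLC
    "not a flow record",
]
```

Running `hunt(SAMPLE_FLOWS)` yields three findings: the two external connections and the PLC-originated SSH session; the authorized jump-host traffic on both ports is left alone.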
Control Gaps
- Direct internet exposure of OT devices
- Lack of MFA on remote access gateways
- Physical mode switches left in 'Remote' or 'Program' mode instead of 'Run'
Key Behavioral Indicators
- Traffic on ports 44818, 2222, 102, 502 from overseas hosting providers
- Presence of Dropbear SSH on OT endpoints
- Unexpected interactions with .ACD project files
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Disconnect PLCs from the public-facing internet immediately.
- Place the physical mode switch on Rockwell Automation controllers into the 'Run' position.
- Query network logs for the provided malicious IP addresses.
Infrastructure Hardening
- Implement a secure gateway, firewall, or VPN to broker all remote connections to OT networks.
- Configure external and internal firewalls to block traffic using common OT ports (44818, 2222, 102, 502) from unauthorized segments.
- Disable unused services such as Telnet, FTP, RDP, and VNC on OT devices.
User Protection
- Implement multifactor authentication (MFA) for all remote access to the OT network.
- Create and test offline backups of PLC logic and configurations.
Security Awareness
- Ensure OT engineers understand the risks of leaving physical mode switches in 'Program' or 'Remote' positions.
- Review Rockwell Automation's security guidelines and apply necessary software patches during established downtime windows.
MITRE ATT&CK Mapping
- T0883 - Internet Accessible Device
- T1565 - Data Manipulation
- T0885 - Commonly Used Port
- T1219 - Remote Access Software
Additional IOCs
- Other:
  - Port 44818: Commonly targeted OT port for inbound malicious traffic
  - Port 2222: Commonly targeted OT port for inbound malicious traffic
  - Port 102: Commonly targeted OT port for inbound malicious traffic
  - Port 502: Commonly targeted OT port for inbound malicious traffic
  - Port 22: Targeted for Dropbear SSH remote access