Research and Insights from RADICL's vSOC and research team

Iranian APT Actors Are Targeting Your PLCs — Here's What to Do

Written by Josh Shepard | Apr 09, 2026

CISA, the FBI, NSA, EPA, DOE, and U.S. Cyber Command published a joint advisory this week (AA26-097A) warning of active exploitation of internet-facing Programmable Logic Controllers (PLCs) by Iranian-affiliated advanced persistent threat (APT) actors. If your organization operates in the government services, energy, or water and wastewater sectors, this demands immediate attention.

Our Director of the RAID Team sat down to walk through the advisory and give you clear, actionable guidance. Watch the full breakdown here:

What's happening

Since at least March 2026, Iranian-affiliated APT actors have been accessing internet-exposed PLCs, primarily Rockwell Automation/Allen-Bradley CompactLogix and Micro850 devices, with some targeting of Siemens S7 PLCs as well.

Once inside, they're doing two things:

  1. Corrupting project files (.ACD files containing ladder logic and controller configuration)

  2. Manipulating data displayed on HMI and SCADA screens.

The goal isn't espionage — it's disruption. Several victim organizations have already experienced operational downtime and financial loss. With ongoing U.S.-Iran tensions, the authoring agencies assess this activity is likely to continue and escalate.

How they're getting in

The attack vector is straightforward: PLCs that are directly internet-exposed. Threat actors are using legitimate Rockwell configuration software (Studio 5000 Logix Designer) over standard OT ports to establish connections that look like normal engineering traffic. Key ports to watch in your telemetry include:

  • 44818 — Ethernet/IP (primary)
  • 2222 — Ethernet/IP (secondary)
  • 22 — SSH (Dropbear SSH has been deployed on victim endpoints)
  • 502 — Modbus
  • 102 — Siemens S7

What to do right now

If you operate PLCs in any of the targeted sectors, take these steps immediately:

  1. Remove your PLCs from direct internet exposure. Any remote access needs to go through a jump host or secure gateway. Attackers should never be able to reach OT ports directly from the internet.
  2. Check your logs against the published IOCs. The advisory includes a list of Iranian-affiliated IP addresses active from January 2025 through March 2026. Query your network telemetry against these and investigate any hits. IOC files (STIX XML and JSON) are available directly from the CISA advisory.
  3. Hunt for unusual connections on OT ports. Look for any external IP addresses, especially from overseas hosting providers, communicating with the ports listed above.
  4. For Rockwell Allen-Bradley PLCs: The physical selector switch on your controller should be moved from Remote or Program to Run mode. This prevents remote modification of PLC logic entirely. Only move it back to Program when you're actively performing updates, and switch it back immediately when done.

Stay vigilant

Due to recent world events, Iranian threat actors have significantly increased their operational tempo. As this situation continues to evolve, we'll keep publishing updates when new information becomes available.

Full advisory and downloadable IOCs: CISA AA26-097A
View full post