

Ethical Hacking News

Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs










A recent surge in cyber attacks by Iranian hacking groups against U.S. organizations has disrupted programmable logic controllers (PLCs) across several U.S. critical infrastructure sectors, cybersecurity and intelligence agencies warned Tuesday.

The attacks have resulted in diminished PLC functionality, manipulation of display data, operational disruption, and financial loss, according to a post on X by the U.S. Federal Bureau of Investigation (FBI). The campaign is part of a broader escalation in cyber attacks against U.S. organizations amid the ongoing conflict between Iran and the U.S. and Israel.

Specifically, the activity disrupted PLCs in several U.S. critical infrastructure sectors through malicious interactions with the controller's project file and manipulation of the data shown on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. The affected devices include CompactLogix and Micro850 PLCs, both Rockwell Automation product lines, according to the advisory.

The actors used leased, third-party-hosted infrastructure running PLC configuration software such as Rockwell Automation's Studio 5000 Logix Designer to establish an accepted connection to the victim's PLC; a controller that is reachable from the internet and still permits remote programming treats such a session like any other engineering workstation. Having obtained initial access, the threat actors established command-and-control by deploying Dropbear, a lightweight SSH server, on victim endpoints, giving them remote access over TCP port 22 through which they extracted the device's project file and manipulated data on HMI and SCADA displays.

To counter the threat, organizations are advised to keep PLCs off the internet; to prevent remote modification via a physical or software switch (on CompactLogix controllers, for example, the mode key switch left in RUN rather than REM blocks remote program changes); to implement multi-factor authentication (MFA) on remote access paths; and to place a firewall or network proxy in front of the PLC so that only designated engineering workstations can reach it. Keeping PLC firmware up to date, disabling any unused authentication features, and monitoring for unusual traffic, such as engineering-protocol sessions from unexpected sources or SSH on the OT segment, round out the recommendations.
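The last recommendation, monitoring for unusual traffic, is concrete enough to show in code. The following is an added example written for this article (it is not code from the advisory, the FBI, or Rockwell Automation): it reads Zeek-style connection records and applies two checks that map onto the intrusion described above, flagging EtherNet/IP explicit-messaging sessions (TCP 44818, the port Studio 5000 uses to talk to Logix controllers) to a PLC from any host other than an allow-listed engineering workstation, and surfacing any SSH session that touches the OT segment, which is the Dropbear port-22 pattern. The subnet, host roles, allow-list and log lines are constructed for the example; documentation address ranges stand in for public internet addresses.

```python
"""Flag engineering-port access to PLCs and SSH on an OT segment.

Detection logic added for this article; it is not code from the advisory,
the FBI, or Rockwell Automation. The network layout, host roles and the
log lines below are constructed for the example.
"""
import csv
import io
import ipaddress

# Assumed lab layout (not from the advisory).
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PLC_HOSTS = {"10.20.0.11": "CompactLogix", "10.20.0.12": "Micro850"}
ENGINEERING_WORKSTATIONS = {"10.20.0.50"}
# Anything outside these ranges is treated as "internet". Documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) stand in for public addresses below.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENIP_PORT = 44818  # EtherNet/IP explicit messaging (CIP); used by Studio 5000
SSH_PORT = 22

# Constructed Zeek-like conn records (a subset of conn.log fields, tab-separated).
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000001.1\t10.20.0.50\t51000\t10.20.0.11\t44818\ttcp\t-
1700000002.2\t203.0.113.77\t41234\t10.20.0.11\t44818\ttcp\t-
1700000003.3\t10.20.0.31\t40001\t10.20.0.12\t44818\ttcp\t-
1700000004.4\t198.51.100.9\t55555\t10.20.0.40\t22\ttcp\tssh
1700000005.5\t10.20.0.40\t38000\t203.0.113.77\t22\ttcp\tssh
1700000006.6\t10.20.0.50\t38001\t10.20.0.40\t22\ttcp\tssh
1700000007.7\t10.20.0.50\t52000\t10.20.0.11\t2222\tudp\t-
"""


def is_external(ip):
    """True when the address is outside every known internal range."""
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_conn_log(text):
    """Parse the tab-separated records into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def analyze(records):
    """Return (rule, orig_h, resp_h, resp_p) tuples for suspicious flows."""
    findings = []
    for r in records:
        orig = ipaddress.ip_address(r["id.orig_h"])
        resp = ipaddress.ip_address(r["id.resp_h"])
        resp_p = int(r["id.resp_p"])
        if r["proto"] != "tcp":
            continue  # both checks concern TCP sessions

        # Check 1: engineering-port session to a PLC from a non-allow-listed host.
        if (resp_p == ENIP_PORT and str(resp) in PLC_HOSTS
                and str(orig) not in ENGINEERING_WORKSTATIONS):
            rule = ("internet_exposed_plc" if is_external(orig)
                    else "unauthorized_engineering_access")
            findings.append((rule, str(orig), str(resp), resp_p))

        # Check 2: SSH touching the OT segment. Inbound from or outbound to the
        # internet is the Dropbear-style remote-access pattern; purely internal
        # SSH is still reported because it is rare on a PLC network.
        if resp_p == SSH_PORT and (orig in OT_SUBNET or resp in OT_SUBNET):
            if is_external(orig):
                rule = "ssh_inbound_from_internet"
            elif is_external(resp):
                rule = "ssh_outbound_to_internet"
            else:
                rule = "ssh_on_ot_segment"
            findings.append((rule, str(orig), str(resp), resp_p))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_conn_log(SAMPLE_CONN_LOG)):
        print(*finding)
```

Run against the sample log, the allow-listed workstation's session and the UDP I/O traffic pass silently, while the session from 203.0.113.77 to the CompactLogix is reported as an internet-exposed PLC, the internal non-engineering host as unauthorized engineering access, and the three SSH flows by direction. In production the allow-list and internal ranges come from the asset inventory, and the same logic can be expressed as a firewall policy in front of the PLC rather than only as a detection.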

Iranian hacking groups have targeted PLCs before. In late 2023, Cyber Av3ngers (aka Hydro Kitten, Shahid Kaveh Group, and UNC5691) was linked to the exploitation of internet-exposed Unitronics PLCs, including at the Municipal Water Authority of Aliquippa in western Pennsylvania.

"This advisory confirms what we've observed for months: Iran's cyber escalation follows a known playbook," Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement shared with The Hacker News. "Iranian threat actors are now moving faster and broader and targeting both IT and OT infrastructure."

The development comes amid a fresh surge in distributed denial-of-service (DDoS) attacks and claimed hack-and-leak operations by cyber proxy groups and hacktivists targeting Western and Israeli entities, according to Flashpoint.

In a report published this week, DomainTools Investigations (DTI) described activity attributed to Homeland Justice, Karma/KarmaBelow80, and Handala Hack as a "single, coordinated cyber influence ecosystem" aligned with Iran's Ministry of Intelligence and Security (MOIS) rather than a set of distinct hacktivist groups.

"These personas function as interchangeable operational veneers applied to a consistent underlying capability," DTI said. "Their purpose is not to reflect organizational separation, but to enable segmentation of messaging, targeting, and attribution while preserving continuity of infrastructure and tradecraft."

Public-facing domains and Telegram channels serve as the primary dissemination and amplification hub. Telegram also plays a central role in command-and-control (C2): the malware communicates with threat actor-controlled bots on the platform, which reduces the operators' infrastructure overhead and lets the traffic blend in with legitimate use of the service.

The development also comes as JUMPSEC detailed MuddyWater's ties to the criminal ecosystem, stating that the Iranian state-sponsored threat actor operates at least two CastleRAT builds against Israeli targets. CastleRAT is a remote access trojan that is part of the CastleLoader framework, which Recorded Future attributes to a group it tracks as GrayBravo (aka TAG-150).

Central to the operations is a PowerShell deployer ("reset.ps1") that drops a previously undocumented JavaScript-based malware called ChainShell. ChainShell queries a smart contract on the Ethereum blockchain to retrieve a C2 address and then fetches next-stage JavaScript from that address for execution on the compromised host. Because the C2 address lives in contract state rather than in the implant, the operators can rotate it with a single transaction, and seizing any one domain does not break the chain.
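The mechanics of reading a C2 address from a smart contract are worth seeing once, because the same decoding is what an analyst needs when examining what a suspect contract returns. The following is an added, illustrative reconstruction written for this article; it is not ChainShell's code, and the contract address, function selector, RPC endpoint and C2 value are placeholders. It shows the read-only eth_call JSON-RPC request an implant would send to any public Ethereum node, the ABI encoding of the string the contract returns, and a decoder that validates the layout instead of trusting it. The node's reply is constructed locally so the example runs offline.

```python
"""How a C2 address can be parked in, and read back from, an Ethereum contract.

Illustrative reconstruction added for this article; not ChainShell's code.
The contract address, selector, RPC URL and C2 string are made-up placeholders.
"""
import json

# Hypothetical values (assumptions, not from the report).
CONTRACT = "0x" + "ab" * 20              # 20-byte contract address (placeholder)
SELECTOR = "0x1f2e3d4c"                  # 4-byte function selector (placeholder)
RPC_URL = "https://rpc.example.invalid"  # stands in for any public JSON-RPC node


def build_eth_call(contract, selector, request_id=1):
    """JSON-RPC body an implant would POST to a node to read contract state."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(s):
    """ABI-encode a single `string` return value (what the node sends back):
    32-byte offset, 32-byte length, then the bytes right-padded to 32."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big")   # dynamic data starts right after the head
    length = len(data).to_bytes(32, "big")
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hex_result):
    """Decode an ABI-encoded `string` from an eth_call result, checking every
    offset and length against the buffer rather than trusting the contract."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short for a dynamic type")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds result")
    return raw[start:start + length].decode("utf-8", errors="replace")


def resolve_c2(rpc_reply_json):
    """The implant's side: pull the C2 string out of the node's JSON-RPC reply."""
    reply = json.loads(rpc_reply_json)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return abi_decode_string(reply["result"])


# Constructed round trip: the value the contract holds, and the reply a node
# would return for it. The URL uses a documentation range; it is not an indicator.
C2_STORED = "https://203.0.113.10/gate.js"
CONSTRUCTED_REPLY = json.dumps({"jsonrpc": "2.0", "id": 1,
                                "result": abi_encode_string(C2_STORED)})

if __name__ == "__main__":
    print("request:", build_eth_call(CONTRACT, SELECTOR))
    print("resolved C2:", resolve_c2(CONSTRUCTED_REPLY))
```

From the defender's side the useful property is that the read is unauthenticated and deterministic: given the contract address and selector recovered from the implant, anyone can issue the same eth_call against a public node and decode the current C2 with the function above, and can keep polling to catch rotations.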

JUMPSEC says the MuddyWater development has direct consequences for defenders. "The adoption of a Russian criminal MaaS by an Iranian state actor has direct implications for defenders," JUMPSEC said in a report shared with The Hacker News. "Organizations targeted by MuddyWater, especially in the defense, aerospace, energy, and government sectors, now face threats that combine state-level targeting with commercially developed offensive tools."




Related Information:

  • https://www.ethicalhackingnews.com/articles/Iran-Linked-Hackers-Disrupt-US-Critical-Infrastructure-by-Targeting-Internet-Exposed-PLCs-ehn.shtml

  • Published: Wed Apr 8 02:13:14 2026 by llama3.2 3B Q4_K_M













© Ethical Hacking News. All rights reserved.