Ethical Hacking News
Iran-linked actors have been targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure networks across the United States, resulting in operational disruptions and financial losses for several U.S.-based organizations. The attacks are linked to groups such as CyberAv3ngers, associated with Iran's IRGC, and other known Iranian-affiliated APT actors.
- Iran-linked actors are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in US critical infrastructure networks.
- The attacks began escalating in November 2023, causing operational disruptions and financial losses for several organizations.
- Iran-affiliated APT actors exploited a critical flaw (CVE-2025-59528) in the Flowise software for remote code execution.
- The attackers used ports including 44818, 2222, 102, 22, and 502, and deployed SSH tools like Dropbear for remote access.
- At least 75 devices, including Unitronics PLCs, have been compromised since November 2023.
- US agencies urge organizations to assess exposed devices, disconnect systems from the internet where possible, and prioritize cybersecurity measures.
A recent joint alert from U.S. agencies, including the FBI and CISA, warns that Iran-linked actors are targeting internet-exposed Rockwell/Allen-Bradley Programmable Logic Controllers (PLCs) used in critical infrastructure networks across the United States. The attacks, which began to escalate in November 2023, have caused operational disruptions and financial losses for several U.S.-based organizations.
The joint advisory published by the agencies warns that Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing OT devices, including PLCs manufactured by Rockwell Automation/Allen-Bradley. The attackers gained initial access to these devices using overseas IPs and leased infrastructure, leveraging tools such as Studio 5000 Logix Designer.
The attacks involve manipulating PLC project files and altering the values shown on Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays, so that operators act on false process data; in some cases this led to operational disruptions and financial losses. The agencies recommend removing PLCs from direct internet exposure (or placing them behind a firewall that only permits known engineering and SCADA hosts), monitoring OT service ports for connections from unexpected sources, reviewing logs for the published indicators of compromise, enabling multifactor authentication on remote access paths, updating firmware, disabling unused services and changing default credentials and keys, and continuously monitoring network activity.
According to the advisory, the same actors exploited CVE-2025-59528, a critical remote code execution flaw in Flowise, an open-source builder for LLM-based applications. A vulnerability of that kind gives the attacker a foothold on an internet-facing server rather than on the PLC itself, so it is worth checking for separately from the OT exposure. The attackers also used ports including 44818 and 2222 (EtherNet/IP explicit messaging and implicit I/O), 102 (ISO-TSAP, used by Siemens S7 communications), 22 (SSH), and 502 (Modbus/TCP), and deployed the lightweight Dropbear SSH implementation for remote access.
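The recommendation above to monitor OT ports for connections from unexpected sources can be turned into a small triage script. The following is an added example written for this article, not code from the advisory or from any vendor; it parses a constructed firewall connection log (CSV columns are an assumption, adjust them to your firewall's export), treats anything outside a site-defined list of internal networks as external, flags allowed connections from such sources to the OT ports the advisory names, and then groups the hits so that a single external source touching several OT services on one host stands out. The indicator list is a placeholder; substitute the IPs from the advisory.

```python
"""Triage firewall logs for external connections to OT service ports."""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ports named in the advisory, with the ICS service normally behind each.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / Siemens S7comm",
    502: "Modbus/TCP",
    22: "SSH (e.g. Dropbear on embedded devices)",
}

# Assumption: the site's own address space. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder indicator list; replace with the IPs published in the advisory.
KNOWN_BAD_SOURCES = {"198.51.100.23"}

# Constructed sample log (TEST-NET addresses), not real traffic.
SAMPLE_LOG = """timestamp,src_ip,dst_ip,dst_port,proto,action
2026-04-01T03:12:44Z,198.51.100.23,10.20.30.5,44818,tcp,allow
2026-04-01T03:12:45Z,198.51.100.23,10.20.30.5,2222,udp,allow
2026-04-01T03:13:02Z,10.20.30.7,10.20.30.5,44818,tcp,allow
2026-04-01T03:15:10Z,203.0.113.9,10.20.30.6,502,tcp,allow
2026-04-01T03:16:00Z,203.0.113.9,10.20.30.6,22,tcp,allow
2026-04-01T03:17:30Z,192.0.2.55,10.20.30.8,443,tcp,allow
2026-04-01T03:18:00Z,198.51.100.23,10.20.30.5,102,tcp,deny
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str
    ioc_match: bool


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ot_sessions(log_text: str) -> list[Finding]:
    """Return allowed connections from external sources to OT service ports."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue  # denied attempts are useful scanning telemetry but not exposure
        port = int(row["dst_port"])
        if port in OT_PORTS and is_external(row["src_ip"]):
            findings.append(Finding(
                row["timestamp"], row["src_ip"], row["dst_ip"], port,
                OT_PORTS[port], row["src_ip"] in KNOWN_BAD_SOURCES,
            ))
    return findings


def escalate(findings: list[Finding], min_ports: int = 2) -> dict[tuple[str, str], list[int]]:
    """Map (src, dst) to the sorted OT ports hit when a source touched >= min_ports services on one host."""
    ports = defaultdict(set)
    for f in findings:
        ports[(f.src_ip, f.dst_ip)].add(f.dst_port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    hits = find_exposed_ot_sessions(SAMPLE_LOG)
    for h in hits:
        flag = " [IOC]" if h.ioc_match else ""
        print(f"{h.timestamp} {h.src_ip} -> {h.dst_ip}:{h.dst_port} {h.service}{flag}")
    for (src, dst), plist in escalate(hits).items():
        print(f"ESCALATE: {src} reached {len(plist)} OT services on {dst}: {plist}")
```

Any host that appears in the escalation output is, by definition, reachable from outside on an OT protocol and should be pulled behind the firewall before the log review goes any further; the deny rows are worth counting separately as evidence of scanning against the same targets.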
The attacks have been linked to groups such as CyberAv3ngers, associated with Iran's IRGC, and other known Iranian-affiliated APT actors. The campaign has been ongoing since November 2023, with the attackers compromising at least 75 devices, including Unitronics PLCs used across sectors like water and wastewater systems.
The U.S. agencies urge organizations to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support. The alert serves as a reminder of the growing threat posed by Iranian-linked actors and the importance of prioritizing cybersecurity measures to protect critical infrastructure networks.
Related Information:
https://www.ethicalhackingnews.com/articles/Iran-linked-Actors-Target-Critical-Infrastructure-PLCs-A-Growing-Threat-to-Global-Stability-ehn.shtml
https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
https://cybernews.com/security/iran-hackers-target-us-critical-infrastructure-plcs/
https://nvd.nist.gov/vuln/detail/CVE-2025-59528
https://www.cvedetails.com/cve/CVE-2025-59528/
https://attack.mitre.org/groups/G1027/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
Published: Wed Apr 8 04:15:12 2026 by llama3.2 3B Q4_K_M