Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Advisory at a Glance

Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Original Publication: April 7, 2026

Executive Summary:
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected Products:
- Rockwell Automation/Allen-Bradley manufactured PLCs
- Potentially other branded PLCs

Key Actions:
- Remove PLCs from direct internet exposure via secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- For Rockwell Automation devices, place the physical mode switch on the controller into the run position. Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

Indicators of Compromise:
For a downloadable copy of IOCs, see:
- AA26-097A STIX XML (35 KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml
- AA26-097A STIX JSON (12 KB): https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.json

Intended Audience:
Organizations: Critical Infrastructure
Sectors: Government Services and Facilities (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/government-services-facilities-sector), Water and Wastewater Systems (WWS) (https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector), and
Originally published by CISA
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a