Six federal agencies do not publish a joint advisory on a Monday afternoon unless something is already happening.
On April 7, 2026, the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force released Joint Cybersecurity Advisory AA26-097A, warning that Iranian affiliated APT actors are actively exploiting internet facing programmable logic controllers across multiple U.S. critical infrastructure sectors. The activity has already caused operational disruptions and financial losses at victim organizations.
This is not a forecast. This is a campaign in progress with confirmed impact.
If your organization runs Rockwell Automation or Allen-Bradley PLCs, especially CompactLogix or Micro850 models, and any of those devices are reachable from the internet, this advisory applies to you directly.
The problem here is not sophisticated malware or a novel zero day. PLCs are sitting on the internet without segmentation or authentication, and the attackers are walking in through the front door using legitimate engineering software.
Who is behind this
The authoring agencies assess that the activity is the work of Iranian affiliated APT actors conducting disruptive operations against U.S. targets. The advisory ties the activity to patterns previously attributed to CyberAv3ngers, also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, Bauxite, Mr. Soul, Soldiers of Solomon, and UNC5691. The group is affiliated with Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command.
This is the same cluster that compromised at least 75 Unitronics PLC devices starting in November 2023, going after U.S. water and wastewater systems. That campaign relied on default credentials and internet exposure for defacement and disruption. The current campaign is broader and has moved to include Rockwell Automation devices, which are among the most widely deployed PLCs in North American industrial automation.
The agencies note that Iranian affiliated APT campaigns against U.S. organizations have escalated recently, likely tied to hostilities between Iran, the United States, and Israel.
What they are targeting
Primary targets: Rockwell Automation/Allen-Bradley PLCs, specifically CompactLogix and Micro850 models. These controllers use the EtherNet/IP protocol over port 44818 for programming and data exchange. When exposed directly to the internet, which is common in legacy or poorly segmented networks, they accept remote engineering software connections without additional authentication in many deployments.
Broader OT scope: The actors are also scanning ports tied to other vendors' protocols, including Siemens S7 (port 102), Modbus (port 502), and SSH (port 22). That suggests the targeting may go beyond Rockwell devices.
Confirmed sectors: Water and Wastewater Systems, Energy, and Government Services and Facilities, including local municipalities. The advisory notes that some victims experienced operational disruption and financial loss.
How the attack works
The TTPs here are simple but they work against exposed OT environments. There is no complex exploit chain. The actors are taking advantage of the most basic hygiene failure in OT security: devices sitting on the open internet with no segmentation, no authentication, and no monitoring.
Initial access (MITRE ICS T0883): Actors scan for publicly accessible PLCs and connect using legitimate Rockwell engineering software like Studio 5000 Logix Designer, operating from overseas hosted infrastructure. No exploit needed. The exposure is the vulnerability.
Command and control (MITRE ICS T0885, Enterprise T1219): Traffic targets ports 44818 (EtherNet/IP explicit messaging), 2222 (EtherNet/IP implicit I/O), 102 (S7comm), 502 (Modbus), and 22 (SSH). The actors also deploy Dropbear SSH, a lightweight SSH server, on victim endpoints to maintain persistent remote access.
Impact (Enterprise T1565): Actors extract or interact with the PLC's project file (the .ACD file containing ladder logic and configuration) and manipulate data displayed on connected HMI and SCADA systems. That translates to diminished PLC functionality, misleading operator displays, and operational disruption.
None of this requires advanced capability. But manipulating control logic and operator displays in a water treatment plant or energy facility can lead to unsafe conditions, downtime, and process failures. The advisory does not describe physical damage or safety system compromise so far, but the potential is obvious.
Indicators of compromise
The advisory provides specific IP addresses used by the threat actors with associated timeframes. Query these against your network and device logs now.
| Indicator | First Observed | Last Observed |
|---|---|---|
| 135.136.1[.]133 | March 2026 | March 2026 |
| 185.82.73[.]162 | January 2025 | March 2026 |
| 185.82.73[.]164 | January 2025 | March 2026 |
| 185.82.73[.]165 | January 2025 | March 2026 |
| 185.82.73[.]167 | January 2025 | March 2026 |
| 185.82.73[.]168 | January 2025 | March 2026 |
| 185.82.73[.]170 | January 2025 | March 2026 |
| 185.82.73[.]171 | January 2025 | March 2026 |
Pay attention to the 185.82.73.x indicators: seven of the eight addresses sit between 185.82.73.162 and .171 in that /24, and they have been in use since January 2025, over a year. If you have not checked for historical connections from these addresses to your OT assets, do it now. Match on the exact hosts first and treat the surrounding block as a lower-confidence pivot. The table records what the agencies observed, so an empty result does not clear you, and a hit outside the listed months still deserves a look.
Ports to watch for suspicious inbound traffic: 44818, 2222, 102, 22, 502, especially from overseas hosting providers.
CISA has published STIX JSON and XML IOC packages for automated ingestion into threat intelligence platforms and SIEM tooling.
What defenders should do now
The advisory's recommendations line up with CISA's Cross Sector Cybersecurity Performance Goals 2.0. Here is what matters most, organized by urgency.
Immediate: stop the exposure
The single most important thing you can do right now is get your PLCs off the internet. Every device should sit behind a secure gateway, firewall, or VPN. There should be no inbound internet access to port 44818 or any other OT port. Period. Use jump hosts for any remote access that is actually needed.
For Rockwell controllers with a physical mode switch: set it to RUN now. Only switch to PROGRAM or REMOTE for legitimate updates, then switch it back. With the key in RUN the controller rejects remote mode changes, online edits, and program downloads, which closes the logic-manipulation path described above. It does not stop an exposed controller from answering discovery requests, uploading its project, or accepting tag writes over EtherNet/IP, so treat it as a stopgap, not a substitute for taking the device off the internet.
For Siemens or similar controllers with software key switching: enable programming protection in the PLC configuration software to restrict who can modify controllers remotely.
Create and test full offline backups of PLC logic and configurations. Store them on air gapped or physically secured media. If a device has been compromised, you need a known good baseline to restore from.
Short term: check your logs
Query network and device logs for the IOC IP addresses listed above, scoped to the timeframes in the table. Look for inbound connections to ports 44818, 2222, 102, 502, and 22 from external sources, especially overseas hosting providers.
Look for unexpected changes to PLC operating mode, project files, or HMI and SCADA display values. Check asset management logs for unauthorized configuration changes. If you have OT specific monitoring tools or passive network sensors, use them to establish a baseline of normal traffic and flag anything that does not belong.
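The IOC sweep described in this section and under "Indicators of compromise" above, as an added example that is not part of the advisory or of any CISA tooling. It takes syslog-style firewall lines (the key=value layout, the internal address ranges, and the sample lines are constructed assumptions; adapt LINE_RE and INTERNAL_NETS to your own export), flags connections from the listed indicators inside and outside their observed windows, and separately flags every external source that reached an OT port, since the exposure itself is what the advisory calls out and actor infrastructure rotates.

```python
"""Hunt firewall or flow logs for the AA26-097A indicators and OT-port exposure.

Added, illustrative script; not tooling from the advisory or CISA. The log
format, the internal ranges and the sample lines are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date, datetime

# IP indicators from AA26-097A keyed to their observed windows. The advisory
# gives month granularity, so each window spans the whole first and last month.
IOC_WINDOWS: dict[str, tuple[date, date]] = {
    "135.136.1.133": (date(2026, 3, 1), date(2026, 3, 31)),
    **{
        f"185.82.73.{host}": (date(2025, 1, 1), date(2026, 3, 31))
        for host in (162, 164, 165, 167, 168, 170, 171)
    },
}

# Ports called out in the advisory and the protocol each normally carries.
OT_PORTS: dict[int, str] = {
    44818: "EtherNet/IP", 2222: "EtherNet/IP-IO", 102: "S7comm", 502: "Modbus", 22: "SSH",
}

# Assumption: these are the organization's own address ranges; anything else is
# external. RFC 1918 is a placeholder, not a recommendation.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed key=value firewall line shape; replace with your vendor's format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+\S+\s+action=(?P<action>\w+)"
    r".*?\bsrc=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    src: str
    dst: str
    dport: int
    reasons: tuple[str, ...]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> Finding | None:
    """Return a Finding if the line matters, else None (unparseable lines are skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    src, dst, dport, action = m["src"], m["dst"], int(m["dport"]), m["action"]
    reasons: list[str] = []

    # 1. Known indicator, scoped to the advisory's window. A hit outside the
    #    window is kept: the table is what the agencies observed, not the
    #    actor's full history with that address.
    if src in IOC_WINDOWS:
        first, last = IOC_WINDOWS[src]
        reasons.append("ioc:in-window" if first <= ts.date() <= last else "ioc:outside-window")

    # 2. Any external source reaching an OT port is the structural problem the
    #    advisory describes, whether or not the source is a known IOC.
    if dport in OT_PORTS and not is_internal(src):
        proto = OT_PORTS[dport]
        reasons.append(f"exposed:{proto}" if action == "allow" else f"probe:{proto}")

    if not reasons:
        return None
    return Finding(ts, src, dst, dport, tuple(reasons))


def hunt(lines: list[str]) -> list[Finding]:
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample lines (not real traffic): one IOC hit inside its window,
# one outside, one blocked external Modbus probe, and two benign connections.
SAMPLE_LOG = """\
2025-06-14T02:13:55Z fw1 action=allow proto=tcp src=185.82.73.165 dst=203.0.113.20 dport=44818
2025-06-14T02:14:10Z fw1 action=allow proto=tcp src=198.51.100.7 dst=203.0.113.20 dport=443
2024-11-02T09:00:00Z fw1 action=allow proto=tcp src=185.82.73.165 dst=203.0.113.20 dport=22
2026-02-01T11:30:00Z fw1 action=deny proto=tcp src=192.0.2.77 dst=203.0.113.21 dport=502
2026-02-01T11:31:00Z fw1 action=allow proto=tcp src=10.20.30.40 dst=10.20.30.50 dport=44818
""".splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.src} -> {f.dst}:{f.dport}  {', '.join(f.reasons)}")
```

Run it as a script to print the matches from the sample, or import hunt() and feed it your own export. The deny-versus-allow split matters for triage: a blocked probe tells you someone is scanning, an allowed connection to 44818 from outside tells you the controller was reachable.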
Longer term: harden the environment
Implement multifactor authentication for all OT network and remote access. Even if the PLC itself does not support MFA, the VPN or gateway layer in front of it can enforce it.
Put real segmentation in place. Use firewalls with strict allow lists for engineering workstations connecting to OT zones. Disable services you are not using, including Telnet, FTP, RDP, and VNC. Remove default credentials. Keep PLC firmware patched using established downtime windows. Review Rockwell's guidance on CVE-2021-22681 (authentication bypass in Logix controllers) and their 2026 advisory SD1771 reiterating guidance to disconnect devices from the internet.
If you have cellular modems or remote field devices, make sure strong authentication and logging are enabled and firmware is current.
Why this keeps happening
This is the second major joint advisory in three years about Iranian affiliated actors going after U.S. PLCs through internet exposure. The 2023 Unitronics campaign had the same root cause. Devices that should never be directly reachable from the internet were directly reachable from the internet.
The advisory spells it out. The actors are not doing anything clever. They are scanning for exposed devices and connecting with legitimate software. The attack surface exists because of network architecture decisions, or more often, the absence of any deliberate architecture at all.
This will keep happening. Every internet exposed PLC is a target, not just for this Iranian group but for any state backed or opportunistic actor who understands industrial protocols. The mitigations in this advisory are not new. What is new is that the consequences are confirmed and the campaign is still active.
What CyberClues recommends
If you operate in water, energy, or government services and you have Rockwell PLCs in your environment, treat this as an action item today. Not a document to file.
Start with three things:
- Confirm your exposure. Identify every PLC, HMI, and SCADA device that is reachable from the internet. If you do not have a current OT asset inventory, build one. CISA offers free scanning and hygiene services that can help.
- Check your logs against the IOCs. Query for the IP addresses and ports listed above. The 185.82.73.0/24 range has been active for over a year. Historical compromise is a real possibility.
- Close the door. Move every OT device behind a secure gateway. Set Rockwell physical mode switches to RUN. Create offline backups. Do not wait for the next advisory.
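For the "confirm your exposure" step above and the port 44818 discussion under "What they are targeting", here is an added example, not code from the advisory, CISA, or Rockwell. It builds the unauthenticated EtherNet/IP ListIdentity request that internet scanners send first to port 44818 and parses the reply into vendor, product, revision, serial, and the address the device reports. The packet layout follows the published EtherNet/IP encapsulation format; the reply bytes used for the demonstration are constructed by hand (CIP vendor ID 1 is Rockwell Automation/Allen-Bradley; the product name, serial, and address are placeholders). Point probe() only at address space you own.

```python
"""Build and parse an EtherNet/IP ListIdentity exchange on port 44818.

Added example for checking your own exposure; not code from the advisory,
CISA or Rockwell. ListIdentity needs no session and no credentials.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}  # CIP vendor ID 1

# Encapsulation header: command, length, session, status, 8-byte context, options.
HEADER = struct.Struct("<HHII8sI")


def build_list_identity(context: bytes = b"\x00" * 8) -> bytes:
    """24-byte request: command 0x63, zero-length payload, no session handle."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


@dataclass(frozen=True)
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial: int
    product_name: str
    state: int
    reported_ip: str
    reported_port: int


def parse_list_identity(reply: bytes) -> Identity | None:
    """Parse a ListIdentity reply; None for anything else or for a truncated packet."""
    if len(reply) < HEADER.size:
        return None
    cmd, length, _session, status, _ctx, _opts = HEADER.unpack_from(reply, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0 or len(reply) < HEADER.size + length:
        return None
    body = reply[HEADER.size:HEADER.size + length]
    if len(body) < 2:
        return None
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        if len(body) < off + 4:
            return None
        item_type, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != ITEM_LIST_IDENTITY or len(item) < 33:
            continue
        # Item: encap version (LE), sockaddr_in (big-endian family, port, address,
        # 8 zero bytes), then LE vendor, device type, product code, revision
        # major/minor, status, serial, a length-prefixed name, and a state byte.
        _family, port, addr = struct.unpack_from("!HH4s", item, 2)
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial, name_len = (
            struct.unpack_from("<HHHBBHIB", item, 18)
        )
        name_end = 33 + name_len
        if len(item) < name_end + 1:
            return None
        return Identity(vendor, dev_type, prod_code, f"{rev_major}.{rev_minor}", dev_status,
                        serial, item[33:name_end].decode("ascii", "replace"), item[name_end],
                        socket.inet_ntoa(addr), port)
    return None


def probe(host: str, timeout: float = 2.0) -> Identity | None:
    """Send one ListIdentity over UDP and parse the answer. Only against hosts you own."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_list_identity(data)


def build_sample_reply() -> bytes:
    """Constructed reply for offline testing; not captured from a real device."""
    name = b"CONSTRUCTED-CONTROLLER"
    item = struct.pack("<H", 1)  # encapsulation protocol version
    item += struct.pack("!HH4s8s", 2, ENIP_PORT, socket.inet_aton("10.20.30.50"), b"\x00" * 8)
    item += struct.pack("<HHHBBHIB", 1, 0x0E, 0x0001, 33, 11, 0x0030, 0x00ABCDEF, len(name))
    item += name + b"\x03"  # placeholder state byte
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    ident = parse_list_identity(build_sample_reply())
    print(VENDORS.get(ident.vendor_id, ident.vendor_id), ident)
```

A controller that answers this from a public address is exactly what the advisory's scanning finds, and the reported address field is worth reading: a private address in the reply from a public probe usually means a NAT or port forward someone set up and forgot. The parser rejects short or wrong-command packets instead of raising, so it can sit behind a passive sensor feed as well as behind probe().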
If you believe your organization has been targeted, contact CISA (1-844-729-2472), your local FBI field office, and Rockwell Automation PSIRT.
The full advisory PDF, STIX IOCs, and referenced Rockwell guidance are available on CISA's advisory page.
This post is based on Joint Cybersecurity Advisory AA26-097A, published April 7, 2026, by the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command Cyber National Mission Force. The advisory is marked TLP:CLEAR. CyberClues is not affiliated with or endorsed by any of the authoring agencies.