The FBI and the Cybersecurity and Infrastructure Security Agency in a joint advisory released Tuesday warned that Iran-linked threat actors have exploited internet-facing devices at U.S. critical infrastructure sites, including water, energy and municipal locations.
The hackers have targeted programmable logic controllers (PLCs) made by Rockwell Automation/Allen-Bradley, in attacks involving malicious interactions with project files. The attacks led to data manipulation on both the human machine interface and supervisory control and data acquisition displays, according to the advisory.
The agencies did not specify the number or specific locations of the attacks, but the advisory noted that the incidents resulted in financial losses and operational disruption.
The Environmental Protection Agency, Department of Energy, National Security Agency and U.S. Cyber Command also participated in the advisory, which urged security teams to enable multifactor authentication, remove devices from the public internet and check logs for suspicious activity, as well as place physical-mode switches on Rockwell devices to the “run” position.
Rockwell Automation authentication bypass vulnerability
At the center of the campaign is an authentication bypass vulnerability in Rockwell Automation’s Logix controllers. Rockwell Automation in March updated an advisory on the flaw (CVE-2021-22681) in its Studio 5000 Logix Designer software that could allow a cryptographic key to be found and let a non-Rockwell application connect with Logix controllers.
The company at the time also issued an advisory reminding customers to disconnect devices from the open internet and harden security on their PLC environments. The Rockwell guidance was specifically referenced in the federal advisory Monday.
The company “takes seriously the security of its products and solutions and has been closely coordinating with government agencies,” a spokesperson told Cybersecurity Dive.
More than 3,000 Rockwell devices remain visible on the public internet, either because organizations are not aware they are exposed or they underestimate the risk, Markus Mueller, field CISO at Nozomi Networks, told Cybersecurity Dive.
“The public exposure of these OT devices creates a vast attack surface that a motivated and capable adversary can exploit, which is especially relevant given the current conflict,” Mueller said.
The recent attacks are reminiscent of prior exploitation of Unitronics PLCs by Iranian hackers during the Gaza war in 2023-2024. The previous targeting was linked to an Islamic Revolutionary Guard Corp.-linked actor tracked as CyberAv3ngers.
Hundreds of U.S. water systems were found to have weak security configurations that exposed them to hacking and, in dozens of cases, water utilities were compromised.
Iran-linked threat actors have targeted numerous critical infrastructure targets in Israel, the Persian Gulf region and the U.S. since the beginning of the war in late February.
Stryker, a major U.S. medical technology provider, was attacked in March after hackers manipulated the company’s Microsoft Intune environment. The attack led to brief disruptions of the company’s manufacturing, ordering and shipping capabilities.