CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 20:48:03 GMT

ifin@infosec.exchange — Mon, 13 Apr 2026 20:48:03 GMT

For the record, we have received independent confirmation of this activity.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 19:57:07 GMT

tahomasoft@puget.social — Mon, 13 Apr 2026 19:57:07 GMT

@ifin @nopatience I no longer work there, but USEPA may have corroborating information; as I understand it, the PLC targets are in drinking wand waste water systems; hence EPA’s potential involvement.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 19:32:10 GMT

ifin@infosec.exchange — Mon, 13 Apr 2026 19:32:10 GMT

@nopatience Thank you for these!

The first is a measurement of exposure of OT of types previously attacked, not a report of current exploitation. The second is a report about a new attack tool available for sale. These are useful, but neither are confirmation of CISA's claim that:

Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.

Note the present tense, as of 2026-04-07.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 19:29:19 GMT

ifin@infosec.exchange — Mon, 13 Apr 2026 19:29:19 GMT

@kiddcutty That's exactly the report we're trying to verify.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 19:28:01 GMT

nopatience@swecyb.com — Mon, 13 Apr 2026 19:28:01 GMT

@ifin There appears to have been some articles preceding the CISA advisory, and when viewed together may paint some sort of "capability" picture.

2026-01-28: https://lab52.io/blog/black-industry-irgc-linked-offensive-ot-framework/

2026-03-30: https://censys.com/blog/ics-iran-part-2-revisiting-exposure-of-previously-targeted-ics-devices/

And a few more. I have not spent a significant amount of time exploring these in depth, but just some quick references to potentially relevant articles.

Reply to CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. on Mon, 13 Apr 2026 19:23:38 GMT

kiddcutty@infosec.exchange — Mon, 13 Apr 2026 19:23:38 GMT

@ifin

This was put out by CISA on April 7th. Attacks against Rockwell/Allen Bradley PLCs.

Access Denied

(www.cisa.gov)