CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024.
-
CISA is claiming that #Iran is once again targeting Programmable Logic Controllers (PLCs), similar to efforts in 2024. Has anyone seen recent evidence of this? None was provided from CISA, and we'd love independent confirmation.
-
This was put out by CISA on April 7th. Attacks against Rockwell/Allen Bradley PLCs.
-
@ifin There appear to have been some articles preceding the CISA advisory, and when viewed together they may paint some sort of "capability" picture.
2026-01-28: https://lab52.io/blog/black-industry-irgc-linked-offensive-ot-framework/
2026-03-30: https://censys.com/blog/ics-iran-part-2-revisiting-exposure-of-previously-targeted-ics-devices/
And a few more. I have not spent a significant amount of time exploring these in depth, but just some quick references to potentially relevant articles.
-
@kiddcutty That's exactly the report we're trying to verify.
-
@nopatience Thank you for these!
The first is a measurement of exposure of OT of types previously attacked, not a report of current exploitation. The second is a report about a new attack tool available for sale. These are useful, but neither is confirmation of CISA's claim that:
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
Note the present tense, as of 2026-04-07.
-
@ifin @nopatience I no longer work there, but USEPA may have corroborating information; as I understand it, the PLC targets are in drinking and waste water systems; hence EPA’s potential involvement.
-
For the record, we have received independent confirmation of this activity.