Iran-Linked CyberAv3ngers Exploits Unitronics PLCs in Water Utilities

Marcus Rodriguez
April 13, 2026

Key Takeaways

  • Iranian state-sponsored threat group CyberAv3ngers (also known as Storm-0784, Bauxite, or UNC5691) is actively targeting critical infrastructure globally.
  • The group exploits internet-exposed Programmable Logic Controllers (PLCs) from Unitronics and Rockwell Automation, including a critical unpatched vulnerability, CVE-2021-22681 (CVSS 9.8).
  • Attacks have caused real-world operational disruptions and financial losses in water utilities, energy, and government sectors across the U.S., UK, and Ireland.
  • CyberAv3ngers utilizes a sophisticated, custom-built malware platform called IOCONTROL, designed to evade detection within industrial networks.

Iranian-Linked CyberAv3ngers Intensifies Attacks on Global Critical Infrastructure

A sophisticated threat group, identified as CyberAv3ngers and formally tied to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has significantly escalated its operations against critical infrastructure worldwide. Active since at least 2020, the group has consistently refined its cyber offensive capabilities, posing a growing risk to essential services.

On April 7, 2026, a comprehensive advisory, designated AA26-097A, was jointly issued by six prominent U.S. agencies: the FBI, CISA, NSA, EPA, Department of Energy, and Cyber Command. This advisory confirmed that Iranian-affiliated actors are systematically exploiting internet-facing Programmable Logic Controllers (PLCs) within water and wastewater systems, energy grids, and government facilities. The documented attacks have led to tangible operational disruptions and financial damages at numerous organizations across the United States. The agencies explicitly attributed these malicious activities to CyberAv3ngers, a group also tracked under various aliases by other cybersecurity firms, including Storm-0784 by Microsoft, Bauxite by Dragos, and UNC5691 by Mandiant.

Evolution of Tactics and Targets

Researchers at Tenable have observed a methodical enhancement in CyberAv3ngers’ capabilities. In late 2023, the group compromised at least 75 Unitronics Vision Series PLCs in the U.S., United Kingdom, and Ireland. These breaches were primarily facilitated by devices that were exposed to the public internet and still used their factory-default passwords.

A notable incident involved the Municipal Water Authority of Aliquippa, Pennsylvania, where a vulnerable PLC was directly accessible online without any authentication safeguards. Another attack in Ireland resulted in residents experiencing a multi-day interruption of water services, highlighting the severe real-world impact of these cyber operations.

By mid-2024, CyberAv3ngers introduced IOCONTROL, a custom-developed malware platform specifically engineered for Linux-based IoT and operational technology environments. This marked a significant advancement in their toolkit. Subsequently, in early 2026, the group pivoted its focus to Rockwell Automation Logix controllers, actively exploiting CVE-2021-22681, a critical authentication bypass vulnerability with a CVSS score of 9.8. This flaw allows an attacker to gain unauthorized access to affected PLCs by intercepting a single cryptographic key, bypassing legitimate credentials. Rockwell Automation has confirmed that no software patch currently exists for this vulnerability, impacting several controller families including CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix.

Despite sanctions from the U.S. Treasury against six IRGC-CEC officials linked to CyberAv3ngers in February 2024, and a State Department reward offer of up to ten million dollars for information on the group, CyberAv3ngers continues to operate. A new communication channel, “Cyber4vengers,” emerged in January 2026 after a previous one was taken down. The group’s industrial control system (ICS) exploitation techniques have also been adopted by approximately 60 affiliated hacktivist groups, creating a distributed threat that is difficult to neutralize through individual enforcement actions.

IOCONTROL: Built to Hide Inside Industrial Networks

IOCONTROL represents the most advanced tool in CyberAv3ngers’ current operational arsenal. This modular malware is designed to operate across a broad spectrum of Linux-based devices commonly found in industrial and IoT environments, including routers, Human-Machine Interfaces (HMIs), IP cameras, firewalls, and fuel management systems from manufacturers such as D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

Claroty’s Team82 has characterized IOCONTROL as a nation-state cyberweapon specifically developed to target civilian critical infrastructure. Before its formal identification as IOCONTROL in 2024, the malware was tracked under the names OrpraCab and QueueCat.

A key feature that makes IOCONTROL particularly evasive is its sophisticated command-and-control (C2) architecture, which allows it to blend seamlessly with legitimate network traffic. The malware communicates with its C2 server using the MQTT protocol over TLS on port 8883, a standard communication channel for IoT devices. Furthermore, it employs DNS-over-HTTPS for domain resolution, effectively bypassing many traditional network monitoring tools. For persistence, IOCONTROL installs itself as a systemd boot script, ensuring it survives device reboots. Its configuration data is encrypted using AES-256-CBC, and it possesses capabilities to execute arbitrary system commands, perform port scanning, or self-delete upon command.

What You Should Do

  • Isolate Vulnerable PLCs: Immediately disconnect all internet-facing Unitronics Vision Series and Rockwell Automation Logix PLCs from the public internet.
  • Implement Network Segmentation: Employ robust network segmentation to isolate operational technology (OT) networks from IT networks and other less secure segments.
  • Isolate Engineering Workstations: Ensure engineering workstations used for PLC programming and monitoring are isolated and secured, ideally without direct internet access.
  • Utilize Physical Mode Switches: Set physical mode switches on PLCs to “Run” to prevent unauthorized remote logic modifications.
  • Backup Configurations: Regularly back up all PLC configurations to secured, offline media.
  • Enhance Remote Access Security: Replace remote access tools like TeamViewer or AnyDesk with enterprise-grade VPN solutions that enforce multi-factor authentication (MFA).
  • Monitor for IOCONTROL Indicators: Configure security information and event management (SIEM) systems and firewalls to detect and alert on MQTT over TLS traffic on port 8883 and DNS-over-HTTPS activity originating from OT network segments.
  • Ingest IOCs: Promptly ingest all Indicators of Compromise (IOCs) provided in CISA Advisory AA26-097A into your SIEM and firewall platforms.
  • Patch and Update: While no patch exists for CVE-2021-22681, ensure all other industrial control system (ICS) software and firmware are kept up-to-date to mitigate other known vulnerabilities.
  • Review Default Credentials: Audit and change all default passwords on industrial control devices and systems.
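The two network behaviours the article attributes to IOCONTROL, MQTT over TLS on TCP/8883 and DNS-over-HTTPS from OT hosts, can be triaged from ordinary flow and DNS logs. The script below is an added example, not code from the article, CISA, or Claroty; the OT subnet, addresses, and Zeek-style records are constructed sample data, and the DoH rule is a heuristic (an HTTPS destination the host never learned through a plain DNS answer), not a signature.

```python
"""Added example: triage OT egress for the IOCONTROL behaviours described above.
All subnets, addresses and log records are constructed for illustration."""
import ipaddress
from collections import defaultdict

OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed OT segment (constructed)

# Constructed Zeek-style conn records: (ts, src_ip, dst_ip, dst_port, proto)
CONN_LOG = [
    (1.0, "10.20.1.15", "10.20.1.2", 502, "tcp"),      # Modbus inside OT: expected
    (2.0, "10.20.1.15", "198.51.100.7", 8883, "tcp"),  # MQTT/TLS leaving the OT segment
    (3.0, "10.20.1.15", "203.0.113.9", 443, "tcp"),    # HTTPS to an IP never seen in DNS
    (4.0, "10.20.1.30", "192.0.2.10", 443, "tcp"),     # HTTPS to a normally resolved IP
    (5.0, "10.1.5.5", "198.51.100.7", 8883, "tcp"),    # IT host: outside this rule set
]
# Constructed DNS answers observed from the OT segment: (ts, src_ip, qname, answer_ip)
DNS_LOG = [
    (3.9, "10.20.1.30", "updates.vendor.example", "192.0.2.10"),
]

def in_ot(ip):
    """True if the address falls inside one of the OT segments."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)

def triage(conn_log, dns_log):
    """Return alert tuples (rule, src, dst, port) for suspicious OT egress.

    Rule 1 (mqtt_tls_egress): any TCP/8883 flow from an OT host to a non-OT address.
    Rule 2 (tls_without_dns): TCP/443 from an OT host to an address that host never
        received in a plain DNS answer, i.e. the name was resolved out of band,
        which is what DNS-over-HTTPS looks like from the network's point of view.
    """
    resolved = defaultdict(set)  # src_ip -> addresses it learned via plain DNS
    for _, src, _, answer_ip in dns_log:
        resolved[src].add(answer_ip)
    alerts = []
    for _, src, dst, dport, proto in conn_log:
        if not in_ot(src) or in_ot(dst):
            continue  # only egress from OT hosts to destinations outside OT
        if proto == "tcp" and dport == 8883:
            alerts.append(("mqtt_tls_egress", src, dst, dport))
        elif proto == "tcp" and dport == 443 and dst not in resolved[src]:
            alerts.append(("tls_without_dns", src, dst, dport))
    return alerts

if __name__ == "__main__":
    for alert in triage(CONN_LOG, DNS_LOG):
        print(*alert)
```

Rule 2 will also flag hosts with hardcoded update servers or long DNS cache lifetimes, so treat it as a hunting lead to pair with the AA26-097A indicators rather than a blocking rule.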
