Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Exposed to Iranian APT Activity


By Sarah simpson, April 10, 2026

Key Takeaways

  • Iranian-backed APT groups are actively targeting internet-exposed Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs).
  • Over 5,200 Rockwell/Allen-Bradley PLCs globally, with 74.6% in the U.S., are directly exposed to the internet.
  • Attackers are leveraging legitimate engineering software to manipulate PLCs, impacting critical infrastructure sectors.
  • The campaign is an escalation from previous attacks on Unitronics PLCs, indicating a broadening scope of targets.
  • Immediate action is required to remove these devices from direct internet exposure and implement robust security measures.

A recent joint alert from leading U.S. government agencies, including the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command, has revealed that advanced persistent threat (APT) actors with ties to Iran are actively compromising internet-accessible Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). This disclosure, dated April 7, 2026, highlights a critical and ongoing risk to operational technology (OT) environments, particularly within vital sectors like water treatment, energy, and government facilities.

The advisory, designated AA26-097A, underscores the severity of this persistent threat, which extends beyond U.S. borders. The implicated threat actors are associated with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and operate under various known aliases, including CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691.

This latest campaign, which has been active since at least March 2026, represents a significant escalation. It follows a series of attacks in November 2023 where the same group compromised at least 75 Unitronics PLCs in U.S. water and wastewater facilities, as detailed in CISA advisory AA23-335A. The current focus on Rockwell devices indicates a broadening of the group’s targeting strategy.

Global Exposure of Rockwell PLCs

Censys researchers have identified 5,219 internet-exposed hosts worldwide that communicate via EtherNet/IP (EIP) on port 44818 and are identified as Rockwell Automation/Allen-Bradley devices. This figure represents the full scope of the attack surface relevant to the recent advisory. A significant majority of this exposure, 74.6% or 3,891 hosts, is located within the United States. Other nations with notable exposure include Spain (110 hosts), Taiwan (78), and Italy (73).

The alarming aspect of this campaign is that the threat actors are not relying on zero-day exploits. Instead, they are exploiting legitimate functionalities by using Rockwell’s own Studio 5000 Logix Designer engineering software to directly access internet-facing PLCs. This method allows them to read and modify project files and manipulate Human-Machine Interface (HMI)/SCADA display screens, making their activities more difficult to detect. Confirmed targeted device families include CompactLogix and Micro850. Furthermore, active probing of other OT protocols such as Modbus (port 502) and S7 (port 102) suggests that the group may be expanding its targeting to include multiple vendor platforms.

A substantial portion of these exposed devices, 49.1% globally, sit behind Verizon Business cellular modems, with AT&T Mobility accounting for a further 13.3%. Many of these PLCs are deployed at field sites such as pump stations, electrical substations, and municipal facilities, reaching the internet through cellular modems rather than more secure network links. The prevalence of consumer and mobile carrier networks, rather than dedicated industrial ASNs, points to a pervasive and often overlooked deployment risk that demands immediate attention.

Expanded Attack Surface: Co-Exposed Services and IOC Analysis

Beyond the direct EIP exposure, Censys’s comprehensive protocol enumeration across the 5,219 vulnerable hosts uncovered significant co-exposed services, further widening the potential attack surface. VNC services were detected on 771 instances, providing attackers with direct remote desktop access to HMI workstations. Additionally, Telnet was found on 280 hosts and Modbus on 292, both presenting unprotected entry points consistent with the attack behaviors described in advisory AA26-097A.

In terms of Indicators of Compromise (IOCs), Censys’s analysis of the published indicators revealed that CISA’s seven 185.82.73.x IP addresses actually resolve to a single multi-homed Windows engineering workstation running the full Rockwell toolchain, rather than seven distinct machines. The researchers also identified four additional operator IPs on the same host that were not included in the advisory. Furthermore, a separate staging server at 135.136.1.133 was provisioned in February 2026, activated for a precise four-day window in mid-March, and subsequently abandoned.

What You Should Do

  • Immediately remove Rockwell/Allen-Bradley PLCs from direct internet exposure.
  • For CompactLogix and MicroLogix devices, set the physical mode switch to the RUN position, as this cannot be overridden remotely.
  • Disable VNC, Telnet, and FTP services on any host co-located with a PLC.
  • Implement multi-factor authentication (MFA) for all remote operational technology (OT) access.
  • Audit MicroLogix 1400 deployments running end-of-sale firmware versions C/21.02 and C/21.07 for potential vulnerabilities.
  • Review all inbound traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IPs, including the newly identified addresses: 185.82.73.160, 185.82.73.161, 185.82.73.163, and 185.82.73.166.
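The last recommendation is a log-review task, so here is a small triage script for it. This is an added example, not code from Censys, CISA or the article: it parses firewall or flow records in a constructed `key=value` format (real firewalls will need their own parser), flags any connection to the five TCP ports listed above, and ranks hits by source: the operator addresses named in this article (the four 185.82.73.x workstation IPs and the 135.136.1.133 staging server) are critical whether the connection was allowed or denied, and any other non-RFC1918 source that was allowed through to an OT port is high. Treating the whole 185.82.73.0/24 block as operator infrastructure is an assumption made here because the article reports all of CISA's 185.82.73.x indicators resolving to one workstation; the advisory itself does not say to watch the /24. The sample log lines are constructed.

```python
"""Triage inbound flow records for OT ports and known operator IPs (added example)."""
import ipaddress
import re
from collections import Counter

# TCP ports the advisory guidance says to review, with the service each carries.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP I/O)",
    102: "S7",
    502: "Modbus",
    22: "SSH",
}

# Operator addresses named in the article: four workstation IPs plus the staging server.
KNOWN_OPERATOR_IPS = frozenset({
    "185.82.73.160", "185.82.73.161", "185.82.73.163", "185.82.73.166",
    "135.136.1.133",
})
# Assumption made here (not advisory guidance): the article says the 185.82.73.x
# indicators all belong to one multi-homed workstation, so watch the whole /24.
OPERATOR_NETWORK = ipaddress.ip_network("185.82.73.0/24")

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a hypothetical key=value firewall format.
SAMPLE_LOG_LINES = [
    "2026-03-14T02:11:09Z action=allow src=185.82.73.160 dst=10.20.0.15 proto=tcp dport=44818",
    "2026-03-14T02:11:45Z action=allow src=185.82.73.166 dst=10.20.0.15 proto=tcp dport=2222",
    "2026-03-14T03:02:00Z action=allow src=203.0.113.7 dst=10.20.0.15 proto=tcp dport=502",
    "2026-03-14T03:05:12Z action=deny src=135.136.1.133 dst=10.20.0.22 proto=tcp dport=102",
    "2026-03-14T04:00:00Z action=allow src=10.20.0.40 dst=10.20.0.15 proto=tcp dport=44818",
    "2026-03-14T04:10:00Z action=allow src=198.51.100.9 dst=10.20.0.15 proto=tcp dport=443",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one key=value record into a dict, or return None if it is unusable."""
    fields = dict(_KV.findall(line))
    try:
        return {
            "ts": line.split()[0],
            "action": fields.get("action", "unknown"),
            "src": ipaddress.ip_address(fields["src"]),
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError, IndexError):
        return None


def classify(rec):
    """Return 'critical', 'high' or None for one parsed record."""
    if rec["dport"] not in OT_PORTS:
        return None
    src = rec["src"]
    if str(src) in KNOWN_OPERATOR_IPS or src in OPERATOR_NETWORK:
        # Known operator infrastructure touching an OT port: report even if blocked.
        return "critical"
    internal = any(src in net for net in INTERNAL_NETWORKS)
    if not internal and rec["action"] == "allow":
        # Any other internet source that actually reached an OT port.
        return "high"
    return None


def review_inbound(lines):
    """Return the records that need attention, in log order, with severity and service."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({**rec, "src": str(rec["src"]),
                             "severity": severity, "service": OT_PORTS[rec["dport"]]})
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    hits = review_inbound(SAMPLE_LOG_LINES)
    for h in hits:
        print(f"{h['severity']:8} {h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"({h['service']}, {h['action']})")
    print(dict(summarize(hits)))
```

Denied connections from the operator addresses are deliberately kept in the output: a blocked attempt still tells you the device is on the actors' target list, which is the signal that should drive the first recommendation (getting the PLC off the internet) rather than being filtered out as noise.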
