Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Exposed to Iranian APT Activity
Key Takeaways
- Iranian-backed APT groups are actively targeting internet-exposed Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs).
- Over 5,200 Rockwell/Allen-Bradley PLCs globally, with 74.6% in the U.S., are directly exposed to the internet.
- Attackers are leveraging legitimate engineering software to manipulate PLCs, impacting critical infrastructure sectors.
- The campaign is an escalation from previous attacks on Unitronics PLCs, indicating a broadening scope of targets.
- Immediate action is required to remove these devices from direct internet exposure and implement robust security measures.
A recent joint alert from leading U.S. government agencies, including the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command, has revealed that advanced persistent threat (APT) actors with ties to Iran are actively compromising internet-accessible Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). This disclosure, dated April 7, 2026, highlights a critical and ongoing risk to operational technology (OT) environments, particularly within vital sectors like water treatment, energy, and government facilities.
The advisory, designated AA26-097A, underscores the severity of this persistent threat, which extends beyond U.S. borders. The implicated threat actors are associated with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and operate under various known aliases, including CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691.
This latest campaign, which has been active since at least March 2026, represents a significant escalation. It follows a series of attacks in November 2023 where the same group compromised at least 75 Unitronics PLCs in U.S. water and wastewater facilities, as detailed in CISA advisory AA23-335A. The current focus on Rockwell devices indicates a broadening of the group’s targeting strategy.
Global Exposure of Rockwell PLCs
Censys researchers have identified 5,219 internet-exposed hosts worldwide that communicate via EtherNet/IP (EIP) on port 44818 and are identified as Rockwell Automation/Allen-Bradley devices. This figure represents the full scope of the attack surface relevant to the recent advisory. A significant majority of this exposure, 74.6% or 3,891 hosts, is located within the United States. Other nations with notable exposure include Spain (110 hosts), Taiwan (78), and Italy (73).
The alarming aspect of this campaign is that the threat actors are not relying on zero-day exploits. Instead, they are exploiting legitimate functionalities by using Rockwell’s own Studio 5000 Logix Designer engineering software to directly access internet-facing PLCs. This method allows them to read and modify project files and manipulate Human-Machine Interface (HMI)/SCADA display screens, making their activities more difficult to detect. Confirmed targeted device families include CompactLogix and Micro850. Furthermore, active probing of other OT protocols such as Modbus (port 502) and S7 (port 102) suggests that the group may be expanding its targeting to include multiple vendor platforms.
A substantial portion of these exposed devices, 49.1% globally, sit behind Verizon Business cellular modems, with AT&T Mobility accounting for an additional 13.3%. Many of these PLCs are deployed in field locations such as pump stations, electrical substations, and municipal facilities, and are connected to the internet through cellular modems rather than more secure network links. The prevalence of consumer and mobile carrier networks, rather than dedicated industrial ASNs, highlights a pervasive and often overlooked deployment risk that demands immediate attention.
Expanded Attack Surface: Co-Exposed Services and IOC Analysis
Beyond the direct EIP exposure, Censys’s comprehensive protocol enumeration across the 5,219 vulnerable hosts uncovered significant co-exposed services, further widening the potential attack surface. VNC services were detected on 771 instances, providing attackers with direct remote desktop access to HMI workstations. Additionally, Telnet was found on 280 hosts and Modbus on 292, both presenting unprotected entry points consistent with the attack behaviors described in advisory AA26-097A.
In terms of Indicators of Compromise (IOCs), Censys’s analysis of the published indicators revealed that CISA’s seven 185.82.73.x IP addresses actually resolve to a single multi-homed Windows engineering workstation running the full Rockwell toolchain, rather than seven distinct machines. The researchers also identified four additional operator IPs on the same host that were not included in the advisory. Furthermore, a separate staging server at 135.136.1.133 was provisioned in February 2026, activated for a precise four-day window in mid-March, and subsequently abandoned.
What You Should Do
- Immediately remove Rockwell/Allen-Bradley PLCs from direct internet exposure.
- For CompactLogix and MicroLogix devices, set the physical mode switch to the RUN position, as this cannot be overridden remotely.
- Disable VNC, Telnet, and FTP services on any host co-located with a PLC.
- Implement multi-factor authentication (MFA) for all remote operational technology (OT) access.
- Audit MicroLogix 1400 deployments running end-of-sale firmware versions C/21.02 and C/21.07 for potential vulnerabilities.
- Review all inbound traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IPs, including the newly identified addresses: 185.82.73.160, 185.82.73.161, 185.82.73.163, and 185.82.73.166.
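The last recommendation, reviewing inbound traffic on the listed TCP ports from the known operator addresses, is the one a SOC can script directly. The following is an added illustration, not code from Censys, CISA or HackersRadar: it parses constructed iptables-style firewall log lines, flags any record whose destination port is one of 44818, 2222, 102, 502 or 22, and grades it by source. The operator addresses come from this page (the four newly identified 185.82.73.x hosts and the 135.136.1.133 staging server); the advisory's own seven 185.82.73.x addresses are not reproduced here, so a placeholder marks where they would be added. The log format, the internal address ranges and every sample line are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Ports the write-up says to review inbound traffic on, with the service each carries.
WATCHED_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP I/O)",
    102: "S7comm",
    502: "Modbus/TCP",
    22: "SSH",
}

# Operator addresses named in the write-up. The advisory AA26-097A lists seven further
# 185.82.73.x addresses that are not on this page; add them from the advisory:
#   <ADVISORY_OPERATOR_IP_1> ... <ADVISORY_OPERATOR_IP_7>
OPERATOR_IPS = {
    ipaddress.ip_address(a)
    for a in ("185.82.73.160", "185.82.73.161", "185.82.73.163",
              "185.82.73.166", "135.136.1.133")
}

# Assumption: the plant/OT network uses RFC 1918 space; anything else is "internet".
# (Checked explicitly rather than via ip_address.is_private, which also treats the
# documentation ranges used in the sample log below as non-global.)
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed iptables-style firewall records; not real traffic.
SAMPLE_LOG = """\
2026-03-15T10:02:11Z FW IN=eth0 SRC=185.82.73.160 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=44818
2026-03-15T10:02:13Z FW IN=eth0 SRC=135.136.1.133 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=502
2026-03-15T10:05:40Z FW IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=44818
2026-03-15T10:06:02Z FW IN=eth0 SRC=10.20.0.5 DST=10.20.0.9 PROTO=TCP SPT=49152 DPT=44818
2026-03-15T10:07:19Z FW IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=443
2026-03-15T10:08:00Z FW IN=eth0 SRC=185.82.73.163 DST=203.0.113.10 PROTO=TCP SPT=33002 DPT=22
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Map one record to (severity, reason); severity None means nothing to report."""
    port = event["dport"]
    if port not in WATCHED_PORTS:
        return None, ""
    service = WATCHED_PORTS[port]
    src, dst = event["src"], event["dst"]
    if src in OPERATOR_IPS:
        return "critical", f"known operator IP {src} -> {service} on {dst}"
    if not is_internal(src):
        # Any internet source reaching an OT port means the device is directly exposed.
        return "high", f"internet source {src} reached {service} on {dst}"
    return "info", f"internal source {src} -> {service} on {dst}"


def triage(log_text):
    """Parse a log and return the list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sev, reason = classify(ev)
        if sev:
            findings.append({"ts": ev["ts"], "severity": sev, "src": str(ev["src"]),
                             "dport": ev["dport"], "reason": reason})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 3, 'high': 1, 'info': 1}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} [{f['severity'].upper():8}] {f['reason']}")
    print(summarize(results))
```

On the constructed sample the script reports three critical hits (two operator IPs on EtherNet/IP and Modbus, one on SSH), one high hit (a non-operator internet source reaching port 44818, which by itself shows the PLC is still directly exposed), and one informational internal record; the HTTPS connection and the malformed line produce nothing. The "high" tier is the one to watch after the operator list is applied: it is the exposure measurement the first recommendation asks sites to drive to zero.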
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.