Iran-linked hackers disrupt U.S. critical infrastructure by targeting PLCs exposed on the Internet

April 8, 2026

Iran-linked cyber attackers are targeting internet-connected operational technology (OT) devices across critical U.S. infrastructure, including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday.

“These attacks resulted in PLC degradation, display data manipulation, and in some cases business disruption and financial loss,” the Federal Bureau of Investigation (FBI) said in a post on X.

The agency said the campaign is part of a recent escalation of cyberattacks orchestrated by Iranian hacker groups against U.S. organizations in response to the ongoing conflict between Iran, the United States, and Israel.

Specifically, this activity disrupted PLCs across several U.S. critical infrastructure sectors through what the advisory describes as malicious interaction with project files and manipulation of data on human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) displays.

These attacks target Rockwell Automation and Allen Bradley PLCs deployed in government services and facilities, water and wastewater systems (WWS), and the energy sector.

“The attackers used leased third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an authorized connection to the victim’s PLC,” the advisory states. “Eligible devices include CompactLogix and Micro850 PLC devices.”

Once the attackers gained initial access, they established command and control by deploying Dropbear, a secure shell (SSH) software, to the victim’s endpoint, allowing remote access through port 22 and facilitating the extraction of the device’s project files and data manipulation on the HMI and SCADA displays.

To combat this threat, the agencies recommend that organizations not expose their PLCs to the Internet, prevent remote changes through physical or software mode switches, implement multi-factor authentication (MFA), place a firewall or network proxy in front of the PLC to control network access, keep PLC firmware and software up to date, disable unused authentication features, and monitor for anomalous traffic.
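The last two controls above (front the PLC with a firewall and watch for anomalous traffic) can be checked with a small triage script like the following. It is an added example, not code from the advisory or from any of the vendors named here: it scans constructed flow records for connections from outside the organization's internal ranges to an assumed OT segment on the two services the article describes, the controller programming protocol used by Studio 5000 sessions (EtherNet/IP, whose standard TCP port 44818 is assumed here) and the SSH port 22 that Dropbear listened on.

```python
"""Constructed example: flag external access to an OT segment over EtherNet/IP
or SSH. Subnet, port mapping and the sample flows are assumptions, not values
from the advisory."""
import ipaddress

OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # assumed PLC/HMI segment
# Ranges treated as internal; anything else is "external" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# 44818 is the standard EtherNet/IP (CIP) TCP port used by Logix controllers;
# 22 is the SSH port the article says the Dropbear implant exposed.
WATCHED_PORTS = {44818: "ethernet-ip", 22: "ssh"}


def is_external(addr):
    """True when a source address falls outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed 'ts src dst proto dport bytes' flow record."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def find_exposed_plc_access(lines):
    """Return (ts, src, dst, service) for external hits on OT watched ports."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if (f["dst"] in OT_SUBNET and f["dport"] in WATCHED_PORTS
                and is_external(f["src"])):
            alerts.append((f["ts"], str(f["src"]), str(f["dst"]),
                           WATCHED_PORTS[f["dport"]]))
    return alerts


# Constructed flows: an engineering workstation talking to a PLC (benign),
# then an outside host reaching the same PLC on EtherNet/IP and later SSH.
SAMPLE_FLOWS = """\
2026-04-07T02:11:09Z 10.20.0.50 10.20.0.10 tcp 44818 4096
2026-04-07T02:14:31Z 203.0.113.77 10.20.0.10 tcp 44818 91234
2026-04-07T02:19:02Z 203.0.113.77 10.20.0.10 tcp 22 15300
2026-04-07T02:20:45Z 10.20.0.50 10.20.0.11 tcp 80 512
""".splitlines()

if __name__ == "__main__":
    for alert in find_exposed_plc_access(SAMPLE_FLOWS):
        print("ALERT external->OT", alert)
```

Any hit from this check means the PLC is reachable from outside the perimeter and the first control in the list above has already failed; an SSH hit on a controller that should never run an SSH service is the stronger signal of the post-access activity described in the article.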

This is not the first time Iranian attackers have targeted OT networks and PLCs. In late 2023, Cyber Av3ngers (aka Hydro Kitten, Shahid Kaveh Group, UNC5691) was found to be actively exploiting Unitronics PLCs, targeting the Aliquippa City Water District in western Pennsylvania. These attacks resulted in at least 75 devices being compromised.

“This advisory confirms what we’ve been observing for months: Iranian cyber escalation is following a known strategy: Iranian threat actors are now moving faster and more broadly, targeting both IT and OT infrastructure,” Sergey Shkevich, threat intelligence group manager at Check Point Research, said in a statement shared with Hacker News.

“We documented an identical targeting pattern against Israeli PLCs in March. This is not the first time Iranian attackers have targeted U.S. operational technology for the purpose of disruption, so organizations should treat this as an accelerating threat, not a new threat.”

The development comes amid a new surge in distributed denial-of-service (DDoS) attacks and newly confirmed claims of hack-and-leak operations targeting Western and Israeli organizations by cyber proxy groups and hacktivists, according to Flashpoint.

In a report released this week, DomainTools Investigations (DTI) described the operations by Homeland Justice, Karma/KarmaBelow80, and Handala Hack as a “single, coordinated cyber impact ecosystem” aligned with Iran’s Ministry of Intelligence and Security (MOIS), rather than a series of separate hacktivist groups.

“These personas serve as interchangeable operational veneers that apply consistent underlying functionality,” DTI said. “The goal is not to reflect organizational separation, but to enable disaggregation of messaging, targeting, and attribution while maintaining continuity of infrastructure and tradecraft.”

Public domains and Telegram channels serve as key spread and amplification hubs, and messaging platforms also play a large role in command and control (C2) operations by allowing malware to communicate with threat actor-controlled bots, reducing infrastructure overhead and blending into normal operations.

“This ecosystem represents a state-driven means of cyber-enabled influence, where technological manipulation is tightly integrated with narrative manipulation and media amplification dynamics to achieve coercive and strategic effects,” DTI added.

MuddyWater as a CastleRAT Affiliate

This development comes as JUMPSEC detailed MuddyWater’s ties to the criminal ecosystem and said Iranian state-sponsored threat actors operate at least two CastleRAT builds targeting Israel. It is worth noting that CastleRAT is a remote access Trojan that is part of the CastleLoader framework, and that Recorded Future has identified it as belonging to a group it tracks under the name GrayBravo (also known as TAG-150).

At the heart of the operation is a PowerShell deployer (‘reset.ps1’) that deploys previously undocumented JavaScript-based malware called ChainShell. The malware connects to a smart contract on the Ethereum blockchain to obtain a C2 address and uses it to fetch and execute the next stage JavaScript code on the compromised host.

Some aspects of these connections between MOIS and the cybercrime ecosystem have also been reported by Ctrl-Alt-Intel, Broadcom, and Check Point, highlighting increased engagement as evidence of increased reliance on off-the-shelf tools to support national goals and complicate attribution efforts.

The same PowerShell loader was also found to deliver botnet malware called Tsundere (also known as Dindoor). According to JUMPSEC, ChainShell and Tsundere are both separate TAG-150 platform components that are deployed alongside CastleRAT.

“The introduction of Russian criminal MaaS by Iranian state actors has direct implications for defense,” JUMPSEC said in a report shared with Hacker News. “Organizations targeted by MuddyWater, particularly in the defense, aerospace, energy, and government sectors, now face a combination of nation-state targets and commercially developed attack tools.”
