Iranian Cyber Attacks Target U.S. Critical Infrastructure via Internet-Exposed PLCs, Disrupt Operations

In a significant escalation of cyber warfare, Iranian-affiliated hackers have been targeting internet-facing operational technology (OT) devices within critical U.S. infrastructure sectors. These attacks have primarily focused on programmable logic controllers (PLCs), leading to operational disruptions and financial losses.

The U.S. Federal Bureau of Investigation (FBI) has reported that these cyber intrusions have resulted in diminished PLC functionality and manipulation of display data. This campaign is part of a broader increase in cyber attacks orchestrated by Iranian hacking groups against U.S. organizations, coinciding with ongoing geopolitical tensions involving Iran, the U.S., and Israel.

Targeted Sectors and Methods

The attacks have specifically targeted Rockwell Automation and Allen-Bradley PLCs deployed across various sectors, including government services, water and wastewater systems, and the energy sector. The cyber actors used leased, third-party hosted infrastructure running configuration software such as Rockwell Automation’s Studio 5000 Logix Designer to open connections that the victims’ internet-facing PLCs accepted. The primary targets have been CompactLogix and Micro850 PLC devices.

Upon gaining initial access, the attackers deployed Dropbear, a lightweight Secure Shell (SSH) server, on victim endpoints. This allowed them to establish command-and-control channels over TCP port 22, facilitating the extraction of project files and the manipulation of data shown on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.

Recommended Mitigation Strategies

To counteract these threats, organizations are advised to implement several security measures:

– Avoid Internet Exposure: Ensure that PLCs are not directly accessible from the internet.

– Prevent Remote Modifications: Utilize physical or software switches to disable remote modifications.

– Implement Multi-Factor Authentication (MFA): Enhance access security by requiring multiple forms of verification.

– Deploy Firewalls or Network Proxies: Control network access to PLCs by placing them behind firewalls or proxies.

– Regular Updates: Keep PLC devices updated with the latest firmware and security patches.

– Disable Unused Authentication Features: Turn off any authentication features that are not in use to reduce potential attack vectors.

– Monitor Network Traffic: Continuously monitor for unusual or suspicious network activity.
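The first, fourth and last of these recommendations can be checked against firewall logs. The following is an added example, not code from the article or from any vendor: it scans a constructed key=value firewall log for two conditions the article describes, an address outside the plant LAN reaching a PLC over EtherNet/IP (TCP 44818, the protocol Studio 5000 uses to talk to Logix controllers) and any SSH (TCP 22) traffic to or from a PLC, which is where Dropbear would appear. The PLC inventory, the plant LAN range and the log format are assumptions.

```python
# Added example (not from the article or any vendor). The plant LAN range,
# the PLC inventory and the key=value log format are constructed assumptions.
import ipaddress
from typing import Optional

PLANT_LAN = ipaddress.ip_network("10.20.30.0/24")          # constructed
PLC_HOSTS = {"10.20.30.11", "10.20.30.12"}                  # constructed inventory
WATCH_PORTS = {44818: "ethernet-ip", 22: "ssh"}             # CIP/EtherNet-IP and SSH

def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in PLANT_LAN

def parse_line(line: str) -> dict:
    """Parse 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec: dict) -> Optional[str]:
    """Return an alert label for one record, or None if it is benign."""
    src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
    service = WATCH_PORTS.get(dport)
    if service is None:
        return None
    # An external peer reaching a PLC over EtherNet/IP means the PLC is internet-exposed.
    if service == "ethernet-ip" and dst in PLC_HOSTS and not is_internal(src):
        return "internet-exposed-plc"
    # A controller should never speak SSH in either direction; treat it as possible Dropbear C2.
    if service == "ssh" and (dst in PLC_HOSTS or src in PLC_HOSTS):
        return "ssh-on-plc"
    return None

def scan(log_lines) -> list:
    """Return (label, 'src->dst:dport') for every suspicious record."""
    alerts = []
    for line in log_lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            alerts.append((label, f"{rec['src']}->{rec['dst']}:{rec['dport']}"))
    return alerts

# Constructed sample: a legitimate engineering session, an external CIP
# connection to a PLC, an SSH beacon from a PLC, and unrelated HTTPS traffic.
SAMPLE_LOG = [
    "ts=2024-06-01T10:00:01 src=10.20.30.5 dst=10.20.30.11 dport=44818 action=allow",
    "ts=2024-06-01T10:00:07 src=203.0.113.44 dst=10.20.30.11 dport=44818 action=allow",
    "ts=2024-06-01T10:01:12 src=10.20.30.11 dst=198.51.100.9 dport=22 action=allow",
    "ts=2024-06-01T10:02:00 src=10.20.30.5 dst=10.20.30.12 dport=443 action=allow",
]

if __name__ == "__main__":
    for label, flow in scan(SAMPLE_LOG):
        print(label, flow)
```

The allowlist is deliberately a plant LAN range rather than a generic private-address test, so that an engineering workstation on a different internal segment is also flagged and has to be added explicitly.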

Historical Context and Escalation

This is not the first instance of Iranian threat actors targeting OT networks and PLCs. In late 2023, a group known as Cyber Av3ngers (also referred to as Hydro Kitten, Shahid Kaveh Group, and UNC5691) was linked to the exploitation of Unitronics PLCs, affecting the Municipal Water Authority of Aliquippa in western Pennsylvania. These attacks compromised at least 75 devices.

Sergey Shykevich, threat intelligence group manager at Check Point Research, noted that Iranian cyber activities are accelerating, targeting both IT and OT infrastructures. Similar targeting patterns were observed against Israeli PLCs in March, indicating a broader strategy of disruption.

Broader Cyber Threat Landscape

The current developments occur amid a surge in distributed denial-of-service (DDoS) attacks and hack-and-leak operations conducted by cyber proxy groups and hacktivists targeting Western and Israeli entities. According to Flashpoint, groups such as Homeland Justice, Karma/KarmaBelow80, and Handala Hack are part of a coordinated cyber influence ecosystem aligned with Iran’s Ministry of Intelligence and Security (MOIS).

These groups utilize public-facing domains and Telegram channels for dissemination and amplification, with the messaging platform also serving as a command-and-control (C2) hub. This integration of technical operations with narrative manipulation aims to achieve strategic effects.

MuddyWater’s Involvement

Further complicating the cyber threat landscape, the Iranian state-sponsored group MuddyWater has been linked to the deployment of CastleRAT builds against Israeli targets. MuddyWater operates within the CastleLoader framework, which includes a PowerShell deployer (reset.ps1) that installs a previously undocumented JavaScript-based malware called ChainShell. ChainShell contacts an Ethereum blockchain smart contract to retrieve a C2 address, facilitating the execution of additional JavaScript code on compromised hosts.

This adoption of Russian criminal malware-as-a-service (MaaS) by an Iranian state actor underscores the evolving nature of cyber threats, combining state-level targeting with commercially developed offensive tools.

Conclusion

The recent cyber attacks attributed to Iranian-affiliated actors highlight the increasing sophistication and coordination of state-sponsored cyber operations targeting U.S. critical infrastructure. Organizations must remain vigilant, implementing robust security measures to protect against these evolving threats.