Hacking Incidents - Critical

CISA Advisory AA26-097A: Iranian APT Actors Exploit Internet-Facing PLCs in US Critical Infrastructure

Wednesday, April 8, 2026
United States
CISA Advisory AA26-097A

Summary

CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued advisory AA26-097A warning that Iranian-affiliated APT actors are exploiting internet-facing Rockwell Automation/Allen-Bradley PLCs across US critical infrastructure. The intrusions have caused operational disruption and financial losses in the Government, Water/Wastewater, and Energy sectors. The campaign has escalated since March 2026 amid US-Iran-Israel geopolitical tensions.

Threat Analysis

On April 7, 2026, CISA and partner agencies released advisory AA26-097A documenting an active campaign by Iranian-affiliated APT actors against internet-exposed Operational Technology (OT) devices, specifically Rockwell Automation/Allen-Bradley CompactLogix and Micro850 PLCs. The actors use legitimate engineering software (Rockwell Automation Studio 5000 Logix Designer) to connect to publicly exposed PLCs over common OT ports: 44818/TCP (EtherNet/IP explicit messaging, the port Studio 5000 uses), 2222/UDP (EtherNet/IP implicit I/O), 102/TCP (ISO-TSAP, normally Siemens S7), 22/TCP (SSH) and 502/TCP (Modbus/TCP). The advisory describes no software vulnerability: the access path is the same engineering connection the vendor software uses on the plant floor, reachable only because the controllers were exposed to the internet. Once connected, the actors extract PLC project files and manipulate the data shown on HMI and SCADA displays, producing false process readings and operational disruption. For persistent remote access they deploy the Dropbear SSH server on victim endpoints.

This campaign is an evolution of the December 2023 CyberAv3ngers (IRGC-affiliated) campaign against Unitronics PLCs. Affected sectors include Government Services and Facilities, Water and Wastewater Systems, and Energy.

Mitigations:

- Immediately disconnect PLCs from the public internet and route all engineering access through secure gateways or VPNs with MFA.
- Place physical mode switches in the 'run' position. On Logix controllers the keyswitch in RUN rejects downloads and online edits; only the REM position allows Studio 5000 to change logic over the network, so a keyswitch left in REM is what makes remote manipulation possible.
- Create and test offline backups of PLC logic and configurations, so a tampered project can be compared against a known-good copy and restored.
- Block unnecessary OT ports (44818, 2222, 102, 22, 502) at the network perimeter.
- Review firewall, VPN and gateway logs for access from unfamiliar geographies; a project upload or download from an unexpected source address is a strong indicator of this activity.
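To see what an internet-facing CompactLogix gives away before any session or credential is involved, the following added example (written for this page, not code from CISA or Rockwell) builds an EtherNet/IP ListIdentity request for port 44818 and parses the reply, which names the vendor, device type, product and serial number. This is the first step a scanner or an actor takes against an exposed controller, and it doubles as an audit tool for your own perimeter ranges. The `probe` helper and the constructed sample reply (catalog string, product code, serial, IP 192.0.2.10) are this example's own assumptions, not data from the advisory.

```python
"""EtherNet/IP ListIdentity probe and parser (added example, not CISA or Rockwell code).

A ListIdentity request on port 44818 needs no session and no credentials; the
reply names the vendor, product and serial number. This is the first thing a
scanner, or the actor described above, learns about an internet-facing
CompactLogix. Run probe() against your own perimeter ranges to find exposed PLCs.
"""
import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063       # encapsulation command code
ITEM_CIP_IDENTITY = 0x000C       # CPF item type carrying the identity object
VENDOR_ROCKWELL = 0x0001         # CIP vendor ID: Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x000E         # CIP device type: Programmable Logic Controller
HEADER_FMT = "<HHIIQI"           # command, length, session, status, sender context, options


@dataclass
class Identity:
    ip: str
    port: int
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial: int
    product_name: str
    state: int


def build_list_identity() -> bytes:
    """24-byte encapsulation header with command 0x0063 and an empty payload."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(reply: bytes) -> list[Identity]:
    """Parse the CPF items in a ListIdentity reply into Identity records."""
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, reply, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected reply: cmd={cmd:#06x} status={status:#x}")
    body = reply[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off, found = 2, []
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != ITEM_CIP_IDENTITY:
            continue
        # bytes 0-1: encapsulation version (little-endian); bytes 2-17: sockaddr_in (big-endian)
        _family, port, addr = struct.unpack_from(">HHI", item, 2)
        vendor, dtype, pcode, rev_major, rev_minor, dev_status, serial = \
            struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]                                   # SHORT_STRING: length byte + chars
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        found.append(Identity(socket.inet_ntoa(struct.pack(">I", addr)), port, vendor, dtype,
                              pcode, f"{rev_major}.{rev_minor}", dev_status, serial, name, state))
    return found


def is_rockwell_plc(ident: Identity) -> bool:
    """True for the device class this advisory is about."""
    return ident.vendor_id == VENDOR_ROCKWELL and ident.device_type == DEVICE_TYPE_PLC


def probe(host: str, timeout: float = 2.0) -> list[Identity]:
    """Send ListIdentity over UDP/44818 to host and parse the reply (needs network; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity(data)


def build_sample_reply() -> bytes:
    """Constructed reply imitating a CompactLogix at 192.0.2.10; every value is made up."""
    name = b"1769-L33ER"
    item = struct.pack("<H", 1)                                         # encapsulation version
    item += struct.pack(">HHI", 2, ENIP_PORT, 0xC000020A) + bytes(8)    # AF_INET, port, 192.0.2.10, sin_zero
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x5A, 31, 11, 0x0030, 0x00C0FFEE)
    item += bytes([len(name)]) + name + b"\x03"                         # product name, state
    body = struct.pack("<H", 1) + struct.pack("<HH", ITEM_CIP_IDENTITY, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


if __name__ == "__main__":
    for ident in parse_list_identity(build_sample_reply()):
        flag = "EXPOSED ROCKWELL PLC" if is_rockwell_plc(ident) else "other device"
        print(f"{ident.ip}:{ident.port} {ident.product_name} rev {ident.revision} "
              f"serial {ident.serial:#010x} -> {flag}")
```

Any host in your public address space that answers this 24-byte datagram with a Rockwell identity item is reachable by Studio 5000 from anywhere and belongs behind a gateway immediately; the same request is what internet-wide scanners send, so the reply is effectively public.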

Last updated: Apr 8, 2026, 08:18 AM
