The Cybersecurity and Infrastructure Security Agency (CISA) on April 7 issued a public advisory warning of cyberthreats to American critical infrastructure sectors from Iran-affiliated threat actors.
The agency joined the National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF) in warning that Iranian hackers were exploiting programmable logic controllers (PLCs) and other internet-facing operational technology (OT) devices, including those made by Rockwell Automation/Allen-Bradley.
According to CISA, the activity led to PLC disruptions across several U.S. critical infrastructure sectors, resulting in “operational disruption and financial loss.” The targeted devices spanned multiple sectors, including government services and facilities (such as local municipalities), water and wastewater systems, and energy.
The agency recommended that U.S. organizations review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in the advisory for signs of current or historical activity on their networks. The alert also gave mitigation recommendations, including disconnecting PLCs from the public-facing internet, placing the physical mode switch into the run position to prevent remote modification, and enabling programming protection in the PLC configuration software to limit who can modify PLCs remotely. CISA further recommended creating and testing strong backups of PLC logic and configurations, storing the backup files offline, and physically securing the removable media that holds them.
The agencies said similar campaigns had previously been discovered, beginning in November 2023, from Islamic Revolutionary Guard Corps (IRGC) cyber threat actors known as “CyberAv3ngers.” Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group.
Those prior attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLCs with a human-machine interface (HMI) used across multiple critical infrastructure sectors, including water and wastewater systems.
