FBI: Iran-Linked Attackers Targeting Critical Infrastructure OT Devices
The threat actors are ‘conducting exploitation activity’ targeting operational technology (OT) devices from manufacturers including Rockwell Automation, according to an advisory from the FBI and other agencies.
A cyberattack campaign linked to Iran is attempting to compromise U.S. critical infrastructure by targeting operational technology (OT) devices, according to an advisory Tuesday from the FBI and other federal agencies.
The advisory from the FBI, CISA, NSA and other agencies indicated that Iran-linked threat actors are “conducting exploitation activity” targeting internet-facing OT devices from manufacturers including Rockwell Automation.
The targeted devices include programmable logic controllers (PLCs) made by Rockwell Automation-owned Allen-Bradley, the advisory said.
The attacks from Iran-linked advanced persistent threat (APT) actors have “led to PLC disruptions across several U.S. critical infrastructure sectors,” the agencies said in the advisory.
The threat actors’ “malicious interactions” with project files and manipulation of data have led to “operational disruption and financial loss,” according to the advisory.
In a statement provided to CRN, Rockwell Automation said that it “takes seriously the security of its products and solutions and has been closely coordinating with government agencies in connection with the Joint Cybersecurity Advisory” released Tuesday.
Rockwell Automation also pointed to several of its own advisories, including recommendations released March 20 with guidance around disconnecting devices from the internet.
“Rockwell Automation has become aware of potential threat actor activity targeting Rockwell Automation controllers,” the company said in the March 20 advisory.
In the joint advisory issued Tuesday by the FBI and other agencies, recommendations included removing PLCs from direct internet exposure, querying logs for the IOCs (indicators of compromise) provided in the advisory, and placing the physical mode switch on Rockwell Automation controllers in the “run” position, which blocks remote program downloads and online edits to the controller.
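The first two recommendations above (checking whether PLCs are reachable from the internet and sweeping logs for the advisory's IOCs) lend themselves to a small detection script. The following is an added example written for this article; it is not code from the advisory, CISA or Rockwell Automation. The IOC addresses and log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, not the indicators the advisory lists, and the firewall log format is an assumption. The one fact it relies on is that Logix-class controllers speak EtherNet/IP (CIP) on TCP/44818 and UDP/2222, so an allowed session from outside the plant to one of those ports on a PLC is exactly the exposure the agencies say to remove.

```python
"""Sweep firewall-style logs for advisory IOCs and for PLC ports reachable from
outside the plant network. Added example: IOCs, addresses and log lines are
constructed placeholders, NOT the indicators from the joint advisory."""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder IOCs using RFC 5737 documentation addresses (assumption; replace
# with the advisory's actual indicator list).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Ports a Logix-class PLC listens on: 44818/TCP is EtherNet/IP (CIP) explicit
# messaging, 2222/UDP is CIP implicit (I/O) messaging.
PLC_PORTS = {44818, 2222}

# Address space that belongs to the plant; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed (constructed) log format:
#   "<ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str  # "ioc_match" or "internet_exposed_plc"


def is_internal(ip: str) -> bool:
    """True if the address falls inside the plant's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return one Finding per IOC hit and per allowed external session to a PLC port."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than mis-scored
        d = m.groupdict()
        dport = int(d["dport"])
        # Any traffic to or from an IOC, allowed or denied, is worth a ticket.
        if d["src"] in IOC_IPS or d["dst"] in IOC_IPS:
            findings.append(Finding(d["ts"], d["src"], d["dst"], dport, "ioc_match"))
        # An ALLOWed session from outside the plant to a PLC port means the
        # controller is reachable from the internet, the condition to remove.
        if d["action"] == "ALLOW" and dport in PLC_PORTS and not is_internal(d["src"]):
            findings.append(Finding(d["ts"], d["src"], d["dst"], dport, "internet_exposed_plc"))
    return findings


# Constructed sample log for the demonstration.
SAMPLE_LOG = """\
2024-05-21T02:14:07Z ALLOW TCP 203.0.113.45:51322 -> 10.20.30.5:44818
2024-05-21T02:14:09Z ALLOW TCP 192.168.10.8:49201 -> 10.20.30.5:44818
2024-05-21T02:15:00Z ALLOW TCP 192.0.2.77:40113 -> 10.20.30.99:443
2024-05-21T02:16:12Z DENY TCP 198.51.100.7:40001 -> 10.20.30.6:44818
2024-05-21T02:17:30Z ALLOW UDP 192.0.2.9:2222 -> 10.20.30.5:2222
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.reason:22} {f.src} -> {f.dst}:{f.dport}")
```

On the sample log this yields four findings: the first line produces both an IOC match and an exposure finding, the denied connection from the second IOC is still recorded (a blocked probe from a known actor is itself evidence worth keeping), and the allowed UDP/2222 session from an external source is flagged even though its source is not on the IOC list. The third recommendation, the physical mode switch, cannot be verified from logs at all; it is a walk-down item for the plant floor.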
Regarding the recent campaigns targeting U.S. critical infrastructure, the agencies assessed that Iran-linked APT actors are “conducting this activity to cause disruptive effects within the United States,” the advisory said. “The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors.”
The agencies noted that they had previously disclosed findings of “similar activity targeting PLCs” by CyberAv3ngers, also known as Shahid Kaveh Group, which is a threat actor “affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).”