
Iran-Backed Threat Actors Target US Critical National Infrastructure Providers Through Internet-Facing OT


Iranian Hackers Target US Critical Infrastructure Providers

In a worrying development in cybersecurity, the US government has disclosed that Iranian-affiliated hackers have been attacking critical national infrastructure (CNI) providers since last month. This wave of attacks is reportedly causing operational disruptions and financial losses across various sectors. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on April 7, indicating that the threat actors are specifically targeting internet-facing operational technology (OT) assets. Notably, these include programmable logic controllers (PLCs) manufactured by Rockwell Automation and Allen-Bradley.

The sectors primarily affected by these cyber incursions include government services and facilities—such as local municipalities—water and wastewater systems (WWS), and energy sectors. The CISA advisory urges US organizations to take immediate action by reviewing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) detailed in the advisory. This proactive measure is essential for identifying any current or historical malicious activity within their networks. The advisory emphasizes that these PLCs are widely used in various critical infrastructures and highlights the potential for further targeting of other OT devices.

The advisory further explains that malicious interactions within project files have been recorded, alongside manipulations of the data displayed on Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems. These PLCs play a crucial role in managing diverse industrial processes, heightening the stakes of this attack series.

To carry out their incursions, the hackers use configuration software such as Rockwell Automation’s Studio 5000 Logix Designer, which allows them to establish what is termed an “accepted connection” to targeted PLCs from overseas IP addresses and third-party hosted infrastructure. The incoming malicious traffic is known to target specific ports, namely 44818, 2222, 102, 22, and 502. Notably, the attacks on port 22 involve deploying Dropbear Secure Shell (SSH) software on compromised endpoints, enabling unauthorized remote access.

Recommended Actions for CNI Providers

In light of these alarming developments, the advisory underscores a series of protective measures that CNI firms should undertake:

  1. Utilize Secure Gateways: Providers are urged to employ secure gateways and firewalls to shield their PLCs from direct exposure to the internet.

  2. Examine Log Data: Organizations should meticulously query their available logs for the IOCs specified in the advisory.

  3. Monitor Traffic: A close check on logs for suspicious traffic, particularly from overseas, is recommended, especially on ports associated with OT devices.

  4. Set Physical Mode Switches: It is advised that organizations place the physical mode switch on Rockwell Automation controllers into the "run" position and seek guidance from CISA, FBI, NSA, or other relevant agencies if they suspect they have already been compromised.
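Steps 2 and 3 above, together with the port list from the advisory, amount to a simple log triage: find connections that reached an OT port from a source that is neither an engineering host nor otherwise expected, and check those sources against the IOC list. The following Python script is an added example written for this article, not code from CISA or from Rockwell Automation. It assumes a key=value firewall log format, an allowlist of internal engineering subnets, and a placeholder IOC list; the log lines and IOC addresses are constructed for the example, and the real IOCs must come from the advisory itself. The service labels for the ports are the standard associations for those port numbers.

```python
"""Triage constructed firewall logs for the OT ports named in the advisory.

Added example, not from the CISA advisory or the article. The log format,
the allowlist, and the IOC addresses are assumptions made for illustration.
"""
import ipaddress
from collections import Counter

# Ports called out in the advisory, labelled with the service usually bound
# to each one (standard associations, not taken from the advisory text).
OT_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (I/O)",
    102: "S7comm",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumed: the only source ranges that should legitimately reach the OT zone
# (an engineering workstation subnet and one jump host).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.10/32"),
]

# Placeholder IOC addresses constructed for the example. In practice this set
# is populated from the advisory's indicator list.
IOC_ADDRESSES = {"203.0.113.45", "198.51.100.7"}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2025-04-07T02:11:09Z action=allow proto=tcp src=203.0.113.45 spt=51234 dst=10.30.1.15 dpt=44818
ts=2025-04-07T02:11:10Z action=allow proto=tcp src=10.20.0.14 spt=40021 dst=10.30.1.15 dpt=44818
ts=2025-04-07T02:12:55Z action=allow proto=tcp src=198.51.100.7 spt=33910 dst=10.30.1.20 dpt=22
ts=2025-04-07T02:13:01Z action=deny proto=tcp src=203.0.113.45 spt=51240 dst=10.30.1.21 dpt=502
ts=2025-04-07T02:14:30Z action=allow proto=tcp src=10.20.0.14 spt=40022 dst=10.30.1.22 dpt=443
ts=2025-04-07T02:15:02Z action=allow proto=tcp src=192.0.2.88 spt=60001 dst=10.30.1.15 dpt=2222
"""


def parse_line(line):
    """Turn one key=value log line into a dict; the destination port becomes an int."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["dpt"] = int(fields["dpt"])
    return fields


def is_allowed_source(src):
    """True when the source address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def triage(log_text):
    """Return findings for connections that hit an OT port from an unexpected source.

    Each finding records the service, the source, whether the source is a known
    IOC, and whether the firewall actually let the connection through. An allowed
    connection from an IOC address is a compromise candidate; a denied one is a
    blocked probe and still worth knowing about.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dpt"] not in OT_PORTS:
            continue
        if is_allowed_source(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "service": OT_PORTS[rec["dpt"]],
            "ioc_match": rec["src"] in IOC_ADDRESSES,
            "allowed": rec["action"] == "allow",
        })
    return findings


def summarize(findings):
    """Count, per destination PLC, the findings that are both allowed and IOC matches."""
    return Counter(f["dst"] for f in findings if f["allowed"] and f["ioc_match"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "IOC" if f["ioc_match"] else "unknown-src"
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['service']} [{flag}] allowed={f['allowed']}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The allowlist check is what keeps the output usable: on a real network, engineering workstations talk to PLCs on port 44818 all day, so the interesting events are the ones from addresses that have no business in the control zone at all. Findings with `allowed=True` against a destination deserve the follow-up the advisory describes, including a check of the controller's project file and mode switch.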

This recent campaign follows another major attack during March, dubbed the Handala attack, which targeted the US medical technology firm Stryker, resulting in the wiping of tens of thousands of devices. Additionally, it echoes a similar campaign from earlier this year when Iran’s Islamic Revolutionary Guard Corps (IRGC) breached US water plants that utilized PLCs manufactured by Israeli firm Unitronics.

Expert Insights

Industry experts have voiced their concerns over this evolving threat landscape. Ross Filipek, Chief Information Security Officer (CISO) at Corsica Technologies, stated that the ongoing campaign didn’t arise in isolation. He highlighted that historical incidents involving high-profile infrastructure breaches have illuminated two fundamental issues: the persistent availability of internet-reachable interfaces in operational technologies and the chaos that can ensue even from minor disruptions. According to him, every successful campaign not only raises the stakes but also lowers the barrier for future attacks, encouraging hackers to escalate their tactics from mere defacement to serious operational disruptions.

Steve Povolny, Vice President of AI strategy and security research at Exabeam, added that firms managing OT should brace for increased reconnaissance and credential harvesting during the ongoing conflicts between the US and Iran. He pointed out the visibility gaps between IT and OT systems as a significant vulnerability for critical infrastructure operators. Therefore, he recommends prioritizing passive network monitoring, enforcing strict segmentation between enterprise and control zones, and validating remote access pathways. Additionally, Povolny stressed the importance of incident response plans that account for the loss of control system integrity.

As the situation continues to evolve, the reality remains that the potential ramifications of these cyberattacks extend far beyond immediate operational impacts, threatening national security and public safety. The urgency for CNI providers to implement robust security measures has never been greater, as they strive to mitigate future risks in an increasingly hostile cyber landscape.
