CyberSecurity SEE

Iran-Linked Hackers Target U.S. Critical Infrastructure Through Exposed Industrial Controllers


What’s Happening?

U.S. cybersecurity and intelligence agencies, including the FBI and CISA, have issued a formal warning confirming that Iranian-affiliated threat actors are actively targeting internet-facing Operational Technology (OT) devices, specifically Programmable Logic Controllers (PLCs), deployed across critical infrastructure sectors in the United States.

The consequences are real and already documented: degraded PLC functionality, falsified readings on industrial control screens, operational disruptions, and in some cases, direct financial losses.

Who Is Being Targeted and How?

The attacks are focused on Rockwell Automation and Allen-Bradley PLC devices, particularly CompactLogix and Micro850 models. The targeted sectors include:

  • Government services and facilities
  • Water and Wastewater Systems (WWS)
  • Energy infrastructure

The intrusions followed a consistent pattern. The threat actors leveraged third-party hosted infrastructure combined with legitimate engineering software, specifically Rockwell Automation’s Studio 5000 Logix Designer, to establish what appeared to be a trusted connection to the victim’s PLC. Once inside, they deployed Dropbear, a lightweight SSH server, over TCP port 22 to maintain persistent remote access. From there, they extracted device project files and manipulated the data displayed on HMI (Human-Machine Interface) and SCADA dashboards, the screens operators rely on to monitor and control industrial processes.

The Broader Context: An Escalating Campaign

This is not an isolated incident. Intelligence agencies characterize this activity as part of a deliberate escalation by Iranian hacking groups in response to the ongoing geopolitical tensions between Iran, the U.S., and Israel.

It is also not the first time Iranian actors have struck industrial control systems on American soil. Back in late 2023, the group Cyber Av3ngers (also tracked as Hydro Kitten, Shahid Kaveh Group, and UNC5691) breached Unitronics PLCs at the Municipal Water Authority of Aliquippa in Pennsylvania, compromising at least 75 devices.

Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, put it plainly: “Iranian cyber actors are now moving faster and hitting broader targets, both IT and OT infrastructure, and organizations should treat this not as a new threat, but as an accelerating one.” Identical targeting patterns were documented against Israeli PLCs just weeks prior.

The Influence Layer: More Than Just Hacking

Beyond the technical intrusions, researchers at DomainTools Investigations (DTI) have published findings connecting several seemingly independent hacktivist groups (Homeland Justice, Karma/KarmaBelow80, and Handala Hack) into a single, coordinated influence ecosystem aligned with Iran’s Ministry of Intelligence and Security (MOIS).

These groups are not truly separate organizations. Rather, they function as interchangeable operational identities applied over a shared underlying capability used to segment messaging, vary attribution, and amplify narratives through public-facing websites and Telegram channels. Telegram serves a dual purpose: public-facing propaganda and actual command-and-control (C2) communication with deployed malware.

MuddyWater and the CastleRAT Connection

In a related development, security firm JUMPSEC has published research linking the Iranian state-sponsored group MuddyWater to at least two builds of CastleRAT, a remote access trojan deployed against Israeli targets.

The attack chain begins with a PowerShell deployer that installs a previously undocumented JavaScript-based malware called ChainShell. This malware then queries an Ethereum blockchain smart contract to retrieve its command-and-control address, an unconventional technique designed to evade detection and takedown of static C2 infrastructure. From there, it pulls down additional JavaScript payloads for execution on compromised hosts.

Alongside ChainShell, the same loader also deploys a botnet malware called Tsundere (also known as Dindoor). Both are components of the broader TAG-150 platform, which MuddyWater appears to have adopted from the Russian criminal ecosystem, a significant development that complicates attribution and blends state-directed operations with commercially available offensive tooling.

What Should Organizations Do?

Agencies and security researchers recommend the following defensive measures for any organization operating PLCs or OT systems:

  1. Do not expose PLCs to the public internet; if any are currently reachable, take them offline or restrict access immediately
  2. Prevent remote modification via a physical key switch or software configuration
  3. Enforce multi-factor authentication (MFA) on all OT management interfaces
  4. Deploy a firewall or network proxy in front of PLC devices to control inbound/outbound traffic
  5. Keep firmware and software up to date on all industrial control devices
  6. Disable unused authentication features that could serve as an entry point
  7. Monitor for anomalous traffic, particularly unexpected SSH connections or unusual outbound communication
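Item 7 is the one that can be turned directly into detection logic. The following script is an added example, not code from the advisory or from any of the vendors named above: it scans a constructed firewall/netflow log for two patterns that match the activity described here, namely connections to PLC hosts on SSH (TCP 22, where Dropbear was deployed) or on EtherNet/IP (TCP 44818, the port Logix-family controllers use for engineering-software sessions; not mentioned on the page) from anything other than an allowlisted engineering workstation, and PLCs initiating connections to external addresses. The log format, the PLC subnet, the allowlisted engineering host, and all sample lines are assumptions constructed for the example.

```python
"""Flag suspicious connections involving PLC hosts in a firewall/netflow log.

Added illustrative example, not from the advisory. Assumes a simple
space-separated log format constructed here:
    <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
The PLC subnet, the engineering-workstation allowlist and the internal
address ranges are placeholders for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed assumptions: where the PLCs live, which host may legitimately
# reach them (e.g. the workstation running Studio 5000), and what counts as
# "internal" for this site.
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.10.5")}
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Ports worth watching: SSH (the advisory mentions Dropbear on 22) and
# EtherNet/IP (TCP 44818), used by Logix-family controllers (assumption).
WATCHED_PORTS = {22: "ssh", 44818: "ethernet/ip"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<action>\w+)$"
)


@dataclass
class Finding:
    timestamp: str
    severity: str
    reason: str
    src: str
    dst: str


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a Finding if the record looks suspicious, else None."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    dport = int(rec["dport"])

    # Inbound to a PLC on a watched port from anything other than the
    # allowlisted engineering host: the pattern the advisory describes
    # (Studio 5000 sessions and SSH from third-party infrastructure).
    if dst in PLC_SUBNET and dport in WATCHED_PORTS and src not in ALLOWED_ENGINEERING_HOSTS:
        severity = "medium" if is_internal(src) else "high"
        return Finding(rec["ts"], severity,
                       f"unexpected {WATCHED_PORTS[dport]} to PLC", str(src), str(dst))
    # A PLC should never initiate a connection to a public address.
    if src in PLC_SUBNET and not is_internal(dst):
        return Finding(rec["ts"], "high",
                       "PLC initiated connection to public address", str(src), str(dst))
    return None


def scan(lines):
    """Run classify() over allowed records only; blocked traffic is already handled."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"].lower() != "allow":
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log; none of this is real traffic.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z tcp 10.20.10.5:51234 -> 10.20.30.7:44818 allow",    # engineering WS, expected
    "2025-01-01T10:01:00Z tcp 203.0.113.45:40001 -> 10.20.30.7:44818 allow",  # external to PLC: alert
    "2025-01-01T10:02:00Z tcp 203.0.113.45:40002 -> 10.20.30.7:22 allow",     # SSH to PLC: alert
    "2025-01-01T10:03:00Z tcp 10.20.30.7:22 -> 198.51.100.9:443 allow",       # PLC calling out: alert
    "2025-01-01T10:04:00Z tcp 10.20.30.7:5500 -> 10.20.10.5:53 allow",        # internal DNS, fine
    "2025-01-01T10:05:00Z tcp 192.0.2.10:40003 -> 10.20.30.7:22 deny",        # already blocked, skipped
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.src} -> {f.dst}: {f.reason}")
```

Run against the sample log it reports three findings: the external EtherNet/IP session, the external SSH session, and the PLC's own outbound connection. The allowlist is deliberately tiny; in practice it would be the engineering workstations and jump hosts that item 4's firewall already permits, so the script doubles as a check that the firewall policy is actually being enforced.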

Key Takeaway

This campaign demonstrates that Iranian cyber operations have matured significantly, combining precise OT targeting, influence operations, blockchain-based evasion, and criminal-grade tooling under a coordinated state strategy. For organizations operating in critical infrastructure, the message from intelligence agencies is unambiguous: patch, isolate, and monitor before adversaries make the decision for you.
