Nation-state | Apr 9, 2026

Iranian attacks on US critical infrastructure put 3,900 devices in crosshairs

Iranian state-backed attackers target 3,900+ US critical infrastructure devices via exposed Rockwell Automation PLCs.

Summary

Censys researchers identified over 5,200 internet-exposed Rockwell Automation/Allen-Bradley programmable logic controllers vulnerable to Iranian government cyber attacks, with nearly 3,900 deployed across US energy, water, and government facilities. The attacks, ongoing since March, exploited industrial automation devices primarily connected via cellular networks (Verizon and AT&T), with many running end-of-life software. Federal agencies (FBI, NSA, CISA, EPA, DoE, USCYBERCOM) issued joint alerts warning of active exploitation and financial losses to victims.

Full text

The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday. Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States.

The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.

Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said. The operational technology devices are deployed across the energy sector, water and wastewater systems, and U.S. government services and facilities.

Censys scans spotted 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the joint alert was issued by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and U.S. Cyber Command.

Researchers at Censys determined most of the exposed devices are connected via cellular systems, posing a significant risk to remote field deployments. Nearly half of the devices globally are connected to Verizon’s wireless network and 13% are connected to AT&T’s infrastructure. “These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path,” Censys researchers wrote in the report.
The potential attack surface is also amplified by additional services exposed on other ports of these devices, a finding that Censys warned could give attackers direct paths into operations beyond PLC exploitation. Researchers fingerprinted the MicroLogix and CompactLogix models exposed to the latest threat campaign and published a list of the 15 most-exposed products. Many of the most prominent devices are running end-of-life software, a compounding risk: attackers scanning for targets could prioritize these unpatched devices, according to Censys.

The attacks date back to at least March, following the U.S. and Israel’s war against Iran, and were underway as other Iranian government-backed attackers claimed other victims, including Stryker and local governments.

Indicators of Compromise

  • mitre_attack — T0849 - Modify Controller Tasking
  • mitre_attack — T0801 - Activate Firmware Update Mode

Entities

  • Rockwell Automation (vendor)
  • Allen-Bradley PLC (product)
  • MicroLogix (product)
  • CompactLogix (product)
  • Iranian government (threat_actor)
  • Censys (vendor)