A recurring Iranian playbook: The advisory linked the current campaign to a pattern of Iranian state-affiliated targeting of US industrial control systems. The authoring agencies have previously reported similar activity by CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command, which compromised at least 75 Unitronics PLC devices across water, wastewater, and other critical infrastructure sectors beginning in November 2023.

The current activity is attributed to a separate, though related, group of Iranian-affiliated APT actors, the advisory said.

The authoring agencies assessed that the group is “conducting this activity to cause disruptive effects within the United States.” The advisory said the escalation is likely tied to ongoing US-Iran-Israel hostilities.

Ross Filipek, CISO at Corsica Technologies, said the consequences of even partial compromises extend well beyond individual victim organizations. “If a municipal utility goes down, suppliers, hospitals, and regional partners feel it,” he said. “Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance-level defacement into real operational interference.”
Indicators of compromise and recommended actions: The advisory listed eight IP addresses linked to the threat actors, active as far back as January 2025, along with downloadable indicators of compromise, and recommended organizations query their logs for any matching activity, particularly traffic on OT-associated ports originating from overseas hosting providers. “Ensure all access is mediated, monitored, and controlled,” the advisory said. For Rockwell Automation controllers with a physical mode switch, it is recommended to place the switch in run position to block remote modification.

The advisory also placed responsibility on device manufacturers, stating: “It is ultimately the responsibility of the device manufacturer to build products that are secure by design and default.” Hempel said that the principle needs to become an enforced baseline. “‘Secure by design’ needs to be enforced as a baseline expectation across the board,” she said.

Povolny said organizations should treat the advisory as an active warning, not a routine notification. “Adversaries are signaling intent, capability, and access patterns, and defenders should respond with the assumption that probing activity is already underway,” he said.
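The log check the advisory recommends, as an added example that is not code from the advisory, CISA, or the article: it walks connection records, drops internal sources, and flags traffic to OT-associated ports, raising priority for sources that match an indicator list or that a GeoIP/ASN lookup places at an overseas hosting provider. Everything in it is constructed: the indicator addresses are placeholders (the advisory's eight real IPs are in its IoC download and are not reproduced here), the enrichment table stands in for a real GeoIP/ASN database, the log format is made up, and the port table is an assumption about which OT protocols a given site exposes.

```python
"""Triage firewall logs for the check the advisory recommends: connections to
OT-associated ports from external hosts, with priority on sources that match
published indicators or sit at overseas hosting providers.

Added example; not code from the advisory, CISA, or csoonline.com. Every IP,
log line, and enrichment entry below is constructed. The advisory's eight real
indicator addresses are not reproduced here; load them from its IoC download."""

import ipaddress
from dataclasses import dataclass

# Assumption: these are the OT protocols exposed on this network. Adjust the
# table to the controllers and protocols actually deployed on site.
OT_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7comm",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP (Rockwell) explicit messaging",
    2222: "EtherNet/IP implicit I/O",
}

# Placeholder for the advisory's indicator list (constructed, not the real IoCs).
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed GeoIP/ASN enrichment: source IP -> (country code, is_hosting_provider).
# In production this comes from a GeoIP/ASN database or a threat-intel platform.
ENRICHMENT = {
    "203.0.113.10": ("XX", True),
    "198.51.100.77": ("XX", True),
    "192.0.2.55": ("XX", True),
}
HOME_COUNTRY = "US"

# Assumption: the site's internal ranges are RFC 1918. Internal-to-OT traffic is
# out of scope for this rule; a separate baseline rule should cover it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    protocol: str
    reasons: tuple


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse a constructed log line: '<ts> <action> src=<ip> dst=<ip> proto=tcp dport=<port>'.
    Returns (src, dst, dport), or None for lines that do not fit the format."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        src, dst, port = fields["src"], fields["dst"], int(fields["dport"])
        ipaddress.ip_address(src)  # validate; raises ValueError on garbage
        ipaddress.ip_address(dst)
    except (KeyError, ValueError):
        return None
    return src, dst, port


def classify(src, dst, port):
    """Return a Finding if the connection deserves analyst attention, else None."""
    if is_internal(src):
        return None
    reasons = []
    if src in IOC_IPS:
        # Any port: the advisory asks for a match on the indicators themselves.
        reasons.append("matches published indicator")
    if port in OT_PORTS:
        country, hosting = ENRICHMENT.get(src, ("??", False))
        if hosting and country != HOME_COUNTRY:
            reasons.append(f"overseas hosting provider ({country}) to OT port")
        else:
            reasons.append("external source on OT port")
    if not reasons:
        return None
    return Finding(src, dst, port, OT_PORTS.get(port, "non-OT port"), tuple(reasons))


def triage(lines):
    """Run every log line through parse_line and classify; return the findings in order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        finding = classify(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log (timestamps and addresses are made up).
SAMPLE_LOG = [
    "2025-01-14T03:12:07Z ACCEPT src=203.0.113.10 dst=172.16.5.20 proto=tcp dport=20256",
    "2025-01-14T03:12:09Z ACCEPT src=192.0.2.55 dst=172.16.5.21 proto=tcp dport=502",
    "2025-01-14T03:13:00Z ACCEPT src=10.20.30.40 dst=172.16.5.20 proto=tcp dport=44818",
    "2025-01-14T03:14:11Z ACCEPT src=198.51.100.77 dst=172.16.5.22 proto=tcp dport=443",
    "2025-01-14T03:15:40Z ACCEPT src=198.51.100.200 dst=172.16.5.21 proto=tcp dport=502",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port} ({f.protocol}): {'; '.join(f.reasons)}")
```

On the constructed sample the script surfaces four records: the indicator hit on the Unitronics PCOM port, the overseas hosting source on Modbus, the indicator hit on 443 (flagged on the indicator alone, since the advisory asks for any matching activity), and an unattributed external source on Modbus at lower priority; the internal-source record and the malformed line are dropped. In a real deployment, replace the placeholder sets with the advisory's IoC download and a GeoIP/ASN feed, and point the parser at your firewall or flow export format.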
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4155665/iran%e2%80%91linked-plc-attacks-cause-real%e2%80%91world-disruption-at-critical-us-infra-sites.html