Washington, D.C.

Iranian Hackers Go After U.S. Water and Power Gear, Feds Warn

Published on April 07, 2026
Photo: Unsplash/Towfiqu barbhuiya

Federal cybersecurity agencies are sounding the alarm that Iran‑affiliated hackers have been messing with programmable logic controllers, the industrial brains that move water, control valves and keep power systems humming, across U.S. critical infrastructure. The activity, first spotted in March, involved pulling down controller project files and tampering with data on HMI and SCADA screens, which in some cases knocked devices off their game and led to real operational and financial headaches. Utilities and municipal operators are being urged to run urgent checks, and network defenders are being pushed to hunt aggressively for any signs that intruders have already slipped in.

How the intrusions work

Investigators say the attackers leaned on leased third‑party hosting and configuration tools, including Rockwell's Studio 5000 Logix Designer software, to make their connections to PLCs look legitimate. Once in, they planted Dropbear SSH on victim endpoints to open the door for remote access. The malicious traffic homed in on common OT ports, particularly 44818, 2222, 102, 22 and 502, with some of it traced back to overseas hosting providers. These technical details are laid out in reporting by BleepingComputer.

Who’s most at risk

The advisory specifically calls out Government Services and Facilities, including local municipalities, along with Water and Wastewater Systems and the Energy sector as top targets, a reflection of how heavily these environments rely on PLCs. Similar activity was documented in 2023, when attackers exploited Unitronics PLCs at U.S. water utilities, a case study in how exposed OT devices can become the on‑ramp to much broader disruption, according to CISA.

Rockwell guidance and fixes

Rockwell Automation has rolled out security notices telling customers to yank controllers off the public internet, flip on built‑in security protections and tighten up PLC configurations. Where the hardware allows, Rockwell also recommends setting the physical mode switch on controllers to the Run position to limit tampering. Its advisory SD1771 and PN1550 notice on Logix controller vulnerabilities walk customers through step‑by‑step mitigations and firmware updates that track closely with the federal recommendations, per Rockwell Automation.

What operators should do now

Right now, network defenders are being told to cut off any direct internet access to PLCs by placing them behind properly configured gateways and firewalls, then comb through available logs for the indicators of compromise listed in the advisory. Teams should also be scouting for suspicious traffic on ports commonly used by OT devices. If an internet‑accessible device looks affected, agencies say it is time to bring in incident response support and reach out to the authoring agencies and vendors using established support channels. The joint cybersecurity advisory includes contact information and a full rundown of the known IOCs.
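As an added example, not part of the article or of the advisory it reports on, the following Python script applies the "scout for suspicious traffic on OT ports" step to constructed Zeek-style conn.log rows: it flags any connection to the ports named above (44818, 2222, 102, 22, 502) that comes from outside the site's RFC 1918 ranges or from an internal host that is not on an engineering-workstation allowlist. The internal ranges, the allowlisted address and the sample rows are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# OT/ICS ports named in the advisory, with their usual protocol associations.
OT_PORTS = {44818: "EtherNet/IP (CIP explicit)", 2222: "EtherNet/IP (CIP implicit I/O)",
            102: "ISO-TSAP (S7comm)", 22: "SSH", 502: "Modbus/TCP"}
# Assumed site address space (RFC 1918); any other source counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SOURCES = {"10.10.1.5"}  # hypothetical engineering workstation allowed to reach PLCs

def is_external(ip: str) -> bool:
    """True when the address lies outside the site's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious(conn_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag connections to OT ports from sources that should never reach a PLC.
    Rows are Zeek-style conn.log lines: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, ...
    """
    hits = []
    for line in conn_lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank line or Zeek header row
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7:
            continue  # malformed row
        src, dst, dport, proto = fields[2], fields[4], int(fields[5]), fields[6]
        if dport not in OT_PORTS:
            continue
        if is_external(src):
            reason = "external source"
        elif src not in ALLOWED_SOURCES:
            reason = "internal source not on allowlist"
        else:
            continue  # approved engineering workstation
        hits.append({"src": src, "dst": dst, "dst_port": dport, "proto": proto,
                     "service": OT_PORTS[dport], "reason": reason})
    return hits

# Constructed sample rows; 203.0.113.0/24 and 198.51.100.0/24 stand in for public IPs.
SAMPLE_CONN_LOG = [
    "1712000000.1\tC1\t10.10.1.5\t51000\t10.20.0.7\t44818\ttcp",
    "1712000001.2\tC2\t203.0.113.45\t40000\t10.20.0.7\t44818\ttcp",
    "1712000002.3\tC3\t10.10.9.9\t40001\t10.20.0.7\t502\ttcp",
    "1712000003.4\tC4\t198.51.100.8\t40002\t10.20.0.8\t22\ttcp",
    "1712000004.5\tC5\t10.10.1.5\t40003\t10.20.0.7\t443\ttcp",
]
```

Running `find_suspicious(SAMPLE_CONN_LOG)` returns three hits: the two public-address sources and the internal host that is not on the allowlist; the approved workstation's traffic and the non-OT port 443 row are left alone.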

Bottom line

The warning is a not‑so‑gentle reminder that industrial control systems remain prime targets in a tense geopolitical climate, and that basic OT hygiene, such as closing unused ports, killing off default passwords, keeping firmware patched and keeping PLCs off public networks, can dramatically cut risk. Security reporting notes that the tactics on display are all too familiar, but the advisory’s focus on activity observed in March puts extra urgency on proactive audits and fast patch cycles, as noted by BleepingComputer.