Federal cybersecurity and intelligence agencies warned today that organizations should “urgently review” their networks for signs of compromise from Iran-affiliated threat actors targeting U.S. critical infrastructure. 

Iranian-affiliated threat actors are targeting multiple U.S. critical infrastructure sectors, including government services and facilities, water systems, and energy, according to a joint advisory from the U.S. Cyber Command, Cybersecurity and Infrastructure Security Agency, Energy Department, Environmental Protection Agency, FBI, and National Security Agency. 

The agencies said the threat actors are “conducting this activity to cause disruptive effects within the United States,” and have targeted internet-connected operational technology (OT) devices.  

“As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files and the manipulation of data displayed on human machine interface … and supervisory control and data acquisition … displays. In a few cases, this activity has resulted in operational disruption and financial loss,” the advisory states. 

The agencies said that Iranian-affiliated targeting campaigns against U.S. organizations have recently increased, likely in response to ongoing “hostilities” between Iran, Israel, and the United States.  

The agencies said that since last month they have identified an Iranian-affiliated group disrupting programmable logic controllers (PLCs), the devices that control and automate critical infrastructure processes, and that some victims “experienced operational disruption and financial loss.”

The FBI said that tactics most recently used include “maliciously interacting with project files, and manipulating data displayed on HMI [human-machine interface] and SCADA [supervisory control and data acquisition] displays.” 

The agencies said they observed Iranian-affiliated threat actors “using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs … The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC.” 
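The pattern the advisory describes, an internet-routable host opening a session to an exposed Logix controller with the vendor's own engineering software, leaves a simple trace in perimeter flow or firewall logs. The script below is an added example, not code from the advisory or from Rockwell Automation. It assumes that Studio 5000 Logix Designer reaches Logix PLCs over EtherNet/IP (TCP 44818 for CIP explicit messaging, UDP 2222 for CIP I/O); the log format, the allowlisted engineering subnet, the PLC addresses and the sample records are all constructed for the example, with TEST-NET addresses standing in for the overseas sources.

```python
"""Triage of flow logs for unexpected EtherNet/IP sessions to PLCs.

Added example; not code from the advisory or from Rockwell Automation.
Assumptions (not from the article): Studio 5000 talks to Logix PLCs over
EtherNet/IP, i.e. CIP explicit messaging on TCP 44818 and CIP implicit I/O
on UDP 2222.  The log format, address ranges and sample records are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (proto, port) pairs used by EtherNet/IP, the transport Studio 5000 uses.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Engineering workstations allowed to program the PLCs (constructed; replace
# with the site's real engineering VLAN).
ALLOWED_ENGINEERING = [ipaddress.ip_network("10.20.0.0/24")]

# Address space the site owns.  Anything outside it is "external".  Defined
# explicitly rather than via ip.is_global because Python treats the TEST-NET
# ranges used below as non-global.
SITE_INTERNAL = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Controllers on the OT segment (constructed).
PLC_HOSTS = {ipaddress.ip_address("10.30.1.10"), ipaddress.ip_address("10.30.1.11")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst proto dport action' record (constructed format)."""
    ts, src, dst, proto, dport, action = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), action.lower())


def classify(flow: Flow) -> Optional[str]:
    """Label an EtherNet/IP flow to a PLC, or return None if it is expected."""
    if flow.dst not in PLC_HOSTS or (flow.proto, flow.dport) not in ENIP_PORTS:
        return None
    if any(flow.src in net for net in ALLOWED_ENGINEERING):
        return None
    if flow.action != "allow":
        # Rejected at the perimeter: a probe, not the advisory's "accepted
        # connection", but it still shows the PLC port is being looked at.
        return "BLOCKED_PROBE_TO_PLC"
    if not any(flow.src in net for net in SITE_INTERNAL):
        # An external host with an accepted CIP session to a controller is the
        # pattern in the advisory: leased third-party infrastructure running
        # engineering software against an internet-facing PLC.
        return "EXTERNAL_SOURCE_TO_PLC"
    return "UNEXPECTED_INTERNAL_SOURCE_TO_PLC"


def triage(lines) -> List[Tuple[str, str, str, str, int, str]]:
    """Return (ts, src, dst, proto, dport, label) for every flagged record."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow.ts, str(flow.src), str(flow.dst),
                             flow.proto, flow.dport, label))
    return findings


# Constructed sample log: one normal engineering session, one external host
# with accepted sessions on both EtherNet/IP ports, one unexpected internal
# host, one unrelated HTTPS deny, one blocked probe.
SAMPLE_LOG = """\
2025-06-30T01:12:03Z 10.20.0.15 10.30.1.10 tcp 44818 allow
2025-06-30T01:13:44Z 10.30.1.10 10.20.0.15 tcp 50211 allow
2025-06-30T02:07:19Z 203.0.113.77 10.30.1.10 tcp 44818 allow
2025-06-30T02:08:02Z 203.0.113.77 10.30.1.11 udp 2222 allow
2025-06-30T02:30:00Z 10.40.5.9 10.30.1.11 tcp 44818 allow
2025-06-30T03:00:00Z 198.51.100.4 10.30.1.10 tcp 443 deny
2025-06-30T03:01:10Z 198.51.100.4 10.30.1.11 tcp 44818 deny
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Any EXTERNAL_SOURCE_TO_PLC finding means the controller is reachable from outside the site; the source address belongs in the indicator review the advisory asks for, and the controller should come off the internet-facing path whatever that review concludes. Unexpected internal sources deserve the same attention, since an actor who has landed on an IT host will reach the PLC from an address inside the site's own ranges.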

That activity is similar to efforts by the Iranian government-linked hacker group known as “CyberAv3ngers,” which targeted U.S. critical infrastructure in a 2023 campaign and compromised at least 75 OT devices, the agencies said. 

Organizations should review their networks for indicators of the threat actors' activity and take the mitigation steps outlined in the advisory to address compromised devices, the agencies said.

Weslan Hansen
Weslan Hansen is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.