Six U.S. agencies — the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command — released joint advisory AA26-097A on April 7, warning that Iranian-affiliated threat actors are actively exploiting internet-exposed Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) across multiple critical infrastructure sectors. The attacks have already caused operational disruptions and financial losses at victim organizations.

Who’s Behind It

The campaign is attributed to CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The group is also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691 across various threat intelligence platforms.

CyberAv3ngers previously made headlines in late 2023 when they compromised Unitronics PLCs at a Pennsylvania water authority. This latest campaign represents a significant escalation in both scope and sophistication — shifting from Israeli-made controllers to Rockwell Automation devices, which dominate U.S. industrial environments.

What’s Happening

Since at least March 2026, the group has been targeting internet-facing PLCs across three sectors:

  • Water and Wastewater Systems (WWS)
  • Energy
  • Government Services and Facilities (including local municipalities)

The attack chain follows a consistent pattern:

  1. Initial access via internet-exposed PLCs — no phishing, no user interaction required
  2. Persistence by deploying Dropbear SSH on port 22, establishing a persistent C2 channel
  3. Extraction and modification of PLC project files, altering control logic
  4. SCADA/HMI manipulation — operators see falsified process readings while the attackers’ modified control logic runs in the background

Communication with compromised devices occurs over EtherNet/IP (ports 44818 and 2222), Modbus TCP (port 502), and SSH (port 22).

The SCADA display manipulation is particularly concerning. Operators watching their dashboards see normal readings while the underlying process has been altered — a direct path to physical consequences in water treatment or energy distribution systems.

CVEs in Play

The advisory references CVE-2021-22681, an insufficiently protected cryptographic key vulnerability in Rockwell’s Studio 5000 Logix Designer and multiple Logix PLC families. CISA added this CVE to the Known Exploited Vulnerabilities (KEV) catalog in March 2026, confirming active exploitation.

While CVE-2021-22681 is the named vulnerability, the primary attack vector is simply internet-exposed PLCs with default or weak authentication — a configuration problem that persists across thousands of deployments.

The advisory also notes exploitation of known VPN and edge device vulnerabilities for network access, including CVE-2019-11510 (Pulse Secure), CVE-2018-13379 (Fortinet), and CVE-2019-19781 (Citrix ADC).

Who’s Affected

Any organization running Rockwell Automation/Allen-Bradley PLCs with internet exposure is at risk. The advisory specifically calls out water utilities, energy providers, and municipal government facilities, but the attack techniques apply to any sector using these controllers.

NERC has confirmed it is actively monitoring the electrical grid in response to the advisory.

What To Do Right Now

The advisory’s mitigations are straightforward but critical:

Immediate actions:

  • Disconnect PLCs from public-facing networks. There is no legitimate reason for a PLC to be directly internet-accessible. Route all remote access through monitored VPN gateways with MFA.
  • Audit for Dropbear SSH on port 22 across all OT devices. Its presence on a PLC is a strong indicator of compromise.
  • Check PLC project files against known-good backups. Any unauthorized modifications to control logic require immediate investigation.

Network-level mitigations:

  • Block inbound traffic on ports 44818, 2222, 502, and 22 at the OT network perimeter
  • Patch all internet-facing VPN appliances and firewalls against the referenced CVEs
  • Implement network segmentation between IT and OT environments with strict access controls

Monitoring:

  • Deploy OT-aware network monitoring to detect unauthorized EtherNet/IP and Modbus traffic
  • Monitor HMI/SCADA displays against independent process sensors to detect display manipulation
  • Develop and test an OT-specific incident response plan that covers PLC project file restoration from verified backups
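As an added illustration of the Dropbear audit, perimeter port blocking and OT traffic monitoring points above (example code, not part of the advisory or any vendor tooling), the script below scans constructed connection-log lines for the ports named in AA26-097A. The OT subnet, engineering-workstation allowlist and log format are assumptions chosen for the example.

```python
"""Flag OT connection-log flows that match the advisory's PLC protocol ports."""
import ipaddress

# Ports named in AA26-097A: EtherNet/IP, Modbus TCP, and SSH (Dropbear)
WATCHED_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP", 502: "Modbus TCP", 22: "SSH"}

# Assumed (hypothetical) site addressing: the PLC segment and allow-listed engineering hosts
OT_NETWORK = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.5")}

# Constructed sample log in a simple space-separated format:
# "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2026-04-07T01:02:03Z 10.20.0.5 51000 10.20.0.40 44818 tcp
2026-04-07T01:02:09Z 203.0.113.7 40211 10.20.0.40 44818 tcp
2026-04-07T01:03:15Z 203.0.113.7 40222 10.20.0.40 22 tcp
2026-04-07T01:04:00Z 10.20.0.41 33000 10.20.0.40 502 tcp
2026-04-07T01:05:00Z 10.20.0.5 51001 10.20.0.40 80 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, proto)."""
    ts, src, _sport, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def classify(ts, src, dst, dport, proto):
    """Return a finding string, or None if the flow is expected traffic."""
    if dport not in WATCHED_PORTS or dst not in OT_NETWORK:
        return None
    service = WATCHED_PORTS[dport]
    if dport == 22:
        # The advisory treats SSH on a PLC as a strong indicator of compromise (Dropbear)
        return f"{ts} CRITICAL SSH to PLC {dst} from {src} (possible Dropbear)"
    if src not in OT_NETWORK:
        # Industrial protocol traffic reaching a PLC from outside the OT segment
        return f"{ts} CRITICAL {service} to {dst}:{dport} from non-OT address {src}"
    if src not in ENGINEERING_HOSTS:
        # In-segment but not an allow-listed engineering host; review rather than block
        return f"{ts} WARNING {service} to {dst}:{dport} from unlisted OT host {src}"
    return None


def scan(log_text):
    """Run classify() over every non-empty log line and keep the findings."""
    flows = (classify(*parse_line(l)) for l in log_text.splitlines() if l.strip())
    return [finding for finding in flows if finding]
```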

The STIX data for this advisory is available at CISA’s advisory page for automated ingestion into threat intelligence platforms.

The Bigger Picture

This advisory lands amid escalating tensions between Iran and the U.S./Israel. The shift from targeting Israeli-made Unitronics controllers to American-made Rockwell devices signals that CyberAv3ngers is adapting to hit infrastructure where it matters most to U.S. operators. The fact that six agencies co-authored this advisory — including Cyber Command and DOE — reflects how seriously the government is taking the threat to physical infrastructure.

If you run Rockwell PLCs in any capacity, audit your internet exposure today. The advisory is clear: these attacks are ongoing.