Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. 

This activity has disrupted PLCs across several U.S. critical infrastructure sectors: the actors have interacted maliciously with PLC project files and manipulated the data shown on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, causing operational disruption and financial loss.

The Cybersecurity and Infrastructure Security Agency (CISA) and partner federal agencies have published a joint advisory on this activity.

Organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in the advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of the advisory to reduce the risk of compromise. 

In addition to the indicators in the advisory, malicious activity has been observed from the following IP addresses. They are shown defanged with [.]; remove the brackets before using them in log searches or block lists.
•    135.136.1[.]133
•    185.82.73[.]162
•    185.82.73[.]164
•    185.82.73[.]165
•    185.82.73[.]167
•    185.82.73[.]168
•    185.82.73[.]170
•    185.82.73[.]171
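One way to act on the list above, as an added example (not part of this alert or of the CISA advisory): a small Python script that refangs the listed IPs, validates them, and checks firewall log lines for any of them as source or destination. The log lines, the firewall name, the internal 10.20.30.0/24 hosts and the timestamps are constructed for illustration; the netfilter-style SRC=/DST= format is an assumption about what a site's logs look like.

```python
import ipaddress
import re
from collections import Counter

# IOCs as listed in the alert above, defanged with "[.]".
DEFANGED_IOCS = [
    "135.136.1[.]133",
    "185.82.73[.]162",
    "185.82.73[.]164",
    "185.82.73[.]165",
    "185.82.73[.]167",
    "185.82.73[.]168",
    "185.82.73[.]170",
    "185.82.73[.]171",
]


def refang(ioc: str) -> str:
    """Convert a defanged IPv4 literal (e.g. 1.2.3[.]4) to its usable form.

    Raises ValueError if the result is not a valid IPv4 address, so a typo
    in a copied IOC list fails loudly instead of silently never matching.
    """
    candidate = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return str(ipaddress.IPv4Address(candidate))


IOC_SET = frozenset(refang(i) for i in DEFANGED_IOCS)

# Candidate IPv4 literals; \b stops "185.82.73.162" from matching inside a
# longer digit run. Each candidate is still validated with ipaddress below.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ips_in_line(line: str) -> list[str]:
    """Return every syntactically valid IPv4 address found in a log line."""
    found = []
    for cand in _IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an IP but is not one
    return found


def scan_logs(lines, iocs=IOC_SET):
    """Return (line_no, matched_ip, line) for each line containing an IOC.

    Both SRC and DST are checked: an IOC as destination means an internal
    host initiated a connection out to actor infrastructure, which matters
    as much as an inbound hit.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in ips_in_line(line):
            if ip in iocs:
                hits.append((n, ip, line.rstrip()))
    return hits


def summarize(hits) -> Counter:
    """Count hits per IOC so the most active actor address stands out."""
    return Counter(ip for _, ip, _ in hits)


# Constructed sample log lines in iptables/netfilter style. Not real traffic:
# the firewall name, hosts and timestamps are invented. 44818/tcp is
# EtherNet/IP (spoken by Rockwell PLCs) and 502/tcp is Modbus; both are used
# here only to make the sample realistic, not because the alert names them.
SAMPLE_LOGS = [
    "Jun 30 01:12:07 fw01 kernel: ACCEPT IN=eth0 SRC=185.82.73.162 DST=10.20.30.5 PROTO=TCP DPT=44818",
    "Jun 30 01:12:09 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.20.30.5 PROTO=TCP DPT=443",
    "Jun 30 01:14:31 fw01 kernel: ACCEPT IN=eth0 SRC=135.136.1.133 DST=10.20.30.9 PROTO=TCP DPT=44818",
    "Jun 30 01:15:02 fw01 kernel: ACCEPT IN=eth1 SRC=10.185.82.73 DST=10.20.30.5 PROTO=TCP DPT=502",
    "Jun 30 01:16:45 fw01 kernel: ACCEPT IN=eth1 SRC=10.20.30.5 DST=185.82.73.170 PROTO=TCP DPT=443",
]


def main():
    hits = scan_logs(SAMPLE_LOGS)
    for n, ip, line in hits:
        print(f"line {n}: {ip} -> {line}")
    for ip, count in summarize(hits).most_common():
        print(f"{ip}: {count} hit(s)")


if __name__ == "__main__":
    main()
```

Line 4 of the sample, with source 10.185.82.73, is deliberately a near miss: a plain substring search for "185.82.73" would flag it, while the address-level match above correctly ignores it. Against real logs, feed `scan_logs` the lines of the firewall, VPN or proxy export, and treat any hit, inbound or outbound, as grounds for the historical review the advisory asks for.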