Iranian‑Backed Hackers Expose Nearly 4,000 U.S. Rockwell PLCs, Manipulate OT Data
What Happened – Iranian state‑linked APT groups have been scanning and exploiting Internet‑exposed Rockwell Automation/Allen‑Bradley programmable logic controllers (PLCs) across the United States. Over 3,800 U.S. devices were identified as reachable via EtherNet/IP, and the FBI confirmed extraction of device project files and manipulation of HMI/SCADA displays.
Why It Matters for TPRM –
- Internet‑exposed OT assets create a direct attack surface that can be leveraged to disrupt critical‑infrastructure operations.
- Compromise of PLC project files reveals process logic, enabling sabotage or espionage against downstream vendors and partners.
- The campaign demonstrates that misconfiguration of legacy OT devices remains a systemic risk for any organization that relies on third‑party industrial control systems.
Who Is Affected – Energy & utilities, manufacturing, transportation, and any sector that integrates Rockwell Automation PLCs into its operational technology stack.
Recommended Actions –
- Conduct an inventory of all Rockwell/Allen‑Bradley PLCs and verify they are not Internet‑reachable.
- Deploy network segmentation and firewalls to isolate OT traffic; block EtherNet/IP from untrusted networks.
- Enforce MFA for OT management consoles, apply firmware patches, and disable unused services.
- Continuously monitor OT ports for anomalous traffic, especially from foreign IP ranges.
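Added example, not from the article, BleepingComputer or Rockwell: a Python script that applies the inventory, segmentation and monitoring actions above to firewall flow records. It flags any EtherNet/IP flow (TCP/UDP 44818, UDP 2222) to a PLC that originates outside the trusted OT management network, reports blocked probes separately from successful connections, and calls out EtherNet/IP talkers that are missing from the asset inventory. The PLC addresses, trusted subnet, log format and log lines are all constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# EtherNet/IP listeners: TCP/UDP 44818 (explicit messaging, ListIdentity)
# and UDP 2222 (implicit I/O). Reachability from outside the OT
# management network on any of these is a finding.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Constructed PLC inventory (hypothetical addresses, not from the article).
PLC_INVENTORY = {
    "10.20.1.11": "Line-1 CompactLogix",
    "10.20.1.12": "Line-2 ControlLogix",
}

# Constructed: the only network that should speak EtherNet/IP to the PLCs.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    asset: str
    proto: str
    port: int
    severity: str  # "exposed", "probed" or "unknown-asset"


def is_trusted(src: str) -> bool:
    """True if the source address sits inside an OT management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def parse_flow(line: str):
    """Parse one constructed flow record: ts,src,dst,proto,dst_port,action.
    Returns None for malformed lines so one bad record never stops the scan."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, src, dst, proto, port, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, proto.lower(), int(port), action.lower()
    except ValueError:
        return None


def find_exposures(log_lines, inventory=PLC_INVENTORY):
    """Return one Finding per EtherNet/IP flow from an untrusted source."""
    findings = []
    for line in log_lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, proto, port, action = rec
        if (proto, port) not in ENIP_PORTS or is_trusted(src):
            continue
        if dst not in inventory:
            # Something answers EtherNet/IP that the inventory does not know about.
            severity, asset = "unknown-asset", "(not in inventory)"
        else:
            asset = inventory[dst]
            # An allowed flow is an exposure; a denied one is a probe worth watching.
            severity = "exposed" if action == "allow" else "probed"
        findings.append(Finding(ts, src, dst, asset, proto, port, severity))
    return findings


def summarize(findings):
    """Count findings by severity for a quick dashboard line."""
    return dict(Counter(f.severity for f in findings))


# Constructed flow log; addresses use RFC 5737 documentation ranges for "public".
SAMPLE_FLOWS = [
    # public source reached a known PLC on TCP/44818: Internet exposure
    "2024-05-01T02:13:44Z,203.0.113.7,10.20.1.11,tcp,44818,allow",
    # OT management host talking to a PLC: expected, ignored
    "2024-05-01T02:13:45Z,10.20.5.40,10.20.1.11,tcp,44818,allow",
    # corporate IT host reached a PLC: segmentation gap
    "2024-05-01T02:14:01Z,192.168.50.5,10.20.1.11,tcp,44818,allow",
    # public source tried the implicit I/O port and was blocked: probe
    "2024-05-01T02:14:02Z,198.51.100.23,10.20.1.12,udp,2222,deny",
    # public source on a non-EtherNet/IP port: out of scope for this check
    "2024-05-01T02:15:10Z,203.0.113.7,10.20.1.11,tcp,443,allow",
    # EtherNet/IP reachable on a device nobody inventoried
    "2024-05-01T02:16:00Z,203.0.113.9,10.20.9.9,tcp,44818,allow",
    # malformed record: skipped
    "garbage line",
]

if __name__ == "__main__":
    results = find_exposures(SAMPLE_FLOWS)
    for f in results:
        print(f"{f.ts} {f.severity:13} {f.src} -> {f.dst} ({f.asset}) {f.proto}/{f.port}")
    print(summarize(results))
```

Feed it real flow or firewall exports in the same six-field shape and treat every "exposed" line as an immediate segmentation fix, every "unknown-asset" line as an inventory gap to close, and the "probed" lines as the baseline for the anomalous-traffic monitoring in the last action above.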
Technical Notes – The exposure stems from default or poorly hardened network configurations that allow PLCs to respond to EtherNet/IP queries from the public Internet. No specific CVE was cited; the attack relies on Internet‑reachable EtherNet/IP endpoints to download project files and alter SCADA/HMI displays.
Source: BleepingComputer