Iranian-Linked Actors Target U.S. Industrial Controllers

The digital front lines of modern geopolitics have shifted from office computers to the heavy machinery that powers our cities. On April 7, 2026, a massive coalition of U.S. agencies, including CISA, the FBI, and the NSA, issued a critical advisory (AA26-097A) regarding a surge in aggressive cyber activity targeting the “brains” of American infrastructure.

Iranian-affiliated Advanced Persistent Threat (APT) groups are actively exploiting Programmable Logic Controllers (PLCs), specifically those manufactured by Rockwell Automation/Allen-Bradley. These attacks aren’t just about stealing data; they are designed to disrupt physical operations in the Energy, Water, and Government Services sectors.

The Attack: How Project Files Become Weapons

In a typical IT hack, an attacker steals an email. In an OT (Operational Technology) hack, the attacker manipulates reality.

The Tactic: Malicious Interaction

The threat actors are scanning the internet for PLCs that are directly connected to the web without a firewall. Once found, they use legitimate engineering software, like Rockwell’s Studio 5000 Logix Designer, to connect to the device.

By gaining access, the attackers can:

  • Extract Project Files: They download the code (ladder logic) that tells the machine how to behave.
  • Manipulate Displays: They alter the data shown on Human Machine Interfaces (HMIs) and SCADA displays. This is particularly dangerous because a technician might see “Normal” on their screen while a water pump is actually failing or a valve is being forced open.
  • Cause Financial Loss: Several victims have already reported operational shutdowns that resulted in significant revenue loss and repair costs.

Technical Indicators: Ports to Watch

The attackers are leveraging specific communication ports to find and command these devices. If your network logs show unexpected traffic from overseas IP addresses, particularly from hosting providers on these ports, you may be in the crosshairs:

  • Ports 44818 & 2222: Associated with EtherNet/IP (Rockwell/Allen-Bradley).
  • Port 102: Associated with Siemens S7 protocols.
  • Port 502: Standard Modbus protocol.
  • Port 22: Used by the actors to deploy Dropbear SSH for permanent remote access.

This reliance on common ports and unverified inputs is a recurring theme in modern exploits, much like the OS command injection flaw recently discovered in Nokia MantaRay NM.

Immediate Defensive Actions

If you manage an industrial site, CISA and the FBI recommend taking these three “Emergency” steps today:

1. The Physical “Run” Switch

For Rockwell Automation controllers, locate the physical mode switch on the front of the hardware. Move it to the “Run” position. Why? This physically prevents anyone from changing the code or logic remotely. The device should only be in “Remote” or “Program” mode during scheduled maintenance.

2. Kill the Direct Connection

No PLC should ever be directly reachable from the public internet.

  • Place all OT devices behind a secure gateway (jump host) or a robust firewall.
  • If your field technicians use cellular modems for remote access, ensure they use Multi-Factor Authentication (MFA) and strong, unique passwords.

3. Backup and Air-Gap

Create a clean backup of your PLC logic and configurations. Store these backups offline on physical media (like a USB drive kept in a safe). If an attacker wipes your controller, an offline backup is your only path to a fast recovery.

The Big Picture: Secure by Design

This advisory is a wake-up call for the “Secure by Design” movement. CISA is urging manufacturers to stop shipping devices with “convenience” features that double as security holes, such as default passwords or internet-exposed administrative interfaces. We saw a similar “critical security void” recently when obsolete BASC 20T controllers were exposed due to a lack of basic input verification.

For the operators on the ground, the message is simpler: The machinery that keeps the lights on and the water flowing is now a primary target. Security is no longer an IT problem; it is a fundamental part of keeping the plant running.

Critical Response Checklist

  • Audit Connectivity: Use tools to see if your PLCs show up on public internet scans (like Shodan).
  • Switch to Run Mode: Ensure all controllers are physically locked into “Run” mode.
  • Check Logs: Look for the IOC IP addresses (e.g., 185.82.73[.]162) in your traffic history from early 2026.
  • Isolate Ports: Block inbound traffic on ports 44818, 502, and 102 at the network perimeter.
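The “Ports to Watch” list and the “Check Logs” checklist item above both come down to the same hunt: find connections to the ICS protocol ports that did not originate from your own OT network or an approved jump host, and match source addresses against the advisory IOC. The script below is an added example (not code from the advisory or from CISA) that runs that logic over a constructed, perimeter-style flow log. The port table and the defanged IOC address come from the text of this article; the OT subnet (10.20.0.0/16), the approved jump host (192.168.50.10) and the log line format are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ports the advisory associates with PLC discovery and command (from the article).
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP (Rockwell/Allen-Bradley)",
    102: "Siemens S7",
    502: "Modbus/TCP",
    22: "SSH (used to drop Dropbear for persistence)",
}


def refang(ip: str) -> str:
    """Turn a defanged IOC such as 185.82.73[.]162 back into a matchable address."""
    return ip.replace("[.]", ".")


# IOC address quoted in the advisory checklist, stored in its defanged form.
IOC_IPS = {refang("185.82.73[.]162")}

# Assumed for this example: the plant's OT subnet and the only non-OT host
# (a hardened jump host) that is permitted to reach controllers directly.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.10/32"),
]

# Constructed sample flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2026-03-02T01:14:07Z 10.20.5.11 10.20.7.20 44818 ALLOW
2026-03-02T01:15:30Z 203.0.113.45 10.20.7.20 44818 ALLOW
2026-03-02T01:16:02Z 185.82.73.162 10.20.7.21 2222 ALLOW
2026-03-02T01:17:45Z 198.51.100.9 10.20.7.22 502 ALLOW
2026-03-02T01:18:10Z 192.168.50.10 10.20.7.20 44818 ALLOW
2026-03-02T01:19:00Z 203.0.113.45 10.20.7.23 443 ALLOW
2026-03-02T01:20:12Z 198.51.100.9 10.20.7.24 22 ALLOW
"""


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str):
    """Parse one flow record; return None for malformed lines instead of crashing."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action
    except ValueError:
        return None


def analyze(lines):
    """Flag IOC sources and any non-approved source reaching an ICS port on OT hosts."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, dst, dport, _action = rec
        if str(src) in IOC_IPS:
            findings.append(Finding(n, str(src), str(dst), dport, "source matches advisory IOC"))
            continue
        if dport not in ICS_PORTS:
            continue
        to_ot = any(dst in net for net in OT_NETS)
        approved = any(src in net for net in ALLOWED_SOURCES)
        if to_ot and not approved:
            findings.append(Finding(n, str(src), str(dst), dport,
                                    f"unapproved source to {ICS_PORTS[dport]}"))
    return findings


def sources_by_hits(findings):
    """Rank offending source addresses by number of flagged connections."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport} ({f.reason})")
    print("top sources:", sources_by_hits(analyze(SAMPLE_LOG.splitlines())))
```

On the sample log this flags four records: two external hosts reaching EtherNet/IP and Modbus, one external host on port 22, and the advisory IOC on port 2222; the internal engineering workstation and the approved jump host pass, as does external traffic to a non-ICS port. In a real deployment the allow-list should be the only non-OT addresses permitted by the perimeter firewall, so any finding from this script is also evidence that the “Isolate Ports” rule is missing or misconfigured.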
