Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation
activity targeting internet-facing operational technology (OT) devices, including
programmable logic controllers (PLCs) manufactured by Rockwell
Automation/Allen-Bradley. This activity has led to PLC disruptions across several
U.S. critical infrastructure sectors through malicious interactions with the project
file and manipulation of data on human machine interface (HMI) and supervisory
control and data acquisition (SCADA) displays, resulting in operational disruption
and financial loss.
U.S. organizations should urgently review the tactics, techniques, and procedures
(TTPs) and indicators of compromise (IOCs) in this advisory for indications of
current or historical activity on their networks, and apply the recommendations
listed in the Mitigations section of this advisory to reduce the risk of compromise.