Programmable logic controllers (PLCs) made by industrial automation manufacturer Rockwell Automation under its Allen-Bradley brand are actively being exploited, and PLCs from other companies are potentially being targeted as well, according to the advisory.
The agencies advised all U.S. organizations to remove the affected control systems from direct internet exposure and to check available logs for “suspicious traffic.” Organizations that use Rockwell Automation devices and believe they may have been targeted are advised to contact the company.
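What “check available logs for suspicious traffic” looks like in practice is left to the reader by the advisory. The script below is an added example, not code from the advisory, CISA, or Rockwell Automation: it reviews constructed firewall-style flow records for connections to PLC protocol ports and flags two things the advisory is concerned with, PLCs reachable directly from the internet and internal hosts outside an engineering-workstation allowlist talking to them. The log format (ts,src,dst,dst_port,proto,action), the RFC 1918 internal ranges, the 10.20.30.0/24 engineering subnet and the port list are all assumptions for the example; 44818/tcp and 2222/udp are EtherNet/IP (CIP), the protocol of Rockwell/Allen-Bradley Logix controllers, and 502/tcp is Modbus/TCP, included for the “PLCs from other companies” case.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the plant's internal address space is RFC 1918; anything else is
# treated as "the internet". The constructed sample log uses RFC 5737
# documentation addresses for external sources, which Python's ipaddress does
# not consider global, so the check is written against explicit ranges rather
# than with ip_address(...).is_global.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical allowlist: only engineering workstations on this subnet are
# expected to talk to the PLCs.
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Ports of common PLC protocols. 44818/tcp and 2222/udp are EtherNet/IP (CIP),
# spoken by Rockwell/Allen-Bradley Logix controllers; 502/tcp is Modbus/TCP,
# common on other vendors' PLCs.
PLC_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O",
    502: "Modbus/TCP",
}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'ts,src,dst,dst_port,proto,action' record; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, src, dst, port, proto, action = parts
    try:
        return ts, ipaddress.ip_address(src), dst, int(port), proto, action.upper()
    except ValueError:
        return None


def classify(rec):
    """Return a Finding for a PLC-port flow that should not be happening, else None."""
    ts, src, dst, port, proto, action = rec
    if port not in PLC_PORTS:
        return None
    protocol = PLC_PORTS[port]
    if not is_internal(src):
        # An allowed flow from outside means the PLC is internet-exposed; a
        # denied one is still worth a look as a probe of the PLC port.
        if action == "ALLOW":
            reason = "PLC reachable directly from the internet"
        else:
            reason = "external probe of PLC port (blocked)"
        return Finding(ts, str(src), dst, port, protocol, reason)
    if action == "ALLOW" and src not in ENGINEERING_SUBNET:
        return Finding(ts, str(src), dst, port, protocol,
                       "internal host outside engineering subnet talking to PLC")
    return None


def review_log(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log (not real traffic); format ts,src,dst,dst_port,proto,action
SAMPLE_LOG = """\
2026-03-10T02:14:07Z,203.0.113.45,192.168.50.12,44818,tcp,ALLOW
2026-03-10T02:14:09Z,198.51.100.7,192.168.50.12,44818,tcp,DENY
2026-03-10T08:00:01Z,10.20.30.15,192.168.50.12,44818,tcp,ALLOW
2026-03-10T08:05:44Z,10.99.1.8,192.168.50.12,2222,udp,ALLOW
2026-03-10T08:06:00Z,10.99.1.8,192.168.50.40,443,tcp,ALLOW
2026-03-10T09:00:00Z,10.20.30.15,192.168.50.13,502,tcp,ALLOW
not,a,valid,line
""".splitlines()

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port} ({f.protocol}): {f.reason}")
```

Run against the sample log, the script reports three findings: the allowed external connection to 44818/tcp (the PLC is directly exposed), the blocked external probe of the same port, and the internal host on 10.99.1.0/24 reaching the PLC's implicit I/O port. The engineering-workstation flows and the HTTPS flow are ignored. On a real network the PLC port list and the allowlist should come from the site's asset inventory, and the external-exposure check is only as good as the logs: a PLC with a public address and no firewall in front of it produces no firewall log at all, which is why the advisory's first recommendation is to take the devices off the internet rather than to watch them.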
The advisory does not specify which Iranian hacking group is behind the attacks, only noting that “Iranian-affiliated advanced persistent threat actors” were targeting U.S. critical infrastructure organizations with the intent to “cause disruptive effects.”
The agencies noted that the attacks bear a resemblance to cyberattacks in 2023 carried out by the Iranian hacking group CyberAv3ngers.
The group, affiliated with Iran’s Islamic Revolutionary Guard Corps, hacked into and defaced Israeli-made digital control panels at multiple U.S. water treatment facilities in Pennsylvania. These incidents occurred shortly after the Oct. 7, 2023, attack on Israel by Hamas militants and after subsequent strikes by Israeli forces in the Gaza Strip.
The advisory noted that the attacks were likely due to the ongoing U.S.-Israeli war on Iran, stating that “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities.”
Kimberly Mielcarek — vice president of the North American Electric Reliability Corporation, which runs the Electricity Information Sharing and Analysis Center — said on Tuesday that the organization sent an “all-points bulletin” to energy sector members about the threat, encouraging “industry vigilance.”
“Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners,” Mielcarek said.
One industry source with knowledge of the incidents, granted anonymity to discuss non-public details, said the companies had been given a heads-up by two federal agencies in advance of the advisory going out. They noted the Department of Energy was involved in responding to the breaches.
The exact targets of the attack were not immediately clear. Spokespeople for DOE and Rockwell Automation did not immediately respond to requests for comment.
CISA added a major vulnerability in Rockwell industrial control systems to its Known Exploited Vulnerabilities catalog in early March; the flaw specifically affects PLCs.
Acting CISA Director Nick Andersen told reporters last month that CISA had “not seen a rise in threat actor activity” linked to Iran since the war began, but that the agency was working with industry to track the threat.
