Special Intelligence Bulletin: CyberAv3ngers


By: RedLegg's Cyber Threat Intelligence Team

About:

On April 7, 2026, CISA warned that Iranian-affiliated threat actors linked to CyberAv3ngers are actively exploiting internet-facing operational technology devices across U.S. critical infrastructure, including water, energy, and government facilities. The campaign targets exposed PLCs, such as Rockwell Automation and Allen-Bradley systems, and has resulted in confirmed operational disruptions, manipulation of HMI and SCADA data, and financial loss. The activity underscores the urgent need to eliminate direct internet exposure of OT assets and to strengthen monitoring and access controls in critical sectors.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


THREAT ACTOR

CyberAv3ngers


Threat Activity

CISA and partner agencies warned on April 7, 2026 that Iranian-affiliated advanced persistent threat actors are actively targeting internet-facing operational technology devices, including Rockwell Automation and Allen-Bradley programmable logic controllers, across U.S. critical infrastructure. Affected sectors include Government Services and Facilities, Water and Wastewater Systems, and Energy.

PoC or Exploitation

This is confirmed real-world activity. The advisory states the activity has already led to PLC disruptions across several U.S. organizations, including operational disruption and financial loss caused by manipulation of project files and data displayed on HMI and SCADA systems.

Description

The threat involves direct targeting of exposed operational technology assets rather than traditional enterprise entry points. Attackers are leveraging internet-accessible PLCs to gain access and interfere with industrial processes.

Observed impacts include manipulation of HMI and SCADA data, persistence on OT devices, and disruption of operational processes. This activity aligns with previously reported campaigns attributed to the Iranian-aligned group CyberAv3ngers, which has historically targeted industrial control systems and water infrastructure.

Update / Advisory

Primary advisory:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a


Mitigation Recommendation

  • Immediately remove PLCs and other OT assets from direct internet exposure.
  • Route remote access through secure gateways or jump hosts.
  • Use device-level protections, such as setting the PLC's physical mode switch to Run where applicable, so that unauthorized program or configuration changes are rejected.
  • Review logs for suspicious activity associated with exposed OT services.
  • Monitor network traffic for connections to industrial protocols such as Modbus from untrusted or external sources.
  • Conduct threat hunting in OT environments, especially for internet-facing systems in critical sectors.
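The log-review and traffic-monitoring items above can be turned into a concrete check. The following is an added example, not code from RedLegg or CISA, that scans constructed connection-log lines and flags sessions to industrial protocol ports that originate from external addresses or from internal hosts other than an approved jump host. It goes slightly beyond the Modbus example in the bulletin by also watching EtherNet/IP (TCP 44818), the protocol Rockwell Automation and Allen-Bradley controllers use. The log format, the internal network ranges, the jump-host address, and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Industrial protocol ports to alert on. Modbus/TCP is the bulletin's example;
# EtherNet/IP (TCP 44818) is added because Rockwell/Allen-Bradley PLCs speak it.
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Hypothetical site layout (assumptions, not from the advisory): RFC 1918 space
# counts as internal, and only the listed jump host may initiate PLC sessions.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.20.1.9")}

# Assumed log line layout: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Alert:
    timestamp: str
    severity: str
    src: str
    dst: str
    protocol: str
    reason: str


def analyze(lines, internal_nets=INTERNAL_NETS, jump_hosts=APPROVED_JUMP_HOSTS):
    """Return one Alert per connection to an ICS port from an unexpected source."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        dport = int(m["dport"])
        if dport not in ICS_PORTS:
            continue  # not an industrial protocol port
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparsable source address
        protocol = ICS_PORTS[dport]
        if not any(src in net for net in internal_nets):
            # Direct internet exposure: the condition the advisory says is being exploited.
            alerts.append(Alert(m["ts"], "HIGH", m["src"], m["dst"], protocol,
                                "external source reached an industrial protocol port"))
        elif src not in jump_hosts:
            # Internal, but not via the gateway remote access is supposed to use.
            alerts.append(Alert(m["ts"], "MEDIUM", m["src"], m["dst"], protocol,
                                "internal source bypassed the approved jump hosts"))
    return alerts


# Constructed sample log: external Modbus hit, legitimate jump-host session,
# internal host bypassing the jump host over EtherNet/IP, unrelated HTTPS, junk.
SAMPLE_LOG = [
    "2026-04-08T02:14:07Z src=203.0.113.45 dst=10.20.30.5 dport=502 proto=tcp",
    "2026-04-08T02:15:11Z src=10.20.1.9 dst=10.20.30.5 dport=502 proto=tcp",
    "2026-04-08T02:16:30Z src=10.50.7.22 dst=10.20.30.7 dport=44818 proto=tcp",
    "2026-04-08T02:17:02Z src=198.51.100.8 dst=10.20.30.5 dport=443 proto=tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.timestamp} [{a.severity}] {a.src} -> {a.dst} ({a.protocol}): {a.reason}")
```

Run against real flow or firewall logs, the HIGH alerts enumerate exactly the exposed OT services the first recommendation says to remove from the internet, while the MEDIUM alerts show where internal access is not yet routed through the gateway or jump host.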