Iranian APTs hit 3,891 US-exposed Rockwell PLCs as OT campaign escalates
Original source: BleepingComputer, "Nearly 4,000 US industrial devices exposed to Iranian cyberattacks"

A joint US federal advisory confirms Iranian state-backed operators have been targeting internet-reachable Rockwell Automation/Allen-Bradley programmable logic controllers since March 2026, pulling project files off devices and tampering with HMI and SCADA displays. The FBI ties the surge to retaliatory posture against the US and Israel, with operational disruption and financial damage already documented at victim sites.
Censys mapped 5,219 EtherNet/IP hosts worldwide self-identifying as Rockwell/Allen-Bradley gear, and 74.6 percent — 3,891 devices — sit on US networks. A disproportionate share lives on cellular carrier ASNs, meaning field-deployed PLCs on mobile modems: the worst possible exposure profile for OT, since they are routable, weakly segmented, and often outside corporate firewall policy.
The campaign extends a pattern set by IRGC-linked CyberAv3ngers, which hit 75+ Unitronics PLCs across US water utilities in late 2023, and the Handala group’s recent wiper attack against roughly 80,000 Stryker endpoints. Defender guidance is the usual OT hygiene — firewall or disconnect PLCs, MFA on OT access, patch, kill unused services, hunt for foreign-hosted traffic on OT ports — but the attack surface number says most operators have not done it.
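As an added example of the "hunt for foreign-hosted traffic on OT ports" guidance (this is not code from the BleepingComputer article or the advisory), the Python filter below runs over constructed flow records and flags any EtherNet/IP connection (TCP/UDP 44818, UDP 2222, the standard EtherNet/IP ports) that touches a non-private address. The flow-record format and the addresses are assumptions; a GeoIP lookup would narrow the result to foreign hosts, whereas here any routable peer of a PLC is treated as suspect.

```python
import ipaddress

# Standard EtherNet/IP ports used by Rockwell/Allen-Bradley controllers:
# TCP/UDP 44818 for explicit (CIP) messaging, UDP 2222 for implicit I/O.
OT_PORTS = {44818, 2222}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real telemetry). Format assumed here:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>"
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for external hosts; 10.20.30.5 stands in for a PLC.
SAMPLE_FLOWS = """
2026-03-14T02:11:05Z tcp 203.0.113.45:51230 -> 10.20.30.5:44818 1840
2026-03-14T02:11:09Z tcp 10.20.30.7:50012 -> 10.20.30.5:44818 512
2026-03-14T02:12:41Z udp 10.20.30.5:2222 -> 10.20.30.9:2222 96
2026-03-14T02:15:00Z tcp 10.20.30.5:49888 -> 198.51.100.23:443 7220
2026-03-14T02:15:42Z tcp 10.20.30.5:50100 -> 203.0.113.9:44818 2048
2026-03-14T02:16:30Z tcp 198.51.100.80:44818 -> 10.20.30.5:40001 300
""".strip().splitlines()


def is_internal(addr: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS) or ip.is_loopback or ip.is_link_local


def parse_flow(line: str) -> dict:
    """Split one flow record in the assumed format into its fields."""
    ts, proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "bytes": int(nbytes)}


def find_external_ot_flows(lines) -> list:
    """Return flows on an OT port where either endpoint is a routable address.

    PLC traffic should stay inside the plant network, so any such flow is a
    lead for incident response, whichever direction it was initiated in."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f["dport"] in OT_PORTS or f["sport"] in OT_PORTS:
            if not (is_internal(f["src"]) and is_internal(f["dst"])):
                hits.append(f)
    return hits


if __name__ == "__main__":
    for hit in find_external_ot_flows(SAMPLE_FLOWS):
        print(f"{hit['ts']} {hit['proto']} {hit['src']}:{hit['sport']} -> "
              f"{hit['dst']}:{hit['dport']} ({hit['bytes']} bytes)")
```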
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.