The Active Threat: Critical Infrastructure is Under Attack by Iranian Threat Actors

April 10, 2026

By: Debojyoti Goswami

Security Analyst II, Security and Compliance, Delivery

What’s Happening Right Now

Iranian-affiliated cyber actors are actively targeting operational technology (OT) environments, specifically internet-exposed programmable logic controllers (PLCs), across critical infrastructure sectors.

This activity is driven by escalating geopolitical tensions in the Middle East, which raise the likelihood of spillover attacks on organizations outside the region. The observed operations mark a shift from reconnaissance to disruptive activity that affects physical processes.

How Iranian Threat Actors Are Attacking PLCs

Threat actors are exploiting internet-facing OT devices and weak configurations to gain access and control.

  • Targeted sectors include:
    • Energy
    • Water & wastewater
    • Government facilities
  • Attack techniques observed:
    • Unauthorized access to PLCs via exposed services and weak configurations
    • Manipulation of PLC project files and control logic
    • Alteration of HMI/SCADA display data
    • Deployment of remote access tools (e.g., SSH backdoors)
  • Specific activity includes:
    • Use of legitimate engineering software (e.g., Rockwell Studio 5000) to interact with PLCs
    • Communication over industrial protocol ports such as 44818 (EtherNet/IP explicit messaging), 2222 (EtherNet/IP implicit I/O), 102 (Siemens S7comm over ISO-TSAP), and 502 (Modbus/TCP)
  • Impact observed:
    • Operational disruption and financial loss across multiple sectors
  • Threat actors associated:
    • Iran-linked APT groups (e.g., CyberAv3ngers)
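The traffic pattern described above (engineering-protocol connections reaching PLCs from places they should never come from) is detectable from ordinary firewall or flow logs. The following script is an added example, not code from the original post and not ProArch's or Dragos' tooling. It runs over a constructed CSV flow export and raises a high-severity alert for any connection to one of the industrial ports listed above from outside RFC 1918 space, and a medium-severity alert for any connection to the PLC VLAN from an internal host that is not an approved engineering workstation. The log format, the PLC subnet 10.20.0.0/24, the allowlisted workstation 10.10.5.20, and every address in the sample are assumptions chosen for illustration.

```python
"""Flag connections to industrial-protocol ports from sources that should not
be talking to PLCs. Added example, not ProArch's or Dragos' tooling; the log
format, subnets, allowlist and addresses are assumptions made for illustration."""
import csv
import io
import ipaddress
from collections import defaultdict

# Ports named in the advisory and the protocol each normally carries.
INDUSTRIAL_PORTS = {
    44818: "EtherNet/IP explicit messaging (TCP)",  # Studio 5000 <-> Rockwell PLC
    2222: "EtherNet/IP implicit I/O (UDP)",
    102: "Siemens S7comm over ISO-TSAP (TCP)",
    502: "Modbus/TCP",
}

# Assumed environment: RFC 1918 space is "inside", one PLC VLAN, and a single
# host permitted to run engineering software against it.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PLC_NETWORK = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.5.20")}

# Constructed firewall/flow export in CSV form; not real traffic.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,proto
2026-04-10T02:11:05Z,10.10.5.20,10.20.0.15,44818,tcp
2026-04-10T02:14:33Z,203.0.113.77,10.20.0.15,44818,tcp
2026-04-10T02:15:01Z,203.0.113.77,10.20.0.15,2222,udp
2026-04-10T02:20:48Z,10.10.7.91,10.20.0.22,502,tcp
2026-04-10T02:22:10Z,10.10.7.91,10.20.0.31,102,tcp
2026-04-10T02:30:00Z,10.10.5.20,10.20.0.15,443,tcp
2026-04-10T02:31:12Z,198.51.100.9,10.10.8.4,22,tcp
"""


def is_internal(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(row):
    """Return an alert dict for one flow record, or None if the flow is expected."""
    src = ipaddress.ip_address(row["src_ip"])
    dst = ipaddress.ip_address(row["dst_ip"])
    port = int(row["dst_port"])
    proto = INDUSTRIAL_PORTS.get(port)
    if proto is None:
        return None  # not an industrial-protocol port; out of scope here
    base = {"ts": row["ts"], "src": str(src), "dst": str(dst),
            "port": port, "protocol": proto}
    if not is_internal(src):
        # A routable source reaching an industrial port means the PLC (or a
        # path to it) is exposed to the internet: the advisory's core finding.
        return {**base, "severity": "high",
                "reason": "industrial port reached from outside RFC 1918 space"}
    if dst in PLC_NETWORK and src not in ENGINEERING_WORKSTATIONS:
        # Internal, but not an approved engineering host: possible lateral
        # movement or rogue engineering software talking to the PLC.
        return {**base, "severity": "medium",
                "reason": "PLC contacted from non-engineering host"}
    return None


def detect(log_text):
    """Run classify() over every record of a CSV flow export."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        alert = classify(row)
        if alert:
            alerts.append(alert)
    return alerts


def scanning_sources(alerts, min_targets=2):
    """Sources that touched several distinct PLC/port pairs: mapping behaviour."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add((a["dst"], a["port"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:6} {a["src"]} -> {a["dst"]}:{a["port"]} '
              f'({a["protocol"]}) {a["reason"]}')
    print("possible scanners:", scanning_sources(found))
```

In practice the input would be a perimeter firewall log or a Zeek conn.log rather than the embedded sample, and the allowlist would be the inventory of engineering workstations; the useful property of the rule is that a single hit is actionable, since no legitimate engineering session should ever originate from a public address.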

Geopolitical & Threat Context (Dragos Insight):

  • Rising Middle East tensions are driving:
    • Increased OT-focused cyber operations
    • Expansion of targeting beyond regional conflicts
  • Threat landscape evolution:
    • Shift from pre-positioning → active disruption
    • Increased involvement of:
      • Nation-state actors
      • Hacktivists
      • Opportunistic cybercriminal groups
    • Adversaries are:
      • Scanning and mapping OT environments globally
      • Preparing for potential large-scale disruptive or destructive attacks

Exposure of Critical Infrastructure – What’s at Stake

This activity represents a significant escalation in OT cyber threats, where attackers are directly impacting physical processes rather than limiting actions to IT systems. Successful exploitation can lead to operational outages, safety risks, and financial damage.

The geopolitical context increases the likelihood of spillover attacks affecting organizations outside the immediate conflict zone. As attackers gain deeper access to control systems, the risk of large-scale disruption and long-term persistence within critical infrastructure environments grows.

What to Do

  • Remove or restrict internet exposure of PLCs and OT assets, and verify from outside your network that industrial ports are not reachable
  • Implement strong IT–OT network segmentation
  • Enforce:
    • Multi-factor authentication (MFA) on any remote path into the OT network
    • Strong credential policies (no default or shared PLC/HMI passwords)
  • Monitor for:
    • Unauthorized PLC configuration or logic changes
    • Abnormal command execution or engineering activity, including engineering software run from hosts other than approved workstations
    • Suspicious traffic on industrial ports (e.g., 44818, 2222, 102, 502), especially from sources outside the OT network
  • Apply:
    • Security patches and firmware updates, tested and scheduled in a maintenance window
    • Vendor hardening guidelines
  • Maintain secure, offline backups of PLC logic and configurations, and compare running logic against them
  • Conduct proactive threat hunting for early-stage OT compromise
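Two of the recommendations above (monitoring for unauthorized PLC configuration changes, and keeping backups of PLC logic) combine naturally: a hashed manifest of the last known-good project export lets you tell, file by file, whether the logic currently on the controller has been altered. The script below is an added example, not code from the original post and not ProArch tooling. It builds a SHA-256 manifest from a backup directory, stores it as JSON, and diffs it against a fresh export. The directory layout, file names, and file contents in demo() are constructed placeholders; a real export would be the vendor's project format (for example an .ACD or .L5X file from Studio 5000).

```python
"""Detect unauthorized changes to PLC logic/configuration by comparing exported
project files against a hashed baseline taken from the last known-good backup.
Added example, not ProArch tooling; file names, layout and contents are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large project exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify differences between two manifests: changed logic, new files, missing files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_manifest(manifest, path):
    # The manifest belongs with the offline backup, not on the engineering
    # workstation, so an attacker who edits logic cannot also edit the baseline.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: known-good backup vs. a fresh export from the PLC."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        live = Path(tmp) / "live"
        # Known-good backup (placeholder contents standing in for real exports).
        _write(backup, "pump_station_1/MainRoutine.L5X", b"<RLLContent>START_PUMP = ...</RLLContent>")
        _write(backup, "pump_station_1/setpoints.csv", b"tank_high,85\ntank_low,20\n")
        # Fresh export: one setpoint changed, main routine untouched, an unknown routine appeared.
        _write(live, "pump_station_1/MainRoutine.L5X", b"<RLLContent>START_PUMP = ...</RLLContent>")
        _write(live, "pump_station_1/setpoints.csv", b"tank_high,99\ntank_low,20\n")
        _write(live, "pump_station_1/Routine_x.L5X", b"<RLLContent>...</RLLContent>")
        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(backup), manifest_path)
        return compare(load_manifest(manifest_path), build_manifest(live))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty "modified" or "added" list that does not line up with a change-control ticket is the signal the monitoring bullet asks for; scheduling the export-and-compare step after every maintenance window gives a clean new baseline while catching anything that changed in between.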

ProArch’s OT Managed Services & Insights (OTIMS) provides 24x7x365 SOC response to both IT and OT cyber threats. We map your industrial control system dataflow, maintain managed and tested offsite backups, and centralize security monitoring and network support across your entire environment.

OTIMS prevents unplanned outages by detecting threats before they impact your operations. When incidents occur, our team responds immediately.

Explore our OTIMS Services to get the visibility, resilience, and response capability needed to operate with confidence.


Cyber threats never sleep, and neither do we. ProArch SOC protects you 24/7.

Explore ProArch SOC Services