OT Security Advisory: Iranian-Affiliated PLC Exploitation and Critical Infrastructure Threats

Critical Start Cyber Research Unit
June 26, 2026
TLP: CLEAR  |  CS-SA-26-0601  |  Cyber Threat Intelligence
CRITICALSTART® Security Advisory  •  Published June 1, 2026  •  Critical Start Cyber Research Unit

Executive Summary

Three overlapping developments define the current OT threat environment for CRITICALSTART® customers. First, an Iranian-affiliated state-directed campaign against internet-facing PLCs has been active since November 2023, escalating through four capability phases to the active exploitation of CVE-2021-22681, an authentication bypass in Rockwell Automation Logix controllers (CVSS 9.8) for which no vendor patch exists. A six-agency joint advisory published April 7, 2026, confirmed operational disruptions and financial losses at victim organizations across the water, energy, and government sectors.[1]

Second, the December 29, 2025 coordinated destructive attack on Polish wind, photovoltaic, and combined heat and power facilities confirmed that adversaries with OT access are willing to cause physical damage, including RTU destruction and wiper-based firmware damage, against distributed energy infrastructure.[6] Third, an accumulation of critical unpatched vulnerabilities across widely deployed OT platforms — including the BlastRADIUS flaw in Schneider Modicon network switches, critical weak-password controls in Horner PLCs, a legacy BACnet controller with no available fix, and a cluster of persistent Modicon controller vulnerabilities — is expanding the attack surface available to any actor operating in this space.[7][9]

This advisory summarizes the OT threat landscape, identifies actionable vulnerabilities, and provides prioritized mitigation guidance for OT organizations.

Threat Context

Iranian-Affiliated OT Exploitation Campaign

CyberAv3ngers, also tracked as Storm-0784, BAUXITE, and Hydro Kitten, is a state-directed group operating under Iran's IRGC Cyber-Electronic Command. The U.S. Treasury sanctioned six IRGC-CEC officials for directing the group's operations in February 2024.[3] The group's capability has escalated materially over three years: from default credential exploitation on Unitronics Vision Series PLCs in 2023, to deployment of the IOCONTROL custom OT malware platform in 2024,[2] to active exploitation of CVE-2021-22681 against Rockwell Automation CompactLogix and Micro850 controllers in 2026.[4]

Threat actors use Rockwell's own Studio 5000 Logix Designer and FactoryTalk software, installed on leased overseas VPS infrastructure, to establish sessions with victim PLCs that appear identical to authorized engineering activity.[4] Confirmed actions on target include modification of PLC project files (.L5X) to alter ladder logic, manipulation of HMI and SCADA display data to show false process readings, and direct commands causing process disruption.[1] The manipulation of display data is particularly consequential: operators acting on fabricated sensor readings may suppress legitimate alarms or take incorrect manual actions, compounding the physical impact beyond what the attacker directly causes.

Since the February 28, 2026 military escalation, several Iran-aligned hacktivist groups have activated. Confirmed or claimed post-advisory impact includes a three-week operational halt at a major medical technology company and claimed HMI access to a U.S. water treatment control system.[10] Dragos assessed in its 2026 OT/ICS Year in Review that Iranian adversaries have moved beyond pre-positioning to actively mapping control loops and developing the capability to manipulate physical processes.[5]

Iranian-Related Indicators of Compromise

Type | Indicator | Notes
IPv4 Address | 135.136.1[.]133 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]162 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]164 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]165 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]167 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]168 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]170 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 185.82.73[.]171 | As reported by CISA, FBI observed with affiliation to Iran
IPv4 Address | 91.109.190[.]74 | Active as of March 2026; EtherNet/IP access to Rockwell PLCs
IPv4 Address | 45.142.212[.]103 | Observed communicating with CompactLogix devices
IPv4 Address | 185.220.101[.]47 | Leased VPS; Rockwell Studio 5000 sessions observed
IPv4 Address | 194.165.16[.]18 | Inbound connections on port 44818 (EtherNet/IP)
IPv4 Address | 5.188.87[.]58 | Observed on port 102 (S7comm — potential Siemens targeting)
Protocol Port | 44818 / TCP | EtherNet/IP — Rockwell Allen-Bradley primary control protocol
Protocol Port | 502 / TCP | Modbus — broad multi-vendor OT applicability; also relevant to Modicon M340/Momentum
Protocol Port | 102 / TCP | S7comm — Siemens PLC protocol; present in actor traffic patterns
Protocol Port | 2222 / TCP | EtherNet/IP alternate; observed in active actor sessions
Protocol Port | 22 / TCP | SSH — Linux-based OT and IoT device access (IOCONTROL)
File Artifact | project_backup.L5X | Modified Rockwell Logix project file; altered ladder logic confirmed
C2 Protocol | MQTT over TLS / 8883 | IOCONTROL malware C2; blends with legitimate IoT traffic

Destructive OT Precedent: Poland, December 2025

On December 29, 2025, CERT Polska confirmed coordinated destructive attacks against Polish wind/PV farms and a combined heat and power plant. RTUs and local operator interfaces were physically damaged using wiper malware and firmware destruction. Communications between remote renewable sites and the distribution system operator were severed.[6] Infrastructure overlap was assessed against Russian-aligned clusters including Static Tundra and Berserk Bear.[8]

Independent of attribution, the Poland incident establishes that adversaries with OT access will use it destructively against distributed energy infrastructure, and that the consequence includes physical hardware damage and loss of supervisory communications, not merely data loss.

Current Vulnerability Surface

The following vulnerabilities span field-level controllers, OT network infrastructure, engineering workstations, and adjacent systems. Not all items will apply to every environment. Cross-reference against your asset inventory and prioritize by network reachability and operational criticality of the affected system. Where no patch is available, network isolation is the primary compensating control.

Product / Advisory | CVE(s) | CVSS | Risk and Action
Rockwell Automation Logix Controllers (active exploitation) | CVE-2021-22681 | 9.8 | Auth bypass actively exploited by Iranian-affiliated actors. No patch available. Mitigate via network isolation, mode key hardening, VPN-only access.
Schneider Modicon / Connexium Switches (ICSA-26-160-01) | CVE-2024-3596 (BlastRADIUS) | Critical | RADIUS auth forging undermines OT network segmentation. Apply firmware update; enable RADIUS Message-Authenticator.
Horner Automation Cscape / XL4 / XL7 (ICSA-26-106-03) | CVE-2026-6284 | 9.1 | Weak password controls on reachable PLC/OCS ecosystem. Upgrade Cscape to v10.2 SP2+; review device reachability.
Contemporary Controls BASControl20 (ICSA-26-099-01) | CVE-2025-13926 | 9.8 | Legacy BACnet/IP controller. No fix available (EOL product). Isolate immediately; plan replacement.
AVEVA Pipeline Simulation (ICSA-26-106-04) | CVE-2026-5387 | 9.3 | Unauthenticated API access to privileged simulator functions. Upgrade to 2025 SP1 P01+; restrict API; enable TLS.
Siemens KACO Blueplanet Inverters (ICSA-26-160-02) | CVE-2026-41125 | 6.0 | Credentials derivable from serial number. Relevant to solar OT environments. Update to fixed versions.
Schneider EcoStruxure Panel Server (ICSA-26-160-03) | CVE-2026-6866 | High | Auth weakness allows credential revert to factory defaults. Update to firmware 002.006.000.
Schneider Modicon M340 / MC80 / Momentum (ICSA-24-326-03, -25-035-06, -25-254-09) | CVE-2024-8933, -8935 | 7.7 | Password hash retrieval; Modbus session spoofing; memory tampering post-MITM. Apply all update cycles; block port 502/TCP from untrusted segments.
Mitsubishi Electric FA Engineering Software (ICSA-24-135-04, Update F) | Multiple | High | Malicious project files execute code on engineering workstations. Apply Update F; restrict untrusted file sources.
GPL Odorizers GPL750 (ICSA-26-099-02) | CVE-2026-4436 | 8.6 | Remote Modbus manipulation of odorant injection logic. Direct safety consequence. Apply latest software; segment Modbus paths.

Implications for Organizations

The exploitation techniques documented in this advisory do not behave like conventional IT intrusions. Three characteristics make them operationally distinct:

  • Standard IT security monitoring cannot see this. A Studio 5000 session from an actor-controlled VPS to a Rockwell PLC communicates entirely within EtherNet/IP on port 44818. There is no malicious executable, no lateral movement through endpoints, no anomalous DNS or HTTP. From an IT-focused security stack, the session is invisible. Detection requires OT protocol-layer visibility that most MDR programs, including Critical Start's, do not provide by default without dedicated integration.
  • Display manipulation is an attack on operator judgment, not just the system. Actors in this campaign have manipulated HMI and SCADA displays to show false process readings without triggering alarms. An operator acting on fabricated sensor data may suppress a legitimate alarm, delay an emergency response, or take a manual corrective action that worsens the physical outcome. The consequence can exceed what the attacker directly causes.
  • Exposure is not limited to organizations with direct OT targets. When a water utility or energy facility is disrupted, the effect propagates to dependent organizations including hospitals, manufacturers, and emergency services. The December 2025 Poland attack severed communications between remote renewable sites and the distribution system operator even though physical generation continued. Organizations that depend on utilities, shared infrastructure, or vendor-managed OT systems carry real secondary exposure from this campaign.
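As an added illustration of the protocol-port visibility gap described above (example code, not part of the advisory): a minimal triage pass over constructed connection records that flags any session to an industrial protocol port whose source is either a published indicator from this advisory or outside a hypothetical engineering allowlist.

```python
import ipaddress

# Industrial protocol ports named in the advisory's IOC table.
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus", 102: "S7comm", 2222: "EtherNet/IP-alt"}

# Subset of the advisory's defanged IPv4 indicators, as published.
DEFANGED_IOCS = ["91.109.190[.]74", "194.165.16[.]18", "185.82.73[.]162"]

def refang(ioc: str) -> str:
    """Turn a defanged '[.]' indicator back into a comparable dotted-quad string."""
    return ioc.replace("[.]", ".")

IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Hypothetical authorized jump-host / engineering network for this site (assumption).
ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

def allowed(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in ALLOWLIST)

def classify(line: str):
    """Parse 'ts src dst dport proto'; return (ts, src, dport, protocol, verdict),
    or None when the destination port is not an OT protocol port."""
    ts, src, _dst, dport, _proto = line.split()
    dport = int(dport)
    if dport not in OT_PORTS:
        return None
    if src in IOC_SET:
        verdict = "IOC-MATCH"
    elif not allowed(src):
        verdict = "UNLISTED-SOURCE"
    else:
        verdict = "authorized"
    return (ts, src, dport, OT_PORTS[dport], verdict)

def triage(lines):
    """Return only the OT-port sessions that need analyst attention."""
    return [r for r in (classify(l) for l in lines) if r and r[4] != "authorized"]

# Constructed sample flow records (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE = [
    "2026-06-01T08:00:01Z 10.20.0.15 10.30.1.5 44818 tcp",    # jump host, authorized
    "2026-06-01T08:02:17Z 91.109.190.74 10.30.1.5 44818 tcp", # advisory indicator
    "2026-06-01T08:03:40Z 203.0.113.9 10.30.1.7 502 tcp",     # not on the allowlist
    "2026-06-01T08:04:00Z 10.20.0.15 10.30.1.9 443 tcp",      # not an OT port, ignored
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Note that an "authorized" verdict only means the source is on the allowlist; a Studio 5000 session from an approved jump host still needs correlation with a change record.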

Prioritized Mitigation Strategies

To mitigate risks associated with OT cyberattacks, we recommend the following prioritized strategies:

Foundational — Address First
  1. Eliminate and contain internet exposure. Audit all OT devices using Shodan or Censys against industrial protocol ports (44818, 502, 102, 2222). Remove internet connectivity where possible. Where it cannot be removed, place the device in a completely isolated segment with no routing path back to the production OT network, no trust relationships to mission-critical systems, and no connection to safety instrumented systems. If those dependencies exist, design them out.
  2. Restrict all programming and remote access. Set PLC mode keys to RUN position, restricting all logic changes to physical in-person access only. All remote access must route through a monitored jump server with MFA and session logging. Vendor access must be time-limited and terminated when maintenance concludes.
Patch, Harden, and Stay Current
  1. Patch deployed OT platforms and stay current on advisories. Cross-reference the vulnerability table against your asset inventory and apply available patches on an accelerated schedule, including OT networking equipment where a compromised switch undermines every segmentation control downstream. Actively monitor CISA ICS advisories and vendor security notifications, as many vulnerabilities go through multiple update cycles. For end-of-life devices with no fix path, begin replacement planning immediately.
Detect, Verify, and Respond
  1. Review logs, baseline project files, and validate display integrity. Review inbound OT traffic for connections from outside your authorized allowlist and cross-reference against the Iranian campaign IOCs in this advisory. Establish known-good baselines for all production PLC project files and flag any change not tied to an authorized change record. Cross-check SCADA display values against physical instrumentation during elevated threat periods, as fabricated data within normal operating ranges will not trigger automated alarms.
  2. Close the MDR visibility gap and prepare for OT-specific incidents. Standard MDR coverage, including Critical Start's, does not extend to OT protocol-layer activity without dedicated integration. If your environment lacks a passive OT monitoring solution feeding into your SOC, your MDR provider cannot see the primary attack surface in this advisory. Engage your Critical Start Customer Success representative to assess OT telemetry coverage and integration options. Ensure incident response plans cover OT-specific scenarios including PLC access, project file modification, display manipulation, and RTU communication loss, with rehearsed transitions to manual operation.
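The project-file baselining step above, as an added example that is not part of the advisory: fingerprint only the ladder-logic content of a simplified, constructed .L5X export and compare it against a known-good fingerprint and a hypothetical store of change-record-approved fingerprints, so that export metadata churn neither hides nor falsely signals a logic change.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a Logix .L5X export; a real export is far larger,
# but ladder logic is likewise carried as rung text inside Routine elements.
BASELINE_L5X = """<RSLogix5000Content SchemaRevision="1.0" TargetName="Pump_Station">
<Controller Name="Pump_Station"><Programs><Program Name="Main"><Routines>
<Routine Name="Fill" Type="RLL"><RLLContent>
<Rung Number="0" Type="N"><Text><![CDATA[XIC(Level_Low)OTE(Pump_Run);]]></Text></Rung>
<Rung Number="1" Type="N"><Text><![CDATA[XIC(Level_High)OTU(Pump_Run);]]></Text></Rung>
</RLLContent></Routine></Routines></Program></Programs></Controller>
</RSLogix5000Content>"""

# Same project after a one-token logic change: the pump now starts on HIGH level, not LOW.
MODIFIED_L5X = BASELINE_L5X.replace("XIC(Level_Low)OTE", "XIC(Level_High)OTE")

# Same logic re-exported with an extra metadata attribute (constructed attribute name).
REEXPORTED_L5X = BASELINE_L5X.replace('TargetName="Pump_Station"',
                                      'TargetName="Pump_Station" ExportDate="2026-06-01"')

def logic_fingerprint(l5x_text: str) -> str:
    """SHA-256 over routine name, rung number and rung text only."""
    root = ET.fromstring(l5x_text)
    h = hashlib.sha256()
    for routine in root.iter("Routine"):
        for rung in routine.iter("Rung"):
            rec = f"{routine.get('Name')}:{rung.get('Number')}:{rung.findtext('Text', '').strip()}\n"
            h.update(rec.encode())
    return h.hexdigest()

def verify_project(current_l5x: str, baseline_fp: str, approved_fps: set) -> tuple:
    """Compare a pulled project against its known-good fingerprint. A differing
    fingerprint is acceptable only if an authorized change record already lists it."""
    fp = logic_fingerprint(current_l5x)
    if fp == baseline_fp:
        return ("unchanged", fp)
    if fp in approved_fps:
        return ("authorized-change", fp)
    return ("UNAUTHORIZED-CHANGE", fp)

BASELINE_FP = logic_fingerprint(BASELINE_L5X)
APPROVED_FPS = set()  # hypothetical store of fingerprints attached to change records

if __name__ == "__main__":
    for name, doc in [("baseline", BASELINE_L5X), ("re-export", REEXPORTED_L5X), ("modified", MODIFIED_L5X)]:
        print(name, verify_project(doc, BASELINE_FP, APPROVED_FPS)[0])
```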

Conclusion

The OT threat environment as of June 2026 is not defined by a single actor or a single advisory. It reflects the convergence of an active state-directed Iranian exploitation campaign, a confirmed precedent for destructive physical consequence in distributed energy environments, and a growing catalog of critical unpatched vulnerabilities across widely deployed OT platforms.

The Iranian campaign is the most directly confirmed risk. A group operating under IRGC direction has spent three years systematically developing and exercising the capability to access, manipulate, and disrupt U.S. OT systems, and confirmed disruptions at victim organizations show that capability is being used, not just held in reserve. The geopolitical conditions driving this activity remain unresolved.

The most effective response is architectural. Removing internet exposure, isolating devices that must remain connected, and restricting programming to in-person access eliminate the preconditions the actor requires. No detection investment substitutes for resolving those structural conditions first.

For organizations that have addressed exposure, the vulnerability table and advisory monitoring guidance in this document provide the next layer of action. The patch landscape across OT platforms is active and multi-cycle. Treating it as routine backlog underestimates the cumulative risk in the current environment.

For more threat reports, including the H2 2025 report detailing trending cybersecurity concerns, visit Critical Start's Intel Hub. Should anything new surface, this advisory will be updated. This advisory was written using the best intelligence available at the time and is subject to change as additional information becomes available.


Further Reading

  • [1] CISA, FBI, NSA, EPA, DOE, USCYBERCOM, "Joint Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure," Apr. 7, 2026.
  • [2] Claroty Team82, "Inside a New OT/IoT Cyberweapon: IOCONTROL," Claroty Research Blog, Dec. 2024. claroty.com
  • [3] Tenable Security Research, "CyberAv3ngers: FAQ About Iran-Linked Threat Group Targeting U.S. Critical Infrastructure," Tenable Blog, Apr. 9, 2026. tenable.com
  • [4] Palo Alto Networks Unit 42, "Threat Brief: Escalation of Cyber Risk Related to Iran," Unit 42 Threat Research, Apr. 17, 2026. unit42.paloaltonetworks.com
  • [5] Dragos, "2026 OT/ICS Cybersecurity Year in Review," Dragos Intelligence, 2026. dragos.com
  • [6] CERT Polska, "Energy Sector Incident Report – 29 December 2025," CERT Polska, Jan. 30, 2026. cert.pl
  • [7] OT-ISAC, "OT-ISAC Vulnerability Advisory – April 2026 Compilation (TLP:CLEAR)," OT-ISAC Asia-Pacific, Apr. 17, 2026. otisac.org
  • [8] OT-ISAC Threat Intelligence / Protos AI, "OT-ISAC Energy Sector Threat Advisory (TLP:CLEAR)," OT-ISAC Asia-Pacific, Apr. 24, 2026. otisac.org
  • [9] CISA / Schneider Electric CPCERT, "ICS Advisory ICSA-26-160-01: Schneider Electric Modicon Network Managed Switches," CISA ICS Advisories, Jun. 9, 2026. cisa.gov
  • [10] CyberScoop, "Iranian Hackers Launching Disruptive Attacks at U.S. Energy, Water Targets," CyberScoop, Apr. 7, 2026. cyberscoop.com