The FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command jointly released advisory AA26-097A on April 7, 2026, warning that Iranian-affiliated threat actors linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC CEC) — tracked as CyberAv3ngers and also as Storm-0784, Bauxite, UNC5691, and Shahid Kaveh Group — are actively exploiting internet-exposed Rockwell Automation Allen-Bradley programmable logic controllers across U.S. critical infrastructure. As of the advisory date, 5,219 internet-facing Allen-Bradley hosts are globally exposed, with 3,891 (74.6%) located in the United States.
CISA AA26-097A and CyberAv3ngers: Technical Details
The IRGC-affiliated CyberAv3ngers campaign does not leverage zero-day exploits. Threat actors access internet-exposed PLCs using Rockwell Automation Studio 5000 Logix Designer — the vendor’s own legitimate engineering workstation software — to authenticate directly to exposed EtherNet/IP endpoints and interact with project files and HMI/SCADA display data. The advisory does not assign any CVE numbers to this activity; the attack surface is device exposure, not a software vulnerability.
Targeted Allen-Bradley PLC models:
| Model Family | Catalog Prefix | Notes |
|---|---|---|
| CompactLogix | 1769-, 5069- | Primary campaign target |
| Micro850 | — | Secondary target |
| MicroLogix 1400 | 1766- | End-of-sale; firmware C/21.02 and C/21.07 specifically noted |
Actors manipulate HMI/SCADA display data and project files once they reach an accessible PLC. Beyond EtherNet/IP (TCP port 44818), the campaign also probes Modbus (TCP/502) and Siemens S7 (TCP/102), indicating broad OT reconnaissance across device types beyond Allen-Bradley hardware.
Co-located services amplifying attack surface:
| Co-exposed Service | Instances |
|---|---|
| VNC (direct HMI graphical access) | 771 |
| Modbus | 292 |
| Telnet (cleartext legacy access) | 280 |
| Red Lion Crimson SCADA | 256 |
The 771 VNC-exposed instances are particularly severe: they allow an authenticated actor to interact with the HMI graphical interface directly, enabling real-world process manipulation without any PLC-level access required.
Exploitation and Threat Landscape
CyberAv3ngers is the same actor responsible for the November 2023 Unitronics PLC compromise, which disrupted more than 75 U.S. water and wastewater facilities by exploiting default credentials on Unitronics Vision Series PLCs. The CISA AA26-097A campaign, active since at least March 2026, represents a tactical evolution: where the 2023 operations exploited one specific, well-defined weakness (default passwords, with no CVE assigned), the 2026 operations rely entirely on internet-accessible attack surface and legitimate engineering software — removing the need for exploit code and leaving almost nothing for signature-based detection to match on.
Some victims confirmed by the advisory experienced operational disruption and financial loss. MITRE ATT&CK for ICS techniques applicable to this campaign:
| Technique | ID | Description |
|---|---|---|
| Internet Accessible Device | T0883 | PLCs directly accessible from the internet |
| External Remote Services | T0888 | Studio 5000 used remotely over EtherNet/IP |
| Damage to Property | T0879 | Operational disruption confirmed in victims |
| Alarm Suppression | T0878 | HMI display manipulation can mask real-world process state |
| Brute Force I/O | T0806 | Project file manipulation alters physical output states |
Confirmed indicators of compromise (IOCs) from Censys and the advisory:
Operator workstation cluster — AS214036 ULTAHOST, Amsterdam:
| IOC | Type |
|---|---|
| 185.82.73.160–185.82.73.171 | IPv4 range |
| TCP 43589 (non-standard RDP) | Exposed port |
| CN: DESKTOP-BOE5MUC | Self-signed TLS certificate CN |
The workstation cluster hosts a complete Rockwell Automation toolchain: Studio 5000, FactoryTalk, RSLinx, and CodeMeter. Four IPs in this range (.160, .161, .163, .166) were identified by Censys threat research but are absent from the official CISA advisory text — they should still be treated as attributed to this threat cluster and blocked accordingly.
Staging box — AS9009 M247 Europe Romania:
| IOC | Type |
|---|---|
| 135.136.1.133 | IPv4 |
| WIN-U4IRECQ65UN | Default Windows Server hostname |
The staging box was active during a narrow window of March 14–18, 2026 (approximately four days), consistent with a temporary operational pivot point.
Censys threat hunting signatures for identifying actor infrastructure:

```
cert.parsed.subject.common_name="DESKTOP-BOE5MUC"

host.services.eip.identity.vendor_id="0x004d" AND host.services.eip.identity.product_name=/DESKTOP-.+/

web.endpoints.http.headers:(key="Server" AND value="WIBU-SYSTEMS HTTP Server")
```
Who Is Affected
Three U.S. critical infrastructure sectors are confirmed targets in CISA AA26-097A:
- Water and Wastewater Systems (WWS) — highest concentration of exposed CompactLogix and MicroLogix 1400 devices
- Energy and Utilities — substations and generation facilities with internet-connected OT
- Government Services and Facilities — building management and infrastructure control systems
The exposure is disproportionately concentrated on cellular carrier networks: Verizon Business (2,564 devices) and AT&T Mobility (693 devices) together account for 62.4% of all U.S.-exposed Allen-Bradley hosts. This reflects the widespread use of cellular modems for remote PLC management in distributed water treatment facilities, pump stations, and substations — a configuration that eliminates the network perimeter entirely and places the device directly on the internet.
MicroLogix 1400 devices running end-of-sale firmware versions C/21.02 and C/21.07 are specifically called out in the advisory as a priority concern given their combination of internet exposure, legacy firmware, and end-of-support status.
What You Should Do Right Now
- Remove PLCs from direct internet exposure immediately. Any CompactLogix, Micro850, or MicroLogix 1400 with a publicly routable IP address must be placed behind a firewall or VPN that restricts access to specific approved engineering workstation IPs. This eliminates the attack vector without requiring any device-side change.
- Disable or restrict cellular modems on PLC panels. If cellular connectivity is operationally necessary, enforce connection through a VPN with client certificate authentication. Disable the modem entirely during non-maintenance windows where possible.
- Switch CompactLogix and MicroLogix devices to RUN mode via the physical keyswitch. In RUN mode, project file downloads over the network are blocked, eliminating the primary mechanism by which actors manipulate PLC programs remotely.
- Audit MicroLogix 1400 firmware and apply updates where available. Contact Rockwell Automation support (ra.rockwellautomation.com) for guidance on firmware C/21.02 and C/21.07 — both are end-of-sale. Where no firmware update path exists, compensate with network isolation.
- Block all OT protocol ingress at the internet boundary:

```
DENY any → TCP 44818          # EtherNet/IP
DENY any → TCP 502            # Modbus
DENY any → TCP 102            # Siemens S7
DENY any → TCP/UDP 5900-5903  # VNC
DENY any → TCP 23             # Telnet
```

- Block confirmed adversary IP ranges at perimeter firewalls:

```
DENY 185.82.73.160/29   # ULTAHOST operator workstation cluster
DENY 135.136.1.133/32   # M247 staging box
```
Detection and Verification
Query firewall and IDS logs for inbound connections to TCP 44818 from any source IP not on an approved engineering workstation allow-list. A connection to EtherNet/IP from any IP in AS214036 (ULTAHOST) or AS9009 (M247 Europe Romania) should be treated as a confirmed intrusion indicator.
On the PLC side, Rockwell Automation’s Studio 5000 audit logging and FactoryTalk Security can record project download events. Review audit logs for project downloads occurring outside business hours, from unrecognised source IPs, or with the Studio 5000 version matching the actor toolchain. Enable FactoryTalk Security event forwarding to your SIEM if not already configured.
SIEM query to detect EtherNet/IP access from untrusted sources:

```sql
SELECT src_ip, dst_ip, dst_port, timestamp
FROM firewall_logs
WHERE dst_port = 44818
  AND src_ip NOT IN (SELECT ip FROM approved_ot_workstations)
ORDER BY timestamp DESC
LIMIT 500
```
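The SQL query above covers one port and one allow-list. As an added example (not from the advisory, CISA, or Censys), the script below generalises the same triage to all of the OT ports named in this write-up and layers the two checks the Detection section asks for: is the source on the engineering-workstation allow-list, and does it fall inside the adversary ranges given above. It also flags whether the event happened outside business hours, which the Studio 5000 audit-log review step relies on. The key=value log format, the 10.20.30.x allow-list entries and the 07:00–19:00 business window are assumptions; the ports and the two adversary prefixes are taken from the page as written.

```python
import ipaddress
from datetime import datetime

# OT service ports named in this write-up (not an exhaustive OT port list).
OT_PORTS = {
    44818: "EtherNet/IP",
    502: "Modbus",
    102: "Siemens S7",
    5900: "VNC", 5901: "VNC", 5902: "VNC", 5903: "VNC",
    23: "Telnet",
}

# Adversary infrastructure exactly as given in the block-list above.
ADVERSARY_NETS = [
    ipaddress.ip_network("185.82.73.160/29"),  # ULTAHOST operator workstation cluster
    ipaddress.ip_network("135.136.1.133/32"),  # M247 staging box
]

# Assumed engineering-workstation allow-list (placeholder private addresses).
APPROVED_OT_WORKSTATIONS = {"10.20.30.40", "10.20.30.41"}

# Constructed sample firewall log lines in an assumed key=value export format.
SAMPLE_LOGS = """\
ts=2026-03-15T02:14:07Z action=allow src=185.82.73.163 dst=203.0.113.10 proto=tcp dport=44818
ts=2026-03-15T09:30:12Z action=allow src=10.20.30.40 dst=203.0.113.10 proto=tcp dport=44818
ts=2026-03-16T22:41:55Z action=allow src=198.51.100.7 dst=203.0.113.11 proto=tcp dport=502
ts=2026-03-17T11:05:33Z action=allow src=135.136.1.133 dst=203.0.113.12 proto=tcp dport=5900
ts=2026-03-17T11:06:01Z action=allow src=198.51.100.9 dst=203.0.113.12 proto=tcp dport=443
ts=2026-03-18T03:12:44Z action=deny src=185.82.73.160 dst=203.0.113.10 proto=tcp dport=44818
"""


def parse_line(line):
    """Parse one key=value log line into a dict; None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"ts", "action", "src", "dport"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def in_adversary_range(ip):
    """True if the address falls inside any listed adversary prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADVERSARY_NETS)


def outside_business_hours(ts, start_hour=7, end_hour=19):
    """Assumed 07:00-19:00 business window; anything else is after hours."""
    return not (start_hour <= ts.hour < end_hour)


def classify(event):
    """Severity for one parsed event, or None when no alert is warranted."""
    if event["dport"] not in OT_PORTS:
        return None                      # not an OT service we track
    src = event["src"]
    if in_adversary_range(src):
        return "CRITICAL"                # known actor infrastructure, allowed or not
    if src in APPROVED_OT_WORKSTATIONS:
        return None                      # expected engineering access
    if event["action"] == "allow":
        return "HIGH"                    # unknown source actually reached an OT service
    return "INFO"                        # blocked probe, still worth counting


def triage(log_text):
    """Run every line through the checks and return alerts, most severe first."""
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        severity = classify(event)
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "src": event["src"],
            "service": OT_PORTS[event["dport"]],
            "dport": event["dport"],
            "action": event["action"],
            "after_hours": outside_business_hours(event["ts"]),
            "ts": event["ts"].isoformat(),
        })
    rank = {"CRITICAL": 0, "HIGH": 1, "INFO": 2}
    alerts.sort(key=lambda a: rank[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

Two points worth noting when adapting this: a denied connection from an adversary prefix is still rated CRITICAL, because the indicator is the source, not whether the firewall happened to stop it; and the 185.82.73.160/29 prefix used in the block-list covers .160 through .167 only, while the IOC table lists the range as extending to .171, so reconcile the two against your own threat-intel feed before deploying the block rule.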
Conclusion
With 3,891 internet-exposed Allen-Bradley PLCs in the United States and a threat actor that requires no exploit code — only Rockwell’s own legitimate software and an open EtherNet/IP port — risk reduction is straightforward: remove the devices from the internet. Organizations in water, energy, and government sectors operating Rockwell Automation Allen-Bradley hardware should treat any internet-exposed PLC as a confirmed attack surface requiring immediate isolation and audit.
For any query contact us at contact@cipherssecurity.com

