When OT Becomes the Target: Iran-Linked Activity Disrupts PLCs Across Critical Infrastructure
Iran-linked threat actors have been observed targeting internet-exposed programmable logic controllers (PLCs) across critical infrastructure sectors in the United States.
According to the Federal Bureau of Investigation, the activity has led to operational disruption, manipulation of industrial processes, and financial impact in affected environments.
What Happened
The campaign focuses on operational technology (OT) systems, specifically PLC devices used to control industrial processes.
Affected sectors include:
- water and wastewater systems
- energy infrastructure
- government facilities
The attacks involve direct interaction with PLC project files and manipulation of data displayed through HMI and SCADA systems.
How the Attacks Work
The activity targets PLCs that are reachable directly from the internet.
Attackers establish access by connecting with legitimate industrial configuration tools, the same engineering software an operator would use, and then:
- interact with PLC project files
- modify process data and system behavior
In observed cases, the attackers also deployed:
- SSH access via the Dropbear SSH server
- remote command-and-control channels over TCP port 22
This allowed them to:
- extract configuration data
- manipulate system logic
- disrupt operational processes
Targeted Systems
The campaign has specifically involved Rockwell Automation's Allen-Bradley PLC lines, including:
- CompactLogix controllers
- Micro850 controllers
These controllers are widely used across industrial and critical infrastructure environments. Both are programmed over EtherNet/IP with standard Rockwell engineering software (Studio 5000 Logix Designer for CompactLogix, Connected Components Workbench for Micro850), which is the kind of legitimate configuration tooling described above.
Why This Matters
This is not a traditional IT attack.
It directly affects physical processes.
Three key observations:
1. Exposure defines risk
Internet-facing OT systems become immediate entry points.
2. Legitimate tools are used for access
The activity blends into expected operational workflows.
3. Impact is operational, not only digital
Disruption affects real-world processes.
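The first observation is testable: if a PLC answers an EtherNet/IP identity query from the outside, it is exposed in exactly the sense the advisory describes. The script below is an added example for this post, not a tool from the FBI advisory, Rockwell Automation or DIAMATIX. It sends the unauthenticated ListIdentity request that Rockwell engineering software and scanners use for device discovery and decodes the reply. The byte layout follows the ODVA EtherNet/IP encapsulation specification; the sample reply is constructed (catalog number, serial and product code are made up), and probe() should only be run against addresses you are responsible for, from the network position an attacker would have, to confirm that nothing answers.

```python
"""EtherNet/IP ListIdentity exposure check with a response decoder.

Added example; not tooling from the FBI advisory, Rockwell or DIAMATIX.
The sample reply is constructed, not captured from a device.
"""
import socket
import struct

ENIP_PORT = 44818
LIST_IDENTITY = 0x0063          # encapsulation command
CIP_IDENTITY_ITEM = 0x000C      # item type carrying Identity object attributes
ENCAP_HDR = "<HHIIQI"           # command, length, session, status, context(8), options
IDENTITY_FIELDS = "<HHHBBHIB"   # vendor, device type, product code, rev major/minor,
                                # status, serial, product-name length
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}   # ODVA vendor ID 1
DEVICE_TYPES = {0x0E: "Programmable Logic Controller"}


def build_list_identity():
    """24-byte ListIdentity request: encapsulation header only, zero-length payload."""
    return struct.pack(ENCAP_HDR, LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(data):
    """Decode a ListIdentity reply into one dict per CIP Identity item."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(ENCAP_HDR, data, 0)
    if cmd != LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command {cmd:#06x} / status {status:#x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item, off = body[off:off + item_len], off + item_len
        if item_type != CIP_IDENTITY_ITEM:
            continue
        # item layout: protocol version (2, LE), sockaddr_in (16, big-endian),
        # then the little-endian identity fields, product name, and state byte
        _family, port, raw_ip = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, product, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from(IDENTITY_FIELDS, item, 18)
        name = item[33:33 + name_len].decode("ascii", "replace")
        devices.append({
            "ip": socket.inet_ntoa(raw_ip), "port": port,
            "vendor": VENDOR_NAMES.get(vendor, f"vendor {vendor}"),
            "device_type": DEVICE_TYPES.get(dev_type, f"type {dev_type:#x}"),
            "product_code": product, "revision": f"{rev_major}.{rev_minor:03d}",
            "status": dev_status, "serial": f"{serial:08X}",
            "product_name": name, "state": item[33 + name_len],
        })
    return devices


def build_identity_item(ip, vendor, dev_type, product, rev, status, serial, name, state):
    """Encode one CIP Identity item (used here only to construct sample data)."""
    sockaddr = struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton(ip), b"")
    fields = struct.pack(IDENTITY_FIELDS, vendor, dev_type, product, rev[0], rev[1],
                         status, serial, len(name))
    body = struct.pack("<H", 1) + sockaddr + fields + name.encode("ascii") + bytes([state])
    return struct.pack("<HH", CIP_IDENTITY_ITEM, len(body)) + body


def build_list_identity_response(items):
    """Wrap encoded items in a ListIdentity reply (constructed sample data)."""
    payload = struct.pack("<H", len(items)) + b"".join(items)
    return struct.pack(ENCAP_HDR, LIST_IDENTITY, len(payload), 0, 0, 0, 0) + payload


def probe(host, timeout=3.0):
    """Send ListIdentity over TCP 44818; return decoded devices, [] if nothing answers."""
    try:
        with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
            s.sendall(build_list_identity())
            data = s.recv(24)
            if len(data) == 24:
                (length,) = struct.unpack_from("<H", data, 2)
                while len(data) < 24 + length:            # read the full payload
                    chunk = s.recv(24 + length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except OSError:
        return []
    return parse_list_identity(data) if len(data) >= 24 else []


# Constructed reply standing in for a CompactLogix that is reachable from outside.
SAMPLE_REPLY = build_list_identity_response([
    build_identity_item("10.10.50.11", 1, 0x0E, 0x0064, (32, 11), 0x0030,
                        0x00ABCDEF, "1769-L33ER/B LOGIX5333ER", 3),
])

if __name__ == "__main__":
    for dev in parse_list_identity(SAMPLE_REPLY):
        print(f"{dev['ip']}:{dev['port']} {dev['vendor']} {dev['product_name']} "
              f"rev {dev['revision']} serial {dev['serial']}")
```

Any decoded device returned by probe() from an untrusted network position is a finding in itself: the identity query needs no credentials, and the same reachability that lets this script read the catalog number lets engineering software open the project.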
DIAMATIX Perspective
This case highlights a critical reality.
The boundary between IT and OT is no longer theoretical.
It is operational.
The entry point is not sophisticated exploitation.
It is exposure.
Once access is established, attackers operate within the logic of the system itself.
This changes how risk must be approached.
From an operational standpoint:
- OT assets must not be directly exposed to the internet
- access must be tightly controlled and monitored
- visibility must extend beyond IT into industrial environments
- abnormal interactions with control systems must be detected early
The challenge is not only protection.
It is understanding what “normal” looks like in operational systems.
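"Normal" for a PLC is narrow enough to write down: a handful of engineering workstations speaking EtherNet/IP to it, and the PLC never opening SSH sessions to anyone. The script below turns that baseline into detection logic over connection records; it is an added example for this post, not tooling from the FBI advisory, Rockwell Automation or DIAMATIX. The log lines are constructed, Zeek conn.log-style records, and the PLC subnet, engineering-workstation addresses and allowed ports are assumed site policy rather than facts from the post. It covers both the access pattern described under "How the Attacks Work" (engineering protocol from the wrong source, port 22 to and from the controller) and the monitoring points listed above.

```python
"""Baseline-based detection of suspicious PLC traffic.

Added example; not tooling from the FBI advisory, Rockwell or DIAMATIX.
Input is constructed, Zeek conn.log-style TSV (ts, orig_h, orig_p, resp_h,
resp_p, proto); a real deployment would read the same fields from Zeek, a
firewall or a span-port collector. Policy values below are assumptions.
"""
import ipaddress

# Assumed site policy. Rockwell/Allen-Bradley engineering tools (Studio 5000,
# Connected Components Workbench, RSLinx) use EtherNet/IP explicit messaging on
# TCP 44818; implicit I/O uses UDP 2222. Nothing else should reach a PLC, and a
# PLC should never be the client side of an SSH session.
POLICY = {
    "plc_nets": [ipaddress.ip_network("10.10.50.0/24")],
    "engineering_hosts": {"10.10.20.5", "10.10.20.6"},
    "allowed_plc_services": {("tcp", 44818), ("udp", 2222)},
}
# RFC 1918 space; anything outside it is treated as "internet" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a normal engineering session, an engineering session from
# the wrong host, an internet-sourced engineering session, a PLC calling out on
# port 22, an inbound SSH connection to a PLC, and normal implicit I/O.
SAMPLE_CONN_LOG = """\
1700000000.1\t10.10.20.5\t51000\t10.10.50.11\t44818\ttcp
1700000001.2\t10.10.30.77\t51001\t10.10.50.11\t44818\ttcp
1700000002.3\t198.51.100.23\t51002\t10.10.50.12\t44818\ttcp
1700000003.4\t10.10.50.12\t41234\t203.0.113.9\t22\ttcp
1700000004.5\t203.0.113.9\t51003\t10.10.50.12\t22\ttcp
1700000005.6\t10.10.20.6\t51004\t10.10.50.13\t2222\tudp
"""


def parse_conn_log(text):
    """Parse tab-separated conn records into dicts; skips comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto.lower(),
        })
    return records


def in_any(addr, nets):
    """True if addr falls inside one of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(rec, policy=POLICY):
    """Return the list of baseline violations for one connection record."""
    findings = []
    service = (rec["proto"], rec["resp_p"])

    if in_any(rec["resp_h"], policy["plc_nets"]):      # something talking TO a PLC
        if not in_any(rec["orig_h"], INTERNAL_NETS):
            findings.append("internet-sourced connection to PLC")
        if service not in policy["allowed_plc_services"]:
            findings.append(f"unexpected service on PLC: {service[0]}/{service[1]}")
        elif rec["orig_h"] not in policy["engineering_hosts"]:
            findings.append(f"engineering protocol {service[0]}/{service[1]} "
                            "from non-engineering host")

    if in_any(rec["orig_h"], policy["plc_nets"]):      # the PLC itself is the client
        if not in_any(rec["resp_h"], INTERNAL_NETS):
            findings.append("PLC-originated connection to internet address")
        if rec["resp_p"] == 22:
            findings.append("PLC-originated SSH session (possible C2 over port 22)")
    return findings


def analyze(text, policy=POLICY):
    """Run classify() over a log; return (ts, orig_h, resp_h, finding) tuples."""
    alerts = []
    for rec in parse_conn_log(text):
        for finding in classify(rec, policy):
            alerts.append((rec["ts"], rec["orig_h"], rec["resp_h"], finding))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, why in analyze(SAMPLE_CONN_LOG):
        print(f"{ts:.1f} {src} -> {dst}: {why}")
```

The allowlist is deliberately small: on a controller network the cost of a false positive is an analyst checking with the operator, while the cost of a miss is a changed project file. The two clean records (an engineering host on 44818 and implicit I/O on 2222) produce nothing; the other four produce seven findings between them.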
Broader Context
The activity is part of a broader pattern of escalation.
Threat actors linked to Iran have previously targeted OT systems using similar approaches; in late 2023, IRGC-affiliated actors defaced internet-exposed Unitronics PLCs at U.S. water utilities by logging in with the devices' default credentials rather than exploiting a vulnerability.
Recent intelligence also indicates increasing overlap between state-directed activity and cybercriminal tooling, further complicating attribution and detection.
Conclusion
This campaign demonstrates that critical infrastructure is an active target.
The risk is no longer limited to data.
It extends to the systems that support essential services.
Sources
- Federal Bureau of Investigation, advisory on PLC targeting activity
- Public threat intelligence reporting on OT-focused campaigns