Iranian-Affiliated APT Targeting of Rockwell/Allen-Bradley PLCs
ID: f4e1e3f6-eff6-540d-9825-53589622ee28
STIX ID: report--f4e1e3f6-eff6-540d-9825-53589622ee28
Feed Name: Censys Blog
**Executive summary:** A joint US advisory (FBI/CISA/NSA/etc.) and Censys analysis report an active Iranian-affiliated APT campaign (CyberAv3ngers/IRGC CEC) that has been exploiting internet-facing Rockwell/Allen-Bradley PLCs and engineering workstations since at least March 2026. Censys enumeration found 5,219 EtherNet/IP-responding hosts (3,891 in the US), concentrated on cellular carrier ASNs. The report covers confirmed targeting of the CompactLogix and Micro850 families, operator workstation multi-homing (185.82.73.160–.171), and a single-use staging host (135.136.1.133), and it provides IOCs, prioritized mitigations, and hunting queries.
