Iran-linked cyberattacks have recently disrupted several critical infrastructure sectors in the United States, according to a joint advisory issued by federal agencies. The attacks targeted operational technology (OT) devices, causing significant concern among officials.
Widespread Impact on Critical Sectors
The FBI, CISA, NSA, EPA, DOE, and United States Cyber Command collectively warned of these cyber threats in a recent advisory. The attacks have impacted multiple sectors, including Government Services, Water and Wastewater Systems, and Energy Sectors.
Iranian-linked threat actors have been found to be actively targeting internet-exposed programmable logic controllers (PLCs), particularly those manufactured by Rockwell Automation/Allen-Bradley. However, other vendors are also potentially at risk.
Potential for Extensive Disruptions
The advisory highlighted that organizations across various U.S. critical infrastructure sectors experienced disruptions due to malicious interactions with project files and data manipulation on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.
Due to the extensive use of these PLCs and the possibility of other OT devices being targeted, federal agencies urge U.S. organizations to review tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to identify current or historical activities on their networks.
Similarities with Previous Attacks
The recent cyber activity resembles past operations linked to groups such as CyberAv3ngers, known for targeting U.S. infrastructure sectors. This group, associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has previously attacked water utilities in both the United States and Ireland.
In October 2024, it was reported that CyberAv3ngers utilized OpenAI’s ChatGPT tool to plan industrial control system attacks, aiding them in reconnaissance and vulnerability exploitation.
Escalating Iran-Linked Operations
The attacks are part of a broader trend of increasing Iran-linked cyber operations. Notably, the Handala group targeted medical technology giant Stryker, wiping over 200,000 devices. The U.S. government has linked Handala to Iranian state actions, following the seizure of numerous websites used by the group.
Federal agencies recommend that organizations assess their OT environments for vulnerabilities and apply recommended mitigations to prevent exploitation by such cyber threats.
To support defense efforts, downloadable lists of IOCs are available in both XML and JSON formats, providing valuable resources for organizations seeking to reinforce their cybersecurity measures.
Conclusion
As cyber threats linked to Iran continue to escalate, it is crucial for U.S. organizations to remain vigilant and proactive in defending their critical infrastructure. By staying informed and implementing recommended security measures, the risk of compromise can be significantly reduced.
