Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Are Exposed Amid Iranian APT Activity

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command jointly disclosed on April 7, 2026, that Iranian-affiliated advanced persistent threat (APT) actors are actively targeting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs).

These industrial devices are widely used in critical infrastructure, including water treatment plants, energy facilities, and government operations.

The advisory, labeled AA26-097A, confirmed that this threat is ongoing and poses a serious risk to operational technology (OT) environments across the United States and beyond.

The threat actors behind this campaign are linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and have been tracked under multiple aliases, including CyberAv3ngers, Shahid Kaveh Group, Storm-0784, Bauxite, and UNC5691.

Beginning in November 2023, the same group compromised at least 75 Unitronics PLCs across U.S. water and wastewater facilities, as documented in CISA advisory AA23-335A.

The current campaign, active since at least March 2026, marks a significant escalation now targeting Rockwell devices.

Censys researchers identified 5,219 internet-exposed hosts globally that respond to EtherNet/IP (EIP) on port 44818 and self-identify as Rockwell Automation/Allen-Bradley devices — representing the full attack surface tied to this advisory.

The United States alone accounts for 74.6% of that exposure, with 3,891 hosts at risk. Countries like Spain (110 hosts), Taiwan (78), and Italy (73) also showed notable exposure.

Figure 1: Global Distribution of Internet-Exposed Rockwell/Allen-Bradley PLC Hosts.​

What makes this campaign particularly concerning is that the threat actors are not using zero-day exploits. Instead, they are using Rockwell’s own legitimate engineering software — Studio 5000 Logix Designer — to access internet-facing PLCs directly.

This allows them to read and modify project files and manipulate HMI/SCADA display screens, making the activity harder to detect.

Confirmed targeted device families include CompactLogix and Micro850, while additional OT protocols such as Modbus (port 502) and S7 (port 102) are also being actively probed, suggesting the group may be extending its targeting across multiple vendor platforms.

A large share of exposed devices — nearly 49.1% of the global total — sit behind Verizon Business cellular modems, with AT&T Mobility accounting for another 13.3%.

Many of these PLCs are field-deployed at pump stations, electrical substations, and municipal facilities, connected to the internet through cellular modems rather than secure network links.

Top 15 ASNs Hosting Internet-Exposed Rockwell - Allen-Bradley PLCs (Source - Censys)

The heavy presence of consumer and mobile carrier networks over industrial ASNs highlights a widespread and often overlooked deployment risk that demands attention.

Expanded Attack Surface: Co-Exposed Services and IOC Analysis

Beyond EIP exposure, Censys protocol enumeration across the 5,219 hosts revealed significant co-exposed services that widen the attack surface.

Co-Exposed Protocols on Rockwell - Allen-Bradley PLC Hosts (Source - Censys)

VNC services were found on 771 instances — giving attackers direct remote desktop access to HMI workstations.

Telnet appeared on 280 hosts and Modbus on 292, both adding further unprotected entry points that are directly consistent with the attack behaviors described in AA26-097A.

On the IOC front, Censys pivoting of the published indicators revealed that CISA’s seven 185.82.73.x IP addresses actually represent a single multi-homed Windows engineering workstation running the full Rockwell toolchain — not seven separate machines.

Service Lifecycle of 135.136.1.133 (Source - Censys)

Four additional operator IPs on that same host were absent from the advisory. A separate staging box at 135.136.1.133 was provisioned in February 2026, activated for a carefully timed four-day window in mid-March, then completely abandoned.

Organizations running Rockwell/Allen-Bradley PLCs should immediately remove these devices from direct internet exposure.

For CompactLogix and MicroLogix devices, placing the physical mode switch in RUN position is the single most effective control that cannot be overridden remotely.

Administrators should disable VNC, Telnet, and FTP on any host co-located with a PLC, implement multi-factor authentication for all remote OT access, and audit MicroLogix 1400 deployments running end-of-sale firmware versions C/21.02 and C/21.07.

All inbound traffic on TCP ports 44818, 2222, 102, 502, and 22 from known operator IPs — including the newly identified addresses 185.82.73.160, .161, .163, and .166 — should be reviewed immediately.
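A defender-side illustration of the traffic review recommended above, added here and not part of the original article or of Censys' or CISA's tooling: it parses constructed firewall log lines in a hypothetical key=value format, keeps only TCP flows to the five ports named in the advisory, and labels each flow by whether its source is one of the operator addresses quoted in the article (the 185.82.73.x hosts and the 135.136.1.133 staging box) or an unlisted source hitting an OT port.

```python
import re
from collections import Counter
from dataclasses import dataclass

# TCP ports the advisory mitigations ask operators to review.
WATCHED_TCP_PORTS = {44818, 2222, 102, 502, 22}

# Operator addresses quoted in the article (newly identified 185.82.73.x hosts
# plus the 135.136.1.133 staging box). Other indicators are not on the page.
OPERATOR_IPS = {
    "185.82.73.160", "185.82.73.161", "185.82.73.163", "185.82.73.166",
    "135.136.1.133",
}

# Constructed sample log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2026-03-15T02:11:09Z action=allow proto=tcp src=185.82.73.161 spt=51022 dst=10.20.5.7 dpt=44818
2026-03-15T02:11:31Z action=allow proto=tcp src=198.51.100.23 spt=40112 dst=10.20.5.7 dpt=44818
2026-03-15T02:12:44Z action=allow proto=tcp src=135.136.1.133 spt=60231 dst=10.20.5.9 dpt=502
2026-03-15T02:13:01Z action=deny proto=tcp src=185.82.73.166 spt=51030 dst=10.20.5.7 dpt=2222
2026-03-15T02:14:17Z action=allow proto=udp src=203.0.113.8 spt=123 dst=10.20.5.7 dpt=123
2026-03-15T02:15:02Z action=allow proto=tcp src=203.0.113.8 spt=44100 dst=10.20.5.7 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    action: str   # allow/deny: a denied probe is still worth knowing about
    reason: str   # "known-operator-ip" or "ot-port-from-internet"


def review_inbound(log_text: str) -> list[Hit]:
    """Return every TCP flow to a watched OT port, tagged by source reputation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dpt"]) not in WATCHED_TCP_PORTS:
            continue
        reason = "known-operator-ip" if m["src"] in OPERATOR_IPS else "ot-port-from-internet"
        hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["dpt"]), m["action"], reason))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count flagged flows per reason, for a quick triage overview."""
    return dict(Counter(h.reason for h in hits))
```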


The post Censys Warns 5,219 Rockwell/Allen-Bradley PLCs Are Exposed Amid Iranian APT Activity appeared first on Cyber Security News.