CyberAv3ngers, an Iranian-affiliated threat group also tracked as Hydro Kitten, Shahid Kaveh Group, UNC5691, and Storm-0784, conducted a targeted cyber attack campaign against internet-exposed programmable logic controllers deployed across U.S. critical infrastructure sectors beginning in March 2026. This operational technology attack specifically targeted Rockwell Automation CompactLogix and Micro850 PLCs deployed within government facilities, water and wastewater systems, and energy sector environments, exploiting CVE-2021-22681 to bypass authentication mechanisms and establish unauthorized connections to industrial control systems.
CVE-2021-22681 is a Common Industrial Protocol security vulnerability affecting Rockwell Automation Studio 5000 Logix Designer versions 21 and later, as well as RSLogix 5000 versions 16 through 20. This vulnerability allows unauthenticated attackers to bypass the key-based verification mechanism used when communicating with Rockwell Automation CompactLogix and ControlLogix controller families, enabling direct unauthorized access to PLC devices without valid credentials. The flaw represents a critical weakness in industrial control system security, as PLCs typically operate as trusted components within operational technology networks with minimal authentication requirements.
CyberAv3ngers leveraged leased third-party hosted infrastructure and legitimate Rockwell Automation configuration software including Studio 5000 Logix Designer and RSLogix 5000 to craft accepted connections to internet-exposed PLC devices. This operational approach deliberately reduced attribution overhead and allowed malicious activity to blend into expected industrial communications traffic patterns, as connections originated from commercial hosting providers using legitimate industrial engineering tools rather than obviously malicious infrastructure or custom exploit code.
Following successful initial access to compromised PLC environments, the threat actors deployed Dropbear SSH, a lightweight Secure Shell implementation, directly on victim endpoints to establish persistent encrypted remote access channels. Dropbear was configured to listen on TCP port 22, providing CyberAv3ngers with reliable command-and-control capabilities for ongoing operations. This persistence mechanism enabled sustained access to compromised industrial control systems independent of the initial vulnerability exploitation, allowing continued operations even if the CVE-2021-22681 vulnerability was subsequently patched.
Using the persistent remote access provided by Dropbear SSH, CyberAv3ngers proceeded to interact with PLC project files, the authoritative configuration artifacts governing PLC logic and operational behavior. The threat actors extracted these project files for intelligence purposes and manipulated display data presented on Human-Machine Interface and Supervisory Control and Data Acquisition panels. This manipulation of SCADA display data represents a particularly disruptive capability in operational technology environments, as operators rely on accurate display readings to make safety-critical operational decisions regarding industrial processes.
The manipulation of HMI and SCADA displays directly undermined the situational awareness of operators monitoring industrial processes across affected facilities. In multiple documented cases, these malicious actions resulted in diminished PLC functionality, operational disruption requiring manual intervention, and documented financial losses across targeted critical infrastructure sectors. The campaign demonstrates CyberAv3ngers’ capability and intent to conduct disruptive operations against U.S. critical infrastructure rather than limiting activities to passive intelligence collection.
The broader strategic context links CyberAv3ngers to a coordinated cyber influence and operational ecosystem aligned with Iran’s Ministry of Intelligence and Security. The threat group operates under the TAG-150 umbrella alongside associated Iranian threat actors including MuddyWater, with malware components including ChainShell, Tsundere, and CastleRAT assessed as co-deployed elements of this broader operational platform. Public-facing domains and Telegram channels serve as primary amplification and command-and-control infrastructure for this ecosystem, enabling malware to communicate with threat actor-controlled infrastructure while blending into legitimate platform traffic.
CISA published advisory AA26-097A in response to this campaign, designating it as a significant threat to U.S. critical infrastructure and urging immediate remediation actions across affected sectors. The advisory emphasizes the urgent need to remove PLCs from direct internet exposure, apply available patches for CVE-2021-22681, and implement comprehensive monitoring for indicators of compromise associated with CyberAv3ngers operations.
CyberAv3ngers represents an Iranian-affiliated cyber threat group with demonstrated capabilities and operational focus targeting industrial control systems and operational technology infrastructure. The group operates under multiple tracking designations across different security vendors and threat intelligence organizations, including Hydro Kitten, Shahid Kaveh Group, UNC5691 (Mandiant designation), and Storm-0784 (Microsoft designation). This proliferation of naming conventions reflects the distributed nature of threat intelligence collection and the challenge of definitively clustering activities to specific organizational structures within Iranian offensive cyber operations.
The group’s affiliation with Iranian state interests is assessed with high confidence based on targeting patterns focused on U.S. and Israeli critical infrastructure, operational timelines correlating with Iranian geopolitical objectives, infrastructure overlaps with known Iranian threat actors, and tactical tradecraft consistent with Iranian cyber operations doctrine. CyberAv3ngers appears to operate as a component of Iran’s broader offensive cyber ecosystem rather than as an isolated threat actor, with operational and infrastructure connections to other Iranian groups including MuddyWater and entities operating under the TAG-150 operational umbrella.
The campaign’s focus on operational technology and industrial control systems reflects a deliberate strategic shift in Iranian cyber operations toward developing capabilities for disruptive and potentially destructive effects against critical infrastructure. This evolution from primarily IT-focused espionage and influence operations toward OT targeting represents an escalation in Iranian cyber threat capabilities and demonstrates intent to develop pre-positioned access and capabilities within U.S. critical infrastructure that could be leveraged during periods of heightened geopolitical tension or conflict.
The primary attack vector exploited by CyberAv3ngers was CVE-2021-22681, a Common Industrial Protocol security vulnerability affecting Rockwell Automation engineering software and compatible PLC controllers. This vulnerability enables unauthenticated attackers to bypass the CIP Security key-based verification mechanism that normally authenticates connections between engineering workstations and PLC devices. By exploiting this authentication bypass, threat actors can establish connections to vulnerable PLCs without possessing valid cryptographic keys or credentials, effectively impersonating legitimate engineering workstations.
The vulnerability affects Rockwell Automation Studio 5000 Logix Designer versions 21 and later, as well as the legacy RSLogix 5000 software versions 16 through 20. These engineering platforms are industry-standard tools used globally for programming, configuring, and monitoring Rockwell Automation CompactLogix and ControlLogix PLC families. The widespread deployment of affected software versions across industrial environments, combined with the common practice of exposing PLCs directly to the internet for remote engineering access, created a substantial attack surface for CyberAv3ngers exploitation operations.
CyberAv3ngers’ exploitation methodology involved using legitimate, unmodified copies of Rockwell Automation engineering software to craft connections to internet-exposed PLC devices. This approach leverages the fact that CVE-2021-22681 is a protocol-level vulnerability rather than a software bug requiring custom exploit code. By using legitimate industrial engineering tools, CyberAv3ngers ensured their traffic appeared consistent with normal remote engineering activities, making detection significantly more challenging compared to attacks using custom malware or exploit tools that would trigger security monitoring systems.
The threat actors conducted internet-wide scanning operations to identify exposed Rockwell Automation PLCs accessible via public IP addresses. Industrial control systems deployed in critical infrastructure environments are frequently exposed to the internet to enable remote monitoring and maintenance by vendors, third-party service providers, or internal engineering staff accessing systems from remote locations. This operational convenience creates significant security risks, as demonstrated by CyberAv3ngers’ ability to identify and compromise systems across multiple critical infrastructure sectors.
CyberAv3ngers operated attack infrastructure consisting of leased third-party hosted servers rather than infrastructure directly attributable to Iranian entities or government networks. This use of commercial hosting providers and virtual private server platforms provided operational security benefits including reduced attribution to Iranian origins, ability to rapidly provision and decommission infrastructure, geographic diversity enabling attacks to appear to originate from various locations, and cost-effective scalability for campaigns targeting multiple victims simultaneously.
The identified command-and-control IP addresses associated with the campaign included infrastructure hosted across multiple autonomous systems and geographic regions. Indicators of compromise published by CISA included IP addresses in the 135.136.x.x and 185.82.73.x ranges, suggesting use of European and international hosting providers rather than infrastructure obviously linked to Iranian networks. This geographic and organizational diversity in attack infrastructure complicated network-based detection and blocking efforts, as defenders could not rely on simple geographic filtering to prevent Iranian threat actor access.
The use of legitimate Rockwell Automation engineering software rather than custom exploit tools provided additional operational security benefits for CyberAv3ngers. Network security monitoring systems configured to detect unusual protocols or suspicious binary transfers would not flag connections using standard industrial protocols and legitimate vendor software. The malicious nature of the activity was determined by the unauthorized intent and target selection rather than any technical anomaly in the connections themselves, making behavioral analytics and baseline deviations the primary detection mechanisms rather than signature-based threat detection.
Following successful initial access to target environments, CyberAv3ngers deployed Dropbear SSH to establish persistent encrypted remote access independent of the CVE-2021-22681 vulnerability. Dropbear is a lightweight, open-source SSH server and client implementation designed for embedded systems and resource-constrained environments, making it well-suited for deployment on industrial control system components with limited computational resources compared to traditional IT systems.
The threat actors configured Dropbear to listen on TCP port 22, the standard SSH port, enabling encrypted command-and-control communications that would blend into normal administrative traffic in many environments. SSH is commonly used for legitimate remote administration of industrial systems, making Dropbear traffic less suspicious than custom malware protocols. The encryption provided by SSH also prevented network security monitoring systems from inspecting the contents of command-and-control communications, limiting visibility into post-compromise activities.
Dropbear deployment provided CyberAv3ngers with several operational advantages for sustained access to compromised environments. The persistent backdoor remained functional even if CVE-2021-22681 was subsequently patched, ensuring continued access independent of the initial compromise vector. The encrypted channel enabled secure file transfer for exfiltrating PLC project files and downloading additional tools. The lightweight nature of Dropbear minimized resource consumption and detection risk compared to more feature-rich backdoors.
Using persistent access provided by Dropbear SSH, CyberAv3ngers interacted with PLC project files, the authoritative configuration artifacts that define PLC logic, input/output mappings, alarm configurations, and operational parameters. These project files represent the complete operational programming of industrial control systems and contain sensitive information about process control logic, safety interlocks, equipment configurations, and operational setpoints. Exfiltration of these files provided CyberAv3ngers with comprehensive intelligence regarding facility operations and potential vulnerabilities in industrial processes.
The threat actors manipulated display data presented on Human-Machine Interface and Supervisory Control and Data Acquisition systems, which operators use to monitor industrial processes and make operational decisions. HMI and SCADA displays present real-time process data including sensor readings, equipment status, alarm conditions, and process trends. By manipulating this display data, CyberAv3ngers created scenarios where operators received false information about actual process conditions, potentially leading to inappropriate operational decisions or delayed responses to actual equipment failures or safety conditions.
The manipulation of SCADA display data represents a particularly insidious attack technique in operational technology environments. Unlike traditional IT systems where data integrity issues primarily affect business operations or data analysis, inaccurate process data in industrial environments can lead to safety incidents, equipment damage, environmental releases, or production disruptions. Operators making decisions based on manipulated display data may shut down functioning equipment, fail to respond to actual alarm conditions, or make process adjustments that exacerbate rather than resolve operational issues.
The CyberAv3ngers campaign resulted in documented operational disruptions and financial losses across multiple affected organizations in government, water and wastewater systems, and energy sectors. The specific mechanisms of disruption included diminished PLC functionality resulting from unauthorized configuration changes, operational disruptions requiring manual intervention to restore normal operations, equipment downtime during investigation and remediation activities, and costs associated with incident response, forensic analysis, and system restoration.
The targeting of water and wastewater systems represents a particularly concerning aspect of the campaign, as these critical infrastructure sectors directly impact public health and safety. Disruptions to water treatment processes could potentially affect water quality, while disruptions to wastewater treatment could lead to environmental releases. The fact that CyberAv3ngers demonstrated both capability and intent to disrupt these systems elevates the threat level beyond intelligence collection to potentially life-safety-impacting cyber operations.
The campaign demonstrates an accelerating pattern of Iranian offensive cyber activity targeting both information technology and operational technology infrastructure across Western and Israeli entities. This escalation in targeting scope and operational sophistication suggests Iranian cyber operations are developing pre-positioned access within critical infrastructure that could be leveraged for more disruptive or destructive effects during periods of heightened geopolitical tension or armed conflict between Iran and the United States or its regional allies.
Organizations must immediately audit all operational technology network perimeters to identify and eliminate direct internet exposure of PLC devices. No CompactLogix, Micro850, or other PLC systems should be directly reachable from public internet IP addresses. All PLCs must be positioned behind dedicated industrial firewalls, network proxies, or secure remote access solutions that strictly control which source IP addresses and authenticated users can initiate connections to industrial control systems. Remote engineering access should be provided exclusively through VPN tunnels or jump hosts that enforce multi-factor authentication and session logging rather than exposing PLCs directly to the internet.
All installations of Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000 must be updated to remediate the CIP Security authentication bypass vulnerability. Organizations should consult Rockwell Automation Security Advisory PN1550 for device-specific patching guidance and minimum version requirements that address CVE-2021-22681. Patching must be prioritized with critical urgency given active exploitation by CyberAv3ngers and the vulnerability’s inclusion in CISA’s Known Exploited Vulnerabilities catalog, which mandates remediation for federal civilian executive branch agencies and strongly recommends remediation for all critical infrastructure operators.
Organizations should enable physical and software-based write-protection mechanisms on CompactLogix and Micro850 controllers to prevent unauthorized modification of PLC project files. Many Rockwell Automation controllers feature key-switch settings that can be configured to prevent remote logic changes, requiring physical access to the controller to modify programming. Network access control lists should be configured to ensure that only explicitly authorized engineering workstations can push logic changes to PLCs, with these restrictions enforced through both network-level firewall rules and controller-level CIP Security configurations implementing least-privilege access principles.
Security teams must conduct immediate threat hunting operations across operational technology networks and IT systems with OT connectivity to identify indicators of CyberAv3ngers compromise. Specific hunt criteria should include Dropbear SSH binaries or processes listening on TCP port 22, PowerShell scripts named “reset.ps1” consistent with CyberAv3ngers tooling, JavaScript execution activity on systems that do not normally run scripts, outbound network connections to known CyberAv3ngers command-and-control IP addresses, and connections to Ethereum RPC nodes or smart contract addresses associated with ChainShell malware infrastructure. Organizations should review process creation logs, PowerShell execution transcripts, and network connection logs for the past 90 days to identify historical compromise indicators.
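The hunt criteria above, together with the perimeter and access-control points made earlier (PLCs reachable only from authorized engineering workstations), can be turned into a small rule set run over endpoint and flow telemetry. The following is an added example, not code from CISA, Rockwell Automation or the original page. It assumes a simple key=value log format, an EtherNet/IP port of TCP 44818 for CIP sessions (a protocol fact not stated on the page), a hypothetical allowlist of engineering workstation addresses, and constructed sample records; the C2 ranges are the ones given in the advisory summary above.

```python
import ipaddress
import re

# C2 ranges as the advisory summary above gives them (135.136.x.x and
# 185.82.73.x), expressed as networks for matching.
C2_RANGES = [
    ipaddress.ip_network("135.136.0.0/16"),
    ipaddress.ip_network("185.82.73.0/24"),
]

# Hypothetical allowlist of engineering workstations permitted to open
# CIP sessions to PLCs; EtherNet/IP uses TCP 44818 (assumed, not on the page).
ENGINEERING_WORKSTATIONS = {"10.10.5.21", "10.10.5.22"}
CIP_PORT = "44818"

# Constructed sample telemetry in a simple key=value format (not real
# campaign data): process creation, listening sockets and flow records.
SAMPLE_LOGS = r"""
type=process host=hmi-01 image=/usr/local/bin/dropbear cmdline="dropbear -p 22 -E"
type=listen host=hmi-01 proto=tcp port=22 image=/usr/local/bin/dropbear
type=process host=eng-ws-02 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\Temp\reset.ps1"
type=process host=eng-ws-01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Get-Process"
type=flow host=fw-ot src=10.10.5.21 dst=10.20.1.10 dport=44818 dir=in
type=flow host=fw-ot src=203.0.113.45 dst=10.20.1.10 dport=44818 dir=in
type=flow host=hmi-01 src=10.20.1.50 dst=185.82.73.17 dport=443 dir=out
type=flow host=hmi-01 src=10.20.1.50 dst=8.8.8.8 dport=53 dir=out
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def in_c2_range(ip):
    """True if the address falls inside one of the published C2 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in C2_RANGES)


def evaluate(fields):
    """Apply the hunt criteria to one record; returns a list of (rule, detail)."""
    hits = []
    kind = fields.get("type")
    image = fields.get("image", "").lower()
    cmdline = fields.get("cmdline", "").lower()
    # Dropbear SSH present on an endpoint, and Dropbear bound to TCP 22
    if kind == "process" and "dropbear" in image:
        hits.append(("dropbear_process", image))
    if kind == "listen" and fields.get("port") == "22" and "dropbear" in image:
        hits.append(("dropbear_listener_tcp22", fields.get("host")))
    # PowerShell executing a script named reset.ps1
    if kind == "process" and "powershell" in image and "reset.ps1" in cmdline:
        hits.append(("reset_ps1_execution", cmdline))
    # Outbound connection to a published C2 range
    if kind == "flow" and fields.get("dir") == "out" and in_c2_range(fields.get("dst", "")):
        hits.append(("c2_ioc_connection", fields["dst"]))
    # CIP session to a PLC from anything other than an allowlisted workstation
    if (kind == "flow" and fields.get("dport") == CIP_PORT
            and fields.get("src") not in ENGINEERING_WORKSTATIONS):
        hits.append(("unauthorized_cip_session", fields["src"]))
    return hits


def hunt(log_text):
    """Run every rule over every record and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        for rule, detail in evaluate(fields):
            findings.append({"host": fields.get("host"), "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['host']:10} {f['rule']:26} {f['detail']}")
```

On the constructed sample the script reports the Dropbear binary and its TCP 22 listener, the reset.ps1 execution, the CIP session from a non-allowlisted public address, and the outbound connection into the 185.82.73.x range, while the allowlisted workstation's CIP session and ordinary DNS traffic pass silently. The allowlist check is what turns the perimeter recommendation into something observable: any CIP session not from a known engineering host is a finding regardless of whether the source is on a published IOC list.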
Organizations must establish integrity monitoring for HMI screen configurations and SCADA data display templates to detect unauthorized modifications indicative of display manipulation attacks. Baseline configurations should be documented for all operator interface screens, and automated alerting should be implemented for any changes to display tags, process variable bindings, alarm setpoints, or screen logic. Security teams should implement cross-referencing mechanisms that compare SCADA display data against raw sensor readings from field instruments to identify discrepancies where displayed values diverge from actual measured process conditions, which could indicate active display manipulation by threat actors.
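The two controls in the paragraph above, a baseline-and-diff over HMI screen configuration and a cross-reference of displayed values against independent field readings, are shown together in the following added example. It is not code from the original page or from any HMI or SCADA vendor; the screen structure, tag names, PLC addresses, process values and tolerances are all constructed for illustration.

```python
import copy
import hashlib
import json

# Constructed baseline for one HMI screen: tag-to-PLC address bindings and
# alarm setpoints. Names and addresses are hypothetical.
BASELINE_SCREEN = {
    "screen": "Clarifier_Overview",
    "bindings": {"LVL_TANK1_PV": "PLC1:N7:10", "FLOW_INLET_PV": "PLC1:F8:3"},
    "alarm_setpoints": {"LVL_TANK1_HI": 85.0, "FLOW_INLET_LO": 120.0},
}

# A tampered copy of the screen: one binding repointed, one alarm setpoint lowered.
CURRENT_SCREEN = copy.deepcopy(BASELINE_SCREEN)
CURRENT_SCREEN["bindings"]["LVL_TANK1_PV"] = "PLC1:N7:99"
CURRENT_SCREEN["alarm_setpoints"]["FLOW_INLET_LO"] = 50.0

# Constructed values: what the operator screen shows versus what the field
# instruments report over an independent path.
DISPLAYED = {"LVL_TANK1_PV": 62.0, "FLOW_INLET_PV": 140.0}
FIELD = {"LVL_TANK1_PV": 61.8, "FLOW_INLET_PV": 95.0}


def config_fingerprint(screen):
    """Stable SHA-256 over a canonical JSON serialisation of the screen config."""
    blob = json.dumps(screen, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _flatten(node, prefix=""):
    """Turn nested dicts into {"a.b.c": leaf} so leaves can be compared by path."""
    out = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, path))
        else:
            out[path] = value
    return out


def diff_screen(baseline, current):
    """List (path, old, new) for every leaf that differs between two configs."""
    base, cur = _flatten(baseline), _flatten(current)
    return [
        (path, base.get(path), cur.get(path))
        for path in sorted(set(base) | set(cur))
        if base.get(path) != cur.get(path)
    ]


def cross_check(displayed, field, rel_tol=0.05, abs_tol=0.5):
    """Flag tags whose displayed value diverges from the field reading by more
    than the larger of an absolute and a relative tolerance, or that have no
    field reading at all."""
    discrepancies = []
    for tag, shown in displayed.items():
        if tag not in field:
            discrepancies.append((tag, shown, None))
            continue
        actual = field[tag]
        if abs(shown - actual) > max(abs_tol, rel_tol * abs(actual)):
            discrepancies.append((tag, shown, actual))
    return discrepancies


if __name__ == "__main__":
    if config_fingerprint(CURRENT_SCREEN) != config_fingerprint(BASELINE_SCREEN):
        for path, old, new in diff_screen(BASELINE_SCREEN, CURRENT_SCREEN):
            print(f"CONFIG CHANGE {path}: {old!r} -> {new!r}")
    for tag, shown, actual in cross_check(DISPLAYED, FIELD):
        print(f"DISPLAY MISMATCH {tag}: shown {shown}, field {actual}")
```

The fingerprint is a cheap change detector suitable for a scheduled job; the path-level diff is what tells an analyst whether the change touched a binding, a setpoint or screen logic. The cross-check only works if the field readings reach the comparison over a path the HMI does not control (a historian fed directly from the controller, a second PLC read, or a separate instrument), which is the design point of the recommendation: a reading that agrees with the screen because it was read through the screen proves nothing.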
T1190: Exploit Public-Facing Application
T1078: Valid Accounts
T1059: Command and Scripting Interpreter
T1133: External Remote Services
T1102: Web Service
T1571: Non-Standard Port
T1005: Data from Local System
T1565: Data Manipulation
T1489: Service Stop
Filename: reset.ps1
IPv4 Addresses:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html