IAH Automation Roundup, 3:32 pm

War continues on PLCs: Iranian hackers get the better of US industrial controls

Over 5,000 industrial control devices (3,900 of them in the US) sitting on the open internet are now confirmed targets of an active Iranian cyber campaign. A joint advisory issued by the FBI, CISA, NSA, the EPA, the Department of Energy and US Cyber Command formally confirms that threat actors affiliated with the IRGC Cyber Electronic Command, tracked variously as CyberAv3ngers, Storm-0784 and the Shahid Kaveh Group, are actively exploiting internet-exposed Rockwell Automation Allen-Bradley programmable logic controllers (PLCs), specifically CompactLogix and Micro850 devices, across the water, energy and government infrastructure sectors.

The actors did not need a zero-day exploit. They used Rockwell's own Studio 5000 Logix Designer engineering software to connect directly to the exposed controllers, tamper with project files and manipulate what operators see on their SCADA and HMI displays, in effect feeding false process data to the people running physical infrastructure.

Censys, an internet monitoring firm that scanned for exposed devices after the advisory, found that three-quarters of the global exposure sits in the US, with most devices reachable through cellular modems deployed at remote field sites: pump stations, substations and municipal facilities. Some are connected via Starlink, which makes them even harder to monitor and patch.

The attack surface goes beyond PLCs themselves. Censys flagged 771 VNC instances, 280 Telnet services, and 292 Modbus endpoints also exposed — each an additional entry point.
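A practitioner-side check for exactly this exposure, added here as an example and not code from the article, from Censys or from the advisory's authors: the script reads `nmap` grepable (`-oG`) output, skips hosts on private or link-local ranges, and flags open EtherNet/IP, Modbus, VNC and Telnet services on internet-reachable addresses. TCP/44818 is the EtherNet/IP (CIP) port Studio 5000 Logix Designer uses to go online with Logix and Micro800 controllers; 502, 5900 and 23 are the Modbus, VNC and Telnet services counted above. The per-port remediation strings are my mapping of the advisory's recommendations, and the scan lines are constructed, using the RFC 5737 documentation range for the "public" hosts.

```python
"""Flag internet-exposed ICS and remote-access services in nmap grepable output.

Added example, not code from the article or from Censys/CISA. Port numbers are
standard assignments; the sample scan lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# (service, severity, remediation) per TCP port. TCP/44818 is EtherNet/IP
# (CIP), the channel Studio 5000 uses to go online with a controller; the
# remediation wording is an assumption drawn from the advisory's guidance.
ICS_PORTS = {
    44818: ("EtherNet/IP (CIP) PLC programming", "critical",
            "remove from public internet; reach only via MFA-protected VPN"),
    502: ("Modbus/TCP", "critical",
          "remove from public internet; no business case for exposure"),
    5900: ("VNC", "high",
           "move behind MFA-protected remote access or disable"),
    23: ("Telnet", "high",
         "disable; legacy protocol with no business case for exposure"),
}
SEVERITY_RANK = {"critical": 0, "high": 1}

# Only hosts the internet can reach matter here. A plain RFC 1918 / loopback /
# link-local check is used instead of ipaddress.is_global, which would also
# exclude the 203.0.113.0/24 documentation range used in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str
    action: str


# nmap -oG host line: "Host: <addr> (<name>)\tPorts: <port list>\t..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+(.*)$")
# nmap -oG port field: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/")


def internet_reachable(host):
    """True unless the address falls in a non-routable range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address: keep it for review
        return True
    return not any(addr in net for net in NON_ROUTABLE)


def find_exposed(grepable_text):
    """Return Findings for open ICS/remote-access ports on reachable hosts,
    sorted by severity, host, port."""
    findings = []
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        if not internet_reachable(host):
            continue
        for port, state, proto in PORT_RE.findall(ports):
            port = int(port)
            if state != "open" or proto != "tcp" or port not in ICS_PORTS:
                continue
            service, severity, action = ICS_PORTS[port]
            findings.append(Finding(host, port, service, severity, action))
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


# Constructed sample of `nmap -oG - -p 23,502,5900,44818 <targets>` output.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample) as: nmap -oG - -p 23,502,5900,44818
Host: 203.0.113.10 ()\tPorts: 23/open/tcp//telnet///, 502/open/tcp//modbus///, 44818/open/tcp//EtherNetIP-2///\tIgnored State: closed (1)
Host: 203.0.113.25 ()\tPorts: 5900/open/tcp//vnc///, 44818/filtered/tcp//EtherNetIP-2///
Host: 10.20.30.40 ()\tPorts: 44818/open/tcp//EtherNetIP-2///
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_SCAN):
        print(f"[{f.severity}] {f.host}:{f.port} {f.service} -> {f.action}")
```

On the sample, the 10.20.30.40 controller is skipped as non-routable and the filtered 44818 on 203.0.113.25 is not counted, leaving four findings: two critical (Modbus and EtherNet/IP on 203.0.113.10) and two high (Telnet there and VNC on 203.0.113.25). The same parser runs unchanged over a real `nmap -oG` file of your own public address space.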

Real operational disruption and financial losses have already occurred. Remediation is under way in line with the advisory: PLCs are being taken off the public internet, MFA is being enforced on remote access, and legacy protocols with no business case for internet exposure are being disabled.
