Iranian hackers are targeting US energy, water sectors, federal agencies warn

Federal cyber and law enforcement agencies warned that Iranian-linked hackers are exploiting programmable logic controllers to target U.S. energy, water and government services sectors.

Iranian hackers are exploiting cyber vulnerabilities in key software systems at U.S. water and energy providers, according to a new advisory released by the Cybersecurity and Infrastructure Security Agency on Tuesday.

The guidance warns that Iran-linked hackers are targeting internet-connected programmable logic controllers. These are industrial computers used to control and run critical infrastructure networks across the nation.

The advisory was jointly produced by CISA, the National Security Agency, the Federal Bureau of Investigation, U.S. Cyber Command, the Department of Energy, the Environmental Protection Agency and the Cyber National Mission Force.

Programmable logic controllers developed by software manufacturer Rockwell Automation/Allen-Bradley are actively being exploited, and PLCs from other companies are potentially being targeted as well, according to the advisory.

The agencies advised all U.S. organizations to remove the control software from direct internet exposure and check available logs for “suspicious traffic.” If an organization uses Rockwell Automation devices, the agencies recommend contacting the company if the organization may have been targeted.

The advisory does not specify which Iranian hacking group is behind the attacks, only noting that “Iranian-affiliated advanced persistent threat actors” were targeting U.S. critical infrastructure organizations with the intent to “cause disruptive effects.”

The agencies noted that the attacks bear a resemblance to cyberattacks in 2023 carried out by the Iranian hacking group CyberAv3ngers.

The group, affiliated with Iran’s Islamic Revolutionary Guard Corps, hacked into and defaced Israeli-made digital control panels at multiple U.S. water treatment facilities in Pennsylvania. These incidents occurred shortly after the Oct. 7, 2023, attack on Israel by Hamas militants and after subsequent strikes by Israeli forces in the Gaza Strip.

The advisory noted that the attacks were likely due to the ongoing U.S.-Israeli war on Iran, stating that “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities.”

Kimberly Mielcarek — vice president of the North American Electric Reliability Corporation, which runs the Electricity Information Sharing and Analysis Center — said on Tuesday that the organization sent an “all-points bulletin” to energy sector members about the threat, encouraging “industry vigilance.”

“Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners,” Mielcarek said.

One industry source with knowledge of the incidents, granted anonymity to discuss non-public details, said the companies had been given a heads-up by two federal agencies in advance of the advisory going out. They noted the Department of Energy was involved in responding to the breaches.

“Protecting America’s critical energy infrastructure is a top priority for the U.S. Department of Energy,” a spokesperson for DOE told POLITICO in a statement, adding that the department worked closely with the other federal agencies on “critical recommendations to U.S. organizations on how to implement specific mitigations to improve their cybersecurity posture against cyber actors.”

The exact targets of the attack were not immediately clear.

CISA added a major vulnerability in Rockwell industrial control systems to its catalog of known vulnerabilities in early March; the flaw specifically affects PLCs.

Ed Moreland, vice president of government affairs and corporate communications at Rockwell Automation, said in a statement that the company “takes seriously the security of its products and solutions and has been closely coordinating with government agencies” on the advisory.

Acting CISA Director Nick Andersen told reporters last month that CISA had “not seen a rise in threat actor activity” linked to Iran since the war began, but that the agency was working with industry to track the threat.

politico.com
