Originally published on satyamrastogi.com
Nearly 4,000 internet-exposed Rockwell Automation PLCs identified in active Iranian reconnaissance campaigns. Analysis of OT attack surface, device enumeration tactics, and payload delivery mechanisms targeting U.S. critical infrastructure.
Rockwell Automation PLCs: 4,000 Exposed Devices & Iranian OT Targeting
Executive Summary
Iranian-linked cyberattack campaigns have identified approximately 4,000 internet-exposed Rockwell Automation programmable logic controllers (PLCs) across U.S. critical infrastructure networks. This discovery represents a significant tactical shift in Iranian offensive operations - moving from traditional IT-focused espionage toward direct targeting of operational technology (OT) systems that control physical processes in energy, water, manufacturing, and transportation sectors.
The scale of exposed devices indicates a mature reconnaissance and targeting infrastructure. Iranian threat actors are systematically mapping the OT attack surface, likely conducting vulnerability assessment and payload staging operations in preparation for destructive or disruptive attack campaigns.
Attack Vector Analysis
Device Enumeration & Service Discovery
Rockwell Automation PLCs expose several legacy protocols and management interfaces that enable remote identification:
- EtherNet/IP - Industrial protocol running on TCP 2222, UDP 2222
- Allen-Bradley FactoryTalk Services - Web interfaces on TCP 80, 443
- Modbus TCP - Legacy protocol on TCP 502
- SNMP - Device discovery and inventory enumeration on UDP 161
Threat actors employ standard reconnaissance techniques (MITRE ATT&CK T1589 - Gather Victim Identity Information) combined with industrial-specific tooling:
# Shodan queries for device fingerprinting
product:"Rockwell Automation" port:2222
Rockwell Automation EtherNet/IP
FactoryTalk Services Default Credentials
# NMAP service detection
nmap -p 2222,502,20000 --script=modbus-discover <target-range>
nmap -sU -p 161 --script=snmp-sysdescr <target-range>
Once devices are enumerated, attackers move to MITRE ATT&CK T1592 - Gather Victim Host Information via protocol-specific requests:
# EtherNet/IP identity request (low-level TCP handshake)
Send 0x65 (List Identity) command to TCP 2222
Response contains: device type, firmware version, serial number, product name
# Exposed information enables:
- Firmware version matching (CVE lookup)
- Default credential targeting
- Payload customization per device variant
Geopolitical Context
This campaign aligns with documented Iranian state-sponsored operations. Iranian cyberattacks maintain momentum despite ceasefires and diplomatic initiatives, suggesting sustained strategic objectives around critical infrastructure disruption and data collection. The targeting of PLCs specifically indicates preparation for destructive payloads rather than traditional espionage.
Technical Deep Dive
Device Vulnerability Landscape
Rockwell Automation PLCs face multiple attack vectors:
- CVE-2022-22822 (Allen-Bradley CompactLogix) - Remote Code Execution via EtherNet/IP
- CVE-2023-46206 (FactoryTalk) - Authentication bypass
- Legacy default credentials - Many deployed systems running unpatched firmware from 2015-2018
# Simplified CVE-2022-22822 reconnaissance pattern
import socket

def probe_compactlogix(target_ip, port=2222):
    # construct_eip_frame, extract_firmware_version and is_vulnerable are
    # helpers referenced here but not defined on this page
    with socket.create_connection((target_ip, port), timeout=5) as sock:
        # EtherNet/IP encapsulation frame
        command = b'\x65\x00'  # List Identity request
        encap_header = construct_eip_frame(command)
        sock.sendall(encap_header)
        response = sock.recv(4096)
    # Parse firmware version from response
    fw_version = extract_firmware_version(response)
    if is_vulnerable(fw_version):
        return True, fw_version
    return False, fw_version
Supply Chain Implications
Like previous industrial supply chain compromises (GlassWorm Zig Dropper IDE supply chain targeting), this campaign exploits the asymmetric nature of OT patching cycles. Rockwell Automation devices often operate with 5-10 year firmware upgrade cycles, meaning vulnerabilities published in 2023 remain exploitable across 40%+ of the deployed base.
Payload Delivery Mechanisms
Iranian threat actors historically employ multi-stage delivery:
- Stage 1 - Reconnaissance: Enumerate device firmware, network topology, connected systems
- Stage 2 - Credential Access: Attempt default credentials (MITRE ATT&CK T1110.4 - Credential Stuffing), harvest credentials from human-machine interfaces (HMIs)
- Stage 3 - Lateral Movement: Use credential-based attacks for OT network traversal
- Stage 4 - Payload Execution: Deploy firmware implants or rogue logic programs
Detection Strategies
Network Detection
Outbound EtherNet/IP scanning from your environment:
Alert when:
- Internal hosts connect to TCP 2222 to external IPs
- Unusual EtherNet/IP session patterns (multiple List Identity requests)
- Protocol responses from non-Rockwell MAC vendors
Shodan/Censys fingerprint matching:
Implement continuous monitoring of your public IP ranges against industrial search engines. Any device fingerprint matching Rockwell Automation profiles should trigger immediate investigation.
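The network rules above, implemented as an added example over constructed flow records (this is not code from the original post). It assumes a simplified one-line-per-session log with an EtherNet/IP command field (a real deployment would feed it from an ICS-aware sensor such as Zeek with an ENIP analyzer), an internal address space of 10.0.0.0/8 and 192.168.0.0/16, and a single documented engineering workstation at 10.10.5.20. Alongside the TCP 2222 listed above it also watches TCP 44818, the EtherNet/IP encapsulation port registered with IANA. The MAC-vendor rule is omitted because it needs an OUI table.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports treated as EtherNet/IP: 2222 as listed in the post, plus 44818, the
# EtherNet/IP encapsulation port registered with IANA.
EIP_PORTS = {2222, 44818}

# Assumed internal address space and the documented engineering workstations
# allowed to open EtherNet/IP sessions to PLCs (constructed values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ENGINEERING_HOSTS = {"10.10.5.20"}

# Constructed flow records:
# "<iso timestamp> <src> <dst> <dst port> <proto> <eip command or ->"
SAMPLE_FLOWS = """\
2024-01-05T10:00:00 10.10.5.20 10.20.1.11 44818 tcp ListIdentity
2024-01-05T10:00:05 10.10.7.33 10.20.1.11 44818 tcp ListIdentity
2024-01-05T10:00:06 10.10.7.33 10.20.1.12 44818 tcp ListIdentity
2024-01-05T10:00:07 10.10.7.33 10.20.1.13 2222 tcp ListIdentity
2024-01-05T10:01:00 10.10.7.33 198.51.100.7 2222 tcp -
2024-01-05T10:30:00 10.10.5.20 10.20.1.11 44818 tcp SendRRData
"""


def parse_flow(line):
    ts, src, dst, dport, proto, cmd = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "cmd": cmd}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, window=timedelta(minutes=5), sweep_threshold=3):
    """Return (rule, src, detail) alerts for the network rules in the post."""
    alerts = []
    list_identity_times = defaultdict(list)
    for f in flows:
        if f["dport"] not in EIP_PORTS:
            continue
        # Rule 1: an internal host talking EtherNet/IP to the internet.
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            alerts.append(("OUTBOUND_EIP", f["src"], f"to {f['dst']}:{f['dport']}"))
        # Rule 3: an EtherNet/IP session to a PLC from an undocumented source.
        if is_internal(f["dst"]) and f["src"] not in ENGINEERING_HOSTS:
            alerts.append(("UNEXPECTED_EIP_SOURCE", f["src"], f"to {f['dst']}:{f['dport']}"))
        if f["cmd"] == "ListIdentity":
            list_identity_times[f["src"]].append(f["ts"])
    # Rule 2: repeated List Identity requests from one source inside the window
    # (a sweep), found with a sliding window over the sorted timestamps.
    for src, times in list_identity_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= sweep_threshold:
                alerts.append(("EIP_SWEEP", src,
                               f"{end - start + 1} List Identity requests within {window}"))
                break
    return alerts


def run(log_text=SAMPLE_FLOWS):
    return detect([parse_flow(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for rule, src, detail in run():
        print(f"{rule:24} {src:14} {detail}")
```

On the constructed sample the engineering workstation produces no alerts, while 10.10.7.33 trips all three rules: three sessions to PLCs it is not documented to manage, a List Identity sweep across them, and an outbound EtherNet/IP connection to an external address.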
Host-Level Detection
On PLC/HMI systems:
- Monitor local program/logic edits - PLCs should have static ladder logic between scheduled maintenance windows
- Alert on firmware upload attempts via FactoryTalk or engineering software
- Track unexpected EtherNet/IP traffic to systems outside documented network topology
- Monitor FactoryTalk user authentication logs for brute force patterns
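One way to implement the first two host-level checks above (static logic outside maintenance windows, alerting on firmware upload attempts), added here as an example and not code from the original post. It assumes a golden SHA-256 per controller taken from the exported project at the last approved change, a list of scheduled maintenance windows, and constructed audit events in a (timestamp, plc, event, detail) shape; no particular FactoryTalk log format is assumed.

```python
import hashlib
from datetime import datetime

# Constructed maintenance windows (UTC) during which logic edits and firmware
# uploads are expected.
MAINTENANCE_WINDOWS = [
    (datetime(2024, 1, 6, 2, 0), datetime(2024, 1, 6, 6, 0)),
]

# Constructed "golden" program images. In practice the baseline is the hash of
# the exported project (or the controller's online program) at the last
# approved change.
BASELINE_PROGRAMS = {
    "PLC-PUMP-01": b"MainRoutine v12: XIC Start OTE PumpRun",
    "PLC-VALVE-02": b"MainRoutine v7: XIC Open OTE ValveCmd",
}


def program_hash(blob):
    return hashlib.sha256(blob).hexdigest()


BASELINE = {name: program_hash(blob) for name, blob in BASELINE_PROGRAMS.items()}


def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


# Constructed audit events: (timestamp, plc, event, detail). For a
# "program_snapshot" the detail is the current program image; for a
# "firmware_upload" it describes the attempt.
EVENTS = [
    (datetime(2024, 1, 5, 14, 30), "PLC-PUMP-01", "program_snapshot",
     b"MainRoutine v12: XIC Start OTE PumpRun"),                 # unchanged
    (datetime(2024, 1, 5, 23, 10), "PLC-VALVE-02", "program_snapshot",
     b"MainRoutine v7: XIC Open OTE ValveCmd OTE Bypass"),       # edited at night
    (datetime(2024, 1, 6, 3, 0), "PLC-PUMP-01", "program_snapshot",
     b"MainRoutine v13: XIC Start XIC Permissive OTE PumpRun"),  # scheduled edit
    (datetime(2024, 1, 6, 3, 5), "PLC-PUMP-01", "firmware_upload",
     "engineering workstation 10.10.5.20"),                      # scheduled
    (datetime(2024, 1, 7, 9, 0), "PLC-VALVE-02", "firmware_upload",
     "host 10.10.7.33"),                                          # unscheduled
]


def review_events(events, baseline):
    """Return (alerts, updated_baseline); alerts are (severity, plc, message)."""
    baseline = dict(baseline)
    alerts = []
    for ts, plc, kind, detail in events:
        scheduled = in_maintenance_window(ts)
        if kind == "program_snapshot":
            current = program_hash(detail)
            if current == baseline.get(plc):
                continue  # logic is static, as expected between windows
            if scheduled:
                baseline[plc] = current  # approved change: roll the baseline forward
                alerts.append(("INFO", plc, f"logic changed during maintenance window at {ts}"))
            else:
                alerts.append(("HIGH", plc, f"logic changed outside maintenance window at {ts}"))
        elif kind == "firmware_upload":
            severity = "INFO" if scheduled else "HIGH"
            alerts.append((severity, plc, f"firmware upload attempt at {ts}: {detail}"))
    return alerts, baseline


if __name__ == "__main__":
    for severity, plc, message in review_events(EVENTS, BASELINE)[0]:
        print(f"[{severity}] {plc}: {message}")
```

The baseline is only rolled forward for changes that land inside a maintenance window; an edit or firmware upload at any other time stays a high-severity alert even if the new program later looks stable.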
MITRE ATT&CK Mapping
Iranian operations align with:
- T1046 - Network Service Discovery
- T1589 - Gather Victim Identity Information
- T1592 - Gather Victim Host Information
- T1200 - Hardware Addition (potential next phase)
- T1561 - Disk Wipe (historical destructive objective)
Mitigation & Hardening
Immediate Actions (0-30 Days)
Asset Inventory: Identify all Rockwell Automation PLCs in your environment. Cross-reference with Shodan/Censys to confirm internet exposure.
Network Segmentation: Remove all direct internet exposure for PLCs. Deploy DMZ architecture with explicit allow-lists only for required engineering access.
Credential Audit: Force password reset on all FactoryTalk Service accounts. Disable any default or shared credentials.
Medium-Term (30-90 Days)
Firmware Patching: Prioritize patching CompactLogix and ControlLogix devices running firmware versions prior to 2023. Reference NVD CVE Database for affected versions.
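A small triage script tying the asset-inventory action above to the firmware-patching one, added here as an example rather than code from the original post. The inventory, the stand-in for a Shodan/Censys export of your public ranges, and the per-family minimum firmware versions are all constructed placeholders; the real minimums come from the vendor advisories and NVD entries for the CVEs that apply to your controllers.

```python
import re

# Placeholder minimum firmware versions (major, minor) per product family.
# Constructed values: replace them with the fixed versions from the vendor
# advisories / NVD entries for your controllers.
MIN_FIRMWARE = {"CompactLogix": (33, 11), "ControlLogix": (33, 11), "MicroLogix": (21, 0)}

# Constructed asset inventory.
INVENTORY = [
    {"name": "PLC-PUMP-01", "family": "CompactLogix", "firmware": "V20.013", "ip": "203.0.113.10"},
    {"name": "PLC-VALVE-02", "family": "ControlLogix", "firmware": "V33.011", "ip": "10.20.1.12"},
    {"name": "PLC-MIX-03", "family": "CompactLogix", "firmware": "V32.011", "ip": "10.20.1.13"},
    {"name": "PLC-LINE-04", "family": "MicroLogix", "firmware": "v15.000", "ip": "203.0.113.11"},
]

# Constructed stand-in for the addresses an industrial search engine reports
# for your public ranges.
INTERNET_EXPOSED = {"203.0.113.10", "203.0.113.11"}

VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)")


def parse_version(text):
    """Turn a firmware string such as 'V20.013' into a comparable (major, minor) tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def prioritize(inventory, exposed, minimums):
    """Rank devices: internet-exposed first, then those below the minimum version,
    ties broken by oldest firmware."""
    rows = []
    for device in inventory:
        version = parse_version(device["firmware"])
        below_minimum = version < minimums.get(device["family"], (0, 0))
        is_exposed = device["ip"] in exposed
        priority = (2 if is_exposed else 0) + (1 if below_minimum else 0)
        rows.append({**device, "version": version, "exposed": is_exposed,
                     "below_minimum": below_minimum, "priority": priority})
    rows.sort(key=lambda r: (-r["priority"], r["version"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, INTERNET_EXPOSED, MIN_FIRMWARE):
        flags = ("EXPOSED " if row["exposed"] else "") + ("OLD-FW" if row["below_minimum"] else "")
        print(f"P{row['priority']} {row['name']:13} {row['family']:13} {row['firmware']:8} {flags}")
```

Anything that scores 2 or 3 is exposed and belongs in the immediate segmentation work regardless of firmware; the firmware flag then orders the remaining patch queue.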
Network Monitoring: Deploy ICS-aware IDS (Suricata with ICS rulesets, Zeek with ICS protocols). Establish baseline EtherNet/IP traffic profiles.
Access Controls: Implement certificate-based authentication for FactoryTalk if available. Restrict engineering software access to specific VLANs and user groups.
Long-Term (90+ Days)
OT Architecture Review: Follow NIST Cybersecurity Framework guidelines for ICS segmentation. Implement air-gapped architectures for critical processes.
Incident Response Plan: Develop OT-specific IR playbooks for PLC compromise scenarios. Iranian operations historically escalate to destructive phases within weeks of initial compromise.
Key Takeaways
4,000 exposed PLCs represent the attack surface, not the target set. Iranian operators will likely focus reconnaissance on critical infrastructure sectors (CISA report coordination expected).
OT patching cycles create permanent exploit windows. Unlike IT systems patched monthly, industrial devices remain vulnerable 5+ years post-CVE publication.
Default credentials and legacy protocols remain exploitable. EtherNet/IP and Modbus lack native authentication - network location is your only defense.
This campaign signals preparation for destructive operations. Unlike espionage-focused APT groups, Iranian units typically precede disruptive attacks with weeks of active reconnaissance and staging.
Segmentation failure is the critical vulnerability. Organizations with internet-exposed PLCs likely lack adequate network demarcation between IT and OT systems, enabling lateral movement post-compromise.