When the Lights Lie: How Iran Hacked America's Industrial Heartland — and Why Every Connected Product Needs a TARA
On April 7, 2026, six U.S. federal agencies published a joint emergency advisory: Iranian government hackers had broken into oil, gas, and water infrastructure, manipulated control systems, and falsified the readings operators were watching on their screens. Every step was a known, documented, predictable threat.
April 2026 — OmniTrust Certify
On April 7, 2026, six U.S. federal agencies did something unusual: they published a joint emergency advisory on the same day, under the same document number — AA26-097A — signed by the FBI, CISA, NSA, EPA, the Department of Energy, and U.S. Cyber Command. The message was blunt. Iranian government hackers had broken into oil, gas, and water infrastructure across the United States, manipulated the control systems running physical equipment, and caused real operational disruption and financial loss. In some facilities, the readouts operators were watching on their screens were simply wrong — the attackers had altered them. The machines were lying.
This was not a theoretical attack. It was not a proof of concept or a red team exercise. It happened. And when you look at exactly how it happened, a single uncomfortable truth surfaces: every step of this attack was a known, documented, predictable threat. The kind of threat a Threat Analysis and Risk Assessment — a TARA — is specifically designed to surface before an adversary does.
The Threat Actor: CyberAv3ngers
The group behind the 2026 campaign is CyberAv3ngers, a cyber persona operated by Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). They are tracked across the industry under multiple aliases — Storm-0784 (Microsoft), Bauxite (Dragos), UNC5691 (Mandiant) — and six of their senior officials were sanctioned by the U.S. Treasury in February 2024. The State Department put a $10 million bounty on information about their leadership.
This group did not appear in 2026. They have been systematically escalating their capabilities for years:
2020–2022 — Propaganda phase. Claims of disruptions in Israel, mostly fabricated. Psychological operations, manufactured imagery, influence campaigns designed to create fear disproportionate to their actual technical reach.
October 2023 — Default credential exploitation. The group exploited factory-default passwords on approximately 75 Unitronics Vision Series PLCs across U.S. and Irish water utilities. The Municipal Water Authority of Aliquippa, Pennsylvania, became the most visible victim. Irish water facilities experienced multi-day service disruptions. The attack required essentially no technical sophistication — the credentials were never changed from the manufacturer defaults.
Mid-2024 — Custom ICS malware. CyberAv3ngers deployed IOCONTROL, a modular Linux-based cyberweapon targeting IoT and OT devices simultaneously. IOCONTROL communicated over MQTT via TLS on port 8883, used DNS-over-HTTPS to evade detection, stored AES-256-CBC encrypted configurations, and persisted through systemd boot scripts. It targeted D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics devices. CISA described it as “a cyberweapon used by a nation-state to attack civilian critical infrastructure.” OpenAI disclosed in October 2024 that the group had been using ChatGPT to assist with target reconnaissance and code debugging — AI-accelerated threat operations.
March 2026 — Authentication bypass at scale. The current campaign shifted from Israeli-made PLCs to the dominant U.S. industrial platform: Rockwell Automation / Allen-Bradley, deployed in tens of thousands of facilities across the country.
The Vulnerability: CVE-2021-22681
The technical entry point was CVE-2021-22681, a critical authentication bypass vulnerability in Rockwell Automation’s Studio 5000 Logix Designer engineering software and its family of Logix PLCs — CompactLogix, ControlLogix, GuardLogix, DriveLogix, FlexLogix, and SoftLogix.
CVSS score: 9.8 — Critical.
The flaw is architectural. Studio 5000 Logix Designer uses a cryptographic key to authenticate communications between the engineering workstation and the PLC. That key was insufficiently protected, meaning an attacker who could reach the PLC over the network could present themselves as an authorized engineering workstation — no credentials required.
The vulnerability was disclosed and “mitigated” in 2021. There is no patch. Rockwell issued guidance recommending defense-in-depth controls, but the underlying cryptographic design was never fixed. CISA added CVE-2021-22681 to its Known Exploited Vulnerabilities catalog in March 2026 and ordered all federal agencies to address it by March 26. The advisory confirming active exploitation was published twelve days later.
A Shodan search at time of publication showed nearly 6,000 internet-exposed Rockwell devices. An unknown number are affected by CVE-2021-22681.
The Attack: Step by Step
The attack chain was precise, patient, and in places invisible to defenders:
1. Reconnaissance. Attackers used Shodan and Censys — the same public tools any security researcher uses — to scan for internet-exposed Rockwell CompactLogix and Micro850 controllers. They scanned multiple OT ports: 44818 (EtherNet/IP), 2222 (OT configuration), 102 (Siemens S7), 22 (SSH), 502 (Modbus TCP). The scanning of Siemens S7 ports suggests the campaign scope extends beyond Rockwell hardware.
2. Initial access. Using CVE-2021-22681, attackers bypassed authentication on internet-facing PLCs. No credentials needed. They operated from leased, third-party hosted overseas infrastructure to mask their origin.
3. Execution — the critical move. Attackers used Rockwell’s own Studio 5000 Logix Designer software to connect to the victim’s PLC. This is the legitimate engineering tool used by authorized personnel every day. From the perspective of standard network monitoring, this connection looked identical to a scheduled maintenance session.
4. Persistence. They deployed Dropbear SSH on compromised endpoints — a lightweight SSH server that opened a persistent remote access channel on port 22.
5. Impact — the part operators saw, and didn’t see. Attackers extracted .ACD project files containing the PLC’s ladder logic and configuration. They altered data displayed on HMI and SCADA dashboards. Operators watching their screens saw false readings. In some cases this caused operational disruption. In others, financial loss. The physical consequences of operators acting on falsified sensor data — in a water treatment plant, an oil pipeline, a gas processing facility — could extend far beyond a screen.
“We have seen both state and non-state actors in Iran pose real risk and show willingness to hurt people through compromising these systems. I fully expect them to keep up the pressure and target those sites they can get access to.”
— Rob Lee, CEO, Dragos
The exploitation playbook did not stay contained. According to CloudSEK’s threat landscape assessment, 60+ hacktivist groups activated within hours of U.S. strikes on Iranian infrastructure in February 2026, many adopting variants of the CyberAv3ngers approach. The attack surface is not one group. It is a methodology now held by dozens.
What a TARA Would Have Found
This is where the story stops being about Iran and starts being about every manufacturer, utility, and infrastructure operator with a connected product.
OmniTrust Certify generates TARAs — structured Threat Analysis and Risk Assessments — for connected products. Below are three representative TARA line items that a Certify-generated assessment for a Rockwell-based industrial automation system would have produced, framed against what actually occurred.
TARA Item 1 — Internet-Exposed PLC with No Authentication Boundary
| Field | Detail |
|---|---|
| Asset | CompactLogix PLC — EtherNet/IP interface, port 44818, internet-facing |
| Threat Category | Spoofing / Tampering (STRIDE) |
| Threat Scenario | An unauthenticated remote actor exploits CVE-2021-22681 to present a valid engineering workstation identity to the PLC over the public internet, bypassing all access controls and establishing a trusted connection to controller logic. |
| CVE Reference | CVE-2021-22681 (CVSS 9.8) |
| Damage Scenario | Adversary gains full read/write access to ladder logic and project configuration with no audit trail distinguishable from authorized sessions. Physical process execution altered. |
| Attack Path | Public internet → EtherNet/IP port 44818 → CVE-2021-22681 authentication bypass → PLC project file access |
| Risk Level | Critical |
| Risk Treatment | Remove PLC from direct internet exposure. Place behind industrial DMZ with authenticated jump server. Implement allowlist of authorized engineering workstation IPs. Set physical mode switch to RUN to prevent remote logic modification. Monitor port 44818 for connections originating outside authorized subnet. |
What happened: This exact path was used. It was the initial access vector for the entire campaign.
TARA Item 2 — HMI/SCADA Display Manipulation via Stored Data Tampering
| Field | Detail |
|---|---|
| Asset | SCADA HMI Dashboard — operator workstation displaying real-time process telemetry |
| Threat Category | Tampering / Information Disclosure (STRIDE) |
| Threat Scenario | Following controller compromise, an actor modifies the values returned by the PLC to connected HMI displays, presenting false sensor readings to human operators while the underlying physical process operates in an unmonitored state. |
| Damage Scenario | Operators make control decisions based on falsified process data. In water treatment: incorrect chemical dosing, pump overpressure, treatment bypass. In oil/gas: false flow readings masking leaks or overpressure conditions. Outcome ranges from regulatory violation to physical damage to public safety incident. |
| Attack Path | Compromised PLC → modified output registers → HMI polling loop → false display values presented to operator |
| Risk Level | Critical |
| Risk Treatment | Implement independent process monitoring that does not rely on PLC-reported values. Cross-validate critical sensor readings against physical instrumentation. Deploy behavioral anomaly detection that flags divergence between PLC outputs and independent sensors. Establish baseline of normal HMI value ranges and alert on deviation. |
What happened: Attackers modified SCADA/HMI display data at multiple sites. Operators were watching falsified readings. This is the scenario that makes ICS attacks more dangerous than IT attacks — the physical world does not match the digital picture.
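The risk treatment for this item calls for independent process monitoring, cross-validation of PLC-reported values against physical instrumentation, and a baseline of normal value ranges. The following is an added example written for this article, not code from OmniTrust Certify, Rockwell, or the advisory. It assumes a second measurement path that does not go through the PLC, and the tag names, baseline ranges, tolerances and sample readings are all constructed for illustration. The frozen-value heuristic is likewise an assumption of the example, not something the advisory describes.

```python
"""Cross-validate PLC-reported process values against independent instrumentation.

Added example, not code from OmniTrust Certify, Rockwell, or CISA. All tag names,
ranges, tolerances and readings below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int              # poll index (constructed; one unit per HMI poll cycle)
    tag: str            # process tag, e.g. "chlorine_ppm"
    plc: float          # value the PLC returns to the HMI polling loop
    independent: float  # value from instrumentation that does not pass through the PLC


# Constructed baseline of normal operating ranges per tag (illustrative numbers)
BASELINE = {"chlorine_ppm": (0.5, 4.0), "tank_level_pct": (20.0, 90.0)}
# Constructed absolute tolerance for PLC-vs-independent divergence, per tag
TOLERANCE = {"chlorine_ppm": 0.3, "tank_level_pct": 5.0}


def check_sample(s: Sample) -> list[str]:
    """Return alert strings for one poll: baseline violation and PLC/sensor divergence."""
    alerts = []
    lo, hi = BASELINE[s.tag]
    # Baseline check uses the independent reading, since the PLC value is the untrusted one
    if not lo <= s.independent <= hi:
        alerts.append(f"t={s.t} {s.tag}: independent reading {s.independent} "
                      f"outside baseline [{lo}, {hi}]")
    gap = abs(s.plc - s.independent)
    if gap > TOLERANCE[s.tag]:
        alerts.append(f"t={s.t} {s.tag}: PLC reports {s.plc}, independent sensor "
                      f"{s.independent} (divergence {gap:.2f})")
    return alerts


def check_frozen(samples: list[Sample], window: int = 3) -> list[str]:
    """Flag a tag whose PLC value is constant over `window` consecutive polls while the
    independent sensor moves. A frozen "last good" value is one way a display can be made
    to look normal; this heuristic is an assumption of the example, not from the advisory."""
    by_tag: dict[str, list[Sample]] = defaultdict(list)
    for s in sorted(samples, key=lambda x: x.t):
        by_tag[s.tag].append(s)
    alerts = []
    for tag, seq in by_tag.items():
        for i in range(len(seq) - window + 1):
            win = seq[i:i + window]
            if len({s.plc for s in win}) == 1 and len({s.independent for s in win}) > 1:
                alerts.append(f"{tag}: PLC value {win[0].plc} frozen over polls "
                              f"t={win[0].t}..{win[-1].t} while independent sensor varied")
                break  # one alert per tag is enough for an operator
    return alerts


def evaluate(samples: list[Sample]) -> list[str]:
    """Run both checks over a batch of polls and return every alert raised."""
    alerts = []
    for s in samples:
        alerts.extend(check_sample(s))
    alerts.extend(check_frozen(samples))
    return alerts


# Constructed sample: the HMI shows chlorine dosing steady at 2.0 ppm every poll,
# while the independent analyser shows dosing climbing out of range.
SAMPLES = [
    Sample(0, "chlorine_ppm", 2.0, 2.0),
    Sample(1, "chlorine_ppm", 2.0, 2.1),
    Sample(2, "chlorine_ppm", 2.0, 3.4),
    Sample(3, "chlorine_ppm", 2.0, 4.6),
    Sample(0, "tank_level_pct", 55.0, 54.0),
    Sample(1, "tank_level_pct", 56.0, 55.5),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLES):
        print("ALERT", alert)
```

On the constructed data the chlorine tag raises two divergence alerts, one baseline violation, and one frozen-value alert, while the tank level tag stays quiet. The design point is that every check treats the independent reading as ground truth and the PLC value as the thing being verified, which is the opposite of what a standard HMI does.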
TARA Item 3 — Persistent Remote Access via Deployed SSH Backdoor
| Field | Detail |
|---|---|
| Asset | PLC endpoint / engineering workstation — network accessible |
| Threat Category | Elevation of Privilege / Persistence (STRIDE) |
| Threat Scenario | Following initial access, an actor deploys a lightweight SSH server (such as Dropbear) on a compromised OT endpoint, establishing a persistent, authenticated remote access channel that survives reboots and reconnects automatically to attacker-controlled infrastructure. |
| CVE Reference | N/A — living-off-the-land / tool deployment |
| Damage Scenario | Initial access converted to persistent foothold. Attacker retains access through patch cycles, network changes, and incident response efforts. Enables staged escalation — reconnaissance and access pre-positioned for future high-impact operation at a time of adversary choosing. |
| Attack Path | CVE-2021-22681 initial access → Dropbear SSH installed on endpoint → port 22 outbound to leased C2 infrastructure → persistent bidirectional shell |
| Risk Level | High |
| Risk Treatment | Enforce application allowlisting on OT endpoints — only explicitly authorized software may execute. Monitor for unexpected processes and outbound connections, particularly SSH from OT network segments. Segment OT from IT networks with default-deny egress policy. Conduct regular integrity verification of OT endpoint software baseline. |
What happened: Dropbear SSH was deployed across compromised systems. The FBI advisory specifically identified this as a persistence mechanism. Access that began in January 2025 was not fully terminated until March 2026.
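The risk treatments for Item 1 (monitor port 44818 for connections from outside the authorized subnet) and Item 3 (application allowlisting, and monitoring for unexpected processes and outbound SSH from OT segments) both reduce to comparing observed activity against a small set of explicit expectations. The following is an added example serving both items, written for this article and not code from OmniTrust Certify, Rockwell, or the advisory. The OT address space, engineering allowlist, host names, process inventories and flow records are all constructed; a real deployment would feed it from firewall or NetFlow exports and an endpoint inventory.

```python
"""Flow and process checks for TARA Items 1 and 3.

Added example, not code from OmniTrust Certify, Rockwell, or CISA. Every address,
host name, process name and flow record below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed network model
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")                  # OT address space
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]     # authorized engineering workstations
ENIP_PORT = 44818   # EtherNet/IP, the PLC engineering interface named in Item 1
SSH_PORT = 22       # the outbound channel named in Item 3

# Constructed per-host application allowlist (Item 3 risk treatment)
PROCESS_ALLOWLIST = {
    "plc-edge-01": {"systemd", "runtime", "eipd"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_authorized_engineering(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENGINEERING_ALLOWLIST)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string if the flow violates Item 1 or Item 3 expectations, else None."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Item 1: EtherNet/IP to a PLC from anything other than an authorized engineering host.
    # Both an internet source and an internal host off the allowlist are flagged.
    if dst in OT_SEGMENT and flow.dport == ENIP_PORT and not is_authorized_engineering(flow.src):
        origin = "outside OT segment" if src not in OT_SEGMENT else "unauthorized OT host"
        return f"ENIP session to PLC {flow.dst}:{flow.dport} from {origin} {flow.src}"
    # Item 3: SSH leaving the OT segment toward anything outside it (default-deny egress).
    if src in OT_SEGMENT and flow.dport == SSH_PORT and dst not in OT_SEGMENT:
        return f"outbound SSH from OT host {flow.src} to {flow.dst}"
    return None


def detect(flows: list[Flow]) -> list[str]:
    """Classify every flow and return the alerts raised."""
    return [a for a in (classify(f) for f in flows) if a is not None]


def unexpected_processes(host: str, running: list[str]) -> list[str]:
    """Item 3 allowlisting: anything running that is not explicitly authorized for the host."""
    return sorted(set(running) - PROCESS_ALLOWLIST.get(host, set()))


# Constructed flow records (203.0.113.0/24 is a documentation range standing in for "the internet")
FLOWS = [
    Flow("10.20.5.17", "10.20.1.10", 44818),    # authorized engineering workstation -> PLC: expected
    Flow("203.0.113.45", "10.20.1.10", 44818),  # external source -> PLC: Item 1 alert
    Flow("10.20.7.9", "10.20.1.10", 44818),     # OT host not on the allowlist -> PLC: Item 1 alert
    Flow("10.20.1.10", "203.0.113.45", 22),     # OT endpoint opening SSH outward: Item 3 alert
    Flow("10.20.5.17", "10.20.1.10", 22),       # SSH that stays inside OT: not an egress event
    Flow("10.20.1.10", "10.20.9.1", 502),       # Modbus inside OT: expected
]

# Constructed endpoint inventory for one OT host
RUNNING = {"plc-edge-01": ["systemd", "runtime", "dropbear"]}

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print("FLOW ALERT", alert)
    for host, procs in RUNNING.items():
        for p in unexpected_processes(host, procs):
            print(f"PROCESS ALERT {host}: unauthorized process {p}")
```

The flow rules deliberately key on direction and destination rather than on any signature of a particular tool: an engineering session from an unlisted internal host is reported exactly like one from the internet, and an OT endpoint opening SSH outward is reported regardless of what server is listening. The process check is the allowlist side of the same treatment, and on the constructed inventory it surfaces the one process the host was never authorized to run.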
The Industry Pattern
What makes this incident significant beyond the geopolitics is what it reveals about the structural state of OT cybersecurity.
CVE-2021-22681 was disclosed in 2021. It was never patched. Nearly 6,000 Rockwell devices remained internet-exposed at the time of the advisory. The CyberAv3ngers playbook — from default credentials in 2023 to authentication bypass in 2026 — worked because organizations operating connected industrial systems never systematically asked: if an adversary could reach this device, what could they do, and what would it cost us?
That is precisely the question a TARA answers.
The ICS attack surface is not hypothetical. It is measurable: 40,000+ internet-exposed ICS devices in the United States, 78,700+ Modbus TCP devices exposed globally, five-year documented dwell times in critical infrastructure environments. Volt Typhoon — China’s pre-positioned ICS threat — has been sitting in some victim environments for half a decade. FBI Director Kash Patel called it “the defining cyber threat of our generation.”
The connected products that run physical infrastructure — from water treatment to oil pipelines to medical devices — are not just software systems. They are safety-critical systems where data manipulation has physical consequences. A TARA frames that reality in structured, defensible, regulatory-aligned form before an adversary frames it for you on a CISA advisory.
Built for This Moment
OmniTrust Certify was built to make threat analysis like the three items above routine — not a post-incident exercise, but a pre-deployment requirement. Certify takes a product description, uploaded documentation, and architecture context, and produces a structured 10-section TARA grounded in STRIDE methodology, CVE and NVD references, Mermaid attack path diagrams, damage and impact analysis, and risk treatment recommendations — aligned to ISO 21434, IEC 62443, FDA Cybersecurity Guidance, CRA, and NIS2.
The attack on Rockwell Automation PLCs was predictable. The threat actor was known. The vulnerability was public. The attack surface was searchable on Shodan. What was missing was a structured process that asked the right questions before operations were disrupted and screens started lying.
That process has a name. It’s a TARA. And the time to run one is before the advisory drops.
OmniTrust Certify — AI-powered TARA generation for connected products. Learn more at omnitrust.ai
Sources
- CISA Advisory AA26-097A
- Tenable: What to Know About CyberAv3ngers
- Picus Security: CISA Alert AA26-097A
- The Record: FBI, Pentagon warn Iran hacking groups target OT
- SecurityWeek: Rockwell Vulnerability Allowing Remote ICS Hacking Exploited in Attacks
- CloudSEK: ICS/OT Targeting in the 2026 Iran-US Conflict
- NBC News: Iran hack breaks into US industrial systems
- CyberScoop: Iranian hackers cyberattacks US energy water infrastructure
- The Hacker News: Iran-Linked Hackers Disrupt US Critical Infrastructure
- HelpNetSecurity: CVE-2021-22681