1. OVERVIEW
Iranian-affiliated APT actors are actively exploiting internet-facing OT devices, specifically Rockwell Automation/Allen-Bradley PLCs, across multiple U.S. critical infrastructure sectors. Confirmed activity has resulted in operational disruptions by manipulating PLC project files and falsifying HMI/SCADA display values, causing financial loss to victim organizations.
1.1 KEY TAKEAWAYS
- Augur predicted the 185.82.73[.]0/24 infrastructure cluster on September 27, 2024, over a year before CISA published the advisory.
- Iranian-affiliated PYROXENE represents an expansion of capabilities beyond CyberAv3ngers, indicating that Iran's OT-targeting ecosystem is growing.
- Exploitation requires no novel vulnerability. Actors use legitimate Rockwell tooling, putting any internet-exposed Allen-Bradley PLC at risk regardless of patch status.
- Exposure spans six countries. MENA traffic, led by the UAE, Oman, and Jordan, shows the highest volumes, with some activity still active as of April 2026. U.S. activity is more recent, concentrated in March 2026.
- Blocking individual IPs is insufficient; defenders must act on infrastructure clusters (CIDR, domain, ASN).
2. THREAT ACTOR
The campaign escalated following Operation Epic Fury on February 28, 2026, a coordinated U.S.-Israel military strike targeting Iran's nuclear facilities, military infrastructure, and leadership. A newly identified IRGC-backed group, designated PYROXENE, has been attributed to this campaign, adding to Iran's established OT-targeting ecosystem. This activity is consistent with historical precedent: the IRGC CEC-affiliated group CyberAv3ngers conducted a similar PLC-targeting campaign beginning in November 2023, compromising at least 75 Unitronics Vision Series PLC devices across U.S. water and wastewater facilities. The current campaign represents a shift from opportunistic disruption to more coordinated and scalable OT targeting.
For a full assessment of Iranian threat actor infrastructure, escalation timeline, and actor-level analysis leading into this campaign, see Augur's Iran 2026 Threat Posture Assessment at https://www.augursecurity.com/post/threat-research-iran-2026-threat-posture-assessment.
3. TARGETED SECTORS
Confirmed victim sectors include:
- U.S. Government Services
- Water and Wastewater Systems
- Energy
4. TACTICS, TECHNIQUES AND PROCEDURES
Actors scanned for and connected to internet-exposed Rockwell Automation PLCs using overseas-based IP addresses and leased third-party hosting infrastructure. Access was established using Rockwell's own Studio 5000 Logix Designer software to initiate legitimate protocol connections to exposed CompactLogix and Micro850 controllers. The primary weakness being exploited is direct internet exposure of OT devices, not a novel software vulnerability.
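Because the access path described above is a legitimate Studio 5000 session rather than an exploit, the useful network signal is the EtherNet/IP encapsulation traffic itself on TCP/44818: a ListIdentity probe (the scanning stage) followed by RegisterSession (the session Studio 5000 opens before uploading or downloading controller contents) from a host that is not an approved engineering workstation. The decoder and detection rule below are an added example written for this page, not code from the advisory, CISA, or Rockwell. The 24-byte encapsulation header layout and command codes are from the EtherNet/IP specification; the packets, host addresses, and allowlist are constructed, and the rule that any encapsulation traffic from an unlisted source merits an alert is an assumption about the defender's environment.

```python
"""EtherNet/IP encapsulation header decoder with a simple detection rule.

Added example for this page; not code from the advisory, CISA, or Rockwell.
Packets, hosts, and the allowlist are constructed. The real protocol facts
used are the 24-byte EtherNet/IP encapsulation header and its command codes.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENIP_TCP_PORT = 44818

# Encapsulation command codes defined by the EtherNet/IP specification.
ENIP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",      # device discovery; what a scanner sends first
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",   # opens a session; precedes logic upload/download
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",        # unconnected CIP requests (e.g. Forward_Open)
    0x0070: "SendUnitData",      # connected CIP messaging
}

# Header layout, little-endian: command(2) length(2) session_handle(4)
# status(4) sender_context(8) options(4) = 24 bytes.
ENIP_HEADER = struct.Struct("<HHII8sI")


@dataclass
class EnipHeader:
    command: int
    length: int
    session_handle: int
    status: int
    sender_context: bytes
    options: int

    @property
    def name(self) -> str:
        return ENIP_COMMANDS.get(self.command, f"Unknown(0x{self.command:04x})")


def parse_enip_header(data: bytes) -> Optional[EnipHeader]:
    """Decode the first 24 bytes of a TCP/44818 payload. Returns None when the
    payload is too short or the command code is not a known encapsulation command."""
    if len(data) < ENIP_HEADER.size:
        return None
    hdr = EnipHeader(*ENIP_HEADER.unpack_from(data))
    if hdr.command not in ENIP_COMMANDS:
        return None
    return hdr


def build_enip(command: int, body: bytes = b"") -> bytes:
    """Build a client-side encapsulation packet (session handle 0, empty sender context)."""
    return ENIP_HEADER.pack(command, len(body), 0, 0, b"\x00" * 8, 0) + body


def build_register_session() -> bytes:
    """RegisterSession request body: protocol version 1, option flags 0."""
    return build_enip(0x0065, struct.pack("<HH", 1, 0))


# Constructed flows (assumption): (src_ip, dst_ip, dst_port, first payload bytes seen).
APPROVED_WORKSTATIONS = {"10.20.1.5"}
PLC = "10.20.3.10"
SAMPLE_FLOWS = [
    ("10.20.1.5", PLC, ENIP_TCP_PORT, build_register_session()),   # engineer going online
    ("203.0.113.7", PLC, ENIP_TCP_PORT, build_enip(0x0063)),         # external ListIdentity scan
    ("203.0.113.7", PLC, ENIP_TCP_PORT, build_register_session()),   # external session open
    ("203.0.113.7", PLC, 443, b"\x16\x03\x01"),                      # not EtherNet/IP, ignored
    ("198.51.100.9", PLC, ENIP_TCP_PORT, b"\x00"),                   # truncated, ignored
]


def flag_unapproved_enip(flows, approved) -> List[Tuple[str, str, str]]:
    """Return (src, dst, command name) for every decodable encapsulation packet
    sent to the EtherNet/IP port by a source outside the workstation allowlist."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != ENIP_TCP_PORT:
            continue
        hdr = parse_enip_header(payload)
        if hdr is None or src in approved:
            continue
        alerts.append((src, dst, hdr.name))
    return alerts


if __name__ == "__main__":
    for src, dst, name in flag_unapproved_enip(SAMPLE_FLOWS, APPROVED_WORKSTATIONS):
        print(f"ALERT unapproved EtherNet/IP {name} from {src} to {dst}")
```

Run against the constructed flows, the approved workstation's RegisterSession is silent while the external host produces two alerts, one for the ListIdentity probe and one for the session open. In a real deployment the payload would come from a packet capture or a Zeek-style ENIP log, and the allowlist from the plant's asset inventory; the point is that the detection keys on who opens a session, not on any exploit signature.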
4.1 OBSERVED IMPACT ACTIONS
- Extraction of .ACD project files containing ladder logic and device configuration data
- Manipulation of values displayed on HMI/SCADA interfaces to deceive operators
4.2 RELEVANT CVE
CVE-2021-22681: Authentication bypass via insufficiently protected cryptographic key in Rockwell Studio 5000 Logix Designer and multiple Logix PLCs. Added to CISA's Known Exploited Vulnerabilities catalog in March 2026, confirming active exploitation.
5. CONTEXT
Broader Iranian cyber activity has intensified since late February 2026. Researchers at Symantec and Carbon Black identified backdoors installed on U.S. company networks as early as late February 2026. Iran-linked hacktivist group Handala claimed a March 11, 2026, attack on Stryker Corp., disrupting internal Microsoft systems. Iranian state-linked media published a list of major U.S. technology companies as potential targets, reportedly including Apple.
Federal response capacity is under strain. Approximately 60 percent of CISA's workforce was furloughed as of February 14, 2026, limiting the agency's ability to coordinate national cybersecurity defense amid heightened threats.
Augur's Iran 2026 Threat Posture Assessment tracks the broader escalation timeline from the June 2025 Israeli air campaign through the February 28 strikes, documenting a coordinated Electronic Operations Room stood up within 24 hours of the strikes and an estimated 60+ Iran-aligned hacktivist groups actively retaliating. The assessment also notes that core Iranian operators such as MuddyWater remain operational through stealthier persistence and infrastructure staging while affiliate groups generate the more visible disruption. See Augur's Iran 2026 Threat Posture Assessment at https://www.augursecurity.com/post/threat-research-iran-2026-threat-posture-assessment.
6. REGIONAL EXPOSURE
Augur predicted the 185.82.73[.]0/24 prefix on September 27, 2024 and first observed it in traffic in January 2025, more than a year before the CISA advisory was published on April 7, 2026. The specific IPs named in the advisory (.162, .164, .165, .167, .168, .170, .171) were not directly observed in traffic. However, traffic across the United States, UAE, Jordan, Egypt, Oman, and Saudi Arabia recorded activity from other IPs within this /24 during the period. Following that prediction, Augur proactively blocked or mitigated traffic from the full range across multiple customer environments ahead of any public disclosure, months before CISA reported the first active IPs.
Activity across the 185.82.73.0/24 range was observed across six countries over a multi-month period, indicating sustained infrastructure usage rather than isolated activity.
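The practical consequence of the key takeaway in section 1.1 and of this section is that a rule keyed on the seven advisory-named addresses misses every sibling address in the /24 that was actually seen. The script below is an added example written for this page, not Augur's tooling: it parses constructed connection records, compares what a per-IP blocklist catches with what a CIDR rule catches, and builds a per-source first-seen/last-seen view of the cluster. The /24 and the seven host addresses are taken from the advisory text; the tab-separated log format, the private destination addresses, and the site-country column are assumptions.

```python
"""Cluster-level (CIDR) matching over connection records versus per-IP blocking.

Added example for this page, not Augur's tooling. Records are constructed; the
/24 and the seven named host addresses come from the advisory text above. The
log format and destination addresses are assumptions.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

CLUSTER = ipaddress.ip_network("185.82.73.0/24")
# Host addresses CISA named inside that prefix, per the advisory text.
NAMED_IPS = {f"185.82.73.{h}" for h in (162, 164, 165, 167, 168, 170, 171)}
# EtherNet/IP explicit messaging (TCP) and implicit I/O (UDP) ports.
OT_PORTS = {44818, 2222}

# Constructed records (assumption): ts, src, dst, dport, proto, country of the monitored site.
SAMPLE_CONN_LOG = """\
ts\tsrc\tdst\tdport\tproto\tcountry
2026-03-02T08:15:01Z\t185.82.73.163\t10.40.7.21\t44818\ttcp\tUS
2026-03-02T08:15:03Z\t185.82.73.170\t10.40.7.21\t44818\ttcp\tUS
2026-03-02T09:02:44Z\t185.82.73.91\t172.16.9.5\t44818\ttcp\tAE
2026-03-02T09:03:10Z\t198.51.100.4\t10.40.7.21\t443\ttcp\tUS
2026-03-03T11:40:00Z\t185.82.73.200\t192.168.50.3\t2222\tudp\tOM
2026-03-04T14:12:09Z\t185.82.73.163\t10.40.7.22\t44818\ttcp\tUS
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse the tab-separated records into dicts keyed by the header row."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def hits_by_ip_list(records, blocklist) -> List[Dict[str, str]]:
    """What a per-IP blocklist catches: exact source matches only."""
    return [r for r in records if r["src"] in blocklist]


def hits_by_cluster(records, network) -> List[Dict[str, str]]:
    """What a CIDR rule catches: any source inside the prefix."""
    return [r for r in records if ipaddress.ip_address(r["src"]) in network]


def cluster_activity(records, network) -> Dict[str, Tuple[str, str, int, bool]]:
    """Per-source view of the cluster: (first seen, last seen, flow count, touched an OT port)."""
    out: Dict[str, Tuple[str, str, int, bool]] = {}
    for r in sorted(hits_by_cluster(records, network), key=lambda r: r["ts"]):
        first, _, n, ot = out.get(r["src"], (r["ts"], r["ts"], 0, False))
        out[r["src"]] = (first, r["ts"], n + 1, ot or int(r["dport"]) in OT_PORTS)
    return out


def countries_touched(records, network) -> Counter:
    """Which monitored sites (by country) saw traffic from the cluster."""
    return Counter(r["country"] for r in hits_by_cluster(records, network))


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("per-IP list catches:", sorted({r["src"] for r in hits_by_ip_list(recs, NAMED_IPS)}))
    print("CIDR rule catches  :", sorted({r["src"] for r in hits_by_cluster(recs, CLUSTER)}))
    for src, (first, last, n, ot) in cluster_activity(recs, CLUSTER).items():
        print(f"{src}: {n} flows, {first} .. {last}, OT port touched={ot}")
    print("sites by country:", dict(countries_touched(recs, CLUSTER)))
```

On the constructed records the per-IP list catches one source (.170) while the CIDR rule catches four, and the activity view shows .163 returning two days later against a second PLC. The same comparison applies to domain and ASN pivots; the CIDR case is the simplest to express offline with the standard library, which is why it is shown here.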
6.1 TRAFFIC OBSERVED ON IP RANGE



For questions or additional analysis, contact: research@augursecurity.com

