Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers



What happened

An Iran-linked threat group known as CyberAv3ngers is being tied to active attacks against internet-facing industrial controllers in the United States. A joint advisory issued on April 7 by the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command said Iranian-affiliated actors are exploiting programmable logic controllers across water and wastewater systems, energy infrastructure, and government facilities. The advisory said the activity has already caused operational disruption and financial losses at multiple U.S. organizations. The group has also been linked to earlier attacks involving Unitronics Vision Series PLCs and, more recently, to efforts targeting Rockwell Automation Logix controllers through CVE-2021-22681, an authentication bypass flaw for which no software patch exists. 

Who is affected

The direct exposure affects organizations running internet-accessible industrial controllers, particularly water and wastewater utilities, energy operators, and government facilities. The reporting also points to risk for environments using Rockwell Automation Logix controllers and Unitronics PLCs that remain exposed to the public internet or rely on weak access protections. 

Why CISOs should care

This matters because the activity is affecting operational technology rather than only business IT systems. The advisory and supporting reporting say the attacks have already caused real disruption and financial harm, while the targeted devices sit in environments tied directly to essential services and industrial operations. The absence of a patch for CVE-2021-22681 also means affected organizations may need to rely on network architecture and access control measures rather than routine software remediation. 

3 practical actions

  1. Disconnect exposed PLCs: Remove Rockwell Automation Logix and Unitronics PLCs from direct internet exposure wherever possible. 
  2. Strengthen OT segmentation: Isolate engineering workstations and segment controller networks because architectural separation is one of the primary defenses where no patch is available. 
  3. Monitor for suspicious OT traffic: Alert on MQTT over TLS traffic on port 8883 and DNS-over-HTTPS activity from OT segments, and ingest indicators from advisory AA26-097A into security tools. 
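As an added example (not code from the advisory or this article), the following Python scan applies the two monitoring cues from action 3 to constructed flow records: it flags MQTT over TLS on TCP/8883 and HTTPS to public DNS-over-HTTPS resolver names when the source address sits in an OT segment. The OT address ranges, the resolver list and the six-field flow format are assumptions; substitute the site's own.

```python
import ipaddress
from typing import Optional

# Assumed OT address ranges; substitute the site's controller/engineering VLANs.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16"),
               ipaddress.ip_network("192.168.100.0/24")]

# Small sample of public DoH resolver names, matched on TLS SNI; extend locally.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample flow records: ts src dst proto dport sni ("-" = no SNI seen)
SAMPLE_FLOWS = """\
1712491200 10.50.3.21 203.0.113.10 tcp 8883 -
1712491201 10.50.3.21 203.0.113.10 tcp 8883 -
1712491260 192.168.100.7 8.8.8.8 tcp 443 dns.google
1712491300 10.50.7.2 10.50.1.5 tcp 44818 -
1712491330 172.16.9.40 198.51.100.5 tcp 8883 -
1712491400 10.50.3.22 93.184.216.34 tcp 443 example.com
"""

def in_ot(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_SEGMENTS)

def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, sni = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "sni": None if sni == "-" else sni}

def classify(flow: dict) -> Optional[str]:
    """Return an alert label for one flow, or None if it matches neither cue."""
    if not in_ot(flow["src"]):
        return None  # only traffic originating in OT segments is in scope here
    if flow["proto"] == "tcp" and flow["dport"] == 8883:
        return "mqtt_tls_from_ot"
    if flow["proto"] == "tcp" and flow["dport"] == 443 and flow["sni"] in DOH_RESOLVERS:
        return "doh_from_ot"
    return None

def scan(text: str) -> list:
    """Return (label, src, dst) for each flagged flow, de-duplicated per pair."""
    seen, alerts = set(), []
    for line in text.strip().splitlines():
        flow = parse_flow(line)
        label = classify(flow)
        key = (label, flow["src"], flow["dst"])
        if label and key not in seen:  # one alert per (cue, src, dst), not per flow
            seen.add(key)
            alerts.append(key)
    return alerts
```

The internal EtherNet/IP flow on 44818, the 8883 flow from the non-OT 172.16.9.40 host, and the ordinary HTTPS session to example.com are left unflagged, so the output lists only the two advisory cues.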
