5,219 Rockwell PLCs exposed online

Censys has warned that more than 5,000 Rockwell Automation/Allen-Bradley PLCs are currently exposed to the internet, as Iranian-affiliated APT actors actively target these devices across U.S. critical infrastructure.

The same operators were previously associated with a November 2023 campaign that compromised at least 75 Unitronics PLCs in U.S. water and wastewater facilities, demonstrating a continuing focus on OT systems.

On April 7, 2026, the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command released a joint advisory (AA26-097A) detailing ongoing exploitation of internet-facing Rockwell/Allen-Bradley PLCs by Iranian-affiliated APT actors linked to the IRGC Cyber Electronic Command, including the group tracked as CyberAv3ngers.

The current activity, observed since at least March 2026, relies on legitimate Rockwell tooling such as Studio 5000 Logix Designer to connect directly to exposed PLCs, modify project files, and manipulate HMI/SCADA display data without exploiting zero‑day vulnerabilities.

Confirmed targets include CompactLogix and Micro850 families, and agencies warn that concurrent probing of Modbus and Siemens S7 traffic suggests broader multi‑vendor targeting.

5,219 Rockwell/Allen-Bradley PLCs Exposed

Censys telemetry shows 5,219 internet-exposed hosts responding on EtherNet/IP (port 44818) and self-identifying as Rockwell Automation/Allen-Bradley devices, matching the attack surface in scope for AA26-097A.

Global distribution of internet-exposed Rockwell/Allen-Bradley PLC hosts (Source : Censys).
Global distribution of internet-exposed Rockwell/Allen-Bradley PLC hosts (Source : Censys).

The United States accounts for 74.6% of that exposure (3,891 hosts), reflecting Rockwell’s dominant footprint in North American industrial automation.

Outside the Anglosphere, Spain (110), Taiwan (78), and Italy (73) stand out, while Iceland’s 36 exposed devices are notable given its small population and heavy use of industrial control systems in geothermal energy.

The sectors most at risk include government services, water and wastewater systems, and energy—all common Rockwell PLC deployment environments.

ASN analysis reveals that nearly two‑thirds of exposed Rockwell PLCs sit on consumer and business cellular networks rather than industrial or datacenter providers.

Verizon Business (CELLCO-PART) alone hosts 2,564 exposed PLC endpoints (49.1% of the global total), while AT&T Mobility adds 693 more (13.3%).

Top 15 ASNs hosting internet-exposed Rockwell/Allen-Bradley PLCs (Source : Censys).
Top 15 ASNs hosting internet-exposed Rockwell/Allen-Bradley PLCs (Source : Censys).

This pattern strongly indicates that many controllers are field‑deployed assets (e.g., pump stations and remote municipal sites) reachable only through cellular modems directly connected to the public internet.

Censys also notes a cluster on SPACEX-STARLINK (24 hosts), highlighting growing exposure of satellite‑connected OT endpoints harder to monitor and patch.

Unauthenticated EtherNet/IP responses allow attackers to fingerprint PLC models, with the exposed population dominated by MicroLogix 1400 and CompactLogix devices. Many MicroLogix 1400 controllers run end‑of‑sale firmware builds (e.g., C/21.02 and C/21.07), creating a persistent pool of legacy, lightly supported devices.

Top 15 product strings among internet-exposed Rockwell/Allen-Bradley hosts (Source : Censys).
Top 15 product strings among internet-exposed Rockwell/Allen-Bradley hosts (Source : Censys).

Censys also observes co‑exposed services on the same hosts, including VNC (771 instances), Telnet (280), Modbus (292), and Red Lion Crimson services (256). These expand the attack surface by providing direct access to HMI workstations and legacy remote shells.

Operator Infrastructure Behind the Campaign

The CISA advisory includes eight IP indicators, but Censys infrastructure analysis refines this picture.

Seven IPs in the 185.82.73.x range resolve to a multi‑homed Windows engineering workstation in AS214036 (ULTAHOST), running full Rockwell toolchain and exposing RDP with a shared certificate for “DESKTOP-BOE5MUC”. Historical certificate analysis ties 11 IPs in the same /24 to this workstation, revealing four additional operator IPs not listed in the advisory but sharing identical activity patterns.

The eighth IOC (135.136.1.133 in AS9009/M247 Romania) acted as a short‑lived staging box provisioned for a single operation, matching the March attack window.

Agencies and researchers urge asset owners to immediately disconnect Rockwell PLCs from direct internet access and route remote connectivity through secured gateways (VPNs or jump hosts). Additional recommendations include:

  • Locking down or eliminating services like Telnet, VNC, and exposed web interfaces
  • Enforcing strong authentication on cellular/satellite links
  • Maintaining offline, tested backups of PLC configurations and HMI/SCADA projects

With thousands of Rockwell/Allen-Bradley PLCs still exposed and active Iranian-linked operations targeting them, this advisory underscores that this is not a theoretical risk but an ongoing OT threat with real-world operational and safety implications.

Related Articles

Back to top button