Iranian APT Targeting US Infrastructure
CyberAv3ngers is intensifying its attacks on US water and energy utilities. The group is an Iranian advanced persistent threat (APT) with ties to the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
In its latest campaign, CyberAv3ngers has been observed targeting internet-facing programmable logic controllers (PLCs) from Rockwell Automation. These attacks have been linked to the exploitation of CVE-2021-22681, a critical authentication bypass vulnerability in Rockwell’s Logix ecosystem that enables unauthorized access to the PLCs, interaction with engineering software, and modification of device configuration. In multiple incidents, the threat actors successfully manipulated human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays to depict false system information, leading to disruptions and financial loss.
This activity has not been limited to isolated intrusions and appears to be expanding in scope. Reconnaissance scanning has been observed by the NJCCIC, indicating ongoing efforts to identify additional vulnerable devices. Yet despite repeated warnings, over 5,200 Rockwell PLC hosts remain exposed on the web, creating a broad attack surface. Notably, 74.6 percent of affected systems are located in the US. The widespread use of these PLCs, combined with the potential targeting of other operational technology (OT) devices across critical infrastructure, increases the number of targets and the likelihood that similar attacks will be replicated.
Additionally, industrial control systems (ICS) exploitation may no longer be limited to highly capable threat actors. Other threat groups can reproduce the techniques used by CyberAv3ngers, leveraging AI-assisted tools to adopt similar methods quickly. As capabilities expand, disruptive incidents across critical infrastructure will likely increase. Organizations are advised to remove PLCs from the public internet, implement strong access controls, and segment IT and OT networks, as these measures limit the impact of ICS attack methods. Where feasible, apply vendor updates and monitor for unauthorized access and changes to PLC logic or device configurations.
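The last recommendation above, monitoring for unauthorized changes to PLC logic or device configuration, is commonly implemented as a baseline comparison: each controller's program or configuration export is hashed and compared against an approved baseline, and any drift that is not tied to an approved change record is raised for investigation. The following Python is an added illustration of that check; it is not code from the advisory, from NJCCIC, or from Rockwell. The device names, configuration exports and change records are constructed sample data, and the ChangeRecord structure is a hypothetical stand-in for whatever change-management system an organization actually uses.

```python
"""Baseline-drift check for PLC logic/configuration snapshots (added example).

Each PLC's current program/configuration export is hashed and compared against
an approved baseline. Drift that is not explained by an approved change record
is reported, as is any controller that has gone missing or appeared unexpectedly.
All device names, exports and change records below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """Hypothetical approved-change entry from a change-management system."""
    device: str        # PLC identifier (constructed)
    new_digest: str    # SHA-256 of the approved configuration export
    approved_by: str   # who signed off on the change


def digest(config_bytes: bytes) -> str:
    """SHA-256 of a raw logic/configuration export."""
    return hashlib.sha256(config_bytes).hexdigest()


def find_unauthorized_changes(baseline, current, approved_changes):
    """Return a list of (device, reason) findings.

    baseline and current map device -> digest; approved_changes is an iterable
    of ChangeRecord. A device is flagged when its current digest differs from
    the baseline and no approved change record covers that exact new digest,
    when it is missing from the current snapshot, or when it is not in the
    baseline inventory at all.
    """
    approved = {(c.device, c.new_digest) for c in approved_changes}
    findings = []
    for device, base_digest in baseline.items():
        cur = current.get(device)
        if cur is None:
            findings.append((device, "no current snapshot (device unreachable or removed)"))
        elif cur != base_digest and (device, cur) not in approved:
            findings.append((device, "configuration drift without approved change record"))
    for device in sorted(current.keys() - baseline.keys()):
        findings.append((device, "device not in baseline inventory"))
    return findings


# Constructed sample exports: what a logic/configuration dump might look like
# at the time the baseline was approved versus what is on the controllers now.
BASELINE_EXPORTS = {
    "plc-pump-01": b"PROGRAM MainRoutine v3 ...",
    "plc-valve-02": b"PROGRAM ValveControl v7 ...",
    "plc-tank-03": b"PROGRAM TankLevel v2 ...",
}
CURRENT_EXPORTS = {
    "plc-pump-01": b"PROGRAM MainRoutine v3 ...",              # unchanged
    "plc-valve-02": b"PROGRAM ValveControl v8 ...",            # changed, approved
    "plc-tank-03": b"PROGRAM TankLevel v2 ... SETPOINT=0",     # changed, no approval
    "plc-unknown-09": b"PROGRAM ??? ...",                      # not in inventory
}
# Constructed change record covering only the valve controller update.
APPROVED_CHANGES = [
    ChangeRecord("plc-valve-02", digest(CURRENT_EXPORTS["plc-valve-02"]), "ot-engineer"),
]


def run_check():
    """Hash both snapshots and return the findings for the sample data."""
    baseline = {d: digest(b) for d, b in BASELINE_EXPORTS.items()}
    current = {d: digest(b) for d, b in CURRENT_EXPORTS.items()}
    return find_unauthorized_changes(baseline, current, APPROVED_CHANGES)


if __name__ == "__main__":
    for device, reason in run_check():
        print(f"{device}: {reason}")
```

On the sample data the check reports plc-tank-03 (logic changed with no approved record) and plc-unknown-09 (a controller absent from the inventory), while plc-valve-02 is silent because its new digest matches an approved change. In practice the exports would come from the engineering workstation or a periodic backup job, and the findings would feed the same alerting path used for unauthorized-access events.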
Further details and recommended mitigations are available in the associated joint cybersecurity advisory.
