Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.

Censys researchers found 5,219 exposed Rockwell PLCs online, mostly in the U.S., urging defenders to secure or disconnect them.

On April 7, 2026, U.S. agencies, including FBI, CISA, and NSA, warned of Iran-linked APTs exploiting internet-exposed Rockwell Automation PLCs.

Threat actors are carrying out cyberattacks targeting internet-connected operational technology (OT) across multiple critical infrastructure sectors. Iran-linked actors are believed to be behind the activity, aiming to cause disruption in areas such as government services, water systems, and energy.

The attacks involve manipulating project files and altering data shown on HMI and SCADA systems, leading in some cases to operational disruptions and financial losses. Authorities urged organizations to review indicators of compromise and apply mitigations to reduce risks. The campaign has been linked to groups like CyberAv3ngers, associated with Iran’s IRGC.

Organizations are advised to assess exposed devices, follow security guidance from vendors, disconnect systems from the internet where possible, and coordinate with authorities for incident response and mitigation support.

Censys researchers identified 5,219 exposed devices globally, 74.6% in the U.S., many on cellular networks. Analysis of indicators suggests multiple IPs tied to a single compromised engineering workstation, expanding the known attack surface beyond initial disclosures.

“Censys identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818) and self-identifying as Rockwell Automation/Allen-Bradley devices.” reads the report published by Censys. “Geographic distribution is heavily skewed toward the United States, which accounts for 74.6% of global exposure — consistent with Rockwell’s dominant market position in North American industrial automation.”

The researchers pointed out that the exposure of Rockwell Automation PLCs extends beyond the U.S., with notable concentrations in Spain, Taiwan, and Italy, while Iceland shows disproportionate exposure. According to Censys, many devices are connected via cellular networks, with providers like Verizon and AT&T accounting for a large share. This indicates field-deployed systems (e.g., utilities and substations) relying on cellular or even satellite links like Starlink, making monitoring and patching difficult.

Most exposed devices belong to MicroLogix and CompactLogix families, often running outdated firmware.

“EtherNet/IP identity responses expose device-level product strings, enabling granular fingerprinting of PLC model and firmware revision without authentication.” continyes the report. “The top 15 product strings are dominated by two families: MicroLogix 1400 (catalog prefix 1766-) and CompactLogix (1769-, 5069-), with one Micro820 (2080-) entry.”

Since device details can be identified remotely without authentication, attackers can easily scan, identify, and prioritize vulnerable systems, increasing risks for sectors like energy and water infrastructure.

Censys found that 5,219 exposed Rockwell Automation PLC hosts often run extra services beyond EtherNet/IP, increasing risk. Key exposures include VNC for remote HMI access, Telnet (cleartext legacy access), Modbus for OT communication, and Red Lion Crimson in mixed-vendor setups. These services expand attack paths and raise the risk to industrial systems.

The report also provides Indicators of Compromise (IOCs) and technical details about the operator infrastructure.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Rockwell PLCs)