On April 7, 2026, CISA released advisory AA26-097A detailing active exploitation by Iranian-affiliated APT actors targeting U.S. critical infrastructure. The threat is focused on internet-facing Operational Technology (OT), specifically Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs).
This is not theoretical; the attackers are successfully interacting with project files and manipulating data on Human Machine Interface (HMI) and SCADA displays, causing genuine operational disruption and financial loss. Defenders must assume that exposed OT assets are actively being scanned and compromised. Immediate isolation of internet-facing PLCs and rigorous monitoring of engineering workstations are required to maintain operational continuity.
Technical Analysis
- Affected Products: Rockwell Automation/Allen-Bradley PLCs (specifically internet-facing devices).
- Vulnerability/Method: The campaign leverages "security issue activity" targeting OT devices. The attack chain involves malicious interaction with project files (logic files) and the manipulation of data packets sent to HMIs and SCADA systems. This suggests the actors are either exploiting authentication bypasses on exposed CIP (Common Industrial Protocol) services or utilizing stolen credentials to upload altered logic.
- Impact: Successful manipulation allows attackers to alter PLC logic, spoof HMI readings to hide physical changes, and disrupt industrial processes.
- Exploitation Status: Confirmed Active Exploitation. CISA has validated disruptions across several critical infrastructure sectors.
Detection & Response
Sigma Rules
The following Sigma rules target the engineering workstation environment where project files are managed and uploaded.
---
title: Suspicious Modification of Rockwell Project Files
id: aa26-097a-plc-mod-001
status: experimental
description: Detects modifications to Rockwell Automation project files (.ACD, .L5X) which may indicate an attacker altering PLC logic prior to upload.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.impact
  - attack.t0885  # Data Manipulation
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.acd'
      - '.l5x'
  filter_legit:
    Image|contains:
      - '\Studio 5000\'
      - '\RSLogix'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate engineering work and logic updates
level: high
---
title: Unusual Network Connections from Engineering Workstations
id: aa26-097a-c2-001
status: experimental
description: Detects outbound connections from Rockwell engineering tools to non-local network ranges, potentially indicating C2 or unauthorized remote access.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\Studio5000.exe'
      - '\RSLogix5000.exe'
      - '\RSLinx.exe'
  selection_net:
    DestinationPort:
      - 44818
      - 2222
    Initiated: 'true'
  filter_private:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection_img and selection_net and not filter_private
falsepositives:
  - Legitimate remote PLC access by authorized engineers
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for external CIP traffic targeting the OT environment. It assumes network logs are ingested via Syslog/CEF or DeviceNetworkEvents.
// Hunt for external connections on Rockwell CIP/EtherNet/IP ports (44818, 2222)
let OT_IoT_Ranges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
DeviceNetworkEvents
| where RemotePort in (44818, 2222) // CIP/EtherNet/IP ports
| extend IsInternalIP = ipv4_is_in_any_range(RemoteIP, OT_IoT_Ranges)
| where IsInternalIP == false
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, ActionType
| summarize count() by DeviceName, RemoteIP, RemotePort
| order by count_ desc
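The two Sigma rules and the KQL hunt above share one detection shape: a set of selections that must all match, minus a filter for legitimate activity (the Rockwell engineering tools, the RFC 1918 ranges). The evaluator below is an added example, not code from the advisory or from Security Arsenal: it implements the `endswith`, `contains`, `cidr` and plain-equality modifiers the rules use and runs both rules over constructed Sysmon-style events, so a detection engineer can check which event fires which rule and why. Field names follow the Sigma/Sysmon conventions in the rules; the sample events, paths and IP addresses are constructed and are not real telemetry.

```python
"""Minimal evaluator for the two Sigma rules above and the KQL hunt's port/range logic.

Added example, not code from the advisory or from Security Arsenal. Event field names
follow the Sysmon/Sigma conventions the rules use (TargetFilename, Image, DestinationIp,
DestinationPort, Initiated); the sample events are constructed, not real telemetry.
"""
import ipaddress

PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

# Both rules share the condition shape "every selection matches AND no filter matches".
RULE_PROJECT_FILE_MOD = {
    "title": "Suspicious Modification of Rockwell Project Files",
    "category": "file_change",
    "selections": [{"TargetFilename|endswith": [".acd", ".l5x"]}],
    "filters": [{"Image|contains": ["\\Studio 5000\\", "\\RSLogix"]}],
}
RULE_EXTERNAL_CIP = {
    "title": "Unusual Network Connections from Engineering Workstations",
    "category": "network_connection",
    "selections": [
        {"Image|endswith": ["\\Studio5000.exe", "\\RSLogix5000.exe", "\\RSLinx.exe"]},
        {"DestinationPort": [44818, 2222], "Initiated": "true"},
    ],
    "filters": [{"DestinationIp|cidr": PRIVATE_RANGES}],
}


def _match_field(value, modifier, patterns):
    """Apply one Sigma modifier (endswith / contains / cidr / plain equality).

    Sigma string comparison is case-insensitive, so text is lowercased first."""
    if value is None:
        return False
    if modifier == "cidr":
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(p) for p in patterns)
    text = str(value).lower()
    if modifier == "contains":
        return any(p.lower() in text for p in patterns)
    if modifier == "endswith":
        return any(text.endswith(p.lower()) for p in patterns)
    return any(text == str(p).lower() for p in patterns)


def _block_matches(block, event):
    """A selection/filter block maps field -> pattern(s); every field must match."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _match_field(event.get(field), modifier, patterns):
            return False
    return True


def evaluate(rule, event):
    """True when the event comes from the rule's log source, all selections match and no filter does."""
    if event.get("category") != rule["category"]:
        return False
    if not all(_block_matches(s, event) for s in rule["selections"]):
        return False
    return not any(_block_matches(f, event) for f in rule["filters"])


def run_rules(events, rules=(RULE_PROJECT_FILE_MOD, RULE_EXTERNAL_CIP)):
    """Return (rule title, event id) for every event that fires a rule."""
    return [(r["title"], e["id"]) for e in events for r in rules if evaluate(r, e)]


# Constructed sample events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    # Studio 5000 saving a project: matches the selection but is excluded by filter_legit
    {"id": 1, "category": "file_change",
     "Image": r"C:\Program Files (x86)\Rockwell Software\Studio 5000\Logix Designer\Bin\LogixDesigner.exe",
     "TargetFilename": r"C:\Projects\Line4\Line4_Main.ACD"},
    # Unknown binary in a temp directory rewriting the same project file: fires
    {"id": 2, "category": "file_change",
     "Image": r"C:\Users\eng1\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Projects\Line4\Line4_Main.ACD"},
    # RSLinx talking CIP to a PLC on the OT subnet: excluded by filter_private
    {"id": 3, "category": "network_connection",
     "Image": r"C:\Program Files (x86)\Rockwell Software\RSLinx\RSLinx.exe",
     "DestinationIp": "192.168.10.50", "DestinationPort": 44818, "Initiated": "true"},
    # RSLinx talking CIP to a TEST-NET-3 documentation address outside every private range: fires
    {"id": 4, "category": "network_connection",
     "Image": r"C:\Program Files (x86)\Rockwell Software\RSLinx\RSLinx.exe",
     "DestinationIp": "203.0.113.77", "DestinationPort": 44818, "Initiated": "true"},
]

if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] fired on event {event_id}")
```

Events 1 and 3 are the legitimate-activity cases the filters exist for; events 2 and 4 fire. Tuning is then a matter of adjusting the filter blocks (for instance adding the dedicated OT subnet to `filter_private` if it is not RFC 1918) rather than the selections.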
Velociraptor VQL
This artifact hunts for recently modified Rockwell project files on engineering workstations.
-- Hunt for recently modified Rockwell project files (.acd and .l5x) in one pass
-- Mode is returned so writable files can be triaged alongside the modification time
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs=['**/*.acd', '**/*.l5x'], root='C:/')
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
Remediation Script (PowerShell)
This script audits the local firewall for inbound rules allowing the Rockwell CIP port (44818) and recommends disabling public exposure.
# Audit for inbound CIP (Common Industrial Protocol) Traffic
# Rockwell Automation typically uses TCP/44818
Write-Host "Auditing Firewall Rules for TCP/44818 (Rockwell CIP)..." -ForegroundColor Cyan
$rules = Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    # LocalPort may be a single value, an array of values or 'Any'; -contains handles all three
    if ($portFilter.LocalPort -contains '44818') {
        $addressFilter = $rule | Get-NetFirewallAddressFilter
        # Profile is a property of the rule itself (Any, Domain, Private, Public or a combination);
        # avoid naming the variable $profile, which shadows the automatic $PROFILE variable
        $ruleProfile = "$($rule.Profile)"
        Write-Host "[WARNING] Rule Found: $($rule.DisplayName)" -ForegroundColor Yellow
        Write-Host "  Profile:  $ruleProfile"
        Write-Host "  Action:   $($rule.Action)"
        Write-Host "  RemoteIP: $($addressFilter.RemoteAddress)"
        if ($ruleProfile -match 'Any|Public') {
            Write-Host "  [ALERT] This rule allows traffic on Public/Any profiles. Consider restricting to Domain/Private or specific IPs." -ForegroundColor Red
        }
    }
}
Write-Host "Audit Complete." -ForegroundColor Green
Write-Host "Recommendation: Ensure PLCs are NOT internet-facing. Implement VPNs/Jump Hosts for remote access." -ForegroundColor White
Remediation
- Isolate OT Assets: Immediately disconnect PLCs and HMIs from the public internet. Ensure these devices are behind firewalls with strict deny-by-default policies.
- Restrict CIP Traffic: Limit inbound and outbound traffic on TCP ports 44818 (CIP) and 2222 (EtherNet/IP) to only known, required engineering workstations and subnets.
- Enforce Authentication: Change default passwords on PLCs and HMIs. Implement complex, unique credentials for all OT assets.
- Project File Integrity: Enable change management controls for project files. Any logic modification should require digital signatures or dual-approval workflows within the engineering software.
- Review Vendor Advisory: Review the relevant Rockwell Automation security advisory for firmware updates addressing unauthorized access.
- Monitor for Spoofing: Implement anomaly detection on HMI/SCADA data to identify discrepancies between the physical process state and the displayed state (spoofing detection).
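The "Project File Integrity" item above and the Velociraptor hunt earlier both come down to knowing what the approved project files looked like and spotting anything that differs. The script below is an added example, not code from the advisory or from Security Arsenal: it builds a SHA-256 manifest of the .ACD/.L5X files under a project directory, protects the manifest with an HMAC so an attacker who edits a project file cannot simply edit the baseline to match, and reports added, removed and changed files on the next run. HMAC-SHA256 stands in here for whatever signing mechanism the change-management workflow actually uses; the key, directory layout and file contents are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for Rockwell project files (.ACD/.L5X).

Added example, not the advisory's or Security Arsenal's code. The HMAC key is a
placeholder: in practice it belongs in a vault or on the change-management server,
never on the engineering workstation whose files it vouches for.
"""
import hashlib
import hmac
import json
import os
import tempfile

PROJECT_EXTENSIONS = (".acd", ".l5x")


def _sha256_file(path):
    """Stream a file through SHA-256 so large .ACD archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every project file under root (other files ignored)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PROJECT_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = _sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialize deterministically (sorted keys) and attach an HMAC-SHA256 tag."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_signature(signed, key):
    """Constant-time check that the manifest has not been altered since signing."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def diff_against_baseline(root, signed, key):
    """Return added/removed/changed paths; refuse to trust a baseline that fails verification."""
    if not verify_signature(signed, key):
        raise ValueError("baseline manifest failed HMAC verification")
    old, new = signed["manifest"], build_manifest(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline, then an out-of-band edit to one .ACD file."""
    key = b"demo-key-replace-with-a-vault-held-secret"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Line4"))
        acd_path = os.path.join(root, "Line4", "Line4_Main.ACD")
        with open(acd_path, "wb") as fh:
            fh.write(b"constructed project contents v1")
        with open(os.path.join(root, "Line4", "Line4_Main.L5X"), "wb") as fh:
            fh.write(b"<RSLogix5000Content/>")
        with open(os.path.join(root, "README.txt"), "wb") as fh:
            fh.write(b"not a project file, never enters the manifest")
        baseline = sign_manifest(build_manifest(root), key)

        # Simulate a logic change made outside the change-management workflow.
        with open(acd_path, "wb") as fh:
            fh.write(b"constructed project contents v2")
        diff = diff_against_baseline(root, baseline, key)

        # An attacker who also rewrites the stored digest breaks the HMAC instead.
        tampered = {"manifest": dict(baseline["manifest"]), "hmac": baseline["hmac"]}
        tampered["manifest"]["Line4/Line4_Main.ACD"] = _sha256_file(acd_path)
        return {"diff": diff, "tampered_manifest_detected": not verify_signature(tampered, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule from a host other than the workstation (or from a Velociraptor artifact that ships the manifest off-box), the `changed` list is the shortlist to reconcile against approved change tickets; anything on it without a ticket is the "logic modification" the remediation item is about.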