
CVE-2021-22681 & IOCONTROL: Detection and Defense for Rockwell Automation PLCs

Security Arsenal Team
April 10, 2026
6 min read

The threat landscape for Operational Technology (OT) has shifted from disruptive defacements to destructive capability. The Iran-affiliated threat group CyberAv3ngers, operating under the IRGC Cyber-Electronic Command, has escalated operations against U.S. critical infrastructure. Following sanctions and a $10M bounty from the U.S. State Department, intelligence confirms they have moved beyond defacing water utility displays to actively deploying a custom ICS malware framework known as IOCONTROL.

This malware specifically targets Rockwell Automation ControlLogix and CompactLogix PLCs by exploiting CVE-2021-22681, a critical authentication bypass vulnerability. This is not a theoretical risk; active exploitation is ongoing in the wild. Defenders in water, energy, and manufacturing sectors must assume compromise and act immediately to identify exposure and patch vulnerable controllers.

Technical Analysis

The Vulnerability: CVE-2021-22681

  • Affected Products: Rockwell Automation Logix controllers (ControlLogix, CompactLogix, GuardLogix, 1756-L8*, 5069-*, etc.).
  • CVE Identifier: CVE-2021-22681
  • CVSS Score: 10.0 (Critical)
  • Firmware Versions Affected: V20.011 and earlier, V21.011 and earlier, V30.014 and earlier, V31.014 and earlier, V32.014 and earlier, V33.014 and earlier, V34.011 and earlier, V35.011 and earlier.

The Threat: IOCONTROL

CyberAv3ngers have developed IOCONTROL, a tailored ICS malware platform designed to interact with Rockwell controllers. Unlike standard IT ransomware, IOCONTROL allows the attackers to manipulate the physical logic of the industrial process—potentially disabling safety interlocks or disrupting machinery—by leveraging the underlying vulnerability.

Attack Chain

  1. Reconnaissance: Threat actors scan for exposed Rockwell Automation interfaces, specifically the Common Industrial Protocol (CIP) over EtherNet/IP (TCP/UDP 44818).
  2. Exploitation: The attackers utilize a script or tool that sends a specific CIP request to the controller. Due to the flaw in the firmware's authentication logic (CVE-2021-22681), the controller accepts the command without verifying user credentials.
  3. Payload Deployment: Once authenticated, the attackers deploy the IOCONTROL component, which issues instructions to the PLC to alter its operation or disrupt the communications between the PLC and the Human-Machine Interface (HMI).
  4. Impact: The operators lose visibility or control of the physical process, potentially leading to catastrophic equipment failure or unsafe environmental conditions.

Exploitation Status

  • Status: Confirmed Active Exploitation (In-the-Wild).
  • CISA KEV: Listed as a known exploited vulnerability.
  • Attacker Motivation: Political (State-sponsored), specifically targeting entities with perceived ties to Israel or critical Western infrastructure.

Detection & Response

Given the niche nature of OT traffic, standard signature-based detection often fails here. Defenders must focus on network anomalies involving CIP traffic and endpoint behavior on engineering workstations hosting Rockwell software (Studio 5000, RSLogix).

Sigma Rules

YAML
---
title: Potential Rockwell Automation CIP Exploit Activity
id: 8a1f2c33-1d4e-4b5c-9a6b-7c8d9e0f1a2b
status: experimental
description: Detects network connections to the Common Industrial Protocol (CIP) port (TCP 44818) commonly used by Rockwell Automation PLCs. Unexpected connections to this port from non-engineering workstations may indicate active targeting of CVE-2021-22681 or IOCONTROL deployment.
references:
  - https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
author: Security Arsenal
date: 2024/02/20
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2021-22681
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 44818
  filter_known_good:
    SourceIp|cidr:
      - '10.0.0.0/8'     # Adjust to match your specific Engineering VLANs
      - '192.168.10.0/24' # Example: Engineering Subnet
  condition: selection and not filter_known_good
falsepositives:
  - Legitimate PLC programming from unknown engineering workstations
level: high
---
title: Suspicious Rockwell Engineering Tool Child Process
id: 9b2e3d44-2e5f-5c6d-0b7c-8d9e0f1a2b3c
status: experimental
description: Detects suspicious child processes spawned by Rockwell Automation engineering tools (Studio 5000, RSLogix 5000). Attackers may abuse these tools to script interactions with PLCs or move laterally.
references:
  - https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
author: Security Arsenal
date: 2024/02/20
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - 'Studio 5000'
      - 'RSLogix 5000'
      - 'FactoryTalk'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate engineering automation scripts
level: medium
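The first Sigma rule only fires for connections that a Windows endpoint agent logs. The following added example (not part of the original article) applies the same allowlist logic to Zeek-style conn records from a network sensor, which also covers sources without an agent, and additionally flags CIP traffic to hosts that are not in the PLC inventory; the allowlist CIDRs, PLC addresses and log lines are constructed.

```python
# Added example (not from the article): the first Sigma rule's allowlist logic applied
# to Zeek-style conn records from a network sensor, which also sees hosts no endpoint agent covers.
import ipaddress
from collections import Counter

CIP_PORT = 44818
# Constructed allowlist: engineering VLAN plus the historian (assumed addresses).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.20.5.15/32")]
# Constructed PLC inventory: only these hosts should ever receive CIP traffic.
KNOWN_PLCS = {"10.20.1.10", "10.20.1.11"}

def parse_conn_line(line):
    """Zeek conn.log style, tab-separated: ts, id.orig_h, id.resp_h, id.resp_p, proto."""
    ts, orig_h, resp_h, resp_p, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": orig_h, "dst": resp_h, "dport": int(resp_p), "proto": proto.lower()}

def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious_cip(lines):
    """Return (alerts, per-source alert counts) for CIP connections that break the allowlist."""
    alerts, per_source = [], Counter()
    for rec in map(parse_conn_line, lines):
        if rec["dport"] != CIP_PORT or rec["proto"] not in ("tcp", "udp"):
            continue  # not CIP; the port of interest is TCP/UDP 44818
        reasons = []
        if not is_allowed_source(rec["src"]):
            reasons.append("source outside engineering allowlist")
        if rec["dst"] not in KNOWN_PLCS:
            reasons.append("destination is not an inventoried PLC")
        if reasons:
            per_source[rec["src"]] += 1
            alerts.append({**rec, "reasons": reasons})
    return alerts, per_source

# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "1700000001.1\t192.168.10.21\t10.20.1.10\t44818\ttcp",  # engineering workstation, expected
    "1700000002.2\t10.20.5.15\t10.20.1.11\t44818\ttcp",     # historian, expected
    "1700000003.3\t10.50.7.200\t10.20.1.10\t44818\ttcp",    # corporate host reaching a PLC
    "1700000004.4\t10.50.7.200\t10.20.1.11\t44818\tudp",    # same host over UDP
    "1700000005.5\t192.168.10.21\t10.20.1.99\t44818\ttcp",  # EWS talking to an unknown device
    "1700000006.6\t10.50.7.200\t10.20.1.10\t443\ttcp",      # not CIP, ignored
]

if __name__ == "__main__":
    for a in find_suspicious_cip(SAMPLE_LOG)[0]:
        print(f"{a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}: {'; '.join(a['reasons'])}")
```

The per-source counter lets an analyst rank sources the way the KQL query below ranks them, but on sensor data rather than endpoint telemetry.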

KQL (Microsoft Sentinel / Defender)

// Hunt for CIP Protocol (Port 44818) anomalies
// Rank hosts communicating with Rockwell PLCs so that unexpected sources and processes stand out
DeviceNetworkEvents
| where RemotePort == 44818
| extend PLC_IP = RemoteIP, Source_Host = DeviceName
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by PLC_IP, Source_Host, InitiatingProcessFileName
| where Count > 10 // Filter out noise, adjust threshold based on traffic volume
| order by LastSeen desc

Velociraptor VQL

-- Hunt for Rockwell Engineering Workstations to map attack surface
-- This identifies endpoints capable of managing the targeted PLCs
SELECT Name, Pid, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ 'Studio 5000.exe'
   OR Name =~ 'RSLogix 5000.exe'
   OR Name =~ 'FactoryTalk Services Platform.exe'
   OR Name =~ 'RSLinx.exe'

Remediation Script

This PowerShell script scans a local subnet to identify devices listening on the Rockwell CIP port (44818). This helps asset owners identify unauthorized PLCs or exposed interfaces that need patching.

PowerShell
# Audit Script: Discover Rockwell Automation Devices on Local Subnet
# Usage: .\Get-RockwellAssets.ps1 [-Subnet 192.168.10.0/24]
# Note: TCP connect probe only (no elevation needed). A /24 is assumed when no -Subnet is given.
# Run it from an approved engineering host: probes to TCP 44818 are exactly what the detection rules above flag.

param (
    # Default: first non-loopback, non-link-local IPv4 address, with the host octet replaced by 0/24
    [string]$Subnet = ((Get-NetIPAddress -AddressFamily IPv4 -Type Unicast |
        Where-Object { $_.IPAddress -notlike "127.*" -and $_.IPAddress -notlike "169.254.*" } |
        Select-Object -First 1).IPAddress -replace "\d+$", "0/24")
)

if (-not $Subnet) {
    Write-Error "Could not determine local subnet. Please provide -Subnet parameter."
    exit 1
}

Write-Host "[+] Scanning Subnet: $Subnet for Rockwell CIP Service (TCP 44818)..." -ForegroundColor Cyan

$base = $Subnet -replace "\.\d+/\d+$", "."   # "192.168.10.0/24" -> "192.168.10."
$range = 1..254
$openPorts = @()

foreach ($i in $range) {
    $ip = "$base$i"
    $tcp = New-Object System.Net.Sockets.TcpClient
    $connect = $tcp.BeginConnect($ip, 44818, $null, $null)
    $wait = $connect.AsyncWaitHandle.WaitOne(200, $false) # 200ms timeout per host

    if ($wait) {
        try {
            $tcp.EndConnect($connect) | Out-Null
            if ($tcp.Connected) {
                Write-Host "[!] Found CIP Service: $ip" -ForegroundColor Yellow
                $openPorts += $ip
            }
        } catch {
            # Handshake finished with an error: port closed or filtered
        }
    }
    $tcp.Close()
}

if ($openPorts.Count -eq 0) {
    Write-Host "[-] No Rockwell CIP services found on standard port." -ForegroundColor Green
} else {
    Write-Host "[+] Scan Complete. Verify if identified IPs are authorized Rockwell controllers." -ForegroundColor Cyan
    $openPorts
}

Remediation

  1. Apply Firmware Patches Immediately: Update all Rockwell Automation Logix controllers to the latest available firmware that addresses CVE-2021-22681. For affected versions (V20-V35), upgrade to the specific patched minor versions (e.g., V20.013, V21.013, V30.015, V31.015, V32.015, V33.015, V34.012, V35.012) or migrate to a non-vulnerable major version (V36+). Vendor Advisory: Rockwell Automation Security Advisory (Advisory Number: 2021-1103), https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.2021-1103.html

  2. Enforce Network Segmentation (Purdue Model Compliance): Ensure PLCs reside in a strictly demilitarized zone (DMZ) with no direct routing from the corporate IT network or the internet. All access must traverse a controlled DMZ using Jump Hosts or Terminal Services with Multi-Factor Authentication (MFA).

  3. Restrict CIP Access (TCP/UDP 44818): Configure firewall rules to permit TCP/UDP 44818 only from known Engineering Workstation IPs and Historian servers to specific PLC IP addresses. Block all other inbound traffic to this port.

  4. Enable CIP Security: Verify that the "CIP Security" feature is enabled and configured on the controllers (where supported) to enforce encryption and authentication for EtherNet/IP communications, preventing unauthenticated exploitation attempts.

  5. Review Accounts: Audit all local and remote accounts on Rockwell controllers. Remove any non-standard users and rotate passwords for administrative accounts, as prior credential access may have occurred.
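Step 1 above lists an affected ceiling and a patched revision per firmware major. The following added example (not from the article or the vendor advisory) turns those ranges into a triage of a controller inventory, treating revisions that fall between the last listed affected revision and the first listed fix (such as V20.012) as "verify" rather than silently passing them; the asset names, models and firmware strings are constructed.

```python
# Added example (not from the vendor advisory): triage a controller inventory against the
# affected-version ceilings and patched revisions this article quotes for CVE-2021-22681.
import re

# Per firmware major: highest minor the article lists as affected, and the first it lists as patched.
AFFECTED_CEILING = {20: 11, 21: 11, 30: 14, 31: 14, 32: 14, 33: 14, 34: 11, 35: 11}
PATCHED_FROM = {20: 13, 21: 13, 30: 15, 31: 15, 32: 15, 33: 15, 34: 12, 35: 12}
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)$")

def parse_firmware(text):
    """'V32.014' or '32.14' -> (32, 14); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def classify(firmware):
    major, minor = parse_firmware(firmware)
    if major >= 36:
        return "not_affected"   # article: V36+ is a non-vulnerable major
    if major not in AFFECTED_CEILING:
        return "unknown_major"  # not covered by the article's list; check the vendor advisory
    if minor <= AFFECTED_CEILING[major]:
        return "vulnerable"
    if minor >= PATCHED_FROM[major]:
        return "patched"
    return "verify"             # gap between the affected ceiling and the stated fix (e.g. V20.012)

def triage(inventory):
    """Group (name, model, firmware) tuples by status; unparseable strings get their own bucket."""
    report = {}
    for name, model, fw in inventory:
        try:
            status = classify(fw)
        except ValueError:
            status = "unparseable"
        report.setdefault(status, []).append(f"{name} ({model} {fw})")
    return report

# Constructed sample inventory (asset names, models and firmware strings are made up).
SAMPLE_INVENTORY = [
    ("PLC-WTP-01", "1756-L83E", "V32.011"),
    ("PLC-WTP-02", "1756-L83E", "V32.015"),
    ("PLC-CHEM-01", "5069-L320ER", "V33.014"),
    ("PLC-PUMP-03", "1756-L71", "V20.012"),
    ("PLC-NEW-01", "1756-L85E", "V36.011"),
    ("PLC-LEGACY", "1756-L61", "V19.011"),
    ("PLC-BAD", "1756-L72", "n/a"),
]
```

Running `triage(SAMPLE_INVENTORY)` yields separate buckets for vulnerable, patched, verify, not_affected, unknown_major and unparseable assets, so the "verify" and "unknown_major" entries can be checked against the vendor advisory instead of being dropped.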
