Date: 04/08/2026
Severity: Critical
Summary
Iran-linked advanced persistent threat (APT) actors are exploiting internet-facing operational technology (OT) devices, including Rockwell Automation/Allen-Bradley PLCs, and have disrupted PLC operations across multiple U.S. critical infrastructure sectors. Observed activity includes tampering with PLC project files and altering data on HMI and SCADA systems, which has caused operational disruption and financial losses. Because the targets are internet-facing, any PLC, HMI or SCADA asset reachable from the internet is in scope. U.S. organizations should urgently review the TTPs and IOCs in the referenced CISA advisory to detect any past or ongoing compromise.
Indicators of Compromise (IOC) List
IP Address : 135.136.1.133, 185.82.73.162, 185.82.73.164, 185.82.73.165, 185.82.73.167, 185.82.73.168, 185.82.73.170, 185.82.73.171, 178.162.227.180, 185.162.235.206
Hash (MD5) : BA284A4B508A7ABD8070A427386E93E0
Hash (SHA-1) : 66AE21571FAEE1E258549078144325DC9DD60303
Hash (SHA-256) : 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : dstipaddress IN ("185.82.73.171","185.82.73.165","185.82.73.168","185.82.73.167","185.82.73.162","135.136.1.133","185.82.73.164","185.82.73.170","178.162.227.180","185.162.235.206") or srcipaddress IN ("185.82.73.171","185.82.73.165","185.82.73.168","185.82.73.167","185.82.73.162","135.136.1.133","185.82.73.164","185.82.73.170","178.162.227.180","185.162.235.206")
Detection Query 2 : md5hash IN ("BA284A4B508A7ABD8070A427386E93E0")
Detection Query 3 : sha1hash IN ("66AE21571FAEE1E258549078144325DC9DD60303")
Detection Query 4 : sha256hash IN ("440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3")
Reference:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a