On April 7, 2026, a joint advisory from six federal agencies confirmed what infrastructure security professionals have feared for years: an Iranian APT group has been actively disrupting programmable logic controllers across U.S. critical infrastructure. The targets include water systems, energy facilities, and government services.
The group is CyberAv3ngers, affiliated with Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command. They have been tracked under multiple names: Storm-0784, Bauxite, Hydro Kitten, UNC5691. The scope of their operation triggered a response from the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command. Six agencies co-authoring a single advisory is rare. It signals that the government considers this an active, ongoing operational threat to national security.
But the advisory itself is not the most important part of this story. The exposure data is.
3,891 PLCs, Half on Cellular Networks
Censys published a detailed analysis the day after the advisory dropped. Their scan identified 5,219 internet-exposed hosts globally that respond to EtherNet/IP on port 44818 and self-identify as Rockwell Automation/Allen-Bradley devices. Of those, 3,891 are in the United States: 74.6% of the global total.
Here is where the story takes a turn that most coverage is missing.
Verizon Business (CELLCO-PART) hosts 2,564 of those exposed PLCs. That is 49.1% of the entire global exposure. AT&T Mobility accounts for another 693 (13.3%). Twenty-four hosts were found on SpaceX Starlink. As Censys researcher Kate Lake wrote, "These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path."
This is the real story. The industrial air gap, the foundational security assumption that kept operational technology safe for decades, was not breached by a sophisticated nation-state exploit. It was replaced by a SIM card. And nobody updated the security model.
The Cellular Modem Blind Spot
Traditional OT security relies on network segmentation. Keep the PLCs on an isolated network, monitor the chokepoints, and control access at the boundary. That model works when the devices sit behind a firewall on a managed corporate network.
It does not work when the devices connect directly to the internet through a cellular modem.
Field-deployed PLCs on cellular networks exist outside the visibility of IT security teams. There is no corporate firewall between the device and the internet. No intrusion detection system monitoring the traffic. No network access control validating who connects. The cellular modem provides convenience for remote monitoring, but it also creates an unmanaged attack surface that bypasses every layer of defense the organization thinks it has in place.
Of those 3,891 exposed U.S. devices, 771 were co-located with VNC services, which in the field usually means the remote desktop of an HMI was reachable alongside the controller. Another 292 were running Modbus, and 280 had Telnet exposed. These are not devices with one minor configuration oversight. These are devices with multiple services wide open to the internet, on networks where nobody is watching.
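What "responds to EtherNet/IP on port 44818 and self-identifies as Rockwell" means on the wire is a ListIdentity exchange: a 24-byte request that any EtherNet/IP device answers, without authentication, with its vendor ID, product code, firmware revision, serial number and product name string. That is exactly the data a scanner, or an attacker picking targets, gets for free. The Python below is an added example written for this article, not Censys tooling or Rockwell code. The reply it parses is constructed to resemble a MicroLogix 1400 at series C / FRN 21.02; the product code and serial number are placeholders, and `probe` should only be pointed at devices you are authorised to test.

```python
from __future__ import annotations

import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063        # encapsulation command: ListIdentity
ITEM_CIP_IDENTITY = 0x000C        # CPF item type carrying the CIP Identity object
ROCKWELL_VENDOR_ID = 1            # ODVA vendor ID 1 = Rockwell Automation / Allen-Bradley
ENCAP_HDR = "<HHII8sI"            # command, length, session, status, sender context, options


def build_list_identity_request() -> bytes:
    """24-byte encapsulation header, command 0x63, empty body. Needs no session."""
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_response(data: bytes) -> dict | None:
    """Return the CIP Identity item from a ListIdentity reply, or None if absent."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    command, length, _sess, status, _ctx, _opts = struct.unpack_from(ENCAP_HDR, data, 0)
    if command != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected reply: command=0x{command:04x} status={status}")
    body = data[24:24 + length]
    if len(body) < 2:
        return None
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if type_id != ITEM_CIP_IDENTITY:
            continue
        # Item layout: encap version (LE16) | sockaddr_in with big-endian family,
        # port, address and 8 zero bytes | vendor, device type, product code
        # (LE16 each) | major, minor revision (u8 each) | status (LE16) |
        # serial (LE32) | counted ASCII product name | state (u8)
        _family, _port, addr = struct.unpack_from(">HHI", item, 2)
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status = struct.unpack_from("<HHHBBH", item, 18)
        (serial,) = struct.unpack_from("<I", item, 28)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", errors="replace")
        return {
            "ip": socket.inet_ntoa(struct.pack(">I", addr)),
            "vendor_id": vendor,
            "is_rockwell": vendor == ROCKWELL_VENDOR_ID,
            "device_type": dev_type,       # 0x0E = Programmable Logic Controller
            "product_code": prod_code,
            "revision": (rev_major, rev_minor),
            "status": dev_status,
            "serial": f"{serial:08x}",
            "product_name": name,
            "state": item[33 + name_len],
        }
    return None


def encode_identity_response(ip: str, vendor: int, dev_type: int, prod_code: int,
                             rev: tuple[int, int], serial: int, name: str, state: int = 3) -> bytes:
    """Build a ListIdentity reply. Useful for fixtures and honeypots; mirrors the parser."""
    name_b = name.encode("ascii")
    (addr,) = struct.unpack(">I", socket.inet_aton(ip))
    item = struct.pack("<H", 1)                                       # encapsulation protocol version
    item += struct.pack(">HHI8s", 2, ENIP_PORT, addr, b"\x00" * 8)    # sin_family=AF_INET(2), port, addr
    item += struct.pack("<HHHBBHIB", vendor, dev_type, prod_code, rev[0], rev[1], 0x0030, serial, len(name_b))
    item += name_b + bytes([state])
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    return struct.pack(ENCAP_HDR, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def probe(host: str, timeout: float = 3.0) -> dict | None:
    """Send ListIdentity over TCP. Point this only at devices you are authorised to test."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
        s.sendall(build_list_identity_request())
        return parse_list_identity_response(s.recv(4096))


# Constructed reply modelled on a MicroLogix 1400 at series C / FRN 21.02; the
# product code and serial number are placeholders, not values from a real device.
SAMPLE_REPLY = encode_identity_response(
    ip="192.0.2.10", vendor=ROCKWELL_VENDOR_ID, dev_type=0x0E, prod_code=0x005A,
    rev=(21, 2), serial=0x00C0FFEE, name="1766-L32BWA C/21.02")

if __name__ == "__main__":
    print(parse_list_identity_response(SAMPLE_REPLY))
```

The asymmetry is the point: the device answers the question because EtherNet/IP has no notion of who is asking. The same request works over UDP broadcast on a local segment, which is how engineering software discovers controllers in the first place, so the discovery feature and the reconnaissance exposure are the same feature.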
No Zero-Day Required
The CyberAv3ngers did not need a vulnerability to exploit. According to the CISA advisory, they used Rockwell Automation's own Studio 5000 Logix Designer, the legitimate configuration software, to open sessions that the victim PLCs accepted as ordinary engineering connections. They extracted project files and manipulated HMI/SCADA display data with the same tools that authorized engineers use every day.
This is "living off the land" for operational technology, and it follows the broader pattern of attackers weaponizing native platform features rather than writing custom malware. In IT security we have spent years tracking how attackers abuse PowerShell, WMI, and other built-in Windows tools to avoid detection. The same pattern is now playing out in OT, with worse implications. Classic EtherNet/IP carries no authentication, so when a PLC accepts a connection from its vendor's own configuration software there is no malware signature to fire on and nothing in the protocol that marks the session as hostile. The only things that distinguish it from a legitimate engineering session are where it came from, when, and whether that source was ever supposed to talk to the controller.
As Steve Povolny from Exabeam told CSO Online: "PLCs sit inside operational networks that were never designed with adversarial persistence in mind." His colleague Gabrielle Hempel put it more bluntly: "If an OT environment is reachable from the internet, that is an inherent design flaw."
The attackers also installed Dropbear SSH on port 22 for persistent access, and probed ports associated with Modbus (502) and Siemens S7 (102), suggesting their targeting extends beyond Rockwell devices. Some victims experienced operational disruption and financial losses.
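Because the Studio 5000 session is protocol-legitimate, detection has to come from context: the source address, whether that source is an approved engineering host, whether the controller is being reached from outside RFC 1918 space at all, whether a controller suddenly accepts SSH, and whether one source is walking through EtherNet/IP, Modbus and S7 in turn. The detection below is an added example written for this article, not from the advisory or any vendor. It runs those checks over a few constructed, simplified Zeek conn.log lines and assumes a sensor can see the flows at all, for instance at the gateway of a private cellular APN. The engineering-workstation allow-list, the asset list and the internal addresses are hypothetical; the probing source reuses one address from the range the advisory and Censys reported.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Hypothetical site policy (not from the advisory): who may open engineering
# sessions, which addresses are controllers, and which ports we watch.
ENGINEERING_WORKSTATIONS = {"10.20.0.5"}              # hosts allowed to run Studio 5000 / RSLogix
PLC_ASSETS = {"10.20.1.10", "10.20.1.11"}             # controllers at this site
ENGINEERING_PORTS = {44818, 2222}                     # EtherNet/IP explicit and implicit messaging
OT_PORTS = ENGINEERING_PORTS | {502, 102}             # plus Modbus/TCP and Siemens S7comm
MONITORED_PORTS = OT_PORTS | {22}                     # plus SSH, which a PLC should never serve
ESTABLISHED = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}  # Zeek conn_state values after a full handshake
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_conn_log(text: str) -> list[dict]:
    """Parse a simplified conn.log: ts, uid, orig_h, orig_p, resp_h, resp_p, proto, conn_state."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, _sport, dst, dport, proto, state = line.split("\t")
        flows.append({"ts": float(ts), "uid": uid, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "state": state})
    return flows


def analyze(text: str) -> list[dict]:
    """Return one alert per suspicious flow, plus one per source that probed several OT protocols."""
    alerts: list[dict] = []
    ports_by_src: dict[str, set[int]] = defaultdict(set)
    for f in parse_conn_log(text):
        if f["dport"] not in MONITORED_PORTS:
            continue
        established = f["state"] in ESTABLISHED
        if f["dport"] in OT_PORTS:
            ports_by_src[f["src"]].add(f["dport"])       # failed attempts (S0, REJ) count as probes
        reasons = []
        # 1. A completed EtherNet/IP session from anything but an approved engineering host.
        #    On the wire it is indistinguishable from Studio 5000 in legitimate use.
        if f["dport"] in ENGINEERING_PORTS and established and f["src"] not in ENGINEERING_WORKSTATIONS:
            reasons.append("unapproved_engineering_source")
        # 2. Any OT or SSH traffic from a non-RFC1918 source: the device is reachable from the internet.
        if not is_rfc1918(f["src"]):
            reasons.append("internet_source")
        # 3. A completed SSH connection to a controller (an SSH daemon planted for persistence).
        if f["dport"] == 22 and established and f["dst"] in PLC_ASSETS:
            reasons.append("unexpected_ssh_to_ot_asset")
        if reasons:
            alerts.append({"uid": f["uid"], "src": f["src"], "dst": f["dst"],
                           "dport": f["dport"], "reasons": reasons})
    # 4. One source touching two or more OT protocols (EtherNet/IP, Modbus, S7) is mapping the site.
    for src, ports in ports_by_src.items():
        if len(ports) >= 2:
            alerts.append({"uid": None, "src": src, "dst": None, "dport": None,
                           "reasons": ["multi_protocol_probe"], "ports": sorted(ports)})
    return alerts


# Constructed log lines (tab-separated, simplified Zeek conn.log fields). The
# probing source reuses an address from the range reported above; everything
# else is invented for the example.
SAMPLE_CONN_LOG = "\n".join([
    "1773500000.100\tCx1\t10.20.0.5\t51000\t10.20.1.10\t44818\ttcp\tSF",
    "1773500005.300\tCx2\t185.82.73.165\t40211\t10.20.1.10\t44818\ttcp\tSF",
    "1773500007.000\tCx3\t185.82.73.165\t40212\t10.20.1.10\t502\ttcp\tREJ",
    "1773500008.000\tCx4\t185.82.73.165\t40213\t10.20.1.10\t102\ttcp\tS0",
    "1773500020.000\tCx5\t185.82.73.165\t40214\t10.20.1.10\t22\ttcp\tSF",
    "1773500030.000\tCx6\t192.168.5.7\t39000\t10.20.1.11\t44818\ttcp\tSF",
])

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONN_LOG):
        print(alert)
```

Note that the first line, the approved workstation's session, produces nothing, and the last line, an internal but unapproved host, produces only the policy alert: byte for byte those two sessions look the same as the one from the attacker's address. None of these rules exist unless someone maintains the allow-list and a sensor sits on the path the cellular modem actually uses, which is the structural gap the rest of this piece is about.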
14 Months of Undetected Operation
Censys did not just map the exposure. They also mapped the attacker's infrastructure. The primary workstation, hostname DESKTOP-BOE5MUC, was hosted at AS214036 (ULTAHOST) across a range of IPs from 185.82.73.160 to 185.82.73.171. The CISA advisory listed seven of those IPs; Censys identified four more.
The infrastructure was active from January 2025 through March 2026, over 14 months of continuous operation. Twenty-two unique self-signed RDP certificates all carried the same hostname in their subject. That is how Windows self-signed RDP certificates work, the CN is the machine name, so the certificates pointed to a single multi-homed Windows host rather than a fleet. On July 9, 2025, nine of those IPs stopped serving certificates within 10 seconds of each other, a restart that only a single host behind all nine addresses explains.
A staging box (WIN-U4IRECQ65UN) appeared briefly at a Romanian hosting provider from March 14 to 18, 2026, with EtherNet/IP testing over a 26-hour window. Then the actual attacks on U.S. infrastructure began.
Fourteen months. One workstation. No detection. That speaks to a complete absence of threat hunting against OT-targeting infrastructure. The certificates, the IP ranges, the hostname patterns were all visible in internet scan data the entire time.
A Remediation Model That Works (But Wasn't Applied)
The frustrating part is that we already know how to fix this. In October 2024, Censys identified nearly 400 web-based HMIs for U.S. water facilities exposed to the internet. Of those, 40 had no authentication at all, and 264 offered read-only access with no login required.
Censys shared the data with the EPA on October 8, 2024. Within nine days, 24% of the systems were secured. Within one month, 58% of read-only and unauthenticated systems were protected. By May 2025, fewer than 6% remained exposed. A 94% reduction in seven months, coordinated through EPA Regional offices and the software vendor.
That is a model that works. Identify exposure through internet scanning, share actionable data with the responsible agency, and coordinate remediation through existing regulatory channels. But it happened for water HMIs, not for PLCs. Nobody applied the same playbook to the 3,891 exposed Rockwell controllers before CyberAv3ngers found them.
The broader context makes this more alarming. A 2024 Censys report identified over 40,000 internet-connected ICS devices in the U.S., with nearly 50% of water system HMIs requiring no authentication. The Waterfall Threat Report 2026 found that nation-state and hacktivist OT attacks doubled in 2025 over 2024. And 70% of water utilities inspected by federal officials in 2024 were found violating basic cybersecurity standards, from default passwords to improper employee offboarding.
End-of-Life Firmware Running Critical Infrastructure
One more detail that deserves attention. The most prevalent exposed device in the Censys scan is the MicroLogix 1400 (catalog prefix 1766-). The firmware revisions most commonly found, C/21.02 and C/21.07, belong to a product line that is end-of-sale with limited vendor support. One caveat: the MicroLogix 1400 is programmed with RSLogix 500, not the Studio 5000 Logix Designer named in the advisory, which targets the Logix 5000 family (ControlLogix, CompactLogix). The exposure data and the intrusion tooling therefore describe overlapping but not identical populations of Rockwell controllers, all of them reachable over the same unauthenticated EtherNet/IP port.
Limited support means there is little or nothing to patch to. Even organizations that want to follow best practices and apply the latest firmware cannot do so for these devices. The vendor has moved on. The devices have not been replaced. And they are still controlling pumps, valves, and switches in water treatment plants and substations across the country.
This is the ICS equivalent of running Windows XP on your domain controller. Except the domain controller does not control the physical safety of a community's water supply.
The Continuing Pattern
This is not the first time Iranian state-affiliated hackers have targeted U.S. infrastructure. CyberAv3ngers previously compromised over 75 Unitronics PLC devices at water and wastewater facilities in November 2023. A related group, Handala, used Stryker's own Microsoft Intune management console to wipe approximately 80,000 devices, the same pattern of turning vendor tools into weapons.
I have been tracking Iran's cyber operations since the February 2026 strikes put every American enterprise on the battlefield. In the weeks that followed, I covered how Iranian proxy groups targeted hospitals and medical device environments with full tactical autonomy, and how Seedworm was confirmed inside a U.S. bank before the strikes even started. The pattern is clear: Iran's cyber capabilities are not theoretical; they are operational, persistent, and increasingly focused on physical infrastructure. This latest campaign is a direct escalation from data theft and disruption to targeting the controllers that manage physical processes in water treatment, energy distribution, and government facilities.
What Actually Needs to Change
The standard advice of "segment your OT networks" and "patch your devices" misses the structural problem. You cannot segment a device that connects to the internet through its own cellular modem, independent of your corporate network. You cannot patch firmware that the vendor no longer supports.
Three things need to happen:
Continuous internet exposure scanning for OT assets. The EPA/Censys water HMI remediation proved this works. Organizations running ICS need to know what is exposed, and they need to know it before an adversary does. Censys, Shodan, and similar tools make this data available. Use them.
Cellular-connected OT must be treated as internet-facing. Any PLC, RTU, or HMI connected through a cellular modem should be subject to the same security controls as a cloud-facing web server: authentication, encryption, access control, and monitoring. Since a legacy controller cannot authenticate an EtherNet/IP session itself, those controls have to live in front of it: a private APN or a VPN tunnel from the modem to a monitored gateway, carrier-side blocking of inbound connections, and a sensor that actually sees the flows. The convenience of cellular remote access does not exempt a device from basic security hygiene.
Coordinated disclosure and remediation at scale. The EPA model worked for water HMIs because there was a clear agency with authority, a vendor willing to cooperate, and actionable exposure data. That model needs to be extended to cover PLCs, RTUs, and other field-deployed OT devices across all critical infrastructure sectors. CISA's Binding Operational Directive 26-02 on edge devices is a step in the right direction, but it only covers federal agencies, and it explicitly excludes operational technology from its scope.
The air gap was the foundation of OT security for decades. It is gone. The cellular modem replaced it, and the security model never caught up. Iran found 3,891 reasons why that matters.