SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command jointly confirmed what had been feared since Iran's 2023 infiltration of American municipal water systems: Iranian hackers linked to the IRGC are actively inside U.S. critical infrastructure, they are capable of disrupting physical operations, and they are escalating. Joint advisory AA26-097A documented confirmed operational disruption and financial losses at multiple U.S. water, energy, and government facilities, the most consequential public acknowledgment of Iranian OT intrusion capability ever issued by U.S. authorities.

The threat actor at the centre of the advisory is CyberAv3ngers, a state-directed unit operating under Iran's IRGC Cyber-Electronic Command. Over three operational phases since 2023, the group has systematically escalated its capabilities: from exploiting default credentials on Unitronics PLCs, to deploying the custom IOCONTROL ICS malware platform across dozens of device families, to now actively exploiting CVE-2021-22681, a CVSS 9.8 authentication bypass in Rockwell Automation's Logix controller ecosystem for which no patch exists and no complete technical workaround has been issued.

The geopolitical trigger is explicit in the advisory: Iran's escalation is a direct response to Operation Epic Fury, the coordinated U.S.-Israel strikes on February 28, 2026 targeting Iranian nuclear facilities and military leadership. CyberAv3ngers is Iran's retaliatory instrument, and water treatment capacity, power generation, and government services are its declared targets.

This is not a theoretical threat. Operational disruption has been confirmed. The only question for security teams is whether CyberAv3ngers' TTPs appear anywhere in your OT telemetry, and what you do next.

CyberAv3ngers: IRGC-CEC Attribution, Aliases, and the $10M Bounty

CyberAv3ngers is a state-directed threat actor assigned to Iran's IRGC Cyber-Electronic Command (IRGC-CEC), the military unit responsible for Iran's offensive cyber operations. The group occupies a unique operational niche: it combines genuine infrastructure attacks with an aggressive Telegram-based propaganda campaign, regularly claiming attacks it did not conduct and recycling previously stolen data to inflate its perceived operational tempo. Separating confirmed activity from propaganda is therefore central to accurate threat assessment.

Tracking designations across major intelligence vendors: Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten (various), UNC5691 (Mandiant), MITRE ATT&CK G1027. The group's hacktivist persona predates its confirmed technical capability, and the October 2023 claim of disrupting Israel's Dorad power station was determined to be fabricated, recycled imagery from unrelated industrial incidents. CyberAv3ngers' confirmed operations, however, are substantive and technically advanced.

In February 2024, the U.S. Treasury Department sanctioned six named IRGC-CEC officials with direct operational responsibility for CyberAv3ngers' campaigns against U.S. water infrastructure. The State Department simultaneously announced a $10 million Rewards for Justice bounty, the same tier reserved for major ransomware operators and Tier-1 nation-state hackers. The IRGC is designated as a foreign terrorist organization by the United States and Canada. No extraditions have occurred; all six officials remain operational in Iran under the protection of the Iranian state.

CyberAv3ngers TTPs Mapped to MITRE ATT&CK for ICS

CyberAv3ngers' attack playbook spans the complete ICS kill chain from initial internet access to physical process manipulation, mapped across both MITRE ATT&CK Enterprise and ATT&CK for ICS frameworks.

Initial access (T1190 / T0883): Internet-exposed PLCs and HMIs are compromised via CVE-2021-22681's cryptographic key bypass and through default or weak credential exploitation on Unitronics devices. Consumer remote access tools, TeamViewer and AnyDesk, are used as supplementary access vectors (T1133), exploiting the operational tolerance for these tools in OT environments where IT-grade secure access infrastructure is often absent.

Persistence and C2 (T1543 / T1095 / T1568.002): IOCONTROL achieves systemd-based boot persistence on Linux ICS devices (T1543.002). C2 communications use MQTT over TLS on port 8883, a standard IoT telemetry port that commonly traverses OT firewall rules unopposed (T1095). Domain resolution for C2 infrastructure uses DNS-over-HTTPS through Cloudflare and Google resolvers, bypassing DNS inspection tools and SIEM DNS logging (T1568.002).

Impact (T0831 / T0836 / T0826): The group has demonstrated capability to modify PLC project files via Rockwell's Studio 5000 Logix Designer, alter process control parameters on water dosing equipment, and manipulate HMI displays to hide malicious changes from plant operators, directly undermining operational awareness and safety system effectiveness. The Municipal Water Authority of Aliquippa confirmed direct control of dosing equipment was achievable before the group's access was detected and severed.

For additional context on how nation-state actors increasingly chain ICS and supply chain vectors, see the North Korea 1,700-package supply chain attack documented in early 2026.

Iranian-affiliated cyber actors are exploiting internet-accessible Rockwell Automation PLCs using a critical authentication bypass vulnerability. Multiple U.S. organizations have confirmed operational disruption and financial losses.

CISA Joint Advisory AA26-097A, April 7, 2026
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

IOCONTROL: The Custom ICS Malware Platform Weaponizing Your OT Network

IOCONTROL is CyberAv3ngers' most sophisticated offensive capability, a custom Linux-based modular malware platform purpose-built for persistent, remotely-managed control across heterogeneous OT and IoT device fleets. First documented by Claroty's Team82 in December 2024, IOCONTROL represents a fundamental shift from the group's earlier ad-hoc default-credential exploitation: it provides centralised, encrypted command-and-control access across dozens of device families from a single infrastructure.

The malware is compiled for multiple CPU architectures (x86, ARM, MIPS), enabling native execution on a wide range of Linux-based devices. Confirmed affected vendors include D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics, covering routers, IP cameras, firewalls, fuel management systems, HMIs, and PLCs. Earlier variants were tracked as OrpraCab and QueueCat before Claroty established the unified IOCONTROL designation.

IOCONTROL's C2 architecture is engineered specifically to evade OT network monitoring. Communication uses MQTT over TLS on port 8883, the same port used by legitimate OT sensor telemetry, making malicious traffic statistically indistinguishable from normal device heartbeats without deep packet inspection and TLS decryption. Configuration data is AES-256-CBC encrypted. C2 domain resolution uses DNS-over-HTTPS via Cloudflare (1.1.1.1) and Google (8.8.8.8) resolvers, bypassing any SIEM detection relying on standard UDP/TCP port 53 DNS logging.

Organisations without OT-specific network monitoring capable of decrypting MQTT/TLS and DNS-over-HTTPS traffic may have IOCONTROL present and actively beaconing without generating a single detection alert.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Three Phases of Escalation: How CyberAv3ngers Built a Critical Infrastructure Capability

CyberAv3ngers' evolution across three operational phases illustrates how a nation-state actor systematically develops OT intrusion capability, and why the April 2026 CISA advisory characterises the threat as actively escalating, not static.

Phase 1 (October 2023–January 2024): The Unitronics PLC campaign. CyberAv3ngers scanned for internet-accessible Unitronics Vision series PLCs using default credentials (admin / 1111) and compromised at least 75 devices across water/wastewater, food/beverage, healthcare, and energy sectors. The Municipal Water Authority of Aliquippa, Pennsylvania was the most publicly documented victim: attackers accessed the Unitronics controller managing a booster station. An Irish water utility suffered a multi-day service outage in the same campaign wave.

Phase 2 (Mid-2024): IOCONTROL deployment. CyberAv3ngers transitioned from opportunistic scanning to persistent, centrally-managed access via IOCONTROL. The malware's multi-vendor, multi-architecture design expanded the group's reach beyond Unitronics devices to routers, cameras, fuel management systems, and HMIs across heterogeneous OT estates. Campaign scope expanded internationally.

Phase 3 (March 2026–Present): CVE-2021-22681 exploitation. Following Operation Epic Fury, CyberAv3ngers escalated to targeting Rockwell Automation Logix controllers, America's most widely deployed industrial control platform, via a CVSS 9.8 authentication bypass with no available patch. Six U.S. agencies confirmed operational disruption in their April 7 joint advisory.

1

PLC Discovery via Internet Scanning

CyberAv3ngers scans Shodan, FOFA, and Censys for internet-exposed Rockwell Automation Logix PLCs on TCP port 44818 and Unitronics devices on port 2222. Devices with public IP exposure are queued for exploitation.

2

Unauthenticated Access via CVE-2021-22681

The CVSS 9.8 cryptographic key bypass allows an attacker with network reach to authenticate as an authorised engineering workstation running Studio 5000 Logix Designer, without valid credentials and without prior host compromise.

3

PLC Project File Modification

Using a compatible Rockwell engineering tool, the attacker reads the PLC project file and modifies process control logic, setpoints, or alarm thresholds. Modified logic is uploaded to the controller and takes effect immediately.

4

IOCONTROL Deployment for Persistent Access

On adjacent Linux-based HMIs or network devices, IOCONTROL is deployed with systemd boot persistence. MQTT/TLS C2 on port 8883 and DNS-over-HTTPS establish a covert long-term foothold invisible to standard OT monitoring tools.

5

HMI Manipulation to Conceal Operator Awareness

HMI display values are manipulated to show normal process readings while underlying PLC logic has been altered, preventing operators from detecting tampered control parameters until physical process anomalies become apparent.

Who Is at Risk in 2026: Sectors, Scale, and the 60-Group Swarm Effect

The April 7 joint advisory identifies three primary target sectors: Water and Wastewater Systems, Energy, and Government Services and Facilities. These are not random targets, they are the sectors with the highest density of internet-exposed ICS devices and the most direct potential for geopolitical pressure on the U.S. government.

Water and wastewater utilities remain the highest-risk sector. The majority of U.S. water utilities operate with minimal cybersecurity resources, OT networks built before remote access was a threat consideration, and PLCs internet-connected for operational convenience without compensating controls. As of early 2026, Shodan indexes thousands of Rockwell Automation and Unitronics devices with direct public IP addresses across the United States.

The scale of the threat extends beyond CyberAv3ngers as a single actor. Researchers analysing the group's Telegram communications and published exploit documentation have estimated approximately 60 affiliated or copycat groups adopted CyberAv3ngers' Unitronics exploitation playbook after it was openly shared. The tool sets, scanning configurations, default-credential lists, and step-by-step guides, have propagated across hacktivist networks linked to Iran, Hezbollah, and sympathiser communities across multiple continents. The joint advisory describes this as a 'swarm effect': a single methodology enabling distributed, difficult-to-attribute attacks against the same infrastructure class at scale.

Organisations running the AI-augmented reconnaissance techniques documented in the HONESTCUE APT AI malware operations analysis should note that CyberAv3ngers is confirmed to have used ChatGPT for OT reconnaissance, mapping device types, firmware versions, and sector-specific attack methodologies.

Detecting and Ejecting CyberAv3ngers: OT Hunting and Remediation Guidance

Effective defence requires simultaneous action on three timescales: immediate threat hunting for active compromise indicators, short-term network hardening to remove the attack vectors, and long-term OT security program maturation.

Immediate hunting (within 24 hours): Ingest the STIX-formatted IOCs from CISA AA26-097A into your SIEM, IDS, and OT monitoring platform. Alert immediately on MQTT/TLS traffic on port 8883 from any OT segment host to an external IP. Audit all Rockwell Automation Logix PLCs for unexpected project file modifications by comparing current configurations against known-good offline backups. Search for IOCONTROL's systemd persistence entries on all Linux-based OT devices. Check Studio 5000 server logs for unexpected source IPs on TCP port 44818.

Short-term hardening (within one week): Remove all Logix PLCs from direct internet accessibility, no Rockwell controller should have a public IP or be reachable outside an authenticated VPN or secure access gateway. Set all PLC mode switches to 'Run' to prevent unauthorised project file uploads. Deploy OT-specific monitoring capable of decrypting and inspecting MQTT/TLS and DNS-over-HTTPS traffic. Replace consumer remote access tools (TeamViewer, AnyDesk) with enterprise solutions enforcing MFA and session recording. Change all default credentials on Unitronics and other internet-accessible ICS devices immediately.

Configuration verification: Use Rockwell's FactoryTalk AssetCentre or equivalent OT asset management tooling to generate and store golden-image backups of all PLC project files. Any deviation from the golden image is a high-confidence compromise indicator requiring immediate investigation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CyberAv3ngers, Iran's IRGC-linked APT, has confirmed operational access inside U.S. water, energy, and government ICS networks via CVE-2021-22681, a CVSS 9.8 Rockwell Automation authentication bypass with no available patch. The April 7, 2026 six-agency advisory documents real operational disruption and financial loss. Every organisation running internet-exposed Rockwell Logix PLCs, Unitronics devices, or Linux-based OT equipment should treat this as an active incident: disconnect PLCs from the internet, ingest CISA AA26-097A IOCs, and hunt for IOCONTROL's MQTT and DNS-over-HTTPS indicators in OT network telemetry today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

Who is CyberAv3ngers?

CyberAv3ngers is a state-directed threat actor assigned to Iran's IRGC Cyber-Electronic Command (IRGC-CEC). Also tracked as Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten, UNC5691 (Mandiant), and MITRE ATT&CK G1027. The group targets critical infrastructure PLCs and ICS devices with confirmed physical disruption capability. Six IRGC-CEC officials were sanctioned by the U.S. Treasury in February 2024; the State Department offers a $10 million reward for information on the group.

What TTPs does CyberAv3ngers use?

CyberAv3ngers employs T1190 (public-facing application exploitation via CVE-2021-22681 and default credentials), T1133 (TeamViewer/AnyDesk for external remote access), T1543 (IOCONTROL systemd persistence on Linux ICS devices), T1095 (MQTT over TLS port 8883 for C2), T1568.002 (DNS-over-HTTPS to evade DNS logging), T0836 (PLC project file modification), and T0831 (HMI manipulation to conceal operator visibility into attack-altered process parameters).

Which sectors does CyberAv3ngers target?

CyberAv3ngers primarily targets U.S. water and wastewater utilities, energy infrastructure, and government facilities including municipalities. The April 2026 CISA joint advisory confirmed active attacks across all three sectors. Secondary targets include healthcare, food and beverage, and any organisation running internet-exposed Rockwell Automation Logix controllers, Unitronics PLCs, or Linux-based ICS and IoT devices supported by the IOCONTROL malware platform.

How do I detect CyberAv3ngers activity?

Ingest IOCs from CISA AA26-097A into your SIEM, IDS, and firewall. Alert on MQTT traffic (port 8883) from OT segments to external IP addresses, legitimate OT devices should not initiate outbound MQTT to public internet. Alert on DNS-over-HTTPS queries from ICS networks. Monitor ports 44818, 2222, 102, and 502 for unexpected scanning or connection activity. Audit internet-exposed Rockwell Logix devices for unauthorised Studio 5000 project file modifications, and hunt for IOCONTROL's systemd persistence entries on all Linux-based OT devices.

Has CyberAv3ngers been indicted or sanctioned?

Sanctioned, not indicted. In February 2024, the U.S. Treasury Department sanctioned six named IRGC-CEC officials directly responsible for CyberAv3ngers operations, including the Aliquippa water utility compromise. The State Department simultaneously announced a $10 million Rewards for Justice bounty. The IRGC itself is designated a foreign terrorist organisation by the U.S. and Canada. No criminal indictments have been filed; all six officials remain operational in Iran.

What is CVE-2021-22681 and will Rockwell Automation patch it?

CVE-2021-22681 (CVSS 9.8) is an authentication bypass in Rockwell Automation's Logix controller family, CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix. The flaw stems from an insufficiently protected cryptographic key used to verify communications between Studio 5000 Logix Designer and Logix PLCs. Rockwell Automation has confirmed no patch will be issued; the vulnerability is architectural. Mitigation requires network-level controls: disconnect Logix PLCs from the internet and deploy a secure access gateway with MFA.

What is IOCONTROL malware and how does it work?

IOCONTROL is a custom Linux-based modular ICS malware platform deployed by CyberAv3ngers since mid-2024. It runs across routers, HMIs, IP cameras, firewalls, and PLCs from vendors including D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. Core capabilities include OS command execution, port scanning, and persistence via systemd. It communicates via MQTT over TLS on port 8883 and uses DNS-over-HTTPS to resolve C2 domains, both designed to evade standard OT network monitoring tools.

How did CyberAv3ngers get inside US water treatment systems?

In the 2023–2024 campaign, CyberAv3ngers exploited internet-exposed Unitronics PLCs using factory-default passwords on devices water utilities had left publicly accessible. The 2026 campaign escalated to CVE-2021-22681, exploiting a cryptographic flaw in Rockwell Automation controllers that allows unauthenticated access from any internet-reachable endpoint. In both cases the root cause is identical: critical OT equipment directly exposed to the public internet with inadequate authentication controls.

Sources & references

  1. CISA Joint Advisory AA26-097A, Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure
  2. Tenable, CyberAv3ngers: FAQ About Iran-Linked Threat Group Targeting U.S. Critical Infrastructure
  3. Security Affairs, U.S. agencies alert: Iran-linked actors target critical infrastructure PLCs
  4. WebProNews, Inside CyberAv3ngers: How Iran's IRGC-Linked Hackers Burrowed Into American Oil, Gas, and Water Systems
  5. CybersecurityNews, Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers
  6. State of Surveillance, Iran Is Already Inside U.S. Water and Energy Systems
  7. Intruvent EDGE, CISA Confirms Iranian Disruption of US Critical Infrastructure
  8. CISA Advisory AA23-335A, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.