Iranian Hackers’ Preferred ICS Targets Left Open Amid Fresh US Attack Warning

The US government is again warning about potential Iranian cyberattacks as researchers find that hackers’ favorite ICS targets remain exposed.

Several US government agencies on Monday issued a fresh warning over Iranian threat actors targeting critical infrastructure, and researchers caution that many instances of these hackers’ preferred targets remain exposed on the internet.

The Department of Homeland Security warned on June 22 that Iran is likely to retaliate — both in the real world and in cyberspace — after the United States conducted air strikes on three important nuclear sites in Iran.

Iranian and pro-Iran threat actors could conduct a wide range of attacks, including ransomware attacks, DDoS attacks, phishing, brute force attacks, and espionage. However, one primary concern is related to Iran’s attacks on industrial control systems (ICS) and other operational technology (OT).

A new fact sheet published on Monday by CISA, the FBI, the NSA and the Department of Defense Cyber Crime Center (DC3) warns of potential attacks targeting US networks and entities of interest, such as defense industrial base organizations, “particularly those possessing holdings or relationships with Israeli research and defense firms”.

The document reminds organizations of the threat posed by Iranian hackers to ICS/OT. Threat actors posing as hacktivists calling themselves Cyber Av3ngers are known for targeting Unitronics Vision programmable logic controllers (PLCs) at water facilities. 

However, according to the government, the same campaign targeted the energy, food and beverage manufacturing, and healthcare sectors as well.

Threat intelligence and attack surface management company Censys has made a list of some of the ICS products commonly targeted by Iranian hackers and scanned the internet to determine how widespread they are and whether their owners and operators have taken steps to secure them in recent months. 

In addition to the Unitronics PLCs that Cyber Av3ngers targeted using default credentials, Censys’ analysis focused on Orpak SiteOmat fuel station automation software, which the hackers targeted via default credentials in October 2023; Red Lion devices, which have been targeted by the IOCONTROL IoT/OT malware developed by the hackers; and the Tridium Niagara framework.

While there is no evidence that Iranian threat groups have targeted Tridium Niagara in their attacks, OpenAI reported in October 2024 that Iranian hackers had used ChatGPT to obtain information on the framework used for building automation and control products, including default passwords.

Censys discovered hundreds or thousands of such systems directly exposed to the internet and potentially vulnerable to attacks. An analysis of the numbers seen in January 2025 compared to June 2025 showed that for most of them the number of exposed systems has increased by between 4% and 9% over the past six months. The exception is Orpak SiteOmat, for which exposure dropped by nearly 25%.

Australia has the highest number of exposed Unitronics devices, closely followed by the United States. For the rest of the analyzed products, the highest numbers are located in the US.

In many cases Iran’s attacks on ICS are unsophisticated, targeting internet-exposed systems that are left completely unprotected or are protected only by a weak default password.

Censys urged manufacturers to avoid shipping devices or software with default passwords, and to provide guidance to customers on avoiding direct exposure to the internet.

“At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the US that can be attributed to Iran,” CISA said. “However, CISA urges owners and operators of critical infrastructure organizations and other potentially targeted entities to review this fact sheet to learn more about the Iranian state-backed cyber threat and actionable mitigations to harden cyber defenses.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
