Iran-affiliated advanced persistent threat (APT) actors are actively targeting internet-exposed Programmable Logic Controllers (PLCs) across U.S. critical infrastructure. This ongoing campaign, detailed in a recent joint advisory, poses a direct risk to operational technology (OT) environments in sectors like energy and manufacturing. Immediate action is required to secure these foundational industrial control systems.
Iranian APTs Target Rockwell Automation PLCs
The primary threat stems from Iranian APT groups exploiting internet-facing Rockwell Automation Allen-Bradley PLCs, including ControlLogix and CompactLogix models. These devices are not designed for direct internet connectivity, and their exposure creates a direct pathway for attackers to disrupt physical industrial processes. The advisory, published on April 7, 2026, indicates active exploitation is underway, requiring an urgent defensive response. The recommended priority is to audit and immediately restrict public internet access to all Rockwell PLCs, ensuring they are only accessible through segmented, internal networks.
Supply Chain Threats: From Browsers to AI Agents
Beyond critical infrastructure, supply chain attacks present a broad and evolving risk. The Windows version of the Hola Browser has been compromised to deliver a cryptocurrency miner in a clear software supply chain attack. Organizations should block hola-browser.exe via application allowlisting and purge it from their environments. Simultaneously, research into agentic AI systems reveals new failure modes, from supply chain compromise to goal hijacking, underscoring the need for robust safeguards in emerging technologies. A specific code integration risk was also highlighted in Anthropic’s Claude Code GitHub Action, where a flaw allowed repository takeover via a malicious GitHub issue. Users must audit and update this action or disable it.
Prioritizing Defensive Actions in OT Environments
Given the severity of the PLC campaign, network architecture changes are non-negotiable. Security teams must implement strong segmentation between IT and OT networks using industrial firewalls like the Cisco ISA-3000 or Palo Alto Networks PA-400 series. Key ports to block from unauthorized sources include TCP/44818 (EtherNet/IP) and UDP/2222. Furthermore, deploying application layer monitoring for Rockwell’s FactoryTalk Linx communications is critical to detect malicious program changes or firmware updates, providing a last line of defense even if perimeter controls are bypassed.
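As an added illustration (not part of the advisory or this post), the following Python script audits firewall logs for the ports named above: it flags any TCP/44818 or UDP/2222 session into the PLC segment that originates from the public internet or from an internal host outside the approved engineering subnet. The log format, subnets and addresses are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Assumed (constructed) addressing: the PLC segment and the only subnet that
# should be allowed to speak EtherNet/IP to it (engineering workstations).
PLC_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
APPROVED_ENGINEERING = [ipaddress.ip_network("10.20.30.0/24")]
# Sources outside these RFC 1918 ranges are treated as public internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports named in the text above.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# A finding is (src, dst, proto, dport, reason).
Finding = Tuple[str, str, str, int, str]

def parse_line(line: str):
    """Parse one constructed key=value firewall log line."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return (f["proto"].lower(), ipaddress.ip_address(f["src"]),
            ipaddress.ip_address(f["dst"]), int(f["dport"]))

def audit(lines: List[str]) -> List[Finding]:
    """Return EtherNet/IP sessions into the PLC segment from disallowed sources."""
    findings = []
    for line in lines:
        proto, src, dst, dport = parse_line(line)
        if (proto, dport) not in ENIP_PORTS or dst not in PLC_SEGMENT:
            continue  # not PLC-bound EtherNet/IP traffic
        if not any(src in net for net in INTERNAL_RANGES):
            reason = "public-internet source reaching PLC"
        elif not any(src in net for net in APPROVED_ENGINEERING):
            reason = "internal source outside approved engineering subnet"
        else:
            continue  # approved engineering workstation
        findings.append((str(src), str(dst), proto, dport, reason))
    return findings

# Constructed sample lines; 203.0.113.0/24 is reserved documentation space.
SAMPLE_LOGS = [
    "proto=tcp src=10.20.30.15 dst=10.50.0.7 dport=44818",  # approved
    "proto=tcp src=203.0.113.9 dst=10.50.0.7 dport=44818",  # internet exposure
    "proto=udp src=10.99.1.4 dst=10.50.0.8 dport=2222",     # IT host, not approved
    "proto=tcp src=10.99.1.4 dst=10.50.0.8 dport=443",      # not EtherNet/IP
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(finding)
```

A hit with the "public-internet" reason is the exposure the advisory warns about; a hit with the "outside approved engineering subnet" reason indicates the IT/OT segmentation is not holding.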
Organizations must move beyond detection to proactive hardening. The convergence of threats against software supply chains and physical industrial controls creates a complex risk landscape. A breach via a compromised browser or a vulnerable GitHub Action can serve as an initial foothold for attackers ultimately targeting more sensitive OT assets.
First, immediately audit for and disconnect all Rockwell Automation PLCs from the public internet. Second, implement network segmentation with industrial firewalls to control traffic to OT assets on ports TCP/44818 and UDP/2222. Third, review and update or disable the vulnerable anthropic/claude-code-action in GitHub repositories to prevent supply chain compromise.