CyberAv3ngers Breached 75+ US Water & Energy PLCs — And They're Still Inside

CyberAv3ngers is a state-directed threat actor assigned to Iran's IRGC Cyber-Electronic Command (IRGC-CEC) — the military unit responsible for Iran's offensive cyber operations. The group occupies a unique operational niche: it combines genuine infrastructure attacks with an aggressive Telegram-based propaganda campaign, regularly claiming attacks it did not conduct and recycling previously stolen data to inflate its perceived operational tempo. Separating confirmed activity from propaganda is therefore central to accurate threat assessment.

Tracking designations across major intelligence vendors: Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten (various), UNC5691 (Mandiant), MITRE ATT&CK G1027. The group's hacktivist persona predates its confirmed technical capability, and the October 2023 claim of disrupting Israel's Dorad power station was determined to be fabricated — recycled imagery from unrelated industrial incidents. CyberAv3ngers' confirmed operations, however, are substantive and technically advanced.

In February 2024, the U.S. Treasury Department sanctioned six named IRGC-CEC officials with direct operational responsibility for CyberAv3ngers' campaigns against U.S. water infrastructure. The State Department simultaneously announced a $10 million Rewards for Justice bounty — the same tier reserved for major ransomware operators and Tier-1 nation-state hackers. The IRGC is designated as a foreign terrorist organization by the United States and Canada. No extraditions have occurred; all six officials remain operational in Iran under the protection of the Iranian state.

CyberAv3ngers' attack playbook spans the complete ICS kill chain from initial internet access to physical process manipulation, mapped across both MITRE ATT&CK Enterprise and ATT&CK for ICS frameworks.

**Initial access (T1190 / T0883):** Internet-exposed PLCs and HMIs are compromised via CVE-2021-22681's cryptographic key bypass and through default or weak credential exploitation on Unitronics devices. Consumer remote access tools — TeamViewer and AnyDesk — are used as supplementary access vectors (T1133), exploiting the operational tolerance for these tools in OT environments where IT-grade secure access infrastructure is often absent.

**Persistence and C2 (T1543 / T1095 / T1568.002):** IOCONTROL achieves systemd-based boot persistence on Linux ICS devices (T1543.002). C2 communications use MQTT over TLS on port 8883 — a standard IoT telemetry port that commonly traverses OT firewall rules unopposed (T1095). Domain resolution for C2 infrastructure uses DNS-over-HTTPS through Cloudflare and Google resolvers, bypassing DNS inspection tools and SIEM DNS logging (T1568.002).

**Impact (T0831 / T0836 / T0826):** The group has demonstrated capability to modify PLC project files via Rockwell's Studio 5000 Logix Designer, alter process control parameters on water dosing equipment, and manipulate HMI displays to hide malicious changes from plant operators — directly undermining operational awareness and safety system effectiveness. The Municipal Water Authority of Aliquippa confirmed direct control of dosing equipment was achievable before the group's access was detected and severed.

For additional context on how nation-state actors increasingly chain ICS and supply chain vectors, see the [North Korea 1,700-package supply chain attack](/blog/north-korea-supply-chain-1700-packages) documented in early 2026.

IOCONTROL is CyberAv3ngers' most sophisticated offensive capability — a custom Linux-based modular malware platform purpose-built for persistent, remotely-managed control across heterogeneous OT and IoT device fleets. First documented by Claroty's Team82 in December 2024, IOCONTROL represents a fundamental shift from the group's earlier ad-hoc default-credential exploitation: it provides centralised, encrypted command-and-control access across dozens of device families from a single infrastructure.

The malware is compiled for multiple CPU architectures (x86, ARM, MIPS), enabling native execution on a wide range of Linux-based devices. Confirmed affected vendors include D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics — covering routers, IP cameras, firewalls, fuel management systems, HMIs, and PLCs. Earlier variants were tracked as OrpraCab and QueueCat before Claroty established the unified IOCONTROL designation.

IOCONTROL's C2 architecture is engineered specifically to evade OT network monitoring. Communication uses MQTT over TLS on port 8883 — the same port used by legitimate OT sensor telemetry, making malicious traffic statistically indistinguishable from normal device heartbeats without deep packet inspection and TLS decryption. Configuration data is AES-256-CBC encrypted. C2 domain resolution uses DNS-over-HTTPS via Cloudflare (1.1.1.1) and Google (8.8.8.8) resolvers, bypassing any SIEM detection relying on standard UDP/TCP port 53 DNS logging.

Organisations without OT-specific network monitoring capable of decrypting MQTT/TLS and DNS-over-HTTPS traffic may have IOCONTROL present and actively beaconing without generating a single detection alert.

CyberAv3ngers' evolution across three operational phases illustrates how a nation-state actor systematically develops OT intrusion capability — and why the April 2026 CISA advisory characterises the threat as actively escalating, not static.

**Phase 1 (October 2023–January 2024):** The Unitronics PLC campaign. CyberAv3ngers scanned for internet-accessible Unitronics Vision series PLCs using default credentials (admin / 1111) and compromised at least 75 devices across water/wastewater, food/beverage, healthcare, and energy sectors. The Municipal Water Authority of Aliquippa, Pennsylvania was the most publicly documented victim: attackers accessed the Unitronics controller managing a booster station. An Irish water utility suffered a multi-day service outage in the same campaign wave.

**Phase 2 (Mid-2024):** IOCONTROL deployment. CyberAv3ngers transitioned from opportunistic scanning to persistent, centrally-managed access via IOCONTROL. The malware's multi-vendor, multi-architecture design expanded the group's reach beyond Unitronics devices to routers, cameras, fuel management systems, and HMIs across heterogeneous OT estates. Campaign scope expanded internationally.

**Phase 3 (March 2026–Present):** CVE-2021-22681 exploitation. Following Operation Epic Fury, CyberAv3ngers escalated to targeting Rockwell Automation Logix controllers — America's most widely deployed industrial control platform — via a CVSS 9.8 authentication bypass with no available patch. Six U.S. agencies confirmed operational disruption in their April 7 joint advisory.

The April 7 joint advisory identifies three primary target sectors: Water and Wastewater Systems, Energy, and Government Services and Facilities. These are not random targets — they are the sectors with the highest density of internet-exposed ICS devices and the most direct potential for geopolitical pressure on the U.S. government.

Water and wastewater utilities remain the highest-risk sector. The majority of U.S. water utilities operate with minimal cybersecurity resources, OT networks built before remote access was a threat consideration, and PLCs internet-connected for operational convenience without compensating controls. As of early 2026, Shodan indexes thousands of Rockwell Automation and Unitronics devices with direct public IP addresses across the United States.

The scale of the threat extends beyond CyberAv3ngers as a single actor. Researchers analysing the group's Telegram communications and published exploit documentation have estimated approximately 60 affiliated or copycat groups adopted CyberAv3ngers' Unitronics exploitation playbook after it was openly shared. The tool sets — scanning configurations, default-credential lists, and step-by-step guides — have propagated across hacktivist networks linked to Iran, Hezbollah, and sympathiser communities across multiple continents. The joint advisory describes this as a 'swarm effect': a single methodology enabling distributed, difficult-to-attribute attacks against the same infrastructure class at scale.

Organisations running the AI-augmented reconnaissance techniques documented in the [HONESTCUE APT AI malware operations](/blog/honestcue-ai-malware-gemini-apt-live-operations) analysis should note that CyberAv3ngers is confirmed to have used ChatGPT for OT reconnaissance — mapping device types, firmware versions, and sector-specific attack methodologies.

Effective defence requires simultaneous action on three timescales: immediate threat hunting for active compromise indicators, short-term network hardening to remove the attack vectors, and long-term OT security program maturation.

**Immediate hunting (within 24 hours):** Ingest the STIX-formatted IOCs from CISA AA26-097A into your SIEM, IDS, and OT monitoring platform. Alert immediately on MQTT/TLS traffic on port 8883 from any OT segment host to an external IP. Audit all Rockwell Automation Logix PLCs for unexpected project file modifications by comparing current configurations against known-good offline backups. Search for IOCONTROL's systemd persistence entries on all Linux-based OT devices. Check Studio 5000 server logs for unexpected source IPs on TCP port 44818.

**Short-term hardening (within one week):** Remove all Logix PLCs from direct internet accessibility — no Rockwell controller should have a public IP or be reachable outside an authenticated VPN or secure access gateway. Set all PLC mode switches to 'Run' to prevent unauthorised project file uploads. Deploy OT-specific monitoring capable of decrypting and inspecting MQTT/TLS and DNS-over-HTTPS traffic. Replace consumer remote access tools (TeamViewer, AnyDesk) with enterprise solutions enforcing MFA and session recording. Change all default credentials on Unitronics and other internet-accessible ICS devices immediately.

**Configuration verification:** Use Rockwell's FactoryTalk AssetCentre or equivalent OT asset management tooling to generate and store golden-image backups of all PLC project files. Any deviation from the golden image is a high-confidence compromise indicator requiring immediate investigation.

CyberAv3ngers — Iran's IRGC-linked APT — has confirmed operational access inside U.S. water, energy, and government ICS networks via CVE-2021-22681, a CVSS 9.8 Rockwell Automation authentication bypass with no available patch. The April 7, 2026 six-agency advisory documents real operational disruption and financial loss. Every organisation running internet-exposed Rockwell Logix PLCs, Unitronics devices, or Linux-based OT equipment should treat this as an active incident: disconnect PLCs from the internet, ingest CISA AA26-097A IOCs, and hunt for IOCONTROL's MQTT and DNS-over-HTTPS indicators in OT network telemetry today.