CyberAv3ngers: The IRGC Unit Operating Inside US Water and Energy Infrastructure Right Now
Iranian state hackers manipulated live process control logic at US water treatment and energy facilities in March 2026, flooding operators' SCADA screens with falsified sensor readings while adversarial code ran undetected in the background. CyberAv3ngers, the IRGC-CEC unit behind this campaign, is not a criminal extortion group seeking ransom. It is a state-directed sabotage capability embedded in networks that deliver drinking water and electricity to millions of Americans.
The CyberAv3ngers IRGC critical infrastructure attack escalated within 72 hours of Operation Epic Fury, the coordinated US-Israeli military campaign that struck Iranian nuclear facilities on February 28, 2026. On April 7, 2026, CISA issued joint advisory AA26-097A alongside the FBI, NSA, EPA, Department of Energy, and US Cyber Command, confirming active exploitation of internet-exposed Rockwell Automation programmable logic controllers across government, water, and energy sectors. Censys identified 5,219 Rockwell Automation/Allen-Bradley devices globally responding to EtherNet/IP protocols, with 74.6 percent located in the United States.
The threat is not theoretical. CyberAv3ngers previously disrupted the Municipal Water Authority of Aliquippa, Pennsylvania, and left Irish residents without running water for days. In 2026, the group shifted to Rockwell Automation Logix controllers, exploiting CVE-2021-22681, a CVSS 9.8 authentication bypass that lets attackers connect to PLCs without valid credentials by intercepting a single cryptographic key. Every OT team managing internet-facing industrial control systems in water, energy, or government sectors should treat advisory AA26-097A as an active incident requiring immediate response.
Who Is CyberAv3ngers? Origin, Attribution, and IRGC Command
CyberAv3ngers is a state-directed cyber threat group operated by the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), Iran's military cyber arm. Despite presenting publicly as a hacktivist collective motivated by anti-Israel ideology, CISA, the US Treasury Department, and Mandiant have all confirmed that named IRGC military officers direct its operations. The group is not an independent activist network. It is a formally commanded military unit.
The group is tracked across the security industry under multiple designations: Storm-0784 by Microsoft, Bauxite by Dragos, Hydro Kitten and UNC5691 by Mandiant, and G1027 by MITRE ATT&CK. This naming fragmentation reflects the group's deliberate operational security practices. It uses separate infrastructure and personas for different target categories, making cross-vendor attribution harder.
In February 2024, the US Treasury Department's Office of Foreign Assets Control sanctioned six named IRGC-CEC officials for directing CyberAv3ngers operations: Hamid Reza Lashgarian, the head of IRGC-CEC and an IRGC-Qods Force commander; Hamid Homayunfal; Mahdi Lashgarian; Milad Mansuri; Mohammad Amin Saberian; and Mohammad Bagher Shirinkar. The sanctions confirm that this is a formally structured military operation with identified command officers, not a loosely affiliated hacktivist collective.
Active since at least 2020, CyberAv3ngers spent its early years conducting DDoS campaigns and defacements against Israeli targets. By late 2023, the group pivoted to targeting operational technology assets, an escalation analysts attribute to deliberate capability building rather than opportunism. The CyberAv3ngers IRGC critical infrastructure attack pattern has continued to mature through 2026, with the group now demonstrating the ability to alter physical process control logic while keeping operators blind to the change.
How Does the CyberAv3ngers ICS Attack Work?
The CyberAv3ngers attack chain against Rockwell Automation PLCs follows a multi-stage process that begins with network reconnaissance and ends with manipulation of physical process control logic, all while feeding operators false readings on their SCADA displays.
Initial access relies on CVE-2021-22681 (CVSS 9.8), a critical authentication bypass affecting Rockwell Automation Studio 5000 Logix Designer and multiple Logix controller families including ControlLogix, CompactLogix, FlexLogix, DriveLogix, and SoftLogix. The vulnerability allows any attacker who intercepts a single EtherNet/IP session cryptographic key to authenticate to an affected PLC without valid credentials. Combined with the 5,219 internet-facing Rockwell devices identified by Censys, the access problem is solved by default misconfiguration, not novel exploitation.
Once connected, actors use Rockwell Automation's own engineering software, Studio 5000 Logix Designer, to extract and modify PLC project files. These files define how the controller manages physical equipment: pump speeds, valve positions, chemical dosing rates, and flow sensor thresholds. After modification, the altered project files are re-deployed to the PLC. The HMI and SCADA display layer is then separately manipulated to show operators normal readings while the adversarial logic runs beneath.
For persistence, CyberAv3ngers deploys Dropbear SSH software on port 22 of the compromised PLC endpoint, establishing a covert command-and-control channel. Ongoing communication leverages EtherNet/IP on ports 44818 and 2222, Modbus TCP on port 502, and in confirmed variants, MQTT over TLS on port 8883. The combination of a stealthy C2 channel, falsified display data, and modified control logic makes detection through operator observation alone impossible.
This technique, silently modifying control logic while masking the change from operators, is what distinguishes CyberAv3ngers from simpler hacktivist-grade disruption. It is the same class of capability previously associated only with Sandworm's attacks on Ukrainian electrical infrastructure.
External Reconnaissance
CyberAv3ngers enumerates internet-facing EtherNet/IP services on ports 44818 and 2222, identifying Rockwell Automation PLCs by their banner responses using Shodan-style scanning (MITRE T1590).
Initial Access via CVE-2021-22681
The group intercepts a single session cryptographic key from unprotected EtherNet/IP traffic, using the CVSS 9.8 authentication bypass to connect to the target PLC with Studio 5000 Logix Designer as an authorized engineer (T0819).
PLC Project File Modification
Actors extract the PLC project file defining all control logic, modify pump schedules, valve positions, dosing rates, and sensor thresholds, then re-deploy the altered file to the controller (T0889).
HMI and SCADA Display Manipulation
The group alters HMI display values to show operators normal readings while adversarial logic executes. Physical systems respond to the modified program; operators see falsified data (T0832).
Persistence via Dropbear SSH Backdoor
CyberAv3ngers deploys Dropbear SSH on port 22 of the compromised PLC, establishing a persistent C2 channel that survives controller restarts and power cycles (T1133).
Operation Epic Fury and the 2026 Infrastructure Campaign
On February 28, 2026, the United States and Israel launched Operation Epic Fury, a coordinated military campaign targeting Iranian nuclear facilities, IRGC leadership, and government infrastructure. US Cyber Command operated as first mover, with cyber operations preceding kinetic strikes. Israel simultaneously executed what analysts described as the largest cyberattack in history, collapsing Iran's internet connectivity to between 1 and 4 percent of normal levels.
CyberAv3ngers doubled its operational tempo within 72 hours of the first strikes, escalating attacks across all documented victim sectors simultaneously. This surge was not coincidental. Iranian state doctrine explicitly treats cyberattacks on critical infrastructure as an instrument of retaliation below the kinetic threshold, designed to impose costs on adversary societies without triggering direct military escalation.
"Iranian threat actor groups are actively conducting or preparing retaliatory cyber operations across all sectors documented in prior CISA advisories," reads joint advisory AA26-097A. "Organizations operating internet-exposed industrial control systems must treat this advisory as requiring immediate action, not scheduled remediation."
The April 7 advisory was joint-signed by six federal agencies: the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command. Six-agency joint advisories are exceptionally rare and signal a confirmed, active, government-wide threat rather than a precautionary warning.
Beyond CyberAv3ngers, intelligence assessments confirm that APT34, APT35, APT42, MuddyWater, and Agrius are also conducting or preparing retaliatory operations following Operation Epic Fury. The threat to US critical infrastructure in this period is not a single-actor campaign. It is a coordinated multi-group response by Iran's entire cyber apparatus.
Which Sectors and Assets Does CyberAv3ngers Target?
CyberAv3ngers prioritizes three critical infrastructure sectors in its 2026 campaign: water and wastewater systems, energy generation and fuel distribution, and government facilities. These sectors were selected for their potential to cause visible service disruption and public anxiety, consistent with a strategy of imposing psychological costs alongside physical ones.
The targeting footprint extends internationally. Prior confirmed victims include the Municipal Water Authority of Aliquippa, Pennsylvania, where a CyberAv3ngers-compromised PLC was reachable from the open internet with no authentication gateway. A separate 2023 campaign disrupted water service to County Mayo, Ireland, for multiple days after the group compromised a treatment station. In 2026, confirmed victims experienced operational disruption and financial loss across all three target sectors.
The device exposure problem is structural. Of the 5,219 globally exposed Rockwell Automation/Allen-Bradley hosts identified by Censys, 74.6 percent are in the United States. Targeted device types include CompactLogix and Micro850 PLC families, both widely deployed in water treatment, chemical injection, and energy distribution applications. The Micro850 is common in smaller municipal water utilities that lack dedicated OT security teams, making them disproportionately vulnerable.
The group does not exclusively target large utilities. Small and medium municipal water systems, rural electric cooperatives, and government HVAC control systems have all appeared in the victim profile. Any organization running internet-reachable Rockwell Automation PLCs without authentication enforcement should treat itself as a current target.
Critical infrastructure operators should note that isolation does not guarantee safety if engineering workstations connect to both corporate and OT networks. The same IT/OT segmentation discipline that protects against ransomware operators targeting OT environments applies directly to CyberAv3ngers.
CyberAv3ngers TTPs Mapped to MITRE ATT&CK ICS Framework
CyberAv3ngers maps across multiple MITRE ATT&CK for ICS techniques. The group's documented TTP chain begins with external reconnaissance targeting internet-exposed EtherNet/IP services (T1590, Gather Victim Network Information) and moves to exploitation of public-facing ICS interfaces (T0819, Exploit Public-Facing Application).
Initial access is established through the CVE-2021-22681 session key interception technique, which maps to T1078 (Valid Accounts) and its ICS equivalent T0859. Persistence is maintained by deploying Dropbear SSH to OT endpoints (T1133, External Remote Services) and by modifying PLC project files to ensure malicious logic survives controller restarts (T0889, Modify Program).
Lateral movement within OT environments follows native communication protocols: EtherNet/IP for Logix controller communication and Modbus TCP for legacy devices (T0885, Commonly Used Port in ICS context). The primary impact techniques are data manipulation and confirmed modification of HMI display values to mask adversarial control logic from operators (T0832, Manipulation of View; T0831, Manipulation of Control).
The combination of T0832 and T0889, display manipulation paired with control logic modification, is what makes CyberAv3ngers technically distinct from most ICS threat actors. Many groups can disrupt operations through destructive wiper deployment or denial-of-service. CyberAv3ngers demonstrates sustained undetected modification while keeping operators blind, a level of OT tradecraft previously associated only with Sandworm's attacks on Ukrainian power grids rather than a group that originated as a hacktivist persona four years ago.
This escalation from hacktivist defacement to ICS manipulation in under four years should inform every OT security team's threat model for state-affiliated actors that sit at the lower end of a formal military hierarchy.
Indicators of Compromise from CISA Advisory AA26-097A
CISA advisory AA26-097A provides the authoritative IOC list for this campaign. Every organization operating Rockwell Automation PLCs should ingest those indicators into SIEM and firewall platforms without delay. The behavioral and network signatures below represent what defenders can detect and act on immediately.
Network-layer indicators: CyberAv3ngers communicates with targeted PLCs via EtherNet/IP on TCP ports 44818 and 2222, Modbus TCP on port 502, and SSH on port 22. Any SSH connection to a PLC or OT endpoint that should not have SSH enabled is a high-confidence indicator of compromise. MQTT over TLS on port 8883 from OT network segments is an additional C2 channel indicator confirmed in assessed campaign variants.
Host-level indicators: The presence of the Dropbear SSH binary on any PLC or OT controller constitutes a confirmed compromise indicator. Studio 5000 Logix Designer connections from unfamiliar or overseas IP address ranges, particularly during off-hours, warrant immediate investigation. Unexpected modification timestamps on PLC project files stored in backup repositories are a retrospective indicator that control logic may have been altered without authorization.
The group uses overseas-based leased hosting infrastructure rather than direct Iranian IP space. Geo-blocking alone will not stop these connections because upstream providers span multiple jurisdictions. Detection must rely on behavioral analysis: connections from IPs that have never previously authenticated to these PLCs, connection volumes inconsistent with normal engineering activity, and SSH process spawning from PLC firmware contexts where SSH was never installed.
Cross-reference the full IOC list from CISA AA26-097A at https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a against firewall logs, Zeek and Suricata alerts, and network flow data for the period from March 1, 2026 to present.
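As an added example (not from the advisory or the page's sources), the following Python script applies the network-layer indicators above to a handful of constructed Zeek conn.log-style records: SSH to a PLC, EtherNet/IP from a never-before-seen source, Modbus TCP from outside the OT segment, and MQTT over TLS leaving the OT segment. The PLC inventory, OT address range and known engineering-workstation address are hypothetical placeholders.

```python
"""Flow-level detection for the OT indicators discussed above.

Parses constructed Zeek conn.log-style records (tab-separated: ts,
id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service) and flags:
  - SSH to a PLC (PLCs should never expose SSH),
  - EtherNet/IP (44818/2222) to a PLC from a never-before-seen source,
  - Modbus TCP (502) to a PLC from outside the OT segment,
  - MQTT over TLS (8883) leaving the OT segment for an external host.
PLC inventory, OT range and the known engineering host are hypothetical.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

PLC_HOSTS: Set[str] = {"10.20.1.10", "10.20.1.11"}   # hypothetical PLC inventory
OT_SEGMENT = ip_network("10.20.0.0/16")              # hypothetical OT address range
KNOWN_ENGINEERING: Set[str] = {"10.20.5.50"}         # hosts that normally talk to PLCs

SSH_PORT, MODBUS_PORT, MQTT_TLS_PORT = 22, 502, 8883
ENIP_PORTS = {44818, 2222}

# Constructed sample records (documentation-range IPs stand in for external hosts).
CONN_LOG = """\
1772000000.1\t10.20.5.50\t51000\t10.20.1.10\t44818\ttcp\t-
1772000010.2\t203.0.113.7\t40211\t10.20.1.10\t44818\ttcp\t-
1772000020.3\t198.51.100.9\t40212\t10.20.1.11\t22\ttcp\tssh
1772000030.4\t10.20.1.11\t49000\t203.0.113.8\t8883\ttcp\tssl
1772000040.5\t192.0.2.5\t50100\t10.20.1.10\t502\ttcp\tmodbus
"""


def parse_conn_log(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({"ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
                     "resp_h": f[3], "resp_p": int(f[4]),
                     "proto": f[5], "service": f[6]})
    return rows


def classify(rec: Dict, seen: Set[str]) -> List[str]:
    """Return alert strings for one flow; `seen` holds sources already baselined."""
    alerts = []
    src, dst, dport = rec["orig_h"], rec["resp_h"], rec["resp_p"]
    if dst in PLC_HOSTS:
        if dport == SSH_PORT:
            alerts.append("HIGH: SSH to PLC")
        if dport in ENIP_PORTS and src not in seen:
            alerts.append("MEDIUM: EtherNet/IP from first-seen source")
        if dport == MODBUS_PORT and ip_address(src) not in OT_SEGMENT:
            alerts.append("HIGH: Modbus TCP from outside OT segment")
    if (ip_address(src) in OT_SEGMENT and dport == MQTT_TLS_PORT
            and ip_address(dst) not in OT_SEGMENT):
        alerts.append("HIGH: MQTT/TLS from OT segment to external host")
    return alerts


def run_detection(text: str = CONN_LOG,
                  known: Set[str] = KNOWN_ENGINEERING) -> List[Tuple[str, str, int, str]]:
    seen = set(known)
    findings = []
    for rec in parse_conn_log(text):
        for msg in classify(rec, seen):
            findings.append((rec["orig_h"], rec["resp_h"], rec["resp_p"], msg))
        if rec["resp_h"] in PLC_HOSTS and rec["resp_p"] in ENIP_PORTS:
            seen.add(rec["orig_h"])   # alert once per new source, then baseline it
    return findings


if __name__ == "__main__":
    for src, dst, port, msg in run_detection():
        print(f"{src} -> {dst}:{port}  {msg}")
```

On real data, feed the script Zeek's conn.log from the OT boundary sensor and seed the known-host set from historical engineering sessions rather than a hard-coded list.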
How to Detect and Stop CyberAv3ngers in Your OT Environment
The CyberAv3ngers IRGC critical infrastructure attack succeeds primarily because of internet-exposed OT assets with no authentication enforcement, not because of sophisticated zero-day development. The largest exposure can be closed with configuration changes and network isolation before new tooling is required.
The steps below reflect CISA advisory AA26-097A recommendations, Dragos OT threat guidance, and network monitoring best practices for Rockwell Automation environments. The advisory was issued six weeks ago. Federal agency remediation deadlines have already passed. Private sector operators should treat these steps as overdue, not pending.
The bottom line
The CyberAv3ngers IRGC critical infrastructure attack is confirmed active, not a future scenario. A CISA joint advisory signed by six federal agencies in April 2026 documents exploitation of 5,219 exposed Rockwell PLCs, with US facilities representing 74.6 percent of the target pool. Three key takeaways: the group uses the operator's own engineering software to alter control logic while feeding false readings to SCADA displays, making operator visual inspection useless for detection; CVE-2021-22681 with a CVSS of 9.8 remains exploitable on thousands of unpatched devices; and the attack requires no credentials, only a reachable PLC endpoint. Firewall every internet-exposed PLC in your environment before end of day.
Frequently asked questions
Who is CyberAv3ngers?
CyberAv3ngers is an Iranian state-directed cyber threat group operated by the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The group presents publicly as a hacktivist collective but is formally commanded by named IRGC military officers, six of whom were sanctioned by US Treasury OFAC in February 2024. The group is tracked as Storm-0784 by Microsoft, Bauxite by Dragos, Hydro Kitten and UNC5691 by Mandiant, and G1027 by MITRE ATT&CK. It has been active since at least 2020.
What TTPs does CyberAv3ngers use?
CyberAv3ngers gains initial access by exploiting CVE-2021-22681, a CVSS 9.8 authentication bypass in Rockwell Automation controllers that requires only a single intercepted session key. The group then uses Rockwell's own Studio 5000 Logix Designer to modify PLC project files, deploys Dropbear SSH for persistent C2 access, and separately manipulates HMI display values to mask adversarial control logic from operators. Communication channels include EtherNet/IP, Modbus TCP, SSH, and MQTT over TLS.
Which sectors does CyberAv3ngers target?
CyberAv3ngers targets water and wastewater systems, energy generation and fuel distribution, and government facilities. The 2026 campaign expanded to all three sectors simultaneously following Operation Epic Fury. Prior confirmed victims include the Municipal Water Authority of Aliquippa, Pennsylvania, and water treatment infrastructure in County Mayo, Ireland. The group targets both large utilities and small municipal water systems with internet-exposed PLCs.
How do I detect CyberAv3ngers activity in my OT environment?
Detection requires network monitoring at the OT boundary, not endpoint agents. Alert on any SSH traffic to PLC endpoints, EtherNet/IP connections from first-seen IP addresses, and MQTT over TLS traffic from OT network segments. Check every PLC host for the Dropbear SSH binary on port 22. Compare current PLC project files against verified offline backups to detect silent control logic modification. Operator visual inspection of SCADA displays cannot be trusted because the group manipulates HMI values to show false readings.
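The project-file comparison recommended in this answer, as an added example that is not from the page's sources: it builds a SHA-256 manifest of a verified offline backup directory and diffs a current export of project files against it, reporting altered, missing and unexpected files without consulting any SCADA reading. Directory names, file names and contents are constructed; .ACD is the Studio 5000 Logix Designer project file extension.

```python
"""Compare current PLC project files against a verified offline baseline.

Builds a SHA-256 manifest of the known-good backup directory and diffs an
exported set of current project files against it. Anything altered,
missing or unexpected is reported; SCADA readings are not consulted.
All paths, file names and contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative POSIX path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests. Keys: modified, missing, unexpected."""
    result: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in current:
            result["missing"].append(name)      # backup has it, current export does not
        elif current[name] != digest:
            result["modified"].append(name)     # logic differs from the verified copy
    result["unexpected"] = [n for n in current if n not in baseline]
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed baseline vs. a current export with one altered file and one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        base, cur = Path(tmp) / "baseline", Path(tmp) / "current"
        for d in (base, cur):
            (d / "site_a").mkdir(parents=True)
        # Placeholder contents; real .ACD project files are binary.
        (base / "site_a" / "dosing.ACD").write_bytes(b"CHLORINE_SETPOINT=2.0\n")
        (base / "site_a" / "pumps.ACD").write_bytes(b"PUMP1_MAX_RPM=1450\n")
        (cur / "site_a" / "dosing.ACD").write_bytes(b"CHLORINE_SETPOINT=9.0\n")  # altered
        (cur / "site_a" / "pumps.ACD").write_bytes(b"PUMP1_MAX_RPM=1450\n")      # unchanged
        (cur / "site_a" / "extra.ACD").write_bytes(b"NOT IN BACKUP\n")           # unexpected
        baseline = build_manifest(base)   # in practice kept offline, not on the OT network
        return compare(baseline, build_manifest(cur))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Generate the baseline manifest from the backup that was last verified by an engineer, and store it somewhere the PLC network cannot write to, so that a tampered controller cannot also tamper with the reference.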
Has CyberAv3ngers been indicted or sanctioned?
Sanctioned, yes; indicted, no. As of May 2026 there are no public indictments or arrest warrants. The US Treasury Department's OFAC sanctioned six IRGC-CEC officials in February 2024: Hamid Reza Lashgarian (IRGC-CEC head and IRGC-Qods Force commander), Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar. Criminal indictments have not been publicly filed, reflecting the diplomatic complexity of pursuing active IRGC officers through the US justice system.
What is CVE-2021-22681 and is my Rockwell PLC vulnerable?
CVE-2021-22681 is a critical authentication bypass in Rockwell Automation Studio 5000 Logix Designer and multiple Logix controller families, rated CVSS 9.8. The flaw allows an attacker who intercepts a single EtherNet/IP session cryptographic key to authenticate to a targeted PLC without any valid credentials. Affected products include ControlLogix, CompactLogix, FlexLogix, DriveLogix, and SoftLogix. If your PLC runs an unpatched firmware version and is reachable from the internet or an untrusted network, it is vulnerable and should be treated as a priority remediation target.
How is CyberAv3ngers different from ransomware groups?
CyberAv3ngers does not deploy ransomware or seek financial payment. Its objective is operational disruption and infrastructure sabotage as an instrument of Iranian state retaliation policy. Unlike ransomware operators who announce their presence via encryption notifications, CyberAv3ngers modifies control logic silently while displaying false readings to operators, prioritizing undetected persistence over immediate impact. This makes detection significantly harder and incident response more complex than standard ransomware scenarios.
What should water utility operators do immediately?
Remove all internet exposure from PLC endpoints today by placing them behind a firewall with no inbound internet routing. Apply patches for CVE-2021-22681 to all Rockwell Automation Logix controllers. Check every OT endpoint for Dropbear SSH on port 22 and treat any positive result as a confirmed compromise. Download CISA advisory AA26-097A, ingest all listed IOCs into your SIEM, and compare current PLC project files against verified offline backups to confirm control logic integrity. Do not rely on SCADA display readings to verify system state.
Sources & references
- CISA Advisory AA26-097A — Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
- The Hacker News — Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks
- MITRE ATT&CK — CyberAv3ngers (G1027)
- Tenable — CyberAv3ngers FAQ: Iran-Linked Threat Group Targeting US Critical Infrastructure
- SecurityWeek — Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.