CyberAv3ngers Targeting the U.S. Water Utilities and ICS

CyberAv3ngers is an IRGC-linked Iranian state-sponsored threat group conducting coordinated cyber operations against U.S. critical infrastructure, particularly water utilities and industrial control systems (ICS). The group has evolved from basic defacements (2023) to custom ICS malware (IOCONTROL) and active exploitation of Rockwell PLC vulnerabilities (2026), resulting in confirmed operational disruptions and financial losses across multiple sectors.

Severity: High

Threat Actor Profile

Group: CyberAv3ngers (also tracked as Storm-0784, Bauxite/Dragos, Hydro Kitten, UNC5691/Mandiant, MITRE G1027)

The group operates as a persona for Iran’s IRGC Cyber-Electronic Command (IRGC-CEC) and has been active since at least 2020. Although it initially presented as a hacktivist collective with anti-Israel ideology, investigations established that its funding, tooling, and operational sophistication far exceeded typical hacktivist capabilities: it is a state-sponsored actor.

In February 2024, the U.S. Treasury sanctioned six IRGC-CEC officials for directing CyberAv3ngers operations, including Hamid Reza Lashgarian (head of IRGC-CEC), and the State Department offered up to $10 million for information on the group’s “Mr. Soul” persona.

Operational Evolution (2020–2026)

  • Phase 1 (2020–2022): Focused on propagandistic claims of Israeli infrastructure disruption with no technical evidence.
  • Phase 2 (Oct 2023–Jan 2024): Compromised at least 75 Unitronics Vision Series PLCs across the U.S., UK, Israel, and Ireland by exploiting default credentials on internet-exposed devices.
  • Phase 3 (2024–2025): Deployed IOCONTROL, a custom Linux-based malware platform targeting IoT/OT devices (IP cameras, fuel management systems, routers) using MQTT over TLS to blend with legitimate traffic.
  • Phase 4 (March 2026–Present): Active exploitation of CVE-2021-22681, a critical authentication bypass (CVSS 9.8) in Rockwell Automation Logix controllers.

Current Campaign & Technical Analysis

  • Targeted Sectors: U.S. Water and Wastewater Systems (WWS), Energy, and Government Services.
  • Primary Vulnerability: CVE-2021-22681. This flaw involves an insufficiently protected cryptographic key, allowing unauthenticated attackers to impersonate Rockwell engineering software (Studio 5000 Logix Designer) and modify PLC logic or HMI displays.
  • Attack Surface: As of April 2026, approximately 5,219 internet-exposed Rockwell hosts were identified globally, with the United States accounting for 74.6% (3,891 hosts).
  • Critical Risk Factor: Many exposed PLCs are field-deployed via cellular modems (Verizon, AT&T), which often bypass traditional security monitoring and allow direct internet reachability.

Advanced TTPs

  • AI Integration: The group has utilized ChatGPT for reconnaissance on ICS targets and debugging exploit code.
  • Infrastructure: Usage of leased overseas virtual private servers (VPS) and Bitcoin for administrative overhead.
  • Swarm Effect: The group’s ICS exploitation playbook has proliferated to over 60 pro-Iranian hacktivist groups, creating a distributed threat surface with no single point of failure.

Recommendations

  1. No patch exists for CVE-2021-22681; any internet-accessible Rockwell Logix controller is exploitable without authentication. Disconnect PLCs from the public internet. If remote access is operationally necessary, deploy a secure gateway with multifactor authentication.
  2. Set PLC physical mode switches to the “Run” position. This prevents remote actors from modifying PLC logic or configurations even if they gain network access.
  3. Verify that all Unitronics Vision Series PLCs have had their default passwords changed according to the manufacturer’s guidance (VisiLogic version 9.9.00 or later).
  4. Create and maintain offline backups of all PLC logic and configurations on secured physical media. Regularly test restore procedures to ensure operational resilience in the event of a compromise.
  5. Strictly isolate OT network segments from the IT environment to prevent lateral movement from common entry points like email or employee workstations.
  6. Configure security monitoring tools to alert on MQTT over TLS (port 8883) and DNS-over-HTTPS traffic originating from OT segments, as these are indicators of the IOCONTROL malware.
  7. Block or query logs for inbound traffic on TCP 44818, 2222, 102, 502, and 22 from all IOC IPs.
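Recommendations 6 and 7 can be turned into a simple flow-log check. The following is an added example, not part of the advisory: it flags OT-segment hosts initiating MQTT over TLS (TCP 8883) and listed IOC addresses reaching the ICS and SSH ports named above. The OT range, the IOC addresses (TEST-NET placeholders) and the flow records are constructed; the DNS-over-HTTPS indicator from recommendation 6 is not covered here.

```python
import ipaddress

# Constructed values: OT segment and IOC addresses are placeholders, not real indicators.
OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
IOC_IPS = {ipaddress.ip_address("203.0.113.45"), ipaddress.ip_address("198.51.100.7")}
ICS_INBOUND_PORTS = {44818, 2222, 102, 502, 22}  # ports listed in recommendation 7
MQTT_TLS_PORT = 8883                             # IOCONTROL C2 channel, recommendation 6


def parse_flow(line):
    """Parse one constructed 'src dst dport proto' flow record into a tuple."""
    src, dst, dport, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.upper()


def in_ot(ip):
    return any(ip in net for net in OT_SEGMENTS)


def evaluate(flow):
    """Return the alert names raised by one flow (empty list when nothing fires)."""
    src, dst, dport, proto = flow
    alerts = []
    # Rec. 6: a PLC/HMI-side host opening MQTT over TLS outbound is unexpected.
    if proto == "TCP" and in_ot(src) and dport == MQTT_TLS_PORT:
        alerts.append("OT_OUTBOUND_MQTT_TLS")
    # Rec. 7: a listed IOC address reaching EtherNet/IP, S7, Modbus or SSH.
    if proto == "TCP" and src in IOC_IPS and dport in ICS_INBOUND_PORTS:
        alerts.append("IOC_INBOUND_ICS_PORT")
    return alerts


def scan(lines):
    """Run evaluate() over flow lines; return {line: alerts} for lines that fired."""
    hits = {}
    for line in lines:
        alerts = evaluate(parse_flow(line))
        if alerts:
            hits[line] = alerts
    return hits


SAMPLE_FLOWS = [  # constructed records: src dst dport proto
    "10.20.5.12 192.0.2.80 8883 tcp",     # OT host opening MQTT/TLS outbound
    "203.0.113.45 10.20.5.12 44818 tcp",  # IOC address hitting EtherNet/IP
    "10.20.5.12 10.20.1.1 443 tcp",       # internal HTTPS, benign
    "198.51.100.7 10.20.7.3 80 tcp",      # IOC address but not a monitored port
]

if __name__ == "__main__":
    for line, alerts in scan(SAMPLE_FLOWS).items():
        print(alerts, line)
```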

IOCs

https://www.virustotal.com/gui/collection/7b2a8198bf206515a8d26f151d4e8c9451030545b5ba88ac308c65d865ca0cdf/iocs

Source:

  • https://censys.com/blog/iranian-affiliated-apt-targeting-rockwell-allen-bradley-plcs/
  • https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
  • https://www.cisa.gov/sites/default/files/2023-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors-1.pdf

Ampcus Cyber