
Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)

Unit 42’s updated threat brief tracks multiple Iran-linked campaigns tied to the 2026 regional conflict, including renewed OT/ICS targeting by CL-STA-1128 (Cyber Av3ngers/Storm-0784) against Rockwell Automation and Allen-Bradley environments. The report says the actor appears to have installed Rockwell FactoryTalk on VPS infrastructure to support exploitation, an assessment based on distinctive port combinations that matched FactoryTalk’s static service mappings, and notes internet-exposed Rockwell or Allen-Bradley SCADA/PLC assets on roughly 5,600 IPs globally.

It also documents a separate March phishing cluster with 7,381 URLs across 1,881 hostnames using conflict-themed lures, telecom and airline impersonation, top-level-domain rotation, subdomain chaining, and fake payment or donation workflows for credential theft and fraud.

While much of the piece is operational threat intel rather than vulnerability research, it provides useful technical signal on current Iranian operator infrastructure, ICS targeting trends, and phishing tradecraft relevant to defenders monitoring critical infrastructure and regional targeting.
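The phishing tradecraft the brief describes (top-level-domain rotation, subdomain chaining, brand impersonation of telecom and airline names) can be surfaced from a URL feed with a few hostname-structure checks. The block below is an added example written for this summary, not code from Unit 42 or the original report; every URL, brand name and threshold in it is constructed for illustration and none is an indicator from the brief. It assumes single-label public suffixes (`.com`, not `.co.uk`); a production version would use the Public Suffix List.

```python
"""Cluster phishing hostnames by the tradecraft traits named in the brief:
TLD rotation, subdomain chaining and brand-string impersonation.
Added example; all sample data below is constructed, not from the report."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample URLs (hypothetical; NOT indicators from Unit 42's brief).
SAMPLE_URLS = [
    "https://relief-donate.example-lure.com/pay",
    "https://relief-donate.example-lure.net/pay",
    "https://relief-donate.example-lure.org/pay",
    "https://login.secure.account.examplecarrier-support.xyz/verify",
    "https://examplecarrier.com/flights",
    "http://update.billing.exampletelco-care.top/invoice",
    "https://news.example-lure.com/",
]

# Constructed brand strings a defender might watch for (hypothetical names).
WATCHED_BRANDS = ["examplecarrier", "exampletelco"]


def hostname(url):
    """Return the lowercase host of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def split_host(host):
    """Split a hostname into (subdomain labels, registrable label, tld).
    Assumption: single-label public suffixes only ('.com', not '.co.uk')."""
    labels = host.split(".")
    if len(labels) < 2:
        return [], host, ""
    return labels[:-2], labels[-2], labels[-1]


def tld_rotation(urls, min_tlds=2):
    """Map registrable label -> sorted TLDs for labels that appear under
    min_tlds or more distinct TLDs (the rotation pattern)."""
    seen = defaultdict(set)
    for url in urls:
        host = hostname(url)
        if host:
            _, reg, tld = split_host(host)
            if tld:
                seen[reg].add(tld)
    return {reg: sorted(tlds) for reg, tlds in seen.items() if len(tlds) >= min_tlds}


def subdomain_chains(urls, min_depth=2):
    """Return hosts whose subdomain part has min_depth or more labels,
    in input order (deep chaining used to bury the real apex domain)."""
    out = []
    for url in urls:
        host = hostname(url)
        if host:
            subs, _, _ = split_host(host)
            if len(subs) >= min_depth:
                out.append(host)
    return out


def impersonation_hits(urls, brands):
    """Flag (host, brand) pairs where a brand string appears in a subdomain
    label or inside a look-alike registrable label. The brand's own exact
    apex label is skipped so the legitimate site is not flagged."""
    hits = []
    for url in urls:
        host = hostname(url)
        if not host:
            continue
        subs, reg, _ = split_host(host)
        for brand in brands:
            if brand == reg:
                continue  # legitimate apex, leave alone
            if brand in reg or any(brand in s for s in subs):
                hits.append((host, brand))
    return hits


if __name__ == "__main__":
    print("TLD rotation:", tld_rotation(SAMPLE_URLS))
    print("Subdomain chains:", subdomain_chains(SAMPLE_URLS))
    print("Impersonation:", impersonation_hits(SAMPLE_URLS, WATCHED_BRANDS))
```

Each function takes the raw URL list so the three views can be run independently over a daily feed; the rotation check is the most robust of the three because it keys on the registrable label rather than on any brand list, so it catches lure domains the defender has never seen before.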


This post is licensed under CC BY 4.0 by the author.