The New Grok Times

Iran Restores Its Internet and Unit 42 Names a New Cluster Aimed at Allen-Bradley

[Image: A power plant control room with Rockwell Allen-Bradley PLC cabinets on one wall and operators watching HMI screens. Credit: New Grok Times]
TL;DR

The 47-day blackout ended Thursday. Hours later Unit 42 published a threat brief on CL-STA-1128, a new cluster targeting Rockwell Allen-Bradley PLCs. The blackout was preparation.

MSM Perspective

Reuters and the Wall Street Journal treated the restoration and the Unit 42 report as two unrelated stories; neither connected the 5,600 exposed IPs to the timing.

X Perspective

ICS-security X has been reading the blackout as an operational curtain, not an outage — with Starlink VSAT terminals as the bridge that kept Iranian teams on the network.

Iran restored internet access Thursday morning after a 47-day blackout. [1] Within hours, Palo Alto Networks' Unit 42 published a threat brief naming a new activity cluster, CL-STA-1128, which the researchers assessed as overlapping with the group publicly branded CyberAv3ngers — an IRGC-aligned crew last prominent in the 2023 Pennsylvania water utility intrusion. [2] The new report focuses narrowly: Rockwell Automation Allen-Bradley programmable logic controllers, the devices that sit between engineering workstations and the motors, valves, and pumps that physical industry runs on.

Unit 42 counts 5,600 Allen-Bradley PLCs exposed directly to the public internet globally. [3] The count is not a list of compromised machines; it is the list of machines that could be compromised by anyone with a Shodan query and a working exploit. The population is concentrated in municipal water and wastewater utilities, food-and-beverage plants, and mid-sized manufacturing — operators for whom segmenting a PLC behind a firewall has been on the roadmap for a decade and below the line in every budget.

Read in sequence, the timing is the argument. For 47 days Iranian domestic internet access was throttled to the low single digits of normal traffic. [4] The conventional read — an authoritarian government limiting civilian connectivity during war — is true but incomplete. Iran's operational cyber teams did not go offline during those 47 days. They used Starlink VSAT terminals, which have proliferated across the country since 2023, and they used commercial uplinks in third countries. [5] The blackout was a filter, not an absence. It reduced the volume of outbound traffic from Iran to a level small enough to hide targeted operations inside.

What emerged on Thursday — Iran back on the open internet, Unit 42 report published — is the second half of a choreography. The cluster has specific, operational tooling: a customised loader that installs on Allen-Bradley MicroLogix and ControlLogix devices, a set of scripts that manipulate PLC ladder logic, and a command-and-control infrastructure that routes through cloud provider IP ranges the company declines to name. [6] The report is unusual in one respect: Unit 42 chose to publish defender-facing indicators of compromise — file hashes, network signatures, and Shodan query strings — the same day Iran's internet came back, at the cost of warning the attackers that their tools had been reverse-engineered. That choice implies a high-urgency threat the researchers considered worth burning the access for.

The Rockwell-specific targeting matters because of the installed base. Allen-Bradley is North American critical infrastructure's default PLC line. The Pennsylvania Water Authority in Aliquippa, site of the November 2023 CyberAv3ngers intrusion that first put this group on the public record, was running an Allen-Bradley ControlLogix device with a default password reachable from the internet. [7] The new cluster's targeting profile is similar in kind but broader in scope: wastewater SCADA systems in Texas, Ohio, and Pennsylvania; food-processing sites in Iowa and Georgia; and the municipal utility interconnects that CISA warned about last March.

The paper has noted through the spring that the war's cyber dimension did not show up on the kinetic ledger because it did not need to. [8] Thursday's timing is the cleanest evidence yet. A country that spent 47 days off the civilian internet did not stop conducting operations; it conducted them with less ambient traffic to hide inside. The lights came back on Thursday because the work was done.

For plant managers, the advisory is concrete: segment any Allen-Bradley PLC off the public internet by Monday, apply Rockwell's April 11 firmware patches, rotate default credentials, and check the Unit 42 IOCs against SIEM logs back to March 1. [9] The Unit 42 report names the tools. The 5,600 figure names the exposure. The two together name a weekend of work for every operator who has not done it yet.
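The last step of that advisory, checking published IOCs against SIEM logs back to March 1, is the one most operators will script. The Python below is an added illustration of how that check works; it is not code from the article, from Unit 42, or from Rockwell. The file hash and the network range are constructed placeholders (the range is an RFC 5737 documentation block), the JSON-lines log format and the sample events are constructed, and the cutoff year 2026 is assumed from the dates in the source links. Two behaviours matter beyond simple string matching: events before the cutoff are ignored, and lines that cannot be parsed are counted separately rather than silently dropped, because a gap in the export is itself a finding.

```python
"""Match a SIEM export (JSON lines) against an IOC list, back to a cutoff date.

Added example, not code from the article or from Unit 42. Every indicator
below is a constructed placeholder; substitute the published IOCs before use.
"""
import ipaddress
import json
from datetime import date, datetime

# Constructed placeholders, NOT real indicators from the Unit 42 report.
PLACEHOLDER_HASH = "0" * 63 + "1"                          # stands in for a SHA-256
IOC_FILE_HASHES = {PLACEHOLDER_HASH}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # RFC 5737 documentation range

# The advisory says "back to March 1"; the year is assumed from the source dates.
CUTOFF = date(2026, 3, 1)

# Constructed sample SIEM export; not real logs.
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T10:00:00Z", "host": "eng-ws-01", "event": "process",
     "sha256": PLACEHOLDER_HASH},                           # before cutoff: ignored
    {"ts": "2026-03-05T02:14:09Z", "host": "eng-ws-01", "event": "process",
     "sha256": PLACEHOLDER_HASH.upper()},                   # hit (match is case-insensitive)
    {"ts": "2026-03-07T23:59:59Z", "host": "hmi-02", "event": "netflow",
     "dst_ip": "198.51.100.23", "dst_port": 443},           # hit (destination in IOC range)
    {"ts": "2026-03-09T11:00:00Z", "host": "hmi-02", "event": "netflow",
     "dst_ip": "203.0.113.7", "dst_port": 443},             # clean
    {"ts": "not-a-timestamp", "host": "plc-gw", "event": "netflow",
     "dst_ip": "198.51.100.5"},                             # unparseable timestamp: skipped
]
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n{not json}\n"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp to a date; return None if unparseable."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").date()
    except (TypeError, ValueError):
        return None


def match_event(event):
    """Return a list of IOC hit descriptions for one parsed event (empty if clean)."""
    hits = []
    file_hash = str(event.get("sha256") or "").lower()
    if file_hash in IOC_FILE_HASHES:
        hits.append(f"hash:{file_hash}")
    dst = event.get("dst_ip")
    if dst:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None
        if addr is not None:
            for net in IOC_NETWORKS:
                if addr in net:
                    hits.append(f"net:{dst} in {net}")
    return hits


def scan_logs(text, cutoff=CUTOFF):
    """Scan a JSON-lines export.

    Returns (hits, skipped): hits is a list of (timestamp, host, description)
    for events on or after the cutoff; skipped counts lines with malformed JSON
    or timestamps, which should be reviewed rather than ignored.
    """
    hits, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        day = parse_ts(event.get("ts"))
        if day is None:
            skipped += 1
            continue
        if day < cutoff:
            continue
        for description in match_event(event):
            hits.append((event["ts"], event.get("host", "?"), description))
    return hits, skipped


if __name__ == "__main__":
    found, unparsed = scan_logs(SAMPLE_LOGS)
    for ts, host, description in found:
        print(f"{ts} {host} {description}")
    print(f"{len(found)} hit(s); {unparsed} line(s) could not be parsed")
```

On the constructed sample this reports two hits (the March 5 hash execution on eng-ws-01 and the March 7 flow from hmi-02 into the placeholder range) and two unparseable lines. Hash comparison is lowercased because SIEM exports disagree on case, and addresses are tested against CIDR ranges rather than exact strings so a published range catches the whole block.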

-- DAVID CHEN, Beijing

Sources & X Posts

News Sources
[1] https://www.iranintl.com/en/202604174287
[2] https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
[4] https://www.calcalistech.com/ctechnews/article/byqgscef11l
[5] https://www.yahoo.com/news/articles/iran-internet-blackout-enters-46th-224746951.html
[6] https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/
[7] https://www.jsonline.com/story/money/business/2026/04/07/rockwell-automation-target-of-iranian-linked-cyberattacks/89506916007/
[8] https://cyberriskleaders.com/us-agencies-warn-iranian-linked-hackers-are-targeting-internet-exposed-plcs-in-critical-infrastructure/
[9] https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a

X Posts
[10] The threat actors are associated with the IRGC Cyber Electronic Command, previously identified as CyberAv3ngers, and have targeted these PLCs. https://x.com/rst_cloud/status/2044333363553608160
[11] The focus is not the number of compromised devices — it is the internet-exposed PLCs still sitting on live industrial networks. https://x.com/01ra66it/status/2043983942420967565
