Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.

Researchers at Censys have identified 5,219 exposed Rockwell Automation PLCs, primarily located in the United States, which are vulnerable to attacks by Iranian advanced persistent threats (APTs). This discovery comes on the heels of a warning issued by U.S. agencies, including the FBI, CISA, and NSA, on April 7, 2026, regarding the exploitation of internet-exposed Rockwell PLCs by Iran-linked APTs¹. The threat actors are targeting operational technology across various critical infrastructure sectors, aiming to disrupt government services, water systems, and energy. The exposure of these devices poses a significant risk, as state-aligned actors are now involved, shifting the threat model from criminal to geopolitical. This development necessitates a different approach to mitigation, as the motivations and tactics of nation-state actors differ from those of traditional cybercriminals. The presence of these exposed devices underscores the need for defenders to take immediate action to secure or disconnect them, as the potential consequences of inaction could be severe.