
Iranian state-affiliated actors targeting U.S. critical infrastructure PLCs right now.

No phishing. No zero-day. No malware signature to catch.

Just one condition: your PLC is reachable from the internet.

They Used the Same Path Your Engineers Use.

BAUXITE campaign. Rockwell Studio 5000. Internet-exposed PLCs. Active since January 2025.

1. The Threat

What BAUXITE is and why it matters

Not a malware problem (0 novel exploits)

Zero novel exploits. Zero weaponized payloads on initial access. BAUXITE connects to your PLC the same way your engineers do. Signatures cannot differentiate the two without behavioral context.

An architectural problem (7 of 8 IOC addresses in one subnet)

Seven of the eight confirmed IOC addresses are in a single /24 subnet active since January 2025. The infrastructure predates the current escalation. This is a sustained campaign, not an opportunistic scan.

CVE-2021-22681

Rockwell Automation - Authentication Bypass

Affects Logix controllers including CompactLogix and Micro850 families. Allows an unauthenticated attacker to bypass access level protections via CIP messaging. Rockwell advisories PN1550 and SD1771 cover remediation and internet disconnect guidance. While not required for BAUXITE access, this CVE reduces the barrier further in unpatched environments.

2. The Attack Path

Step through how BAUXITE moves through your environment

The BAUXITE attack chain requires no phishing, no novel malware, and no zero-day. It requires one enabling condition: the target PLC is reachable from the public internet. Step through the six phases below to see how a legitimate-looking engineering session becomes an operational threat.

Attack path diagram (labels recovered from the figure). Zones, left to right: Internet / External (internet-exposed entry point; hostile infrastructure; ports 44818, 2222, 502, 102, 22); IT / Remote Access (engineering workstation; Studio 5000 Logix Designer); OT Environment (HMI / SCADA display; CompactLogix / Micro850 PLC; .ACD project files; Dropbear SSH persistence); Physical / Outcome (industrial process; operator view).

This is the same path your engineers use.

Step 1 of 6: Clean Environment

Normal operations. The legitimate engineering pathways (shown in blue in the diagram) are active. The OT environment is running. No attack indicators are present yet. The only enabling condition for BAUXITE is that the PLC is reachable from the public internet.

MITRE ATT&CK Mapping


BAUXITE maps across both ICS and Enterprise ATT&CK frameworks. The most operationally significant observation: the initial access technique (T0883) is a structural condition, not a vulnerability. Detecting it requires behavioral baselining, not signatures.

  • ICS - Initial Access: T0883 Internet Accessible Device
  • ICS - Initial Access: T0885 Commonly Used Port
  • ICS - Impact: T0809 Data Destruction / Inhibit Response Function
  • Enterprise - Initial Access: TA0001 External Network Connection
  • Enterprise - Command and Control: TA0011
  • Enterprise - Impact: T1565.001 Stored Data Manipulation
  • Enterprise - Impact: T1491.001 Internal Defacement
T0883 Internet Accessible Device

BAUXITE exploits PLCs that are directly reachable on the public internet. This is not a software vulnerability - it is an architectural condition. The device was never designed for direct internet exposure, and no signature-based detection control compensates for that exposure once the connection is established.

How to detect / remediate

Identify all PLC assets with internet-routable IPs. Use CISA Remote Assessment, firewall log review, or industrial asset discovery tooling. Eliminate exposure immediately. Block inbound traffic to ports 44818, 2222, 102, 502, and 22 from any non-approved source.

T0885 Commonly Used Port

BAUXITE uses standard industrial protocol ports (EtherNet/IP on 44818 and 2222, Modbus TCP on 502, Siemens S7 on 102, SSH on 22) that are expected in OT environments. This camouflages attacker traffic within legitimate operational communication patterns and defeats port-based firewall rules that only block non-standard ports.

How to detect / remediate

Apply strict allowlisting: only approved source IPs should reach OT protocol ports. Establish behavioral baselines for EtherNet/IP session sources. Any new source IP in an EtherNet/IP session is a high-confidence anomaly requiring immediate investigation.

T0809 Data Destruction / Inhibit Response Function

U.S. government agencies assess destructive capability within the scope of this campaign based on STIX mapping. No confirmed destructive events are publicly reported in the current campaign. However, actors with PLC access, project file intelligence, and HMI/SCADA manipulation capability are operationally positioned to execute destructive actions.

How to detect / remediate

Set hardware key switches to RUN mode on CompactLogix and Micro850 devices to limit program modification capability. Back up all .ACD files to secured offline storage. Verify restoration procedures before an incident occurs.

TA0001 Initial Access via External Network

Using overseas leased infrastructure (185.82.73.0/24 and 135.136.1.133), BAUXITE connects directly to exposed PLCs via Studio 5000 Logix Designer. The session is protocol-identical to an authorized remote engineering session. Without behavioral baselines around approved source IPs and maintenance windows, this traffic is undetectable by signatures.

How to detect / remediate

Block 185.82.73.162, .164, .165, .167, .168, .170, .171, and 135.136.1.133. Consider blocking the full 185.82.73.0/24 range. Require MFA for all remote OT access. Terminate any vendor or third-party access that cannot be immediately validated.

TA0011 Command and Control

Dropbear SSH is deployed on victim endpoints for persistent remote access over port 22. Dropbear is a legitimate lightweight SSH implementation. In OT environments with weak endpoint monitoring and no SSH process baselines, it blends in. The bulletin notes that detection should focus on unexpected process execution and outbound SSH from OT-connected endpoints, not on file hashes.

How to detect / remediate

Hunt for Dropbear SSH execution on Windows and Linux endpoints with OT network connectivity. Alert on outbound SSH from OT segments to any external destination. Baseline expected SSH processes and treat any deviation as a high-confidence indicator.

T1565.001 Stored Data Manipulation

Actors extract and potentially modify .ACD project files containing ladder logic, I/O configuration, tag databases, and process parameters. This provides a detailed blueprint of the industrial process and enables informed follow-on manipulation. Modified project files uploaded to PLCs outside authorized change windows are a critical indicator.

How to detect / remediate

Alert on .ACD project file access, transfer, or modification outside authorized change windows. Monitor PLC program upload events and correlate with approved maintenance schedules. Store file hashes of all .ACD files in offline secure storage for integrity comparison.

T1491.001 Internal Defacement via HMI/SCADA Manipulation

BAUXITE falsifies display data on HMI and SCADA systems. In water environments this can affect treatment and dosing decisions. In energy environments it can influence substation monitoring and control. The bulletin emphasizes that once HMI and SCADA views are manipulated, operators may act on a false picture of reality - creating an operator deception condition distinct from direct physical disruption.

How to detect / remediate

Alert when HMI or SCADA display values change without corresponding historian events. Implement process-aware monitoring that correlates HMI display state against PLC actual output values. Train operators to treat unexplained display anomalies as potential security events.
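The two correlations in the guidance above (display state versus PLC actual output, and display changes with no historian event) as an added example; this is illustration code, not the bulletin's or any vendor's, and the record formats, the 5% tolerance, the two-minute window and the CL2_PPM sample data are all assumptions.

```python
from datetime import datetime, timedelta

def _ts(s):
    return datetime.fromisoformat(s)

def _changed(new, old, tol):
    # Relative change above tol, floored at 1.0 so small absolute values still register.
    return abs(new - old) > tol * max(abs(old), 1.0)

def display_divergence(hmi, plc, historian, tol=0.05, window=timedelta(minutes=2)):
    """Apply the two correlation checks from the HMI guidance above.
    hmi:       [(iso_time, tag, value)] values shown to the operator
    plc:       [(iso_time, tag, value)] actual PLC output for the same tags
    historian: [(iso_time, tag)] recorded, authorised change events
    Returns [(time, tag, reason)]; the record formats are assumptions."""
    alerts = []
    plc_at = {(t, tag): v for t, tag, v in plc}
    last = {}
    for t, tag, v in hmi:
        # Check 1: what the operator sees vs what the PLC is actually outputting.
        actual = plc_at.get((t, tag))
        if actual is not None and _changed(v, actual, tol):
            alerts.append((t, tag, "HMI_PLC_MISMATCH"))
        # Check 2: the displayed value moved, but no historian event explains it.
        if tag in last and _changed(v, last[tag], tol):
            now = _ts(t)
            explained = any(h_tag == tag and now - window <= _ts(h_t) <= now
                            for h_t, h_tag in historian)
            if not explained:
                alerts.append((t, tag, "DISPLAY_CHANGE_WITHOUT_HISTORIAN_EVENT"))
        last[tag] = v
    return alerts

# Constructed sample: one chlorine dosing tag on a water-treatment HMI (not real data).
HMI = [("2026-03-02T10:00:00", "CL2_PPM", 1.20), ("2026-03-02T10:01:00", "CL2_PPM", 1.20),
       ("2026-03-02T10:02:00", "CL2_PPM", 1.20), ("2026-03-02T10:03:00", "CL2_PPM", 1.45),
       ("2026-03-02T10:05:00", "CL2_PPM", 0.90)]
PLC = [("2026-03-02T10:00:00", "CL2_PPM", 1.20), ("2026-03-02T10:01:00", "CL2_PPM", 1.21),
       ("2026-03-02T10:02:00", "CL2_PPM", 1.95), ("2026-03-02T10:03:00", "CL2_PPM", 1.45),
       ("2026-03-02T10:05:00", "CL2_PPM", 0.90)]
HISTORIAN = [("2026-03-02T10:02:30", "CL2_PPM")]   # operator-approved setpoint change

if __name__ == "__main__":
    for alert in display_divergence(HMI, PLC, HISTORIAN):
        print(*alert)
```

The 10:02 sample is flagged because the display still shows 1.20 while the PLC outputs 1.95; the 10:03 change is explained by the historian event, and the 10:05 change is not.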

3. What You Do Now

IOC hunt, detection playbooks, and mitigation actions

Confirmed IOC IPs

  • 185.82.73.162 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.164 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.165 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.167 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.168 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.170 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 185.82.73.171 - Confirmed BAUXITE C2 infrastructure, 185.82.73.0/24 subnet (Critical)
  • 135.136.1.133 - Confirmed BAUXITE C2 infrastructure, separate subnet (Critical)
Targeted OT Ports

  • :44818 - EtherNet/IP: Primary Rockwell EtherNet/IP port. Block inbound from all non-approved source IPs. (Critical)
  • :2222 - EtherNet/IP (alt): Alternate EtherNet/IP port used by BAUXITE scanning activity. (Critical)
  • :102 - Siemens S7 ISO TSAP: Indicates multi-vendor targeting beyond Rockwell. Siemens S7-compatible devices at risk. (High)
  • :502 - Modbus TCP: Indicates multi-vendor targeting. Modbus-compatible devices at risk, including many legacy OT assets. (High)
  • :22 - SSH (Dropbear): Outbound SSH from OT endpoints. Alert on any outbound SSH from OT segments to external destinations. (Critical)
Detection Indicators

  • Traffic from 185.82.73.0/24 on OT protocol ports: Any traffic from this subnet reaching EtherNet/IP, Modbus, or S7 ports is a confirmed BAUXITE indicator. (Critical)
  • Studio 5000 / RSLogix connecting to external IPs: Engineering software connecting to any IP outside your approved baseline is an immediate investigation trigger. (Critical)
  • Dropbear SSH present or executing on OT endpoints: Detect process execution and outbound SSH from OT-connected endpoints. No file hashes available - focus on process behavior. (Critical)
  • .ACD file access outside change windows: Project file accessed, transferred, or modified outside an approved and scheduled maintenance window. (Critical)
  • PLC program upload outside scheduled maintenance: Requires OT-aware monitoring with EtherNet/IP protocol DPI and change window baseline awareness. (Critical)
  • New source IP in an EtherNet/IP session: Any source IP not on your approved engineering workstation list connecting via EtherNet/IP is an adversarial signal. (Critical)
  • HMI / SCADA values changing without historian events: Display manipulation indicator. Correlate HMI display state against process historian records and PLC actual output values. (High)

Detection Playbooks


Block IOC Infrastructure

Immediate - SIEM + firewall enforcement within 72 hours

  • Block all 8 confirmed IOC IPs at perimeter and OT DMZ firewall
  • Consider blocking full 185.82.73.0/24 as a precaution - 7 of 8 confirmed addresses are in this subnet
  • Alert on any connection attempt involving these IPs across all network segments
  • Run retrospective search against 90 days of firewall and NetFlow logs
Sample SIEM Detection - Known IOC IP:

    sourcetype=firewall
    | search dest_ip IN ("185.82.73.162","185.82.73.164","185.82.73.165",
                         "185.82.73.167","185.82.73.168","185.82.73.170","185.82.73.171",
                         "135.136.1.133")
        OR src_ip IN ("185.82.73.162","185.82.73.164","185.82.73.165",
                      "185.82.73.167","185.82.73.168","185.82.73.170","185.82.73.171",
                      "135.136.1.133")
    | table _time, src_ip, dest_ip, dest_port, action
    | sort -_time

Hunt for Lateral Movement

Dropbear SSH, outbound OT connections, and engineering path abuse

  • Search for Dropbear SSH process execution on all Windows and Linux endpoints with OT network connectivity
  • Alert on outbound SSH (port 22) from any OT network segment to any external destination
  • Alert on Studio 5000 or RSLogix processes making network connections to IP addresses outside approved engineering baseline
  • Alert on .ACD file transfer over the network outside scheduled maintenance windows
Sample SIEM Detection - Dropbear SSH on Windows:

    sourcetype=WinEventLog:Security EventCode=4688
    | search (New_Process_Name="*dropbear*" OR Process_Command_Line="*dropbear*")
    | table _time, host, Account_Name, New_Process_Name, Process_Command_Line
    | sort -_time

Validate Engineering Sessions

OT-platform required - EtherNet/IP baseline and change window enforcement

  • Identify all approved source IPs authorized to initiate EtherNet/IP sessions to PLCs - document as a formal baseline
  • Alert on any new source IP appearing in an EtherNet/IP session (requires OT-aware monitoring with protocol DPI)
  • Alert on PLC program uploads occurring outside approved and scheduled maintenance windows
  • Correlate HMI display value changes against process historian events - unexplained divergence is a manipulation indicator
  • Run all detection logic against at least 90 days of historical data to identify pre-existing campaign activity
Sample Detection - EtherNet/IP New Source IP (requires OT-aware monitoring with EtherNet/IP protocol visibility; replace [expected_count] with the number of approved sources per PLC from your documented baseline):

    sourcetype=ot_netflow protocol="EtherNet/IP"
    | stats dc(src_ip) as unique_sources, values(src_ip) as sources by dest_ip
    | where unique_sources > [expected_count]
    | table dest_ip, unique_sources, sources
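The three playbooks above as one piece of detection logic run over constructed firewall lines; this is an added example, not code from the bulletin or the page, and the 10.0.0.0/8 internal space, the 10.20.0.0/16 OT segment, the approved engineering sources and the log format are all assumed values.

```python
import ipaddress

# Constructed environment values (assumptions for this example, not from the bulletin):
# internal address space, the OT segment, and the documented engineering baseline.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_ENIP_SOURCES = {"10.20.5.10", "10.20.5.11"}

# Infrastructure and ports named in the bulletin.
IOC_NETS = [ipaddress.ip_network("185.82.73.0/24"),
            ipaddress.ip_network("135.136.1.133/32")]
OT_PORTS = {44818, 2222, 102, 502}
ENIP_PORTS = {44818, 2222}

def classify(line):
    """Tag one 'timestamp src dst dport action' firewall line with the
    BAUXITE indicators it matches; returns a possibly empty list of tags."""
    _ts, src, dst, dport, _action = line.split()
    s, d, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    tags = []
    # Playbook 1: any contact with confirmed IOC infrastructure, on any port.
    if any(s in net or d in net for net in IOC_NETS):
        tags.append("IOC_INFRASTRUCTURE")
        if port in OT_PORTS:
            tags.append("IOC_TO_OT_PROTOCOL_PORT")
    # Playbook 3: an EtherNet/IP session from a source outside the baseline.
    if port in ENIP_PORTS and d in OT_SEGMENT and src not in APPROVED_ENIP_SOURCES:
        tags.append("NEW_ENIP_SOURCE")
    # Playbook 2: SSH leaving the OT segment for a non-internal destination.
    if port == 22 and s in OT_SEGMENT and d not in INTERNAL:
        tags.append("OUTBOUND_SSH_FROM_OT")
    return tags

def hunt(lines):
    """Run classify() over a log; return [(timestamp, tags)] for hits only."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line.split()[0], tags))
    return hits

# Constructed sample log, one line per case (not real traffic).
SAMPLE_LOG = [
    "2026-03-02T03:14:00Z 185.82.73.162 10.20.7.50 44818 allow",
    "2026-03-02T09:00:00Z 10.20.5.10 10.20.7.50 44818 allow",
    "2026-03-02T09:05:00Z 10.20.9.31 10.20.7.50 2222 allow",
    "2026-03-02T11:20:00Z 10.20.7.40 198.51.100.77 22 allow",
    "2026-03-02T11:25:00Z 10.20.7.40 10.20.3.3 22 allow",
]
```

hunt(SAMPLE_LOG) flags the first, third and fourth lines; the approved workstation session and the internal SSH connection produce no tags.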

Mitigation Actions

Immediate through long-term posture

Eliminate Internet Exposure (0-72 Hours)

  • Identify all PLCs with internet-routable IPs via firewall logs or asset discovery
  • Block inbound traffic to ports 44818, 2222, 102, 502, 22 from non-approved sources
  • Use CISA Remote Assessment to confirm exposure if internal visibility is limited

Harden Access Controls (0-72 Hours)

  • Set hardware key switches to RUN mode on CompactLogix and Micro850 where operationally feasible
  • Require MFA on all remote access pathways into OT environments
  • Terminate vendor and third-party access that cannot be immediately validated

Audit and Backup (0-72 Hours)

  • Audit all .ACD project files - compare current state against known-good versions
  • Back up all .ACD files to secured offline storage and verify restoration procedures
  • Review default credentials across all PLC and OT device inventory

Network Segmentation (Long Term)

  • Place PLCs in isolated network zones with no direct internet access
  • Route all remote OT access through a DMZ and authenticated jump host
  • Ensure Studio 5000 workstations have no internet connectivity

Behavioral Baselining (Long Term)

  • Establish formal change management for all PLC program modifications
  • Document approved source IPs for all EtherNet/IP sessions
  • Integrate OT visibility with IT security operations for correlated detection

Vendor Guidance (Long Term)

  • Apply Rockwell PN1550 for CVE-2021-22681 remediation guidance
  • Apply Rockwell SD1771 for internet disconnect and PLC hardening steps
  • Treat unauthorized external engineering connectivity as adversarial by default

Takeaway 01

Exposure is the vulnerability

BAUXITE does not need a software exploit. An internet-reachable PLC is the only enabling condition required. Remove that condition and the attack chain collapses before it begins.

Takeaway 02

Signatures will not save you

Initial access via Studio 5000 is protocol-identical to authorized engineering. Detection depends entirely on behavioral baselines: approved source IPs, change windows, and process-aware monitoring. IOC blocking is necessary but not sufficient.

Takeaway 03

This is not a one-time event

BAUXITE infrastructure has been active since January 2025. The current campaign escalated in March 2026. This is a persistent, operationally informed Iranian campaign - not an opportunistic scan. Treat it as a sustained threat condition.

Read the formal threat bulletin for the complete intelligence report, full IOC table, and source references.
