Cyber Threat Bulletin
Severity: Critical | Campaign: BAUXITE | TLP: White

BAUXITE PLC Campaign Targets Internet-Exposed Industrial Controllers

Iranian IRGC-affiliated threat actors exploiting internet-exposed PLCs across U.S. critical infrastructure using legitimate engineering pathways

Published: April 8, 2026 | Version: 1.2 | Attribution: IRGC Cyber Electronic Command
Severity: Critical
Campaign: BAUXITE
Primary Vector: Internet-exposed PLC access
Secondary Vector: Legitimate engineering software abuse (Rockwell Studio 5000 Logix Designer)
Primary Persistence: Dropbear SSH (port 22)
Primary Impact: Operational disruption, HMI/SCADA manipulation, assessed destructive capability
Targeted Sectors: Government Services and Facilities, Water and Wastewater Systems, Energy
Infrastructure Active Since: January 2025. Current campaign confirmed since at least March 2026.
At a glance: 8 confirmed IOC IPs (7 of 8 in 185.82.73.0/24); 5 targeted ports (4 OT protocol ports plus SSH on 22); 2 confirmed Rockwell controller families; 15+ months of active infrastructure.
Section 01

Executive Summary

Iranian state-affiliated threat actors tracked as BAUXITE are actively exploiting internet-exposed programmable logic controllers across U.S. critical infrastructure. The campaign marks an escalation from earlier Iranian OT activity because the actors are no longer relying on default credentials alone. They are using Rockwell Automation Studio 5000 Logix Designer to connect to exposed CompactLogix and Micro850 PLCs in a way that is technically indistinguishable from authorized remote engineering activity. Once access is established, the actors extract .ACD project files, deploy Dropbear SSH for persistence, and manipulate HMI and SCADA displays. U.S. government agencies also assess destructive capability within the scope of this campaign.

The central weakness is architectural, not merely procedural. PLCs were never designed for direct internet exposure, and no signature-based detection stack can compensate for that condition. The highest-value immediate actions are straightforward: remove PLCs from internet access, set hardware key switches to RUN mode, and verify that default credentials are not present anywhere in the environment.

Critical Finding

BAUXITE uses legitimate engineering software for initial access. A Studio 5000 connection from a BAUXITE-controlled IP is protocol-identical to an authorized remote engineering session. Detection requires behavioral baselines around approved source IPs and maintenance windows, not signature matching.

Section 02

Key Findings

  • BAUXITE uses legitimate Rockwell engineering software (Studio 5000 Logix Designer) for initial access, making signature-based detection ineffective and behavioral baselines for engineering sessions essential.
  • Targeted devices include Rockwell CompactLogix and Micro850 PLCs. Note that Micro850 controllers are programmed from Rockwell's Connected Components Workbench (CCW) rather than Studio 5000, so engineering-session baselines should cover CCW traffic as well. Observed port targeting on 102 (Siemens S7 ISO-TSAP) and 502 (Modbus TCP) indicates a multi-vendor targeting model extending beyond Rockwell environments.
  • Persistence is established via Dropbear SSH, a legitimate lightweight open-source SSH implementation. Because it is legitimate software, it draws little attention in poorly monitored OT environments. No file hashes are available; focus on process execution and listening-port behavior.
  • Extraction of .ACD project files gives actors an operational blueprint containing ladder logic, I/O configuration, tag databases, and process parameters, providing detailed process-level understanding before any manipulation begins.
  • HMI and SCADA display manipulation creates an operator deception condition. Falsified display data misleads operators, masks physical anomalies, and increases the probability of erroneous response during a live incident.
  • Seven of the eight confirmed IOC addresses sit within 185.82.73.0/24 and have been active since January 2025, indicating sustained infrastructure that predates the March 2026 campaign escalation by more than a year.
  • No file hashes have been published. Behavioral monitoring, engineering-session baselining, and process-aware detection are the primary defensive path. IOC blocking is necessary but not sufficient against this campaign.
Section 03

Detailed Threat Analysis

BAUXITE is an Iranian state-sponsored threat group attributed to the IRGC Cyber Electronic Command. The campaign reflects a maturation of Iranian OT targeting from opportunistic controller access into a more operationally informed intrusion model. The actors demonstrate familiarity with Rockwell software ecosystems, EtherNet/IP protocol behavior, PLC project file structures, and the operational realities of industrial environments.

The threat is not limited to a single victim class. The confirmed victim sectors are Government Services and Facilities, Water and Wastewater Systems, and Energy, but the scan pattern is broader. BAUXITE is scanning industrial protocol ports internet-wide, which means any organization operating internet-reachable PLCs is a viable target whether or not it appears in the currently confirmed victim list.

The most important technical distinction in this campaign is that the adversary is using trusted engineering pathways rather than obviously malicious tooling for initial access. A BAUXITE connection using Studio 5000 can look identical to a legitimate remote engineering session unless defenders have established behavioral baselines around approved source IPs, maintenance windows, and authorized change pathways. This makes the campaign especially dangerous in environments where OT access governance is weak and security teams lack visibility into engineering activity.

The operational risk is unusually high because the actors are not stopping at access. By extracting .ACD project files, they gain process-level understanding of the environment. By manipulating HMI and SCADA displays, they create a condition where operators act on false information. In water environments, this affects treatment and dosing decisions. In energy environments, it influences substation control and monitoring. In government facilities, it can affect HVAC, physical access, and building automation systems.

Broader Iranian Context

This bulletin places BAUXITE within a broader Iranian OT targeting trajectory, noting sustained Iranian use of OT disruption as a coercive instrument and referencing parallel developments including the PYROXENE cluster and concurrent IT-side pressure from other Iranian actors. This is not a one-time event. It is a sustained campaign model that critical infrastructure operators should treat as a persistent threat condition.

Section 04

Attack Chain Overview

Key Distinction

The BAUXITE attack chain does not require phishing, novel malware, or a zero-day. It requires one enabling condition: the target PLC is reachable from the public internet. The campaign then proceeds through a structured sequence of reconnaissance, access, intelligence collection, persistence, operator deception, and potential destructive impact.

Step 1 - Reconnaissance (T0883 / T0885)

Actors scan for internet-exposed devices responding on industrial protocol ports: EtherNet/IP on 44818 and 2222, Modbus TCP on 502, and Siemens S7 ISO-TSAP on 102. The port mix indicates a multi-vendor targeting model rather than a narrowly scoped Rockwell-only operation.

Step 2 - Initial Access (TA0001 / T0883)

Using overseas leased infrastructure (185.82.73.0/24), BAUXITE connects to exposed CompactLogix and Micro850 PLCs via Studio 5000 Logix Designer. The session is protocol-identical to authorized engineering activity. In unpatched environments, CVE-2021-22681 further lowers the barrier: the key Studio 5000 Logix Designer uses to authenticate to Logix controllers is insufficiently protected, and an attacker who extracts it can connect to affected controllers as though from the legitimate software.

Step 3 - Project File Extraction (T1565.001)

Actors extract .ACD project files, for example by uploading the running project from the controller (in Rockwell terminology an upload moves the project from controller to workstation; a download writes it to the controller). The files contain ladder logic, I/O configuration, tag databases, and process parameters. This provides a detailed blueprint of the target's industrial process and enables informed follow-on manipulation of the physical environment.

Step 4 - Persistence (TA0011)

BAUXITE deploys Dropbear SSH on victim endpoints for remote access over port 22. Dropbear is a legitimate lightweight SSH implementation and blends into environments that lack OT process monitoring and endpoint baselines. No file hashes are available; detection has to key on an unexpected SSH server process or listener on OT-connected hosts.

Step 5 - HMI / SCADA Manipulation (T1491.001)

Actors falsify display data on HMI and SCADA systems. This undermines operator trust in process telemetry, masks physical anomalies, and increases the probability of operational error: operators are forced to make decisions from a false picture of actual process state.

Step 6 - Assessed Destructive Capability (T0809)

The bulletin maps the campaign to ICS technique T0809 Data Destruction, which falls under the Inhibit Response Function tactic. No confirmed destructive events are publicly reported in the current campaign, but U.S. government agencies assess destructive capability as relevant to its operational context.

Section 05

MITRE ATT&CK Mapping

MITRE ATT&CK for ICS
T0883 - Internet Accessible Device: Structural exposure enabling the entire attack chain. Not a software vulnerability.
T0885 - Commonly Used Port: EtherNet/IP (44818, 2222), Modbus TCP (502), S7 ISO-TSAP (102), SSH (22). Camouflages attacker traffic in expected OT protocol patterns.
T0809 - Data Destruction (Inhibit Response Function tactic): Assessed capability mapped from STIX data. No confirmed destructive events in the current campaign.
MITRE ATT&CK Enterprise
TA0001 - Initial Access: External network connection via legitimate engineering software from overseas-leased infrastructure. Indistinguishable from authorized access without behavioral baselines.
TA0011 - Command and Control: Dropbear SSH deployed on victim endpoints for persistent remote access over port 22. Detection focus: unexpected SSH process execution on OT-connected hosts.
T1565.001 - Stored Data Manipulation: .ACD project file extraction and potential modification. Project files contain ladder logic, I/O configuration, tag databases, and process parameters.
T1491.001 - Internal Defacement: HMI and SCADA display manipulation. Operators are presented with false process state data, increasing the probability of erroneous operational decisions.
Section 06

Indicators of Compromise

TLP: White - All indicators cleared for unrestricted distribution

No file hashes have been published for this campaign. Because BAUXITE relies on legitimate tooling and expected protocols, behavioral indicators deserve at least the same priority as atomic indicators: an IOC block list stops today's infrastructure, not the access pattern. IOC blocking is necessary but not sufficient as a standalone control.

Confirmed IOC IP Addresses
185.82.73.162
185.82.73.164
185.82.73.165
185.82.73.167
185.82.73.168
185.82.73.170
185.82.73.171
135.136.1.133
Consider blocking the full 185.82.73.0/24 range: 7 of 8 confirmed addresses sit in this subnet, it has been active since January 2025, and no legitimate engineering session should originate from overseas leased address space.
Targeted Ports
44818 - EtherNet/IP explicit messaging over TCP (primary; the port engineering sessions use)
2222 - EtherNet/IP (alternate; UDP implicit I/O messaging in the EtherNet/IP specification)
102 - Siemens S7 ISO-TSAP (TCP)
502 - Modbus TCP
22 - SSH (Dropbear persistence)
Tooling: Dropbear SSH (legitimate lightweight SSH implementation). No file hashes published. Detect via process execution behavior, not signatures.
Behavioral Indicators
Traffic from 185.82.73.0/24 or 135.136.1.133 on OT protocol ports
Studio 5000 or RSLogix connecting to external IPs outside approved baseline
Dropbear present or executing on any OT-connected endpoint
Outbound SSH from OT network segments to external destinations
.ACD project file accessed, transferred, or modified outside change windows
New source IP in an EtherNet/IP session (requires OT-aware monitoring)
HMI or SCADA display values changing without corresponding historian events
Priority Hunt Action

Immediately hunt for connections involving the eight confirmed IPs, unexpected inbound EtherNet/IP traffic from external sources, outbound SSH from OT segments, and any unauthorized .ACD access or PLC program changes. Run against at least 90 days of historical data to identify campaign activity that may predate current alert deployment.

Section 07

Detection Analysis

The bulletin provides a layered detection model that prioritizes behavioral monitoring over pure IOC matching because BAUXITE uses legitimate engineering software and common administrative pathways. Detections are separated into standard SIEM-compatible analytics and OT platform-dependent analytics, reflecting the reality that some detections are not feasible without industrial protocol visibility. Signature-only approaches are explicitly insufficient because the initial access method is indistinguishable from legitimate engineering activity without behavioral context.

Standard SIEM Compatible Detections

  • Known IOC IP in inbound or outbound network traffic
  • Dropbear SSH process execution on Windows endpoints
  • Dropbear SSH process execution on Linux endpoints
  • Inbound external connection to EtherNet/IP ports (44818, 2222)
  • Inbound external connection to Modbus TCP (502) or Siemens S7 (102)
  • Outbound SSH from OT network segments to any external destination
  • Studio 5000 or RSLogix processes connecting to external IP addresses
  • .ACD project file transfer detected over the network

OT Platform Required Detections

  • PLC program upload or download event outside authorized maintenance windows. In Rockwell terminology an upload reads the project out of the controller (how .ACD files are extracted) and a download writes logic to it (how changes land), so both directions matter. Requires OT-aware monitoring with EtherNet/IP protocol DPI and a change-window baseline.
  • New source IP appearing in an EtherNet/IP session against any PLC (requires an approved engineering-workstation IP baseline and industrial protocol visibility)
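The SIEM-compatible detections above and the Behavioral Indicators in Section 06 are simple enough to run as a script over exported flow or firewall records, which is also the quickest way to do the 90-day lookback hunt. The following is an added example written for this bulletin, not code from the page, CISA, or Rockwell: it evaluates each flow against the published IOC set and /24, inbound external traffic to OT protocol ports, outbound SSH from the OT segment, and EtherNet/IP sessions from any host other than the approved engineering workstation, downgrading that last rule inside a maintenance window. The OT segment (10.20.0.0/16), the approved workstation (10.20.5.10), the Tuesday 02:00-05:00 UTC window, the flow record layout, and the flow records themselves are constructed assumptions; replace them with your own asset and change baselines.

```python
"""Behavioral hunt over OT flow records for the BAUXITE indicators.

Added example for this bulletin, not code from CISA, Rockwell, or the
original page. The IOC list and port set come from Sections 06 and 07;
everything about the site (OT segment, approved engineering workstation,
maintenance window, flow record layout) is an assumption for illustration.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Atomic indicators published in Section 06.
IOC_IPS = {
    "185.82.73.162", "185.82.73.164", "185.82.73.165", "185.82.73.167",
    "185.82.73.168", "185.82.73.170", "185.82.73.171", "135.136.1.133",
}
IOC_NETS = [ipaddress.ip_network("185.82.73.0/24")]  # 7 of 8 IOCs live here

OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP alt", 502: "Modbus TCP", 102: "S7 ISO-TSAP"}
ENIP_PORTS = {44818, 2222}

# Site-specific assumptions: replace with your own asset and change baselines.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
APPROVED_EWS = {ipaddress.ip_address("10.20.5.10")}   # the one sanctioned Studio 5000 host
MAINT_WEEKDAY, MAINT_START_H, MAINT_END_H = 1, 2, 5    # Tuesdays 02:00-05:00 UTC


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_maintenance_window(ts: datetime) -> bool:
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START_H <= ts.hour < MAINT_END_H


def evaluate(flow: dict) -> list:
    """Return (severity, rule, detail) findings for one flow record."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    port, ts = flow["dport"], parse_ts(flow["ts"])
    findings = []
    # Rule 1: either side matches a published IOC address or the IOC /24.
    for ip in (src, dst):
        if str(ip) in IOC_IPS or any(ip in net for net in IOC_NETS):
            findings.append(("critical", "ioc_match", str(ip)))
    # Rule 2: inbound from the public internet straight onto an OT protocol port.
    if src.is_global and dst in OT_SEGMENT and port in OT_PORTS:
        findings.append(("high", "inbound_external_ot_port", f"{OT_PORTS[port]}/{port}"))
    # Rule 3: SSH leaving the OT segment (Dropbear persistence talking to the outside).
    if src in OT_SEGMENT and dst.is_global and port == 22:
        findings.append(("high", "outbound_ssh_from_ot", str(dst)))
    # Rule 4: EtherNet/IP session to a PLC from a host that is not the approved
    # engineering workstation; inside a maintenance window it still deserves a look.
    if dst in OT_SEGMENT and port in ENIP_PORTS and src not in APPROVED_EWS:
        sev = "medium" if in_maintenance_window(ts) else "high"
        findings.append((sev, "unbaselined_enip_source", str(src)))
    return findings


def hunt(flows: list, now: datetime, lookback_days: int = 90) -> list:
    """Run evaluate() over every flow inside the lookback window (bulletin minimum: 90 days)."""
    cutoff = now - timedelta(days=lookback_days)
    results = []
    for flow in flows:
        ts = parse_ts(flow["ts"])
        if not cutoff <= ts <= now:
            continue
        for sev, rule, detail in evaluate(flow):
            results.append({"ts": flow["ts"], "severity": sev, "rule": rule,
                            "src": flow["src"], "dst": flow["dst"], "detail": detail})
    return results


# Constructed flow records (not real telemetry) exercising each rule.
SAMPLE_FLOWS = [
    {"ts": "2026-03-12T03:40:00Z", "src": "185.82.73.165", "dst": "10.20.7.31", "dport": 44818},  # IOC -> PLC
    {"ts": "2026-03-12T03:41:10Z", "src": "10.20.7.31", "dst": "185.82.73.165", "dport": 22},     # SSH back out
    {"ts": "2026-03-10T02:30:00Z", "src": "10.20.5.10", "dst": "10.20.7.31", "dport": 44818},     # approved EWS, in window
    {"ts": "2026-03-11T14:05:00Z", "src": "10.20.5.22", "dst": "10.20.7.31", "dport": 2222},      # unknown internal host
    {"ts": "2025-11-20T22:15:00Z", "src": "185.82.73.170", "dst": "10.20.7.40", "dport": 502},    # older than 90 days
    {"ts": "2026-03-15T09:00:00Z", "src": "10.20.7.31", "dst": "10.20.9.5", "dport": 502},        # internal Modbus, benign
]
NOW = datetime(2026, 4, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for days in (90, 500):
        print(f"lookback {days}d:")
        for r in hunt(SAMPLE_FLOWS, NOW, days):
            print(f"  {r['ts']} {r['severity']:8} {r['rule']:26} {r['src']} -> {r['dst']} ({r['detail']})")
```

Running it prints the findings for a 90-day and a 500-day lookback; the November 2025 IOC hit only appears in the longer one, which is exactly why the lookback should extend back to when the infrastructure became active rather than stop at 90 days.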
Operational Note

Run all detection analytics against a minimum of 90 days of historical log data. BAUXITE infrastructure has been active since January 2025. Activity may predate current detection deployments by a significant margin.

Section 08

Prevention and Mitigation

The bulletin is explicit that no detection control fully compensates for direct internet exposure of PLCs. The most effective immediate mitigation is to eliminate that exposure and enforce hardware and network boundaries that prevent unauthorized engineering access.

Eliminate Internet Exposure

  • Identify and remove direct internet exposure for all PLCs via firewall logs, asset discovery, or CISA Remote Assessment
  • Block inbound traffic to ports 44818, 2222, 102, 502, and 22 from any non-approved source IP
  • Block all 8 confirmed IOC IPs and consider blocking the full 185.82.73.0/24 range

Harden Device Access

  • Set hardware key switches to RUN mode on CompactLogix controllers wherever operationally feasible; with the key in RUN the controller refuses program downloads and mode changes issued over the network. Where a controller has no physical key switch (the Micro800 family, including Micro850, is programmed and mode-switched from Connected Components Workbench), enforce the equivalent by restricting network access to the engineering path.
  • Limit PROGRAM or REMOTE mode settings to supervised maintenance windows only
  • Require MFA for any remote access pathway with OT connectivity

Audit and Validate

  • Audit all remote access pathways and terminate vendor or third-party access that cannot be immediately validated
  • Verify default credentials are not present on any PLC or OT device in inventory
  • Back up all .ACD project files to secured offline storage and verify restoration procedures

Network Segmentation

  • Place PLCs in isolated network zones with no direct internet access
  • Route all remote OT access through a DMZ and authenticated jump host
  • Remove internet connectivity from Studio 5000 engineering workstations

Device Configuration

  • Review Rockwell advisory PN1550 for CVE-2021-22681 device-specific remediation
  • Review Rockwell advisory SD1771 for internet disconnect and PLC hardening guidance
  • Disable unused communication services on OT devices and replace default credentials

Change Management

  • Establish formal change management for all PLC program modifications
  • Authorize engineering sessions only from workstations physically within the OT network
  • Document approved source IPs for all EtherNet/IP sessions as a formal baseline
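The .ACD indicator in Section 06, the offline backup item under Audit and Validate, and the change-management list above all depend on knowing what the sanctioned project files looked like, and a hash baseline is the cheapest way to know. The following is an added example written for this bulletin, not code from the page or Rockwell: it records a SHA-256 per .ACD project file (and per .L5X XML export, Rockwell's text form of the same project), diffs a later snapshot against it, and marks each new or modified file as authorized only if its modification time falls inside an approved change window; a missing file is always flagged. The file contents, timestamps, and the single change window are constructed for illustration.

```python
"""Integrity baseline for PLC project files with a change-window check.

Added example for this bulletin, not code from the page, CISA, or Rockwell.
File contents and timestamps below are constructed; the change window is a
site-specific assumption.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

PROJECT_SUFFIXES = (".acd", ".l5x")

# Approved change windows (start, end) in UTC: an assumption for illustration.
CHANGE_WINDOWS = [
    (datetime(2026, 3, 10, 2, tzinfo=timezone.utc), datetime(2026, 3, 10, 5, tzinfo=timezone.utc)),
]


def build_baseline(files: dict) -> dict:
    """Map each project file path to its SHA-256; non-project files are ignored."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in files.items() if path.lower().endswith(PROJECT_SUFFIXES)}


def in_change_window(ts: datetime, windows=CHANGE_WINDOWS) -> bool:
    return any(start <= ts <= end for start, end in windows)


def compare(baseline: dict, files: dict, mtimes: dict, windows=CHANGE_WINDOWS) -> list:
    """Diff the current tree against the baseline.

    A new or modified project file is authorized only if its mtime falls inside an
    approved window; a missing file is never authorized (deleted or replaced)."""
    current = build_baseline(files)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            event = "missing"
        elif path not in baseline:
            event = "new"
        elif baseline[path] != current[path]:
            event = "modified"
        else:
            continue
        authorized = event != "missing" and in_change_window(mtimes[path], windows)
        findings.append({"path": path, "event": event, "authorized": authorized,
                         "sha256": current.get(path)})
    return findings


def load_tree(root: str) -> tuple:
    """Read a real directory into the (files, mtimes) shape compare() expects."""
    files, mtimes = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
            mtimes[rel] = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
    return files, mtimes


# Constructed sample: the baseline snapshot taken after the last approved change.
BASELINE_FILES = {
    "Line1/Pump_Station.ACD": b"constructed ACD bytes, revision 12",
    "Line1/Dosing.ACD": b"constructed ACD bytes, revision 7",
    "Line1/Blower.ACD": b"constructed ACD bytes, revision 3",
    "README.txt": b"not a project file",
}
BASELINE = build_baseline(BASELINE_FILES)

# Constructed current state: Dosing.ACD rewritten outside any window, Blower.ACD
# gone, Intake.ACD added inside the approved window, README changed but irrelevant.
CURRENT_FILES = {
    "Line1/Pump_Station.ACD": b"constructed ACD bytes, revision 12",
    "Line1/Dosing.ACD": b"constructed ACD bytes, revision 7 with altered dosing setpoints",
    "Line2/Intake.ACD": b"constructed ACD bytes, new station",
    "README.txt": b"edited notes, irrelevant",
}
CURRENT_MTIMES = {
    "Line1/Pump_Station.ACD": datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc),
    "Line1/Dosing.ACD": datetime(2026, 3, 12, 3, 41, tzinfo=timezone.utc),
    "Line2/Intake.ACD": datetime(2026, 3, 10, 3, 0, tzinfo=timezone.utc),
    "README.txt": datetime(2026, 3, 12, 3, 50, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    print(json.dumps(compare(BASELINE, CURRENT_FILES, CURRENT_MTIMES), indent=2))
```

Store the baseline somewhere the engineering workstation cannot write, and run the same compare() against the restored copy of an offline backup to verify the restoration step before trusting it.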

Long-term resilience depends on eliminating internet-exposed controllers, building behavioral baselines for engineering activity, integrating OT visibility with IT security operations, and treating unauthorized external engineering connectivity as a high-confidence adversarial signal until proven otherwise. Organizations should develop and exercise OT-specific incident response plans for cases where process telemetry cannot be trusted, as HMI/SCADA manipulation can degrade the reliability of data used in incident response decisions.

Section 09

Reporting and Resources

If You Suspect Compromise

Organizations that suspect BAUXITE-related compromise should preserve logs, avoid restoring from potentially compromised backups before forensic review, and report incidents through the channels identified below. Update OT-specific incident response plans and exercise decision-making processes for cases where process telemetry may not be reliable.

Incident Reporting

  • CISA 24/7 Operations Center
  • central@cisa.dhs.gov
  • CISA reporting portal (bulletin resources)
  • FBI Internet Crime Complaint Center (IC3)

Vendor Guidance

  • Rockwell PSIRT: PSIRT@rockwellautomation.com
  • PN1550 - CVE-2021-22681 remediation
  • SD1771 - Internet disconnect and PLC hardening

Industry Resources

  • CISA AA23-335A (2023 Unitronics campaign)
  • CISA Known Exploited Vulnerabilities Catalog
  • WaterISAC (water sector coordination)
  • E-ISAC (electricity sector coordination)
  • MS-ISAC (government sector coordination)

The BAUXITE campaign is a direct reminder that industrial cyber risk becomes operational risk the moment internet-exposed PLCs and uncontrolled engineering access are allowed to coexist. The fastest gains come from removing public exposure, enforcing hardware and network boundaries, and treating unauthorized external engineering sessions as adversarial by default.
