CyberAv3ngers Attack Chain — CISA AA26-097A

Five-phase kill chain — Rockwell PLC campaign, March–April 2026

Reconnaissance

Shodan & Censys scan for internet-exposed Rockwell PLCs

Ports 44818 · 2222 · 502 · 102 · 22

CVE-2021-22681 — spoof authorized engineering workstation

CVSS 9.8 · no credentials

Used Rockwell Studio 5000 — looks like scheduled maintenance

Indistinguishable on wire

Deployed Dropbear SSH — persistent backdoor, survives reboots

Port 22 · outbound C2

Altered SCADA displays — operators watched fabricated readings

.ACD files extracted