CloudSEK Identifies 40,000+ Exposed US Industrial Systems Vulnerable to AI-Assisted Recon as Iranian-Aligned Groups Mobilise

CloudSEK researchers have documented how artificial intelligence has fundamentally collapsed the barrier to targeting industrial control systems, compressing what once required weeks of specialist knowledge into a five-minute reconnaissance workflow.

The findings come as the 28 February 2026 US-Israel strikes against Iran triggered the largest single-event activation of Iranian-aligned cyber actors ever documented, with over 60 hacktivist groups mobilising within hours – many without deep ICS expertise, but now equipped with AI tools that make that expertise unnecessary.

Key Findings

  • CloudSEK identified 40,000+ internet-exposed US industrial control systems immediately discoverable using AI-assisted reconnaissance – and confirmed that a passive five-minute workflow using free tools can identify live devices, retrieve default credentials, map accessible interfaces, and enumerate CVEs without authenticating to or probing a single system.
  • OpenAI confirmed in October 2024 that Iranian-affiliated actors (CyberAv3ngers) used ChatGPT to conduct ICS reconnaissance, querying default credentials for industrial devices, generating Shodan search strings, and requesting automation scripts – one of the first documented uses of a commercial LLM by a state-affiliated actor against critical infrastructure.
  • More than 60 Iranian-aligned hacktivist groups mobilised within hours of the 28 February 2026 strikes. The death of Supreme Leader Khamenei disrupted IRGC command structures, removing the political constraints that historically governed Iranian cyber targeting. Proxy and hacktivist groups now operate without accountability for civilian harm.
  • US government reporting confirms 75+ US ICS devices were compromised in campaigns linked to the same threat ecosystem, including 34+ in the Water and Wastewater sector. The 2023 Aliquippa water plant compromise – forced onto manual operations by a default password – is the documented template these groups are replicating.
  • Internet exposure across OT and ICS environments is worsening: 35% year-on-year growth in exposed systems and a 160% surge in Unitronics port 20256 exposure, despite two years of CISA advisories following the Aliquippa attack (ReliaQuest, H1 2025).

Why This Matters

The real shift is not in malware sophistication. It is in speed, scale, and accessibility. AI is enabling less technically mature actors to perform ICS reconnaissance that once required years of specialist knowledge.

In a conflict environment where over 60 groups are simultaneously activated and seeking accessible targets, AI compresses the cycle from intent to impact.

CloudSEK researchers reproduced the AI-assisted reconnaissance chain as a passive research exercise, mirroring the confirmed methodology. Following the same process, researchers identified multiple live instances of unauthenticated, internet-exposed ICS systems with direct operational impact potential.

CloudSEK notes that because the research was entirely passive, consisting of nothing more than standard HTTP requests against publicly indexed systems, its activity is indistinguishable from what a threat actor would perform.

The cyber fallout from the Iran-US conflict is not limited to advanced state-linked operators. Loosely aligned hacktivists and proxy actors can now use AI-assisted workflows to identify and prioritise exposed industrial assets in real time, increasing the risk of opportunistic disruption to water treatment, energy distribution, fuel management, and manufacturing operations.

The same 28 February window also saw OpenAI confirm a partnership with the US Department of Defense, triggering a 295% spike in ChatGPT app uninstalls (Sensor Tower via TechCrunch). As commercial AI platforms face governance pressure around military use, threat actors migrate to unconstrained alternatives. The safety guardrails that limited CyberAv3ngers on ChatGPT in 2024 are a floor, not a ceiling.

Immediate Defensive Priorities

CloudSEK recommends that organisations urgently:

  • Remove ICS management interfaces from the public internet immediately and place them behind VPN. This single action eliminates the AI-assisted passive reconnaissance attack path entirely.
  • Change default credentials on all deployed ICS devices. The Unitronics default password 1111 is in a vendor manual, in CISA Advisory AA23-335A, and in active use on internet-exposed devices today.
  • Block industrial protocol ports at the perimeter: TCP 20256, 102, 502, 44818, 1911 and UDP 47808 have no legitimate reason to be directly internet-accessible.
  • Audit all third-party remote access to OT environments. IT managed service providers with tools on OT networks are confirmed entry points for supply chain attacks.
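As an added example, not part of CloudSEK's research or this article, the following Python snippet turns the port-blocking recommendation above into a perimeter check: it scans firewall log lines for inbound traffic from non-internal sources to the listed industrial protocol ports and rates accepted connections as critical. The log format, the protocol labels (taken from public port assignments) and the RFC 5737 sample addresses are assumptions of this example.

```python
import ipaddress
import re

# Ports the report says have no legitimate reason to be internet-reachable.
ICS_PORTS = {
    ("tcp", 20256): "Unitronics PCOM",
    ("tcp", 102): "Siemens S7comm",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 1911): "Tridium Niagara Fox",
    ("udp", 47808): "BACnet/IP",
}
# Constructed, simplified firewall log format; adapt the regex to your export.
LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)"
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip: str) -> bool:
    # Outside RFC 1918, loopback and link-local space counts as internet-sourced.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_ics_exposure(lines):
    """Return (severity, protocol, src, dst, port) for each inbound ICS-port hit from outside."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), int(m["dpt"]))
        if key not in ICS_PORTS or not is_external(m["src"]):
            continue
        # ACCEPT means the perimeter passed the traffic; DROP means the port was only scanned.
        severity = "CRITICAL" if m["action"].upper() == "ACCEPT" else "INFO"
        findings.append((severity, ICS_PORTS[key], m["src"], m["dst"], key[1]))
    return findings

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    "action=ACCEPT proto=TCP src=203.0.113.10 dst=198.51.100.5 dpt=20256",
    "action=DROP proto=TCP src=203.0.113.11 dst=198.51.100.5 dpt=502",
    "action=ACCEPT proto=TCP src=10.0.0.7 dst=10.0.1.20 dpt=502",  # internal, ignored
    "action=ACCEPT proto=TCP src=203.0.113.12 dst=198.51.100.5 dpt=443",  # not an ICS port
    "action=ACCEPT proto=UDP src=203.0.113.13 dst=198.51.100.5 dpt=47808",
]
```

Any CRITICAL finding means an ICS port is reachable from the internet and should be closed at the perimeter; a steady stream of INFO hits shows the port is being scanned even though the rule holds.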

CloudSEK’s findings are based on passive reconnaissance of publicly indexed information and exposed web interfaces, without logging into or actively probing any system.

You can read the research here: AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure | CloudSEK
