# 4,000 US Industrial Devices Exposed to Iran. They're Not Using Zero-Days. They're Reading the Manual.
- Patrick Duggan
- 3 hours ago
- 4 min read
On April 7, the FBI, CISA, NSA, EPA, DOE, and US Cyber Command published a joint advisory: IRGC-affiliated actors are connecting to internet-exposed Rockwell Automation PLCs across US critical infrastructure using the manufacturer's own engineering software. No exploit. No zero-day. They download Studio 5000 Logix Designer, connect over EtherNet/IP to TCP port 44818, and modify the project files that control water treatment plants, power grid substations, and government facility HVAC systems.
Censys counted the exposure: 5,219 hosts globally answering EtherNet/IP identity requests and self-identifying as Rockwell Allen-Bradley. The United States accounts for 74.6% of that total: 3,891 programmable logic controllers sitting on the public internet with no authentication in the protocol, no firewall in front of them, and no MFA on the path into the OT network.
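This is how a scanner (and an attacker) learns that a host on port 44818 is a Rockwell PLC, and it is also the quickest way to check your own external ranges before the "What to do" section below. It is an added example, not code from this post and not a Rockwell or Censys tool. EtherNet/IP (ODVA) frames every message with a 24-byte encapsulation header; the ListIdentity command (0x0063) needs no session and no credentials, and the reply carries vendor ID, device type, product name, firmware revision and serial number. ODVA vendor ID 1 is Rockwell Automation / Allen-Bradley and device type 0x0E is "Programmable Logic Controller". The sample reply embedded below is constructed by hand, not a real capture, and the product code and serial in it are made up.

```python
"""Identify an EtherNet/IP device the way an internet scanner does (added example)."""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
VENDOR_ROCKWELL = 1        # ODVA vendor ID 1 = Rockwell Automation / Allen-Bradley
DEVTYPE_PLC = 0x0E         # CIP device profile 0x0E = Programmable Logic Controller
HEADER_FMT = "<HHII8sI"    # command, length, session handle, status, sender context, options


def build_list_identity() -> bytes:
    """24-byte ListIdentity request: no session handle, no data, no credentials."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity(resp: bytes) -> dict:
    """Decode a ListIdentity reply into the fields a scanner fingerprints on."""
    if len(resp) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack(HEADER_FMT, resp[:24])
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status 0x{status:08x}")
    body = resp[24:24 + length]
    if len(body) < length:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if type_id != ITEM_LIST_IDENTITY:
            continue
        # Item layout: encap version(2) | sockaddr_in(16, network byte order) |
        # vendor(2) device type(2) product code(2) rev major(1) rev minor(1) |
        # status(2) serial(4) | name length(1) name(n) | state(1)
        (encap_ver,) = struct.unpack_from("<H", item, 0)
        _family, port, addr = struct.unpack_from(">HH4s", item, 2)
        vendor, devtype, pcode, rmaj, rmin, dstatus, serial = struct.unpack_from(
            "<HHHBBHI", item, 18)
        name_len = item[32]
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        return {
            "encap_version": encap_ver,
            "ip": socket.inet_ntoa(addr), "port": port,
            "vendor_id": vendor, "device_type": devtype, "product_code": pcode,
            "revision": f"{rmaj}.{rmin}", "status": dstatus,
            "serial": f"{serial:08X}", "product_name": name, "state": state,
            "rockwell_plc": vendor == VENDOR_ROCKWELL and devtype == DEVTYPE_PLC,
        }
    raise ValueError("no ListIdentity item in reply")


def probe(host: str, timeout: float = 3.0) -> dict:
    """Send ListIdentity to host:44818 and decode the answer. Run against your own ranges only."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(build_list_identity())
        return parse_list_identity(s.recv(4096))


# Constructed sample reply from a hypothetical CompactLogix at 192.168.1.10 (not a capture).
SAMPLE_REPLY = (
    struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 64, 0, 0, b"\x00" * 8, 0)
    + b"\x01\x00"                                        # item count = 1
    + b"\x0c\x00\x3a\x00"                                # ListIdentity item, 58 bytes
    + b"\x01\x00"                                        # encapsulation protocol version 1
    + b"\x00\x02\xaf\x12\xc0\xa8\x01\x0a" + b"\x00" * 8  # AF_INET, port 44818, 192.168.1.10
    + b"\x01\x00"                                        # vendor ID 1 = Rockwell / Allen-Bradley
    + b"\x0e\x00"                                        # device type 0x0E = PLC
    + b"\x89\x00"                                        # product code (made up)
    + b"\x14\x0b"                                        # firmware revision 20.11
    + b"\x30\x00"                                        # status word
    + b"\xee\xff\xc0\x00"                                # serial 0x00C0FFEE (made up)
    + b"\x18" + b"1769-L33ER/B LOGIX5333ER"              # name length 24 + product name
    + b"\x03"                                            # device state
)

if __name__ == "__main__":
    print(parse_list_identity(SAMPLE_REPLY))
```

Everything in that dictionary comes back to anyone who can reach the port, which is the whole point of the post: the device names itself, its firmware revision and its serial to an unauthenticated stranger before any engineering session starts.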
Iran is not hacking these devices. Iran is logging into them.
## Who
CyberAv3ngers. IRGC Cyber Electronic Command. Also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5591. This is the same unit that hit 75 Unitronics PLCs across US water and wastewater systems in November 2023. State-directed OT disruption, not opportunistic. The joint advisory explicitly states the escalation is "likely in response to hostilities between Iran, and the United States and Israel."
This is not a new actor. This is an actor with a documented history of targeting the specific devices that are currently exposed, operating under the authority of the IRGC, during an active kinetic conflict.
## What they do once inside
They exfiltrate project files — the logic programs that define what the PLC does. They manipulate HMI and SCADA display data — the screens that operators watch to know what the system is doing. The combination means they can change what the system does AND change what the operator sees. The operator watches a screen that says "normal" while the PLC executes modified logic.
This is not theoretical. This is the documented TTP from the advisory.
The only CVE cited is CVE-2021-22681: a hard-coded key in Studio 5000 Logix Designer, trusted by the Logix controllers it talks to, that can be extracted from the software and used to pass the controller's check that it is speaking to genuine Rockwell engineering software. It was publicly disclosed in 2021. CISA added it to the Known Exploited Vulnerabilities catalog in March 2026. Five years from disclosure to an exploited-in-the-wild listing.
## Why this is in our lane
We track Iranian cyber operations. We have since March 2026, when Handala Hack Team wiped 200,000 Stryker devices via compromised Microsoft Intune. We published the attack surface analysis before the Iran attribution was confirmed. We found the deobfuscated wiper payload on GitHub. We mapped the distribution network. We filed with Rewards for Justice.
Right now — tonight, as this post is being written — our Domain Watchdog is logging DNS rotations on two MuddyWater (Iran/IRGC) domains: moonzonet.com and girlsbags.shop. Both are cycling through Cloudflare-proxied IP addresses every 30 minutes. That is C2 infrastructure being staged or maintained in real time.
CyberAv3ngers targets industrial control systems. MuddyWater (also IRGC-affiliated) provides the network infrastructure and initial access for broader Iranian cyber operations. The same week that CISA publishes an advisory about 3,891 exposed PLCs, we are watching IRGC-linked domain infrastructure rotate DNS in real time. Same country. Same apparatus. Same week.
CISA published a STIX XML file with the advisory IOCs. We have indexed the campaign indicators. Our STIX feed consumers in 46 countries received them automatically.
## The uncomfortable question
3,891 PLCs exposed on the public internet. No authentication. The adversary uses the manufacturer's own software to connect. The vulnerability is five years old. The actor has been doing this since at least 2023.
This is not a cybersecurity problem. This is a facilities management problem. The PLCs are exposed because someone in a water treatment plant or a government building plugged them into the network for remote access and never put a firewall in front of them. The IRGC did not need to develop an exploit. They needed an internet connection and a copy of the software that Rockwell sells to anyone.
The question is not whether Iran can reach these devices. They already have. The question is how many of the 3,891 have already been accessed and how many project files have already been modified. The advisory describes the TTP. It does not describe the blast radius.
## What to do
If you operate Rockwell Allen-Bradley CompactLogix or Micro850 PLCs:
Check whether TCP port 44818 (EtherNet/IP, the port Studio 5000 uses to reach the controller) is reachable from the internet. If it is, close it tonight. Not tomorrow. Tonight. If the site genuinely needs remote engineering access, put it behind a VPN with MFA; never expose the protocol itself.
Check whether what is actually running in the PLC matches your last known-good project. Upload the program from the controller and compare it with the baseline, and read the controller's change log for edits nobody on your team made. Do not use the HMI for this check: the advisory's TTP includes altering what the HMI displays, so the screen is the one witness you cannot trust. A difference you cannot explain should be treated as a compromise until you can prove otherwise.
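One way to do that baseline comparison without trusting the HMI, as an added example that is not the post's code and not a Rockwell tool (Studio 5000 ships its own compare tool; this is a vendor-independent version for exports): Studio 5000 can export a project as L5X, an XML format in which ladder rungs live under Controller/Programs/Program/Routines/Routine/RLLContent/Rung/Text. The code below loads two such exports, a known-good baseline and a fresh upload from the controller, and reports every rung that was added, removed or modified. The two documents are constructed minimal samples, not real plant logic; the "current" one carries a hypothetical tampering pattern (an alarm contact ANDed with its own inverse, so the alarm can never fire) purely to illustrate what the diff surfaces.

```python
"""Rung-by-rung diff of two Studio 5000 L5X exports (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

RungKey = Tuple[str, str, int]  # (program name, routine name, rung number)


def load_rungs(l5x_text: str) -> Dict[RungKey, str]:
    """Map every ladder rung in an L5X export to its neutral-text logic."""
    root = ET.fromstring(l5x_text)
    rungs: Dict[RungKey, str] = {}
    for prog in root.iter("Program"):
        pname = prog.get("Name", "")
        for routine in prog.iter("Routine"):
            rname = routine.get("Name", "")
            for rung in routine.iter("Rung"):
                text_el = rung.find("Text")
                text = (text_el.text or "").strip() if text_el is not None else ""
                rungs[(pname, rname, int(rung.get("Number", "-1")))] = text
    return rungs


def diff_rungs(baseline: Dict[RungKey, str], current: Dict[RungKey, str]) -> List[dict]:
    """Return added, removed and modified rungs in program/routine/rung order."""
    findings: List[dict] = []
    for key in sorted(set(baseline) | set(current)):
        prog, routine, num = key
        where = {"program": prog, "routine": routine, "rung": num}
        if key not in baseline:
            findings.append({**where, "change": "added", "current": current[key]})
        elif key not in current:
            findings.append({**where, "change": "removed", "baseline": baseline[key]})
        elif baseline[key] != current[key]:
            findings.append({**where, "change": "modified",
                             "baseline": baseline[key], "current": current[key]})
    return findings


def _l5x(rungs: List[str]) -> str:
    """Wrap rung texts in a minimal L5X skeleton (constructed sample, one routine)."""
    body = "".join(
        f'<Rung Number="{i}" Type="N"><Text><![CDATA[{r}]]></Text></Rung>'
        for i, r in enumerate(rungs))
    return (
        '<RSLogix5000Content SchemaRevision="1.0" TargetName="Pump1" TargetType="Controller">'
        '<Controller Name="Pump1" ProcessorType="1769-L33ER"><Programs>'
        '<Program Name="MainProgram" MainRoutineName="MainRoutine"><Routines>'
        f'<Routine Name="MainRoutine" Type="RLL"><RLLContent>{body}</RLLContent></Routine>'
        '</Routines></Program></Programs></Controller></RSLogix5000Content>'
    )


# Known-good export taken before the exposure (constructed).
BASELINE_L5X = _l5x([
    "XIC(Start_PB)XIO(Stop_PB)OTE(Pump_Run);",
    "XIC(Level_High)OTE(Level_Alarm);",
])
# Upload from the controller today (constructed): the alarm rung now ANDs a
# contact with its own inverse, so it can never fire, and a rung was appended.
CURRENT_L5X = _l5x([
    "XIC(Start_PB)XIO(Stop_PB)OTE(Pump_Run);",
    "XIC(Level_High)XIO(Level_High)OTE(Level_Alarm);",
    "OTU(Pump_Interlock);",
])


def audit(baseline_l5x: str = BASELINE_L5X, current_l5x: str = CURRENT_L5X) -> List[dict]:
    """Diff a baseline export against a current export and return the findings."""
    return diff_rungs(load_rungs(baseline_l5x), load_rungs(current_l5x))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Keep the baseline export somewhere the PLC network cannot write to; an attacker who can edit the project in the controller can just as easily edit a baseline stored on the engineering workstation.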
Check your OT network and perimeter logs for connections from the 185.82.73.x range and 135.136.1.133. Those are the published IOCs. But the advisory notes that additional operator IPs exist on the same staging infrastructure that were not included in the published indicators, so treat any unfamiliar external address reaching port 44818 as a finding, not only the listed ones.
Subscribe to a threat feed that covers IRGC infrastructure. Ours is free. It includes the Handala campaign IOCs, the MuddyWater domain rotations we are tracking in real time, and the CyberAv3ngers indicators from the CISA advisory.
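Detection logic for the log check above, as an added example that is not the post's code and not the STIX feed it describes. It matches the two published IOCs from this post (the 185.82.73.x range and 135.136.1.133) on any port, and, because the advisory says more operator addresses exist on the same infrastructure, it also flags any globally routable source reaching an EtherNet/IP port at all. The log lines are constructed in a simple key=value form (src=, dst=, dport=, proto=, action=) and the timestamps and the non-IOC external address are made up; adapt the regex to your firewall's real format. Adding UDP 2222 (EtherNet/IP implicit I/O messaging) next to TCP 44818 is my choice, not something the post lists.

```python
"""Flag firewall log lines showing IOC sources or any external host reaching EtherNet/IP (added example)."""
import ipaddress
import re
from typing import List, Optional

# Published IOCs from the post; add further indicators from the advisory's STIX file here.
IOC_NETS = [ipaddress.ip_network("185.82.73.0/24"),
            ipaddress.ip_network("135.136.1.133/32")]
ENIP_PORTS = {44818, 2222}   # EtherNet/IP explicit (TCP 44818) and implicit I/O (UDP 2222)
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
                     r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)")


def classify(line: str) -> Optional[dict]:
    """Return a finding for an IOC hit or an unknown external host on an ENIP port, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    dport = int(m["dport"])
    rec = {"src": str(src), "dst": m["dst"], "dport": dport,
           "proto": m["proto"], "action": m["action"]}
    if any(src in net for net in IOC_NETS):
        rec["verdict"] = "ioc_match"          # known infrastructure, any port, allow or deny
    elif src.is_global and dport in ENIP_PORTS:
        rec["verdict"] = "external_to_enip"   # the advisory's unpublished operator IPs land here
    else:
        return None
    return rec


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over a log and keep only the findings."""
    return [r for r in (classify(line) for line in lines) if r]


# Constructed sample log (not real traffic); 37.19.221.4 stands in for an unlisted operator IP.
SAMPLE_LOG = [
    "2026-04-08T01:12:03Z fw01 src=185.82.73.14 dst=10.0.5.20 dport=44818 proto=tcp action=allow",
    "2026-04-08T01:12:09Z fw01 src=10.0.5.21 dst=10.0.5.20 dport=44818 proto=tcp action=allow",
    "2026-04-08T01:13:40Z fw01 src=37.19.221.4 dst=10.0.5.20 dport=44818 proto=tcp action=allow",
    "2026-04-08T01:14:02Z fw01 src=135.136.1.133 dst=10.0.5.30 dport=443 proto=tcp action=deny",
    "2026-04-08T01:15:11Z fw01 src=37.19.221.4 dst=10.0.5.30 dport=443 proto=tcp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An `allow` on the first or third line is the finding that matters: it means a controller answered an engineering-protocol connection from the internet, and the project comparison above is no longer optional.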
The PLCs are not going to patch themselves. The firewalls are not going to materialize. Someone has to close port 44818. If that someone is you, do it now. Iran is reading the manual and they are better at it than most of the people operating these devices.
— Patrick
Search for Iran IOCs: analytics.dugganusa.com/api/v1/search?q=IRGC+CyberAv3ngers
STIX feed (free): analytics.dugganusa.com/api/v1/stix-feed
Register: analytics.dugganusa.com/stix/register
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.