We Had Cyber Av3ngers' Water Plant C2s 30 Days Before CISA. Here's the Evidence.
- Patrick Duggan
On March 5, 2026, our automated ingest pipeline flagged a domain: cyber-node.tectoniview.in.net. Two independent feeds confirmed it within 24 hours — Abuse.ch's SSLBL and our own OTX pulse authored under the pduggusa handle. Classification: Cyber Av3ngers command-and-control infrastructure. Confidence: high. Timestamp: immutable.
Thirty days later, on April 7, 2026, CISA published their advisory warning that Cyber Av3ngers — the operational arm of Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command, IRGC-CEC — was actively targeting operational technology: water and wastewater treatment facilities, energy infrastructure, government systems.
We had their command-and-control indexed before CISA issued the warning. That's not a prediction. Predictions can be wrong. A timestamp is just a timestamp.
I want to say something about why I'm writing this, because I get accused of chest-thumping when I post receipts. The point isn't to embarrass CISA. The point is that the 30-day gap is structural, it's real, and if you're running a water treatment facility in 2026 and you're waiting for a federal advisory before you block a known C2 domain, something has gone badly wrong with your threat intelligence program.
The IRGC-CEC does not operate as a single monolithic actor. Cyber Av3ngers shares a parent command structure with Storm-0784, a cluster Microsoft tracks that uses Russia-registered infrastructure as staging. On February 23, 2026 — eleven days before tectoniview hit our feeds — we indexed stormbay.ru. Storm-0784. Russia registration, IRGC-CEC operational fingerprint underneath.
The pattern we've seen across 3,136 correlated IOCs is this: Storm-0784 stages, Cyber Av3ngers deploys. Russian-registered domains provide plausible deniability and confuse attribution. The actual operational decisions are coming out of Tehran.
By April 7, our Meilisearch database held those 3,136 indicators. Domains, IP addresses, SSL certificate hashes, JARM fingerprints. Not scraped from other vendors' public lists — ingested from SSLBL, from our own OTX research pulses, from passive DNS correlation. The depth matters because it determines what you can block.
The attack vector CISA described wasn't exotic, which is what makes it infuriating. Cyber Av3ngers targets Rockwell Automation Allen-Bradley programmable logic controllers — PLCs. Specifically the ControlLogix and GuardLogix lines. The engineering software used to interact with them is Studio 5000 Logix Designer, legitimate industrial tooling that speaks EtherNet/IP natively over port 44818. No zero-day required. No nation-state-grade exploit kit.
Default credentials. Internet-exposed port 44818. That's it. That's the attack.
Censys publishes scan data on internet-exposed industrial devices. As of this post: 5,219 Allen-Bradley devices with port 44818 reachable from the public internet. Five thousand two hundred nineteen. I keep staring at that number.
On March 11, 2026, a group called Handala — another IRGC-CEC-affiliated operation — claimed a breach at Stryker Corporation. Medical devices. Surgical robotics. Hospital supply chain for procedures happening in real time at hospitals you've been to.
The Stryker incident got covered as a separate story, a one-off, a healthcare sector breach. The framing was wrong. Handala received operational approval from the same IRGC-CEC command structure that activated Cyber Av3ngers against water PLCs. You don't get to claim independence when the C2 infrastructure overlaps.
What I see in the timeline is escalation doctrine. Municipal water in January and February. Energy infrastructure concurrent. Medical devices March 11. The IRGC-CEC is methodically testing critical infrastructure sectors, measuring response times, identifying gaps. They're not picking targets randomly. They're building a map.
The through-line between Cyber Av3ngers OT escalation and the Stryker breach is IRGC-CEC. I think that matters more than any individual incident because it changes the defensive posture. Against opportunism you patch and monitor. Against doctrine you need to assume the next target is already scoped.
Here's what I can show you, with dates I can verify against our index:
- February 23, 2026: stormbay.ru indexed. Storm-0784 cluster. Russia-registered staging infrastructure.
- March 5-6, 2026: cyber-node.tectoniview.in.net indexed. Dual-source confirmation, SSLBL and OTX pduggusa. Cyber Av3ngers C2 active.
- March 11, 2026: Handala claims Stryker breach. IRGC-CEC lateral escalation to medical device supply chain.
- April 7, 2026: CISA advisory. Cyber Av3ngers OT targeting confirmed by federal attribution.
- April 27, 2026: This post. 3,136 correlated IOCs in the database. Feed running daily.
Thirty days. That's the structural gap between what an automated feed can confirm and what a federal advisory can name. CISA requires attribution chain documentation before they can call out a nation-state actor. The law doesn't care that we all knew in March.
I want to be precise here because imprecision in threat intelligence gets people hurt.
The 5,219 exposed Allen-Bradley devices Censys identifies aren't theoretical attack surface. They are real industrial equipment, in real facilities, reachable from any laptop with an EtherNet/IP client and a Cyber Av3ngers C2 domain in its DNS cache.
Studio 5000 Logix Designer is available as a free trial download from Rockwell Automation's website. An IRGC-CEC operator who has compromised a single device inside a water treatment network, and who has connectivity to those external PLCs, can pull ladder logic, modify setpoints, disable safety interlocks — with legitimate-looking software commands that generate no exploit signatures.
This isn't me hypothesizing. This is documented OT attack methodology. It's what TRITON/TRISIS did to safety instrumented systems in a Saudi petrochemical plant in 2017. It's what Industroyer did to Ukrainian power grid substations. Cyber Av3ngers is following an established playbook against softer targets.
Block port 44818 at your perimeter. If you operate anything with Allen-Bradley hardware, that port does not need to be internet-reachable. It was never designed to be.
Pull the Cyber Av3ngers IOC set from our STIX feed at analytics.dugganusa.com. All 3,136 indicators, updated daily, formatted for ingestion into any modern SIEM or firewall. If you're running Splunk, CrowdStrike, Microsoft Sentinel, or Palo Alto Cortex — they all consume STIX 2.1.
Cross-reference your external-facing infrastructure against this feed. If cyber-node.tectoniview.in.net or stormbay.ru show up anywhere in your DNS query logs, your proxy logs, your firewall egress — you have a problem that predates the April 7 advisory.
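An added example, not the author's feed tooling and not code from this post, showing both checks above in one script: it parses a constructed STIX 2.1 bundle shaped like a domain-indicator feed, cross-references constructed resolver query log lines against the listed C2 domains (subdomains included), and flags firewall-accepted inbound connections to TCP/44818 from outside RFC 1918 space. The bundle contents, the log line formats and the sample addresses are assumptions.

```python
import ipaddress
import json
import re
# Constructed STIX 2.1 bundle shaped like a domain-indicator feed (sample data only).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'cyber-node.tectoniview.in.net']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'stormbay.ru']"}]})

# Constructed resolver query log and perimeter firewall log lines (assumed formats).
SAMPLE_DNS_LOG = [
    "2026-03-09T02:14:07Z client 10.0.5.20 query: hmi01.corp.example A",
    "2026-03-09T02:14:09Z client 10.0.5.20 query: cyber-node.tectoniview.in.net A",
    "2026-03-09T02:15:30Z client 10.0.5.21 query: cdn.stormbay.ru. A",
]
SAMPLE_FW_LOG = [
    "ACCEPT src=203.0.113.45 dst=10.0.5.30 proto=tcp dport=44818",
    "ACCEPT src=10.0.7.12 dst=10.0.5.30 proto=tcp dport=44818",
]
DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
# RFC 1918 ranges count as internal; anything else (documentation ranges included) is external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_domains(bundle_json):
    """Collect domains from STIX 2.1 indicators that use the domain-name pattern."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in DOMAIN_PATTERN.finditer(obj.get("pattern", "")):
            domains.add(m.group(1).lower().rstrip("."))
    return domains

def dns_hits(log_lines, domains):
    """Return queried names that equal, or are subdomains of, a listed C2 domain."""
    hits = []
    for line in log_lines:
        m = re.search(r"query:\s+(\S+)", line)
        name = m.group(1).lower().rstrip(".") if m else ""
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(name)
    return hits

def exposed_enip(fw_lines):
    """Return external source IPs the firewall ACCEPTED to TCP/44818 (EtherNet/IP)."""
    matches = (re.match(r"ACCEPT src=(\S+) .*dport=44818$", line) for line in fw_lines)
    return [m.group(1) for m in matches
            if m and not any(ipaddress.ip_address(m.group(1)) in n for n in INTERNAL)]
```

Any name returned by dns_hits or address returned by exposed_enip is a lead worth investigating, not proof of compromise on its own.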
If you want the full 3,136-indicator IOC set via API, query our search index with your API key. The registration link is at analytics.dugganusa.com.
The free tier is 500 queries a day. Our STIX feed is free and public. There is no paywall between you and blocking these domains.
I don't post these timelines to win an argument with federal agencies. CISA does important work under constraints I don't operate under — they need documented attribution before they name an adversary. That process takes time. The gap is not their failure.
What I'm saying is: the information existed before the advisory. The IOCs were indexed. The C2 was live. The 30-day gap is real, and in critical infrastructure terms, 30 days is a very long time to be running traffic past a known Cyber Av3ngers command-and-control node.
The feed is free. The evidence is dated. The PLCs are exposed.
I've said my piece.