Iranian-Linked Hackers Targeting U.S. Critical Infrastructure Programmable Logic Controller

A joint advisory from multiple U.S. federal agencies warns that Iranian-affiliated advanced persistent threat (APT) actors are actively targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on networks of U.S. critical infrastructure organizations.

The Joint Warning

The warning was issued today by the FBI, CISA, NSA, Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF).

According to the agencies, these ongoing attacks have targeted organizations across multiple critical infrastructure sectors, including:

  • Government Services and Facilities
  • Water and Wastewater Systems
  • Energy

The campaigns have resulted in financial losses and operational disruptions since March 2026.

Attack Objectives and Methods

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” the advisory warns.

Confirmed impacts include:

  • Extraction of device project files
  • Manipulation of data on HMI (Human-Machine Interface) and SCADA (Supervisory Control and Data Acquisition) displays
  • Operational disruptions across critical infrastructure

The agencies note that “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.”

Historical Context: CyberAv3ngers Attacks

This activity mirrors a similar campaign documented in November 2023, when CyberAv3ngers—a threat group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC)—exploited vulnerabilities in U.S.-based Unitronics operational technology (OT) systems.

Between November 2023 and January 2024, CyberAv3ngers compromised at least 75 Unitronics PLC devices across multiple attack waves, with approximately half located in Water and Wastewater Systems (WWS) critical infrastructure networks.

Defense Recommendations

Network defenders are advised to implement the following protective measures:

  • Disconnect PLCs from the Internet or secure them using a firewall
  • Scan logs for indicators of compromise provided in the joint advisory
  • Monitor for suspicious traffic on OT ports, especially from overseas hosting providers
  • Implement multifactor authentication (MFA) for OT network access
  • Update PLCs to the latest available firmware versions
  • Disable all unused services and authentication methods, including default authentication keys
  • Continuously monitor network traffic for suspicious activity

Related Iranian Cyber Threats

Last month, the Iranian-linked and pro-Palestinian Handala hacktivist group wiped approximately 80,000 devices on the network of U.S. medical device manufacturer Stryker, including employees’ mobile devices and company-managed personal computers.

Additionally, the FBI warned that Iranian hackers linked to the country’s Ministry of Intelligence and Security (MOIS) are using Telegram in coordinated malware attacks.

Related Articles

Back to top button