Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks

Summary

Federal agencies (FBI, CISA, NSA, EPA, DOE, USCYBERCOM) warned of ongoing attacks by Iran-linked threat actors targeting internet-exposed programmable logic controllers (PLCs), particularly Rockwell Automation/Allen-Bradley devices across multiple US critical infrastructure sectors including water, energy, and government facilities. The attackers manipulate PLC project files and SCADA/HMI displays to cause operational disruptions. The campaign exhibits similar tactics to previous operations by CyberAv3ngers, an IRGC-linked group that has targeted water utilities and used AI tools like ChatGPT for reconnaissance and exploitation.

Full text

Several critical infrastructure organizations in the U.S. were disrupted by Iran-linked cyberattacks that impacted operational technology (OT) devices, according to an urgent warning from federal agencies on Tuesday. In a joint advisory, the FBI, CISA, NSA, EPA, DOE, and United States Cyber Command warned that attacks in recent weeks have targeted devices spanning multiple sectors, including Government Services and Facilities (including local municipalities), Water and Wastewater Systems, and Energy Sectors. The federal agencies say that Iranian-linked threat actors are actively targeting internet-exposed programmable logic controllers (PLCs), particularly those manufactured by Rockwell Automation/Allen-Bradley, though other vendors may also be at risk. “As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays,” the advisory explains. “Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section to reduce the risk of compromise,” the advisory continued. Similar Activity by CyberAv3ngers According to the authoring agencies, the campaign has similar activity to earlier operations attributed to Iran-linked groups such as CyberAv3ngers, which previously targeted PLCs in U.S. infrastructure sectors.Advertisement. Scroll to continue reading. CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has made previous headlines for its attacks on the water sector. In October 2024, Artificial Intelligent giant OpenAI said the CyberAv3ngers hackers used its popular ChatGPT tool to plan ICS attacks. OpenAI said accounts associated with the group used ChatGPT to conduct reconnaissance, but also to help them with vulnerability exploitation, detection evasion, and post-compromise activity. The group has targeted industrial control systems (ICS) at a water utility in Ireland (the attack left people without water for two days), a water utility in Pennsylvania, and other water facilities in the United States. Federal agencies are urging organizations to assume they may be targeted and to proactively assess their OT environments for vulnerabilities before attackers exploit them. Indicators of Compromise (IOCs) Downloadable lists of IOCs have been made available in both XML and JSON formats: AA26-097A STIX XML AA26-097A STIX JSON The attacks are part of a wider pattern of escalating Iran-linked operations. On March 11, medical technology giant Stryker was targeted by the Handala group, which reportedly wiped more than 200,000 of the company’s devices. Late last month, the United States government officially linked the notorious Handala hacker group to the Iranian government. The announcement came amid the takedown of several websites used by Handala. Handala has been on the radar of cybersecurity firms for years, but it gained widespread attention in recent weeks after ramping up its activity following the start of the US-Israel-Iran conflict. In a separate incident, Handala hacked FBI Director Kash Patel’s personal email account, releasing photos and emails allegedly taken from the inbox, though authorities said no government information was exposed. In December 2025, the US government announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad. Recent analysis by cybersecurity firm Augur Security revealed a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to weather kinetic strikes and ensure the resilience of its global hacking operations. Related: Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare Related: Iran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting Tool Written By Mike Lennon For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world. More from Mike Lennon Senate Confirms Joshua Rudd to Lead NSA and US Cyber CommandUS Cyber Strategy Targets Adversaries, Critical Infrastructure, and Emerging TechnologiesZscaler Acquires Browser Security Firm SquareX CrowdStrike to Acquire Browser Security Firm Seraphic for $420 MillionTim Kosiba Named NSA Deputy DirectorCrowdStrike to Buy Identity Security Firm SGNL for $740 Million in CashPalo Alto Networks, Google Cloud Strike Multibillion-Dollar AI and Cloud Security DealMicrosoft Names New Operating CISOs in Strategic Move to Strengthen Cyberdefense Latest News Anthropic Unveils ‘Claude Mythos’ – A Cybersecurity Breakthrough That Could Also Supercharge AttacksThe New Rules of Engagement: Matching Agentic Attack SpeedTrent AI Emerges From Stealth With $13 Million in FundingCritical Flowise Vulnerability in Attacker CrosshairsSevere StrongBox Vulnerability Patched in AndroidGrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise DataWebinar Today: Why Automated Pentesting Alone Is Not EnoughGPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Entities