Iranian Hackers Eye US Critical Infrastructure PLCs

Cyber Threat Intelligence is flagging a concerning trend: Iranian-linked threat actors are actively targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) within U.S. critical infrastructure. A joint advisory from the FBI, CISA, NSA, EPA, DOE, and Cyber Command confirms these ongoing attacks have hit sectors like government services, water/wastewater, and energy since March 2026, causing both financial damage and operational disruptions.

The advisory highlights that these APT actors are specifically focused on causing disruptions by maliciously interacting with project files and manipulating data on HMI (Human-Machine Interface) and SCADA (Supervisory Control and Data Acquisition) displays. This escalation appears to be a direct response to recent geopolitical tensions involving Iran, the U.S., and Israel. The FBI has confirmed instances where these attacks led to the extraction of device project files and subsequent data manipulation, underscoring the sophisticated nature of the threats.

This isn’t entirely new territory, as a similar advisory in November 2023 pointed to the CyberAv3ngers group, reportedly linked to Iran’s IRGC, exploiting vulnerabilities in U.S. Unitronics OT systems. The pattern suggests a persistent and evolving campaign against operational technology that underpins essential services.

What This Means For You

  • Security teams overseeing critical infrastructure must immediately audit their internet-facing Rockwell/Allen-Bradley PLCs and associated HMI/SCADA systems for unauthorized access or configuration changes, prioritizing the isolation or patching of any exposed devices.
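To make that audit concrete, here is an added example (written for this page, not code from the advisory or its authors) of a defender-side triage script: it takes an asset inventory and a baseline of known-good controller project hashes, then ranks Rockwell/Allen-Bradley PLCs by urgency, with internet-reachable CIP/EtherNet/IP controllers whose project has also drifted first. The inventory rows, zone labels, and hashes are constructed sample data; the 44818/2222 port numbers are the standard EtherNet/IP ports.

```python
# Added example, not part of the original post or the joint advisory:
# a small audit helper that prioritizes the findings the advisory calls
# for. Inventory rows, zone labels and project hashes are constructed.
from dataclasses import dataclass
import hashlib

# EtherNet/IP (CIP) ports used by Logix-family controllers: TCP 44818 carries
# explicit messaging (including project upload/download), UDP 2222 carries
# implicit I/O. TCP 44818 reachable from an untrusted zone is the exposure
# the advisory warns about.
ENIP_TCP_PORT = 44818
ENIP_IO_UDP_PORT = 2222

# Assumption: these zone labels come from the organization's asset inventory.
UNTRUSTED_ZONES = {"internet", "corporate-it"}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str
    vendor: str
    open_tcp_ports: frozenset
    project_sha256: str  # hash of the project export pulled from the controller


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" project exports, hashed when the baseline was taken.
BASELINE = {
    "plc-water-01": sha256_hex(b"WaterPumpStation.ACD v12 (constructed baseline)"),
    "plc-energy-07": sha256_hex(b"SubstationFeeder.ACD v3 (constructed baseline)"),
    "plc-gov-02": sha256_hex(b"BuildingAutomation.ACD v5 (constructed baseline)"),
}

# Constructed inventory: one clean exposed PLC, one exposed and tampered PLC,
# one internal PLC with an undocumented change, and a non-Rockwell HMI host.
INVENTORY = [
    Asset("plc-water-01", "203.0.113.10", "internet", "Rockwell/Allen-Bradley",
          frozenset({ENIP_TCP_PORT, 80}),
          sha256_hex(b"WaterPumpStation.ACD v12 (constructed baseline)")),
    Asset("plc-energy-07", "203.0.113.22", "internet", "Rockwell/Allen-Bradley",
          frozenset({ENIP_TCP_PORT}),
          sha256_hex(b"SubstationFeeder.ACD TAMPERED")),
    Asset("plc-gov-02", "10.20.30.40", "ot-cell-3", "Rockwell/Allen-Bradley",
          frozenset({ENIP_TCP_PORT}),
          sha256_hex(b"BuildingAutomation.ACD v6 (changed)")),
    Asset("hmi-water-01", "10.20.30.41", "ot-cell-1", "Other",
          frozenset({3389}), ""),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def is_rockwell(asset: Asset) -> bool:
    vendor = asset.vendor.lower()
    return "rockwell" in vendor or "allen-bradley" in vendor


def is_exposed(asset: Asset) -> bool:
    """CIP/EtherNet/IP reachable from a zone that should never talk to a PLC."""
    return asset.zone in UNTRUSTED_ZONES and ENIP_TCP_PORT in asset.open_tcp_ports


def has_config_drift(asset: Asset, baseline: dict) -> bool:
    """True when the running project no longer matches the trusted baseline."""
    expected = baseline.get(asset.name)
    return expected is not None and expected != asset.project_sha256


def audit(inventory, baseline=BASELINE):
    """Return (asset name, severity, recommended action) tuples, most urgent first."""
    findings = []
    for asset in inventory:
        if not is_rockwell(asset):
            continue
        exposed, drift = is_exposed(asset), has_config_drift(asset, baseline)
        if exposed and drift:
            findings.append((asset.name, "critical",
                             "CIP reachable from untrusted zone AND project differs from "
                             "baseline: isolate now, treat as compromised, preserve logs"))
        elif exposed:
            findings.append((asset.name, "high",
                             "CIP (TCP 44818) reachable from untrusted zone: move behind "
                             "OT firewall/VPN, patch, change default credentials"))
        elif drift:
            findings.append((asset.name, "medium",
                             "project differs from baseline: verify change record, "
                             "review controller and HMI logs"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[1]])  # stable sort keeps inventory order within a tier
    return findings


if __name__ == "__main__":
    for name, severity, action in audit(INVENTORY):
        print(f"[{severity.upper():8}] {name}: {action}")
```

In practice the `project_sha256` column would be filled by hashing a fresh project export from each controller on a schedule and the `zone` column by the network inventory; the value of the script is that it turns the advisory's "audit and prioritize" guidance into a repeatable, sortable list rather than a one-off manual check.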