Iranian state-backed APT groups have been targeting Rockwell Automation/Allen-Bradley PLC devices since March 2026, causing operational disruptions and financial losses across US critical infrastructure networks.
Iranian-linked hackers have been systematically targeting thousands of US industrial control systems, with nearly 4,000 Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) exposed online and vulnerable to attack, according to a joint advisory from multiple U.S. federal agencies.

The Scale of the Threat

The attack surface is substantial. Cybersecurity firm Censys identified 5,219 internet-exposed hosts globally that respond to EtherNet/IP (EIP) and self-identify as Rockwell Automation/Allen-Bradley devices. Of these, 3,891 (74.6%) are located in the United States, with a disproportionate share found on cellular carrier autonomous system numbers (ASNs), indicating field-deployed devices connected via cellular modems.
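The "respond to EtherNet/IP and self-identify" fingerprint above comes from a single unauthenticated request: an EtherNet/IP ListIdentity command, which any device listening on port 44818 answers with its ODVA vendor ID, product name, revision and serial number. The block below is an added example, not code from the article, the advisory, Censys or Rockwell; it builds that request, parses a reply, and marks vendor ID 1 (Rockwell Automation/Allen-Bradley in the ODVA vendor list). The sample reply, the product name, serial number and IP in it are constructed for the example, and the `probe()` helper is included only so you can check PLCs you own.

```python
"""EtherNet/IP ListIdentity: the probe internet scanners use to fingerprint PLCs.

Added example, not code from the article or from Censys/Rockwell. The framing
follows the ODVA EtherNet/IP encapsulation layout (24-byte header, then a CIP
Identity item, type 0x000C). The sample reply below is constructed, not captured.
"""
import socket
import struct

ENIP_PORT = 44818             # EtherNet/IP explicit messaging, TCP and UDP
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C
VENDOR_ROCKWELL = 1           # ODVA vendor ID for Rockwell Automation/Allen-Bradley
HEADER_FMT = "<HHII8sI"       # command, length, session, status, context, options


def build_list_identity_request() -> bytes:
    """Header-only request (payload length 0); any EIP device answers it."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity(resp: bytes) -> dict:
    """Extract the identity fields a scanner reports from a ListIdentity reply."""
    if len(resp) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, resp)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    data = resp[24:24 + length]
    (item_count,) = struct.unpack_from("<H", data, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", data, off)
        body = data[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != ITEM_CIP_IDENTITY:
            continue
        # The embedded sockaddr is network (big-endian) order; CIP fields are little-endian.
        _family, port, addr = struct.unpack_from(">HH4s", body, 2)
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", body, 18)
        name = body[33:33 + name_len].decode("ascii", errors="replace")
        return {
            "ip": socket.inet_ntoa(addr),
            "port": port,
            "vendor_id": vendor,
            "is_rockwell": vendor == VENDOR_ROCKWELL,
            "device_type": dev_type,
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": f"{serial:08X}",
            "product_name": name,
            "state": body[33 + name_len],
        }
    raise ValueError("no CIP Identity item in reply")


def probe(host: str, timeout: float = 2.0) -> dict:
    """Send one ListIdentity over UDP to a device you own and parse its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        resp, _ = s.recvfrom(4096)
    return parse_list_identity(resp)


def constructed_reply() -> bytes:
    """A hand-built reply (constructed for this example; not a real capture)."""
    name = b"1756-L71/B LOGIX5571"                                   # constructed
    body = struct.pack("<H", 1)                                      # protocol version
    body += struct.pack(">HH4s8s", 2, ENIP_PORT,                     # AF_INET = 2
                        socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    body += struct.pack("<HHHBBHIB", VENDOR_ROCKWELL, 0x000E, 0x005B,  # 0x0E = PLC profile
                        20, 11, 0x0060, 0x00C0FFEE, len(name))
    body += name + b"\x03"                                           # state byte
    item = struct.pack("<HH", ITEM_CIP_IDENTITY, len(body)) + body
    data = struct.pack("<H", 1) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(data), 0, 0, b"\x00" * 8, 0) + data


if __name__ == "__main__":
    print(parse_list_identity(constructed_reply()))
```

Because the reply needs no session or credentials, every exposed controller hands this inventory to anyone who asks, which is exactly how the counts in the Censys figures are produced and how an attacker builds a target list.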
This widespread exposure creates an alarming attack surface for Iranian state-backed advanced persistent threat (APT) groups that have been targeting these industrial control systems since March 2026. The FBI has confirmed that these attacks have resulted in the extraction of device project files and data manipulation on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.
Why This Matters

Industrial control systems like PLCs are the backbone of critical infrastructure operations, controlling everything from manufacturing processes to water treatment facilities and power distribution. When these systems are compromised, the consequences extend beyond data theft to potential operational disruptions and physical damage.
The timing of this campaign is particularly concerning. According to the authoring agencies, "Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel." This suggests the attacks are part of a broader geopolitical conflict playing out in cyberspace.
Historical Context

This isn't the first time Iranian hackers have targeted US industrial systems. Between November 2023 and January 2024, a threat group affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and tracked as CyberAv3ngers compromised at least 75 Unitronics PLC devices across multiple waves of attacks on operational technology systems, with half of those located in Water and Wastewater Systems critical infrastructure networks throughout the United States.
More recently, the Handala hacktivist group—linked to Iran's Ministry of Intelligence and Security—wiped approximately 80,000 devices from the network of US medical giant Stryker, including employees' mobile devices and company-managed personal computers. These incidents demonstrate an escalating pattern of Iranian cyber operations against US targets.
Defensive Measures

To protect against these ongoing attacks, network defenders should implement several critical security measures:
- Network Segmentation: Secure PLCs using firewalls or disconnect them entirely from the Internet
- Log Monitoring: Scan logs for signs of malicious activity and suspicious traffic patterns
- Port Monitoring: Pay special attention to suspicious traffic on operational technology (OT) ports (for example, TCP/UDP 44818 for EtherNet/IP), particularly when originating from overseas hosting providers
- Access Control: Enforce multifactor authentication (MFA) for access to OT networks
- Patch Management: Keep all PLC devices up to date with the latest firmware and security patches
- Service Minimization: Disable unused services and authentication methods on industrial devices
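The log and port monitoring items above reduce to one rule worth automating: any connection that reaches a PLC port from a host that is not an approved engineering workstation is a finding, and a public source address makes it a high-severity one. The block below is an added example (not code from the article or the advisory) that runs that rule over constructed netfilter-style firewall log lines; the engineering subnet, the log format and the addresses are assumptions for the example, so adapt the regex and the allowlist to your own firewall export.

```python
"""Flag inbound connections to OT ports from hosts outside the engineering allowlist.

Added example, not code from the article or the advisory. The log lines are
constructed in an iptables/netfilter-style key=value format; the allowlist
subnet and all addresses are assumptions made for this example.
"""
import ipaddress
import re
from collections import Counter

OT_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O (UDP)",
    502: "Modbus/TCP",
}
# Assumed: only engineering workstations in this subnet may talk to PLCs.
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.1.9.0/24")]
# RFC 1918 ranges; anything else is treated as an external source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)"
    r"\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample log (TEST-NET addresses), not a real capture.
SAMPLE_LOG = """\
Apr 02 03:14:07 fw1 kernel: IN=wan0 OUT=ot0 SRC=203.0.113.45 DST=10.1.5.20 PROTO=TCP SPT=51515 DPT=44818
Apr 02 03:14:09 fw1 kernel: IN=wan0 OUT=ot0 SRC=203.0.113.45 DST=10.1.5.21 PROTO=TCP SPT=51516 DPT=44818
Apr 02 03:15:00 fw1 kernel: IN=eng0 OUT=ot0 SRC=10.1.9.14 DST=10.1.5.20 PROTO=TCP SPT=49200 DPT=44818
Apr 02 03:16:30 fw1 kernel: IN=corp0 OUT=ot0 SRC=10.3.0.7 DST=10.1.5.20 PROTO=UDP SPT=2222 DPT=2222
Apr 02 03:17:02 fw1 kernel: IN=wan0 OUT=dmz0 SRC=198.51.100.8 DST=10.0.2.4 PROTO=TCP SPT=41000 DPT=443
Apr 02 03:18:45 fw1 kernel: IN=wan0 OUT=ot0 SRC=198.51.100.77 DST=10.1.5.22 PROTO=TCP SPT=33001 DPT=502
"""


def is_allowlisted(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in ENGINEERING_ALLOWLIST)


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def find_ot_access(log_text: str) -> list:
    """One finding per line that reaches an OT port from a non-allowlisted source."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dpt = int(m["dpt"])
        if dpt not in OT_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if is_allowlisted(src):
            continue
        findings.append({
            "src": str(src),
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": dpt,
            "service": OT_PORTS[dpt],
            # An external address reaching a PLC port is the pattern the advisory warns about;
            # an unexpected internal host is still worth a ticket.
            "severity": "medium" if is_internal(src) else "high",
        })
    return findings


def summarize(findings: list) -> dict:
    """Hits per source address, so a host sweeping several PLCs stands out."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = find_ot_access(SAMPLE_LOG)
    for f in hits:
        print(f)
    print(summarize(hits))
```

Run against the sample, the two external sources and the stray corporate host are reported while the approved engineering workstation and the unrelated HTTPS connection are not; feeding the same rule your firewall's real export, with the allowlist populated from your asset inventory, turns the advisory's "scan logs" advice into a repeatable check.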
The Broader Implications

This campaign highlights a critical vulnerability in how industrial control systems are deployed and managed. The fact that thousands of these devices remain exposed to the internet years after similar attacks have demonstrated the risks suggests a systemic failure in industrial cybersecurity practices.
Many of these exposed devices appear to be field-deployed units using cellular connectivity—a common setup for remote industrial equipment. This presents unique challenges for security teams, as cellular-connected devices often bypass traditional network security controls and may be located in remote areas where physical security is difficult to maintain.
The targeting of Rockwell Automation devices specifically is significant because these PLCs are among the most widely deployed industrial control systems globally. Their ubiquity makes them an attractive target for nation-state actors seeking to maximize their impact.
Looking Forward

As geopolitical tensions continue to manifest in cyberspace, organizations operating industrial control systems must recognize that they are potential targets for state-sponsored cyberattacks. The combination of exposed devices, critical infrastructure targets, and escalating international conflicts creates a perfect storm for industrial cybersecurity incidents.
The solution requires a multi-faceted approach: technical controls to secure exposed devices, operational changes to reduce attack surfaces, and strategic planning to ensure business continuity in the face of potential disruptions. Organizations that fail to address these vulnerabilities may find themselves caught in the crossfire of international cyber conflicts.