Iranian Hackers Target US Critical Infrastructure with PLC Attacks

Security Reporter

US agencies warn of Iranian-linked APT groups targeting Rockwell/Allen-Bradley PLCs across multiple critical infrastructure sectors, causing operational disruptions and financial losses since March 2026.

The FBI, CISA, NSA, EPA, DOE, and US Cyber Command have issued a joint advisory warning that Iranian-affiliated advanced persistent threat (APT) actors are actively targeting internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on US critical infrastructure networks.

These attacks, which began in March 2026, have targeted organizations across multiple critical infrastructure sectors including Government Services and Facilities, Water and Wastewater Systems, and Energy. The agencies report that these operations have resulted in both financial losses and operational disruptions.

Escalating Threat from Iranian APT Groups

The advisory specifically identifies that "a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations."

According to the FBI's assessment, this campaign represents an escalation of Iranian-affiliated targeting efforts against US organizations, "likely in response to hostilities between Iran, and the United States and Israel."

The attacks have successfully extracted device project files and manipulated data on Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays, potentially allowing attackers to alter what operators see and control.

Connection to Previous CyberAv3ngers Campaign

This latest advisory follows a similar warning issued in November 2023 regarding the CyberAv3ngers threat group, which is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). That campaign specifically targeted Unitronics operational technology systems.

Between November 2023 and January 2024, CyberAv3ngers compromised at least 75 Unitronics PLC devices across multiple attack waves. Notably, half of these compromised devices were located within Water and Wastewater Systems critical infrastructure networks, demonstrating the group's focus on essential services.

Technical Details of the Current Campaign

The current attacks focus on Rockwell/Allen-Bradley PLCs, which are widely used in industrial control systems across critical infrastructure. These devices control and monitor industrial processes, making them attractive targets for threat actors seeking to cause disruption.

Attackers are exploiting the fact that many of these PLCs are directly exposed to the internet without adequate security controls. Once accessed, they can:

  • Extract the device's project file, potentially revealing system architecture and control logic
  • Manipulate data displayed on HMI and SCADA systems
  • Interact with project files to alter system behavior
  • Cause operational disruptions that could impact service delivery

To defend against these attacks, the joint advisory recommends several critical security measures:

Network Segmentation and Access Control:

  • Disconnect PLCs from the internet where possible
  • If internet connectivity is required, secure PLCs behind properly configured firewalls
  • Implement multifactor authentication (MFA) for access to operational technology networks
  • Disable all unused services and authentication methods, including default authentication keys

Monitoring and Detection:

  • Scan logs for indicators of compromise shared in the advisory
  • Monitor network traffic for suspicious activity, particularly traffic originating from overseas hosting providers
  • Pay special attention to operational technology ports that may be targeted
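The monitoring recommendations above can be turned into a simple exposure check: scan firewall logs for connections to ICS service ports from sources outside the networks that are supposed to reach the PLCs, and cross-reference the sources against the advisory's indicators. The script below is an added illustration written for this article, not code from the advisory or from any of the agencies that issued it. The key=value log format, the allowed engineering/HMI networks, the IoC address and the log lines are all constructed for the example; the port table lists EtherNet/IP (44818/tcp, 2222/udp) and Modbus/TCP (502/tcp) as commonly used ICS ports, and should be replaced with the ports of the devices in your own inventory.

```python
"""Flag connections to PLC/ICS service ports from non-allowlisted sources.

Added example for this article; not the advisory's own tooling.
The log format, allowed networks, IoC list and port table are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports commonly used by Rockwell/Allen-Bradley and other ICS devices.
# Adjust to match the devices actually deployed (assumption for the example).
OT_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "EtherNet/IP implicit (I/O) messaging",
    ("tcp", 502): "Modbus/TCP",
}

# Networks that are allowed to talk to PLCs, e.g. engineering workstations
# and the HMI/SCADA VLAN (constructed ranges).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.5.0/24"),
]

# Placeholder for the indicators published in the advisory; populate it from
# the advisory itself. 203.0.113.77 is a documentation (TEST-NET) address.
IOC_ADDRESSES = {"203.0.113.77"}

# Constructed firewall log lines in a simple key=value format (assumption).
SAMPLE_LOGS = """\
ts=2026-03-14T02:11:05Z action=allow proto=tcp src=10.20.4.12 sport=51233 dst=10.50.1.10 dport=44818
ts=2026-03-14T02:13:40Z action=allow proto=tcp src=203.0.113.77 sport=40011 dst=10.50.1.10 dport=44818
ts=2026-03-14T02:14:02Z action=allow proto=udp src=198.51.100.9 sport=2222 dst=10.50.1.11 dport=2222
ts=2026-03-14T02:15:30Z action=allow proto=tcp src=198.51.100.9 sport=41000 dst=10.50.1.20 dport=443
ts=2026-03-14T02:16:11Z action=deny proto=tcp src=192.0.2.5 sport=33333 dst=10.50.1.10 dport=502
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    action: str      # "allow" means the PLC port was actually reachable
    src: str
    dst: str
    proto: str
    dport: int
    service: str
    known_ioc: bool  # source matches an indicator from the advisory


def parse_line(line):
    """Split one key=value log line into a dict (empty dict for blank lines)."""
    return dict(FIELD_RE.findall(line))


def is_allowed_source(addr):
    """True if the source address belongs to a network permitted to reach PLCs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def find_ot_exposure(log_text):
    """Return an Alert for every connection attempt to an ICS port that did
    not originate from an allowlisted network, allowed or denied alike."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        key = (fields["proto"], int(fields["dport"]))
        if key not in OT_PORTS or is_allowed_source(fields["src"]):
            continue
        alerts.append(Alert(
            ts=fields["ts"],
            action=fields["action"],
            src=fields["src"],
            dst=fields["dst"],
            proto=fields["proto"],
            dport=key[1],
            service=OT_PORTS[key],
            known_ioc=fields["src"] in IOC_ADDRESSES,
        ))
    return alerts


def exposed_devices(alerts):
    """Map each PLC address to the ICS services that outside sources actually
    reached (action=allow); these are the devices to move behind the firewall."""
    exposed = {}
    for a in alerts:
        if a.action == "allow":
            exposed.setdefault(a.dst, set()).add(a.service)
    return exposed


if __name__ == "__main__":
    found = find_ot_exposure(SAMPLE_LOGS)
    for a in found:
        tag = " [advisory IoC]" if a.known_ioc else ""
        print(f"{a.ts} {a.action:5} {a.src} -> {a.dst}:{a.dport}/{a.proto} ({a.service}){tag}")
    print("Internet-reachable PLC services:", exposed_devices(found))
```

Running it over the constructed lines reports three outside connection attempts, two of which were allowed through to PLC ports; one of them comes from the placeholder indicator address. Denied attempts are kept in the output deliberately, since repeated blocked probes against OT ports are themselves worth a ticket even when the firewall held.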

System Hardening:

  • Keep PLCs updated with the latest available firmware
  • Regularly review and update security configurations
  • Implement network segmentation to isolate critical systems

Broader Context of Iranian Cyber Operations

This PLC targeting campaign is part of a broader pattern of Iranian cyber operations against US interests. In March 2026, the Iranian-linked Handala hacktivist group wiped approximately 80,000 devices on the network of US medical giant Stryker, including employees' mobile devices and personal computers.

The FBI has also warned that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks, demonstrating the diverse tactics employed by Iranian cyber actors.

These operations appear to be part of Iran's strategy to respond to geopolitical tensions with the United States and Israel through cyber means, targeting critical infrastructure as a way to cause disruption and potentially gain leverage in broader conflicts.

Critical Infrastructure at Risk

The targeting of PLCs in critical infrastructure sectors poses significant risks to national security and public safety. Water and wastewater systems, energy infrastructure, and government facilities all rely on these control systems for daily operations.

Successful compromise of these systems could lead to:

  • Disruption of water treatment and distribution
  • Interference with power generation and distribution
  • Manipulation of industrial processes in government facilities
  • Potential safety hazards if control systems are altered maliciously

Industry Response and Mitigation

Organizations operating in critical infrastructure sectors should immediately assess their exposure to these threats. This includes:

  1. Inventory Assessment: Identifying all internet-exposed PLCs and other operational technology devices
  2. Risk Evaluation: Determining which systems, if compromised, would have the most significant impact
  3. Security Implementation: Applying the recommended defensive measures based on risk levels
  4. Continuous Monitoring: Establishing ongoing surveillance for suspicious activity

Security teams should also coordinate with equipment vendors to ensure they have the latest security guidance and firmware updates for their specific PLC models.

Looking Forward

The targeting of operational technology by Iranian APT groups represents a significant evolution in cyber threats against critical infrastructure. Unlike traditional IT systems, OT environments often have different security requirements, longer patch cycles, and operational constraints that make security implementation more challenging.

As tensions between Iran and Western nations continue, organizations in critical infrastructure sectors should expect persistent targeting from Iranian-affiliated groups. The combination of geopolitical motivations and the potential for causing real-world disruption makes these systems attractive targets for state-sponsored threat actors.

Organizations must adopt a defense-in-depth approach that combines network segmentation, strong access controls, continuous monitoring, and regular security assessments to protect their operational technology environments from these evolving threats.

The joint advisory from US agencies serves as a critical warning that should prompt immediate action from organizations responsible for critical infrastructure protection. The time to implement these security measures is now, before attackers can exploit vulnerabilities and cause potentially catastrophic disruptions to essential services.