Key Takeaways
- U.S. federal agencies (FBI, CISA, EPA, NSA, DOE, US Cyber Command) issued a joint advisory warning that Iranian‑affiliated APT actors are targeting internet‑exposed programmable logic controllers (PLCs) to disrupt critical infrastructure.
- The attacks, observed since March 2026, exploit weakly secured PLCs—particularly Rockwell Automation/Allen‑Bradley CompactLogix/Micro850 and Siemens S7 devices—by using leased IPs, third‑party tools, and Dropbear SSH to gain and maintain remote access.
- Primary sectors affected include Government Services & Facilities, Water & Wastewater Systems, and Energy; disruptions have caused financial losses and operational setbacks.
- Recommended mitigations: harden PLC exposure with firewalls/VPNs/gateways, monitor specific OT/IoT ports, enable physical/software key switching, disable unused remote protocols, keep firmware updated, and maintain segmented OT networks with continuous monitoring and tested incident‑response playbooks.
- Experts note that even limited OT intrusions can produce outsized impacts, lowering the barrier for future, more aggressive campaigns and underscoring the need for resilience as an ongoing capability rather than a reactive scramble.
Overview of the Joint Cybersecurity Advisory
In early 2026, a coalition of U.S. federal authorities—including the FBI, CISA, EPA, NSA, DOE, and the United States Cyber Command’s Cyber National Mission Force—released a joint cybersecurity advisory alerting critical‑infrastructure owners to a rising tide of Iranian‑affiliated cyber activity. The advisory details how threat actors linked to Iran are exploiting internet‑connected programmable logic controllers (PLCs) to manipulate control data, trigger operational disruptions, and inflict financial harm on U.S. critical‑infrastructure organizations. The agencies assess that the campaign likely originated amid heightened kinetic tensions between Iran, the United States, and Israel, framing the activity as a form of asymmetric warfare that bypasses traditional geographic limitations.
How Iranian Hackers Are Targeting PLCs
The advisory specifies that the attackers focus on PLCs that are exposed to the public internet without adequate security hardening. Frequently victimized models include Rockwell Automation/Allen‑Bradley’s CompactLogix and Micro850 series, as well as Siemens S7 PLCs. Threat actors employ leased IP addresses and third‑party infrastructure—such as the 5000 Logix Designer software—to establish seemingly legitimate connections for initial footholds. In many incidents, they also deploy Dropbear Secure Shell (SSH) to maintain persistent remote access, allowing them to interact maliciously with project files and alter data displayed on human‑machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) screens.
Sectors Most Affected by the Campaign
While the advisory does not provide an exhaustive breakdown of every compromised entity, it highlights that the most commonly targeted sectors are Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy. Intrusions in these domains have led to service interruptions, forced throttling of operations, and measurable financial losses for affected organizations. The ripple effects extend beyond the immediate victim: utilities, hospitals, suppliers, and logistics partners experience downstream impacts when a municipal water plant or power generator is degraded, illustrating how OT disruptions can cascade through critical‑infrastructure interdependencies.
Historical Context and Attribution Nuances
Iranian‑linked cyber activity against U.S. infrastructure is not new. In 2023, hacktivist groups such as CyberAv3ngers (also tracked as UNC5691) compromised Israeli‑made PLCs at a water treatment facility in Aliquippa, Pennsylvania. More recently, the advisory ties the current campaign to Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC), although it stops short of naming a specific hacking group. Earlier operations—such as the Handala group’s attack on medical‑device maker Stryker and the leak of FBI Director Kash Patel’s images—demonstrate a pattern of Iranian state‑affiliated actors leveraging cyber tools to achieve strategic objectives when conventional military reach is limited.
Expert Perspectives on the Broader Implications
Security leaders emphasize that the advisory’s findings reflect two enduring lessons from years of OT incidents. First, many operational‑technology environments still retain internet‑reachable interfaces and remote‑access pathways that were never intended to be permanent fixtures. Second, even limited disruptions in OT can generate outsized chaos, straining emergency response, incurring financial costs, and damaging reputations. As Filipek, CISO at Corsica Technologies, notes, each successful or partially successful campaign lowers the threshold for future adversaries, encouraging them to evolve from nuisance‑level defacement to genuine operational interference. Allied nations observing these tactics must anticipate similar playbooks being reused wherever vendors, integrators, and remote‑maintenance channels overlap.
Recommended Mitigations for Defenders
The joint advisory prescribes a concrete set of defensive actions aimed at reducing the attack surface and increasing resilience:
- Limit Direct Internet Exposure – Deploy firewalls, virtual private networks (VPNs), or secure gateways for any PLC that requires remote access; otherwise, keep PLCs off the public internet.
- Monitor Suspicious Traffic – Watch for anomalous connections on OT/IoT ports commonly abused in these attacks (44818, 2222, 102, 22, 502), especially when originating from international sources.
- Enforce Physical and Software Key Switching – Activate hardware‑based mode switches or software key features on PLCs that support them to prevent unauthorized remote modification of logic.
- Disable Unused Remote Protocols – Turn off services such as RDP, Telnet, FTP, and VNC that are not essential for operations.
- Block Commonly Abused Ports – Implement network‑level blocks on the ports listed above unless explicitly required.
- Maintain Up‑to‑Date Firmware – Apply patches and updates from PLC vendors promptly; consult Rockwell Automation/Allen‑Bradley’s 2021 and 2026 hardening guides and Siemens’ equivalent recommendations.
- Backup Configurations – Keep regular, verified backups of PLC programs and configurations to enable rapid restoration after an incident.
- Segment OT from IT Networks – Enforce strict network segmentation so that a compromise in the business network cannot laterally move into OT environments.
- Continuous Monitoring and Incident Response – Deploy tools capable of correlating IT and OT telemetry, conduct regular tabletop exercises, and maintain tested playbooks to ensure rapid, coordinated responses.
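One way to turn the "monitor suspicious traffic" and "block commonly abused ports" items above into a concrete check, as an added example that is not part of the advisory or this article: a small Python script that parses flow records, flags connections to the listed OT/IoT ports (44818, 2222, 102, 22, 502) from addresses outside an operator-defined internal range, and counts hits per external source so repeated probing from one address stands out. The flow-record format, the sample records, the internal address ranges, and the per-port service labels are assumptions for illustration; a real deployment would read firewall or NetFlow exports and use the site's own address plan.

```python
"""Flag inbound flows to OT/ICS ports that originate outside the internal network.

Added example (not from the advisory). Record format is a constructed,
space-separated flow line:
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
"""
import ipaddress
from dataclasses import dataclass

# Ports the advisory lists as commonly abused; service labels are the
# conventional assignments, added here for readability.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "Siemens S7comm / ISO-TSAP",
    22: "SSH (e.g. Dropbear remote access)",
    502: "Modbus/TCP",
}

# Operator-defined internal ranges (assumption: RFC 1918 plus loopback).
# Defined explicitly rather than via ipaddress.is_private so the site's own
# address plan, not the library's list, decides what counts as internal.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample flow records (not real telemetry; external addresses
# are RFC 5737 documentation ranges).
SAMPLE_FLOWS = """\
2026-03-12T02:14:07Z 203.0.113.45 51324 10.20.30.11 44818 tcp
2026-03-12T02:14:09Z 10.20.30.5 40112 10.20.30.11 44818 tcp
2026-03-12T02:15:31Z 198.51.100.9 60021 10.20.30.12 102 tcp
2026-03-12T02:16:02Z 192.168.1.77 52000 10.20.30.12 102 tcp
2026-03-12T02:17:44Z 203.0.113.45 51400 10.20.30.20 22 tcp
2026-03-12T02:18:10Z 198.51.100.9 60100 10.20.30.13 502 tcp
2026-03-12T02:19:00Z 203.0.113.45 51500 10.20.30.11 443 tcp
2026-03-12T02:19:30Z 172.16.4.4 3333 10.20.30.11 2222 tcp
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, _sport, dst, dport, _proto = fields
    try:
        ipaddress.ip_address(src)
        return ts, src, dst, int(dport)
    except ValueError:
        return None


def flag_external_ot_access(log_text: str) -> list:
    """Alert on every flow to an OT port whose source is not internal."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport in OT_PORTS and is_external(src):
            alerts.append(Alert(ts, src, dst, dport, OT_PORTS[dport]))
    return alerts


def summarize_by_source(alerts: list) -> dict:
    """Count flagged OT-port connections per external source address."""
    counts = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = flag_external_ot_access(SAMPLE_FLOWS)
    for a in found:
        print(f"{a.timestamp} {a.src_ip} -> {a.dst_ip}:{a.dst_port} ({a.service})")
    print("hits per external source:", summarize_by_source(found))
```

On the sample data the script flags four flows and attributes two each to the two external addresses, while internal traffic to the same ports and external traffic to a non-OT port (443) are ignored. The same per-source tally is what you would feed a firewall policy review: any external address that legitimately needs to reach these ports should be reachable only through the VPN or gateway the advisory recommends, so every flagged hit is either a policy gap or an intrusion attempt.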
Filipek underscores that these measures, while not glamorous, form the foundation of a resilient OT posture: knowing exactly which assets exist, eliminating unnecessary internet exposure, segmenting networks, and cultivating a culture of continuous monitoring and rehearsed response.
Conclusion: Building Resilience as an Ongoing Capability
The joint advisory serves as a stark reminder that critical‑infrastructure defenses must evolve alongside adversaries who exploit the convergence of IT and OT. Iranian‑linked actors have demonstrated the ability to leverage modest footholds—exposed PLCs, leaked credentials, or poorly secured remote tools—to cause disproportionate disruption. By adopting the mitigations outlined above and treating resilience as a permanent, organization‑wide discipline rather than a reactive afterthought, U.S. critical‑infrastructure owners can reduce the likelihood of successful intrusions, limit the impact of any breach, and preserve the essential services that underpin national security and public welfare.

