Control panel of power plant showing cyber attacks on critical infrastructure

U.S. Federal Agencies Warn of Iranian-Linked Cyber Attacks on Critical Infrastructure Amid Ongoing Conflict

U.S. federal authorities have issued a joint cybersecurity advisory about Iranian-affiliated cyber attacks targeting critical infrastructure by exploiting operational technology (OT).

The attacks have disrupted operations across the country by manipulating control data, resulting in financial losses for some critical infrastructure organizations.

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations,” the agencies stated.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), the National Security Agency (NSA), the Department of Energy (DOE), and the United States Cyber Command – Cyber National Mission Force jointly issued the cybersecurity alert.

According to the authoring agencies, the cyber attacks started in March 2026 and likely stemmed from the ongoing kinetic conflict between Iran and the United States and the state of Israel.

Iranian hackers target U.S. critical infrastructure via popular PLCs

The U.S. authorities say they have observed Iranian hackers targeting critical infrastructure to disrupt operations by exploiting programmable logic controllers (PLCs). They urged network defenders to study the Iranian hackers’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) and apply the recommended mitigations.

According to the authoring agencies, the Iranian cyber attacks exploit PLCs exposed to the internet without security hardening. Devices frequently targeted include Rockwell Automation/Allen-Bradley-manufactured PLCs, such as CompactLogix and Micro850, and Siemens S7 PLCs.

The alert also stated that attackers use leased IP addresses and third-party infrastructure, like 5000 Logix Designer software, to create trusted connections for initial access. In some cases, they also dropped Dropbear Secure Shell (SSH) software to maintain remote access.

The cyber attacks commonly targeted Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy Sectors. While the authoring agencies did not explain the scope of the cyber attacks, some have resulted in disruptions and financial losses.

U.S. critical infrastructure targeted in Iranian asymmetric warfare

Iranian-linked hackers have previously targeted U.S. critical infrastructure, in what some cybersecurity experts believe is asymmetric warfare. While Iranian missiles cannot reach the U.S. mainland, as far as is known currently, cyber attacks can cross border lines.

“The fallout is not contained by borders,” said Ross Filipek, CISO at Corsica Technologies. “If a municipal utility goes down, suppliers, hospitals, and regional partners feel it. If an energy operator has to throttle operations, downstream manufacturing and logistics take a hit.”

“Globally, allied partners watching these campaigns have to assume the same playbook will be reused similarly abroad, especially where vendors, integrators, and remote maintenance channels overlap,” added Filipek.

In 2023, Iranian-affiliated hacktivists CyberAv3ngers or UNC5691 targeted a water treatment facility in Aliquippa, Pennsylvania, by compromising Israeli-made programmable logic controllers.

U.S. critical infrastructure organizations have also sustained frequent cyber attacks from other adversaries besides Iran. A previous cybersecurity advisory warned that Chinese state-linked hackers Volt Typhoon are pre-positioning themselves within U.S. critical infrastructure to disrupt operations during a geopolitical conflict.

While pro-Iranian hacktivists have targeted U.S. critical infrastructure in the past, the current hacking campaign is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC). However, the advisory did not specify which Iranian hacking group was responsible.

Previously, Handala, an Iranian government-linked threat group, was responsible for the cyber attack on U.S. medical equipment manufacturer Stryker and the leaking of FBI director Kash Patel’s pictures.

“The developments outlined in the advisory didn’t happen in a vacuum,” added Filipek. “Years of high-profile infrastructure incidents have shown the world two things. First, that many operational technology environments still have internet-reachable interfaces and remote access paths that were never meant to be permanent. Second, that even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage. Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance level defacement into real operational interference.”

Protecting U.S. critical infrastructure from Iranian-linked cyber attacks

The authoring agencies recommended various mitigations, including protecting internet-exposed PLCs by firewalls, VPNs, or secure gateways for devices that require remote access. Additionally, network defenders should monitor suspicious internet traffic on IoT ports 44818, 2222, 102, 22, or 502, especially from international sources. They should also enable physical mode and software key switching on PLCs with these features to prevent remote modification.

Other recommendations include storing configuration backups, turning off unused protocols such as RDP, Telnet, FTP, and VNC, blocking common ports, and keeping devices updated.

Rockwell Automation/Allen-Bradley PLC operators should also review the manufacturer’s 2021 and 2026 guidelines for securing their devices. Similarly, operators should contact PLC manufacturers and the authoring agencies if they experience cyber attacks.

“The most important mitigation steps aren’t glamorous, but they’re essential,” continued Filipek. “Agencies need to know exactly which OT assets they control, remove direct internet exposure, and segment OT from business networks so one compromise doesn’t trigger a ripple effect. From there, invest in continuous monitoring that understands both IT and OT signals, and pair it with incident response muscle memory through tested playbooks and tabletop exercises. The organizations that fare best are the ones that treat resilience as an always-on capability, not a scramble after an alert.”