US warns of Iranian hackers targeting critical infrastructure PLCs
Iranian-linked hackers are attacking internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) across U.S. critical infrastructure sectors—including government services, water and wastewater systems, and energy—causing financial losses and operational disruptions since March 2026. A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command warns that these attacks involve extracting PLC project files and manipulating HMI/SCADA displays. The agencies recommend disconnecting PLCs from the internet or securing them with firewalls, monitoring logs for compromise indicators, implementing multi-factor authentication, updating firmware, disabling unused services, and checking for suspicious traffic on OT ports. Previous similar threats, such as the CyberAv3ngers group exploiting Unitronics devices in 2023-24, underscore the ongoing risk to critical infrastructure.

Federal authorities have issued a joint warning about a widening campaign targeting critical infrastructure networks in the United States. Iranian-linked actors are probing internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) across sectors that include government services and facilities, water and wastewater systems, and energy facilities. The alarm, issued by the FBI, CISA, NSA, the Environmental Protection Agency, the Department of Energy, and the Cyber National Mission Force, indicates that these operations have been active since March 2026 and have already produced financial losses and operational disruptions for affected organizations.
The advisory describes a pattern in which Iranian-affiliated APT (advanced persistent threat) groups access internet-facing PLCs with the aim of causing disruption. The attackers are said to interact with project files in ways that alter what is shown on HMIs (human-machine interfaces) and SCADA (supervisory control and data acquisition) displays. In essence, the goal appears to be not only data theft but real-world interference with how process information is presented to operators, raising the risk of faulty decision-making or unsafe control actions in critical facilities. The document underscores that this activity aligns with broader regional tensions and the possibility that these campaigns are a calculated response to hostilities involving Iran, the United States, and Israel.
Context from earlier years helps frame the current threat landscape. A November 2023 advisory warned about the CyberAv3ngers unit—a group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC)—exploiting vulnerabilities in U.S.-based Unitronics OT systems. Between late 2023 and early 2024, CyberAv3ngers compromised numerous Unitronics PLC devices across several waves, with a notable share affecting critical infrastructure networks within water-related sectors. This historical thread illustrates a persistent pattern of targeting OT environments that rely on widely deployed PLC platforms.
Recent publicized incidents add further dimension to the risk narrative. Reports from the last month describe a separate incident where the Handala hacktivist group, aligned with pro-Palestinian aims, wiped roughly 80,000 devices on the network of a major U.S. medical device company, extending beyond traditional IT boundaries to include employees’ mobile devices and corporate devices managed by the firm. The FBI has also highlighted ongoing malware operations attributed to Iranian-linked actors that have leveraged messaging platforms such as Telegram as part of their operational toolkit. Taken together, these developments emphasize a consistent focus on compromising operational technology and the endpoints that connect to industrial networks.
The current advisory consolidates these threads into a warning that the threat environment around OT and ICS (industrial control systems) remains active and dynamic. It points to the weaponization of internet-facing PLCs as a viable attack surface, capable of extracting project files and inducing data manipulation visible on control displays. In response, the agencies emphasize a need for vigilance in monitoring indicators of compromise and suspicious OT traffic, especially traffic that originates from overseas hosting providers, as part of understanding the scope and evolution of these campaigns. They also remind readers that past episodes, including the Unitronics compromises and the CyberAv3ngers activity, illustrate how quickly a foothold in OT networks can translate into broader operational risk.
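The advisory's recommendation to check for suspicious traffic on OT ports, and to watch for connections arriving from outside the organization, can be turned into a simple log review. The script below is an added example, not code from the advisory or from any of the agencies; it assumes a hypothetical key=value firewall log format, an assumed list of internal address ranges, and the well-known EtherNet/IP ports that Rockwell/Allen-Bradley PLCs listen on (TCP 44818 and UDP 2222, a protocol fact rather than something stated in the article).

```python
import ipaddress
import re

# EtherNet/IP (CIP) ports used by Rockwell/Allen-Bradley PLCs:
# TCP/44818 for explicit messaging, UDP/2222 for implicit I/O.
# Known protocol facts, not taken from the advisory summarised above.
OT_PORTS = {44818, 2222}

# Assumed internal ranges for this site; a real deployment substitutes its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (hypothetical key=value format).
# RFC 5737 documentation addresses stand in for outside hosts.
SAMPLE_LOGS = """\
ts=2026-04-01T08:00:01Z action=allow proto=tcp src=10.20.0.15 dst=10.20.5.7 dport=44818
ts=2026-04-01T08:00:05Z action=allow proto=tcp src=203.0.113.42 dst=10.20.5.7 dport=44818
ts=2026-04-01T08:00:09Z action=allow proto=udp src=198.51.100.9 dst=10.20.5.7 dport=2222
ts=2026-04-01T08:00:12Z action=allow proto=tcp src=10.20.0.15 dst=10.20.5.7 dport=443
ts=2026-04-01T08:00:15Z action=deny proto=tcp src=203.0.113.42 dst=10.20.5.7 dport=44818
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    return dict(LINE_RE.findall(line))

def is_external(ip_str):
    """True when the source is not inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def find_exposed_plc_access(log_text):
    """Return allowed connections from external sources to OT ports as
    (timestamp, src, dst, port) tuples. Denied traffic is ignored because
    the firewall already blocked it; only accepted exposure is reported."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec.get("action") != "allow":
            continue
        port = int(rec["dport"])
        if port in OT_PORTS and is_external(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], port))
    return hits

if __name__ == "__main__":
    for hit in find_exposed_plc_access(SAMPLE_LOGS):
        print("ALERT external source reached PLC port:", hit)
```

Any hit means a PLC port was reachable from outside the internal ranges, which is exactly the exposure the agencies advise removing by disconnecting the controller from the internet or placing it behind a firewall.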
The convergence of state-aligned threat activity and destructive hacktivism in the OT sphere signals a shifting risk calculus for operators overseeing critical infrastructure. The intertwining of espionage-style campaigns with disruptive capabilities—and the use of widely deployed PLC platforms—means that even routine maintenance or routine network exposure can become a focal point for adversaries. As investigators continue to piece together the technical details of these intrusions, the broader takeaway is clear: the security of internet-connected PLCs and OT environments remains a high-priority concern for federal partners and for the organizations that run essential services. The warning issued on April 7, 2026, serves as a sober reminder that the line between cyber operations and real-world impact on public infrastructure continues to blur, reinforcing the need for ongoing situational awareness within the evolving landscape of industrial cybersecurity.