In a major joint advisory released on April 7, 2026, a coalition of U.S. federal agencies (including the FBI, CISA, NSA, EPA, DOE, and CNMF) issued an urgent warning regarding ongoing cyber exploitation targeting critical infrastructure. Iranian-affiliated advanced persistent threat (APT) actors are actively compromising internet-facing operational technology (OT) devices, specifically focusing on programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
The authoring agencies report that these attacks have already led to significant operational disruptions across multiple sectors, including Energy, Water and Wastewater Systems (WWS), and Government Facilities. Once the attackers have access to a controller, they can alter the project file and control logic that drive the physical process itself.
According to the advisory:
“This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss”.
By altering what operators see on HMI and SCADA displays, the actors can mask their changes to the controller logic, so that the process misbehaves while the screens still look normal; the advisory ties this directly to the “operational disruption and financial loss” it reports.
The primary vector for these attacks is the direct exposure of OT devices to the public internet. Threat actors are using leased, overseas-based infrastructure and legitimate configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer, to create unauthorized connections to victim PLCs.
Once a connection is established, the actors deploy additional tools to maintain access.
“The actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22”.
While the current focus is on Rockwell Automation devices like CompactLogix and Micro850, the agencies warn that the targeting of common ports like 502 (Modbus/TCP) and 102 (ISO-TSAP, used by Siemens S7comm) suggests the actors may also be eyeing other brands, such as Siemens S7 PLCs.
The agencies assess that this campaign is a deliberate effort to cause disruptive effects within the United States, likely escalating in response to ongoing geopolitical hostilities. This activity mirrors historical campaigns by the IRGC-affiliated group CyberAv3ngers, who previously compromised at least 75 U.S.-based devices.
The authoring agencies emphasize that “it is ultimately the responsibility of the device manufacturer to build products that are secure by design,” but they urge immediate defensive action from current operators.
Key defensive steps include:
- Disconnect PLCs: Remove all PLCs from the public-facing internet immediately.
- Use Secure Gateways: Ensure all remote access is mediated through a secure gateway or jump host.
- Physical Protection: For controllers with a physical switch, place the switch into the “Run” position to prevent unauthorized remote programming changes.
- Monitor Ports: Query logs for suspicious traffic on OT ports such as 44818 and 2222 (EtherNet/IP and CIP), 102 (ISO-TSAP/S7comm), and 502 (Modbus/TCP), especially from sources at overseas hosting providers, and look for unexpected SSH (port 22) listeners on OT endpoints, which the advisory links to the Dropbear deployment.
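The port-monitoring step above, together with the Dropbear SSH finding quoted earlier, is easy to turn into a first-pass log triage. The following is an added example, not code from the advisory or the authoring agencies: it parses a constructed firewall log (the line format, the RFC 1918 definition of "internal", and the list of OT host addresses are all assumptions for the example), flags accepted connections from external sources to the advisory's OT ports, tallies dropped probes per external source so that scanning infrastructure stands out, and flags accepted SSH connections to hosts that should never be running an SSH server. Geolocation of the source addresses is left out so the script runs offline; in practice the tally would be enriched with ASN/country data.

```python
import ipaddress
import re
from collections import Counter

# Ports from the advisory's monitoring guidance, with their standard services.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    502: "Modbus/TCP",
    102: "ISO-TSAP / Siemens S7comm",
}
SSH_PORT = 22  # Dropbear SSH backdoor described in the advisory

# Assumption: "internal" means RFC 1918 space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: addresses of PLCs / OT endpoints that must never expose SSH.
OT_HOSTS = {"192.168.10.21", "192.168.10.22", "192.168.10.23"}

# Assumed log format: "<timestamp> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log for the example; not real traffic.
SAMPLE_LOGS = """\
2026-04-01T03:12:44Z ACCEPT TCP 203.0.113.45:51234 -> 192.168.10.21:44818
2026-04-01T03:12:45Z ACCEPT TCP 192.168.10.5:49211 -> 192.168.10.21:44818
2026-04-01T03:13:02Z DROP TCP 198.51.100.7:40001 -> 192.168.10.22:502
2026-04-01T03:13:03Z DROP TCP 198.51.100.7:40002 -> 192.168.10.22:102
2026-04-01T03:13:04Z DROP TCP 198.51.100.7:40003 -> 192.168.10.23:502
2026-04-01T03:20:10Z ACCEPT TCP 203.0.113.45:51300 -> 192.168.10.21:22
2026-04-01T03:21:00Z ACCEPT TCP 192.168.10.5:49500 -> 192.168.10.50:443
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec, ot_hosts):
    """Map a parsed record to a finding kind, or None if it is not interesting."""
    external_src = not is_internal(rec["src"])
    if rec["dport"] in OT_PORTS and external_src:
        # An accepted session is a live exposure; a drop is still a probe worth counting.
        return "EXTERNAL_OT_ACCESS" if rec["action"] == "ACCEPT" else "EXTERNAL_OT_PROBE"
    if rec["dport"] == SSH_PORT and rec["dst"] in ot_hosts and rec["action"] == "ACCEPT":
        # PLCs do not normally run an SSH server; an accepted session suggests Dropbear.
        return "SSH_ON_OT_HOST"
    return None


def analyze(log_text, ot_hosts):
    """Return (findings, probe_counts): high-signal events and per-source probe tallies."""
    findings = []
    probes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, ot_hosts)
        if kind is None:
            continue
        if kind == "EXTERNAL_OT_PROBE":
            probes[rec["src"]] += 1
            continue
        findings.append({
            "ts": rec["ts"], "kind": kind, "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "service": OT_PORTS.get(rec["dport"], "SSH"),
        })
    return findings, probes


if __name__ == "__main__":
    found, probe_counts = analyze(SAMPLE_LOGS, OT_HOSTS)
    for f in found:
        print(f"{f['ts']} {f['kind']}: {f['src']} -> {f['dst']}:{f['dport']} ({f['service']})")
    for src, n in probe_counts.most_common():
        print(f"probe source {src}: {n} dropped attempts on OT ports")
```

On the sample above the script reports one accepted external session to EtherNet/IP on a PLC, one accepted SSH session to the same PLC, and a single external source that probed Modbus and S7comm ports three times; the internal engineering workstation talking to port 44818 is not flagged, which is the point of the internal/external split.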
As the threat remains ongoing, the agencies conclude that organizations should “urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)” provided in the full advisory to safeguard their systems against these persistent adversaries.