Iranian-linked hackers compromise programmable logic controllers across US critical infrastructure sectors
Six US government agencies warned of an ongoing campaign targeting industrial automation devices in water, energy, and government facilities since March 2026.
- Six US government agencies (FBI, CISA, NSA, EPA, DoE, US Cyber Command) issued an urgent warning on April 8, 2026 about Iranian-affiliated hackers targeting programmable logic controllers (PLCs) at US critical infrastructure sites.
- The campaign has affected multiple sectors including water treatment, energy, and government facilities since at least March 2026, with confirmed operational disruptions and financial losses.
- Attackers are using legitimate Rockwell Automation engineering software to access internet-exposed devices without zero-day exploits, targeting CompactLogix and Micro850 controllers.
- A Censys scan identified 5,219 Rockwell-made PLCs exposed to the internet, with 75% located in the US.
- The attacks follow a pattern of Iranian cyber operations against US infrastructure, including the 2023 CyberAv3ngers campaign and the March 2026 Stryker medical device breach attributed to the Handala group.
Six US government agencies jointly warned of a coordinated campaign targeting programmable logic controllers at critical US infrastructure on April 8, 2026. The FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command identified an Iranian-affiliated advanced persistent threat group conducting disruptions since at least March 2026 across water systems, energy facilities, and government operations.
The attackers are using legitimate Rockwell Automation software, specifically Studio 5000 Logix Designer, to directly access and manipulate industrial devices deployed in factories, refineries, water treatment centers, and remote facilities. Because the tool is the vendor's own engineering software, this approach needs no zero-day exploit, making the campaign relatively straightforward to execute but difficult to detect through conventional security monitoring. Targeted device families include CompactLogix and Micro850 controllers.
A Censys internet scan found 5,219 Rockwell-manufactured PLCs exposed directly to the internet, with roughly 75 percent located within the United States. The attackers are connecting through a single Windows engineering workstation running the Rockwell tool chain, communicating over a non-standard TCP port using a self-signed certificate. The workstation also exposes standard Windows networking protocols including DCERPC, MSMQ, and NetBIOS, suggesting a staging infrastructure rather than a sophisticated or ephemeral operation.
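A defensive exposure check in the spirit of the advisory's guidance on securing exposed devices, as an added example that is not from the advisory, the agencies or Rockwell: triage perimeter flow records for EtherNet/IP sessions that reach known PLCs from outside the plant's own address ranges, since that is the path an engineering tool such as Studio 5000 uses to go online with a controller. The EtherNet/IP port numbers are standard protocol facts; the record format, addresses, internal ranges and asset list are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
# EtherNet/IP (CIP) service ports on Rockwell Logix-family controllers (standard protocol
# facts): TCP 44818 explicit messaging (what an engineering tool uses), UDP 2222 I/O.
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}
# Assumption: the plant's own address plan; anything outside these ranges is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

def is_external(ip: str) -> bool:
    """True when ip lies outside every internal range, i.e. is an internet-side source."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow_line(line: str) -> Flow:
    src, dst, port, proto = line.split()  # constructed format: "<src> <dst> <dport> <proto>"
    return Flow(src, dst, int(port), proto.lower())

def exposed_plc_sessions(flows, plc_assets) -> dict:
    """Map each known PLC to the external sources that reached it over EtherNet/IP.
    Any entry means an outside host could talk to the controller exactly as an
    engineering workstation does, which is the exposure the advisory describes."""
    plc_set, report = set(plc_assets), defaultdict(set)
    for f in flows:
        if f.dst_ip in plc_set and (f.proto, f.dst_port) in ENIP_PORTS and is_external(f.src_ip):
            report[f.dst_ip].add(f.src_ip)
    return dict(report)

# Constructed sample: one internal engineering session, two external EtherNet/IP
# sessions to the same PLC, and an external HTTPS session that is not an ENIP exposure.
SAMPLE_FLOWS = """\
10.20.0.5 10.20.1.10 44818 tcp
203.0.113.7 10.20.1.10 44818 tcp
203.0.113.7 10.20.1.10 2222 udp
198.51.100.9 10.20.1.11 443 tcp
"""
PLC_ASSETS = ["10.20.1.10", "10.20.1.11"]  # constructed asset inventory

def run_sample() -> dict:
    flows = [parse_flow_line(line) for line in SAMPLE_FLOWS.splitlines()]
    return exposed_plc_sessions(flows, PLC_ASSETS)  # -> {"10.20.1.10": {"203.0.113.7"}}
```

Any PLC that appears in the result is reachable from the internet on the same port the engineering tool uses and should be moved behind a firewall or VPN, as the advisory's guidance directs.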
The campaign represents an escalation in Iranian cyber activity against US industrial targets. A similar group known as CyberAv3ngers conducted PLC attacks in 2023, and the Handala group, associated with Iranian interests, claimed responsibility for a March 2026 intrusion at medical device maker Stryker that disrupted operations for several days. Pro-Iran proxy groups have also been observed conducting distributed denial-of-service attacks against consumer platforms and Australian government systems.
Victims have reported operational disruption and financial losses, though the advisory did not provide quantified impact assessments or identify specific compromised organizations. The advisory included technical indicators including IP addresses and guidance for securing exposed devices.