Iranian-Linked Hackers Target U.S. Critical Infrastructure PLCs, CISA Warns

By Ash K

Iranian-affiliated cyber actors are actively targeting internet-exposed programmable logic controllers across U.S. critical infrastructure, according to a new joint advisory from CISA, the FBI, NSA, EPA, DOE, and U.S. Cyber Command. The campaign is notable not only because it reaches deep into operational technology environments, but because the intent appears openly disruptive. Officials say the activity has already led to PLC disruptions in multiple sectors, with attackers manipulating project files and altering data displayed on HMI and SCADA systems.

This is not the kind of intrusion defenders can dismiss as routine scanning. In several cases, the agencies say victim organizations experienced operational disruption and financial loss. That matters because PLCs sit close to physical processes. When someone tampers with the logic, the display data, or the remote control path into those systems, the impact can move quickly from cyber incident to real-world operational problem.

What Happened

The advisory says Iranian-affiliated APT actors exploited internet-facing OT devices, including Rockwell Automation and Allen-Bradley PLCs, across multiple U.S. critical infrastructure sectors. The affected sectors include government services and facilities, water and wastewater systems, and energy. The agencies assess that the threat actors used leased third-party infrastructure and industrial configuration software to establish accepted connections to victim PLCs.

Among the specific device families called out were CompactLogix and Micro850 PLCs. The actors are said to have accessed exposed controllers, extracted project files, and manipulated data presented on HMI and SCADA displays. That combination is especially dangerous in OT because it can interfere with both control logic and operator visibility at the same time.

Why This Advisory Matters

This campaign lands at a time when geopolitical tensions are already elevating concern over retaliatory cyber activity. The agencies say Iranian targeting of U.S. organizations has escalated recently, and that the current PLC-focused activity is likely intended to cause disruptive effects inside the United States.

There is also a wider lesson here for defenders. These incidents were not described as exotic zero-click attacks against hardened, isolated control systems. The bigger story is older and more uncomfortable: internet exposure, weak remote access design, insufficient hardening, and insecure OT connectivity are still creating openings into environments that were never meant to be reachable this way.

That is why the advisory should be read as more than a vendor-specific warning. Even though Rockwell Automation and Allen-Bradley products are central to the report, the agencies explicitly warn that other branded OT devices may also be at risk. The observed targeting of ports used by protocols outside the Rockwell stack, such as 102 (ISO-TSAP, used by Siemens S7comm) and 502 (Modbus/TCP), suggests the actors are looking beyond a single vendor.

How the Intrusions Worked

According to the advisory, the attackers used overseas-based IP addresses to reach internet-facing PLCs. They leveraged industrial programming software, including Rockwell Automation's Studio 5000 Logix Designer, to create accepted connections with victim devices. This detail is important because it suggests the adversary was not merely probing the edge. They were interacting with equipment in a way that mimicked legitimate engineering workflows.

Once inside that access path, the actors allegedly extracted project files and manipulated the values or information shown on HMI and SCADA displays. In OT environments, false or altered display information can be just as dangerous as direct logic tampering because operators may make decisions based on what they believe the process is doing in real time.

The advisory also says the actors deployed Dropbear SSH on victim endpoints to support remote access over port 22. That gives defenders another clue about persistence and post-access tradecraft. The use of common OT and administrative ports means a lot of this traffic can blend into poorly monitored industrial networks unless there is strong segmentation and asset-aware inspection in place.

The Bigger Iranian OT Playbook

This activity did not emerge in a vacuum. U.S. agencies tie it to a broader lineage of Iranian disruptive operations against industrial environments. The advisory explicitly references the earlier CyberAv3ngers activity, linked to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command. That 2023 campaign targeted Unitronics PLCs and HMIs and compromised at least 75 devices across critical infrastructure.

That earlier wave was a warning shot. The current campaign shows a familiar strategic pattern: find internet-exposed control devices, leverage weak remote access conditions, and create outsized psychological and operational impact without needing to breach every layer of enterprise infrastructure first. It is a reminder that for many threat actors, direct access to poorly protected OT assets can be faster, cheaper, and more disruptive than a traditional long-dwell intrusion.

Sectors at Risk

The joint advisory names government services and facilities, water and wastewater systems, and the energy sector as observed target areas. Those sectors matter because even small disruptions can carry public consequences. A municipal utility, a regional water facility, or a local energy-related industrial process may not have the same cyber staffing or architecture maturity as a large federal network, but the real-world impact of downtime can still be severe.

In practice, that means local municipalities, public utilities, field-deployed industrial systems, and remote sites connected through cellular or third-party remote access paths should assume they are within the threat model. If a PLC is directly reachable from the internet, the question is no longer whether that is a bad idea. The question is whether someone has already noticed it.

Indicators of Compromise

Defenders should review historical logs and network telemetry for the following IP addresses and related activity windows cited by the authoring agencies. These indicators should be investigated and validated in context before blocking, but they provide a concrete starting point for threat hunting.

Indicator            Observed From    Observed To
135.136.1[.]133      March 2026       March 2026
185.82.73[.]162      January 2025     March 2026
185.82.73[.]164      January 2025     March 2026
185.82.73[.]165      January 2025     March 2026
185.82.73[.]167      January 2025     March 2026
185.82.73[.]168      January 2025     March 2026
185.82.73[.]170      January 2025     March 2026
185.82.73[.]171      January 2025     March 2026

Additional network and behavioral indicators highlighted by the agencies include suspicious traffic involving ports 44818 and 2222 (EtherNet/IP, the protocol Rockwell controllers speak), 102 (ISO-TSAP, used by Siemens S7comm), 502 (Modbus/TCP), and 22 (SSH); use of industrial programming software to create accepted PLC connections; deployment of Dropbear SSH for remote access; extraction of PLC project files; and manipulation of HMI or SCADA-displayed data.

MITRE ATT&CK Mapping

The advisory maps the observed activity to several ATT&CK techniques across the ICS and enterprise matrices. Initial access was associated with T0883: Internet Accessible Device. Command and control activity included T0885: Commonly Used Port and T1219: Remote Access Tools (the technique current ATT&CK versions name Remote Access Software). The operational impact was mapped to T1565.001: Stored Data Manipulation, a sub-technique of T1565: Data Manipulation.

For defenders, this matters because it provides a structured way to validate detections, purple-team controls, and OT monitoring rules. If your security tooling cannot reliably identify unauthorized engineering connections, remote tool deployment in OT zones, or changes to controller logic and displays, this advisory is a good reason to close those gaps quickly.
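As an added example (not code from the advisory or from NeuraCyb), the following script runs the hunt the Indicators of Compromise and MITRE ATT&CK sections describe over a handful of constructed flow records: it matches the advisory's IP indicators against their observed windows, flags internet-originating connections to the listed industrial ports, looks for a Dropbear SSH banner answering on an OT host, and labels each finding with the technique the advisory maps. The CSV layout, the site address ranges, and the sample records are assumptions made for the example; map your own firewall or SIEM export into the same fields.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime

# IP indicators from the joint advisory with their observed windows. The
# advisory gives month granularity, so each window covers whole months.
IOC_IPS = {
    "135.136.1.133": (date(2026, 3, 1), date(2026, 3, 31)),
    **{f"185.82.73.{host}": (date(2025, 1, 1), date(2026, 3, 31))
       for host in (162, 164, 165, 167, 168, 170, 171)},
}

# Ports the advisory calls out and the protocol normally carried on each.
ICS_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O (CIP)",
    102: "ISO-TSAP (S7comm)",
    502: "Modbus/TCP",
    22: "SSH",
}

# Address ranges this site owns (assumed for the example). Any other source
# is treated as internet-originating, which is what the advisory describes.
SITE_NETWORKS = [
    ipaddress.ip_network("10.20.30.0/24"),  # OT segment holding the PLCs
    ipaddress.ip_network("10.20.31.0/24"),  # engineering LAN and jump host
]

# ATT&CK techniques the advisory maps, used to label findings.
TECHNIQUE = {
    "ioc_ip": "T0883 Internet Accessible Device",
    "ics_port_inbound": "T0885 Commonly Used Port",
    "dropbear_banner": "T1219 Remote Access Tools",
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    banner: str  # first server bytes if the sensor captured them, else ""


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: ISO timestamp,src,dst,dport,banner."""
    ts, src, dst, dport, banner = line.strip().split(",", 4)
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), banner)


def on_site(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_NETWORKS)


def hunt(lines):
    """Return [(flow, [(tag, technique, detail), ...])] for every suspicious flow."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        hits = []
        window = IOC_IPS.get(f.src)
        if window is not None:
            start, end = window
            note = "" if start <= f.ts.date() <= end else " (outside observed window, lower confidence)"
            hits.append(("ioc_ip", TECHNIQUE["ioc_ip"], f"advisory IoC {f.src}{note}"))
        if f.dport in ICS_PORTS and not on_site(f.src) and on_site(f.dst):
            hits.append(("ics_port_inbound", TECHNIQUE["ics_port_inbound"],
                         f"internet source reached {ICS_PORTS[f.dport]} on {f.dst}:{f.dport}"))
        if f.dport == 22 and on_site(f.dst) and "dropbear" in f.banner.lower():
            hits.append(("dropbear_banner", TECHNIQUE["dropbear_banner"],
                         f"Dropbear SSH answering on OT host {f.dst}"))
        if hits:
            findings.append((f, hits))
    return findings


# Constructed flow records for the example; not real telemetry.
SAMPLE_LOG = """\
2026-03-12T02:14:07,185.82.73.165,10.20.30.41,44818,
2026-03-12T02:16:33,185.82.73.165,10.20.30.41,22,SSH-2.0-dropbear_2022.83
2026-03-12T08:00:01,10.20.31.5,10.20.30.41,44818,
2025-06-02T11:45:19,203.0.113.77,10.20.30.42,502,
2024-11-03T09:00:00,185.82.73.162,10.20.30.43,2222,
"""

if __name__ == "__main__":
    for flow, hits in hunt(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts.isoformat()} {flow.src} -> {flow.dst}:{flow.dport}")
        for _tag, technique, detail in hits:
            print(f"    [{technique}] {detail}")
```

Two design points carry over to a real hunt. The site ranges are declared explicitly rather than derived from RFC 1918 membership, because what you trust is your own address plan, not "any private address". And an IoC hit outside the advisory's observed window is reported with lower confidence instead of dropped: leased infrastructure gets reused, and the agencies say to validate indicators in context, not to assume a date boundary.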

What Defenders Should Do Right Now

The agencies' guidance is direct. Remove PLCs from direct internet exposure. Put a secure gateway or jump host in front of them so that every engineering connection is mediated. Apply multifactor authentication at that access point, since the PLC itself typically cannot enforce MFA. Lock down cellular modems and other external connectivity. Review firewall rules for unnecessary industrial protocol exposure. And where a controller has a physical mode switch, leave it in Run rather than Remote when programming is not actively required; in the Run position the controller refuses remote mode changes and logic downloads, although its project can still be read, so the switch limits damage rather than exposure.

Just as important, defenders should not treat this as only a perimeter problem. Create offline backups of PLC logic and configurations. Monitor asset configuration changes. Hunt for unusual internet-originating logins and for ICS management protocol functions that alter operating modes or modify programs. If remote access is needed, control it tightly and assume that exposed administrative interfaces will eventually be found.
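The firewall review and jump-host guidance above lend themselves to a mechanical check. The following added example (written for this article, not code from the advisory or from any vendor) parses a small constructed policy format, evaluates it with first-match semantics against a representative source from each trust class, and reports which industrial ports the PLC answers on from each. It contrasts the kind of bolted-on policy the advisory describes with a mediated-access policy that only lets an MFA-fronted jump host and the HMI server into the OT segment. The addresses, the rule syntax, and both policies are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ports the advisory associates with the activity, keyed to their usual protocol.
ICS_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O", 102: "S7comm",
             502: "Modbus/TCP", 22: "SSH"}

# Representative source per trust class and one PLC to probe (assumed addressing).
PROBES = {
    "internet": "198.51.100.7",     # stands in for any address the site does not own
    "engineering LAN": "10.20.31.5",
    "HMI server": "10.20.31.20",
    "jump host": "10.20.31.10",     # the MFA-fronted mediated access point
}
PLC = "10.20.30.41"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset                # empty set means any destination port


def parse_policy(text: str) -> list:
    """Parse the constructed 'action src dst ports' format; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, ports = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        port_set = frozenset() if ports == "any" else frozenset(int(p) for p in ports.split(","))
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port_set))
    return rules


def permits(rules, src: str, dst: str, port: int) -> bool:
    """First matching rule decides; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r.action == "allow"
    return False


def exposure(policy_text: str) -> set:
    """Every (source class, port) pair from which the PLC answers under this policy."""
    rules = parse_policy(policy_text)
    return {(label, port) for label, ip in PROBES.items()
            for port in ICS_PORTS if permits(rules, ip, PLC, port)}


def internet_exposed_ports(policy_text: str) -> list:
    return sorted(port for label, port in exposure(policy_text) if label == "internet")


# The kind of policy the advisory describes: remote access bolted on over time.
WEAK_POLICY = """
allow 0.0.0.0/0      10.20.30.0/24   44818,2222   # vendor remote support, never removed
allow 0.0.0.0/0      10.20.30.41/32  22           # SSH to one controller for field staff
allow 10.20.31.0/24  10.20.30.0/24   any          # whole engineering LAN, every port
deny  0.0.0.0/0      0.0.0.0/0       any
"""

# Mediated access only: jump host and HMI server reach the segment, nothing else does.
HARDENED_POLICY = """
allow 10.20.31.10/32 10.20.30.0/24   44818,2222,502,102   # jump host, engineering protocols
allow 10.20.31.20/32 10.20.30.0/24   44818,2222           # HMI server, control traffic only
deny  0.0.0.0/0      10.20.30.0/24   any                  # everything else stays out of OT
deny  0.0.0.0/0      0.0.0.0/0       any
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: internet can reach PLC on {internet_exposed_ports(policy) or 'nothing'}")
        for label, port in sorted(exposure(policy)):
            print(f"  {label:15s} -> {PLC}:{port} ({ICS_PORTS[port]})")
```

Probing by simulation rather than grepping for 0.0.0.0/0 matters because ordering decides: a narrow deny placed above a broad allow closes a port, and the same deny placed below it does nothing. The hardened policy also gives the jump host no SSH path into the segment at all, which is the right default when the only legitimate reason for port 22 on an OT host has not been written down. Real deployments add the return path, NAT, and whatever the cellular modem does on its own, none of which this toy format models.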

Why OT Security Still Lags

One of the uncomfortable truths behind advisories like this is that many industrial environments still inherit decades-old assumptions about trust, uptime, and isolation. Remote connectivity was often added later for convenience, vendor support, field operations, or cost efficiency. Over time, those exceptions became part of the architecture. The result is a growing population of controllers and engineering paths that are reachable, weakly authenticated, or insufficiently monitored.

That is exactly why threat groups keep coming back to OT. The barrier to meaningful disruption is lower when exposed devices are already doing the hard work for them. For many organizations, secure-by-design conversations happen too late, after remote access has already been bolted onto fragile systems that were never built for hostile internet conditions.

NeuraCyb's Assessment

The latest U.S. warning on Iranian-affiliated PLC exploitation is not just another nation-state bulletin. It is a concrete example of how geopolitical cyber pressure is colliding with long-standing OT security weaknesses inside critical infrastructure. The affected sectors are foundational, the access paths are disturbingly ordinary, and the reported outcome has already crossed into operational disruption and financial loss.

For critical infrastructure operators, this is the kind of advisory that should trigger action the same day it is read. Internet-exposed PLCs, unmanaged remote access, weak segmentation, and poor change visibility are no longer theoretical issues. They are active opportunities for disruptive actors who know exactly where to look.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solution architecture.