
Iranian Hackers Are Hitting U.S. Critical Infrastructure

Published on
April 8, 2026

Iran-affiliated cyber actors are actively targeting internet-exposed industrial control systems across the United States, disrupting operations in sectors that millions of people depend on. In a joint advisory published April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command confirmed that this critical infrastructure cyberattack campaign has already caused operational disruption and financial loss at multiple organizations.

The advisory identifies Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) as the primary targets, with confirmed compromises in government services and facilities, water and wastewater systems, and the energy sector.

What the Attackers Are Doing

PLCs are embedded computers that automate physical processes: everything from water treatment chemical dosing to power grid switching. When attackers reach these devices, the consequences move beyond data theft. They can alter what operators see on their screens, change how systems behave, and interfere with processes that directly affect physical infrastructure.

The Iranian-affiliated actors gained initial access by connecting to internet-facing PLCs from leased third-party infrastructure, using Rockwell Automation's own Studio 5000 Logix Designer engineering software rather than any exploit. Targeted devices include CompactLogix and Micro850 models. Once inside, the attackers deployed Dropbear, a lightweight SSH server, on victim endpoints to maintain persistent remote access over TCP port 22.

From that foothold, they extracted device project files and manipulated data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) panels. These are the dashboards operators use to monitor and control industrial processes in real time. Falsifying what those displays show can mask malicious activity, delay detection, and push operators into making decisions based on bad data.

A Known Playbook, Moving Faster

This is not the first time Iranian actors have gone after U.S. industrial systems. In late 2023, IRGC-affiliated actors known as CyberAv3ngers compromised at least 75 Unitronics PLC devices across U.S. water and wastewater facilities by exploiting devices left with default or no passwords. That campaign targeted the Municipal Water Authority of Aliquippa in Pennsylvania, among others.

The current campaign follows the same basic logic but operates across a wider set of sectors and with greater speed. Threat intelligence from Check Point Research noted that identical targeting patterns appeared against Israeli PLCs in March 2026 before the U.S. advisory was issued, pointing to a coordinated, multi-front operation.

The escalation tracks with a broader shift in Iranian cyberactivity following Operation Epic Fury — the coordinated U.S.-Israeli military strikes on Iran's nuclear facilities and military infrastructure on February 28, 2026. Since then, Iranian state-linked and proxy groups have ramped up DDoS attacks, hack-and-leak operations, and now direct interference with industrial control systems.

The Threat Actor Ecosystem Behind the Campaign

The advisory does not attribute the PLC campaign to a single named group, but it sits within a well-documented Iranian cyber ecosystem. Research published this week identified Homeland Justice, Karma/KarmaBelow80, and Handala Hack — a group previously covered in connection with the breach of FBI Director Kash Patel's personal email account — as elements of a single coordinated influence operation aligned with Iran's Ministry of Intelligence and Security (MOIS), rather than independent hacktivist collectives.

Separately, MuddyWater, another Iranian state-sponsored group, has been linked to attacks using CastleRAT alongside a previously undocumented JavaScript-based malware called ChainShell. ChainShell queries a smart contract on the Ethereum blockchain to retrieve its command-and-control address, so that taking down or blocking a single C2 server does not cut the malware off and the operator can rotate infrastructure by updating the contract. Both tools are being used against targets in the defense, aerospace, energy, and government sectors.

The pattern across all of these operations is consistent: technical disruption paired with information manipulation, carried out through overlapping groups that share infrastructure and tradecraft.

What Organizations Should Do Now

The joint advisory outlines a set of concrete mitigations for organizations running Rockwell Automation PLCs. The most urgent: remove PLCs from direct internet exposure. Devices that do not need to be internet-facing should not be.

Beyond that, the agencies recommend enabling multi-factor authentication, placing a firewall or network proxy in front of PLC devices, keeping firmware up to date, disabling unused authentication features, and monitoring for unusual network traffic. Organizations should also prevent remote modification of project files, either through a physical switch or software controls.
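The network-level mitigations above (no direct internet exposure, only engineering workstations allowed to talk to controllers, watch for SSH persistence on port 22) can be checked against perimeter flow logs. The script below is an added example, not code from the advisory or from Rockwell Automation; it assumes a hypothetical site layout (PLCs in 10.20.0.0/24, one approved engineering workstation at 10.10.5.15, everything in 10.0.0.0/8 counted as on-site) and a constructed `key=value` flow-record format. The port it keys on, TCP 44818, is EtherNet/IP explicit messaging, the channel Studio 5000 uses to upload and download controller projects.

```python
"""
Flag flow records that violate PLC isolation guidance.

Added example; not from the advisory or from Rockwell Automation.
Site layout and log format are hypothetical/constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site layout.
PLC_SUBNET = ipaddress.ip_network("10.20.0.0/24")
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]          # anything else is "external"
ALLOWED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.15")}

# TCP 44818 = EtherNet/IP explicit messaging (Studio 5000 project upload/download).
# UDP 2222 implicit I/O between controllers is deliberately not covered here.
ENIP_EXPLICIT_PORT = 44818
SSH_PORT = 22


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src=... dst=... proto=... dport=...' record (any field order)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                fields["proto"].lower(),
                int(fields["dport"]))


def is_external(ip: ipaddress.IPv4Address) -> bool:
    """True if the address is outside every on-site prefix."""
    return not any(ip in net for net in SITE_NETWORKS)


def findings_for(flow: Flow) -> list[str]:
    """Return the names of the rules one flow trips; empty list if it looks benign."""
    hits = []
    src_is_plc = flow.src in PLC_SUBNET
    dst_is_plc = flow.dst in PLC_SUBNET
    if not (src_is_plc or dst_is_plc):
        return hits  # not OT traffic; these rules only care about the PLC segment

    # Rule 1: a PLC reachable from, or talking to, an off-site address
    # is internet-exposed (or already beaconing out).
    if (dst_is_plc and is_external(flow.src)) or (src_is_plc and is_external(flow.dst)):
        hits.append("internet-exposed-plc")

    # Rule 2: engineering-protocol session from anything but the approved
    # workstation: the path used to pull project files and push logic changes.
    if (dst_is_plc and flow.proto == "tcp" and flow.dport == ENIP_EXPLICIT_PORT
            and flow.src not in ALLOWED_ENGINEERING_HOSTS):
        hits.append("unauthorized-enip-session")

    # Rule 3: SSH touching the OT segment. The advisory describes Dropbear on
    # TCP/22 for persistence; nothing in this subnet should serve or use SSH.
    if flow.proto == "tcp" and flow.dport == SSH_PORT:
        hits.append("ssh-on-ot-segment")
    return hits


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run every rule over every record; keep only records that trip something."""
    results = []
    for line in lines:
        hits = findings_for(parse_flow(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed flow records, not real telemetry.
SAMPLE_FLOWS = [
    "src=10.10.5.15 dst=10.20.0.7 proto=tcp dport=44818",    # approved engineering access
    "src=10.20.0.7 dst=10.20.0.9 proto=udp dport=2222",      # controller-to-controller I/O
    "src=203.0.113.44 dst=10.20.0.7 dport=44818 proto=tcp",  # off-site host reaching the PLC
    "src=10.10.7.200 dst=10.20.0.9 proto=tcp dport=44818",   # on-site host not on allowlist
    "src=198.51.100.9 dst=10.20.0.7 proto=tcp dport=22",     # SSH from off-site to the PLC
    "src=10.20.0.7 dst=198.51.100.9 proto=tcp dport=443",    # PLC beaconing out
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_FLOWS):
        print(f"{', '.join(hits):45s} {line}")
```

The "external" test is done against a list of on-site prefixes rather than `ipaddress`'s `is_global`, because the RFC 5737 documentation ranges used in the sample are reported as non-global by the standard library and real flow logs from a perimeter device tell you more reliably what is off-site than the address class does. To use it on real data, replace the three hypothetical constants and the parser with your own.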

These are not new recommendations. But the number of PLCs still reachable directly from the internet, and still running with weak or default credentials, remains a persistent problem across critical infrastructure operators of all sizes.

An Understaffed Defense

The timing of this campaign creates an added complication. Around 60 percent of CISA's workforce was furloughed beginning February 14, 2026, reducing the agency's capacity at the precise moment Iranian cyberactivity has intensified. The agencies involved in Tuesday's joint advisory are still functioning, but the reduction in CISA staffing leaves less institutional bandwidth for the kind of hands-on support that smaller utilities and local government operators often rely on.

For organizations that have historically depended on federal guidance and assistance, that gap matters. The threat is accelerating. The response capacity is not.
