As the US and Iran agreed to a ceasefire on Tuesday, six US federal agencies have warned that Iran-affiliated threat actors have compromised internet-exposed programmable logic controllers at critical infrastructure facilities in the US.
The attacks, which the agencies linked to escalating hostilities between Iran and the US and Israel, targeted Rockwell Automation/Allen-Bradley PLCs at water and wastewater, energy, and government facilities, including local municipalities, and have been active since at least March 2026. The advisory was co-authored by the FBI, CISA, NSA, EPA, the Department of Energy, and US Cyber Command's Cyber National Mission Force, and was published on Tuesday.
“Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the advisory said. “These PLCs were deployed across multiple US critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
How attackers gained access
To disrupt the controllers, the actors used leased overseas hosting infrastructure and legitimate Rockwell Automation configuration software to connect to victim PLCs, specifically CompactLogix and Micro850 devices that had been left directly exposed to the public internet, the advisory said. Because the tooling is the vendor's own, the sessions look like ordinary engineering connections; what distinguishes them is the source address and the fact that the PLC was reachable from the internet at all.
Once inside, they extracted project files, altered SCADA and HMI display data, and installed remote access software to maintain a persistent foothold, it added.
The advisory also warned that port activity associated with Siemens S7 PLC protocols “suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley.”
Steve Povolny, VP of AI strategy and security research at Exabeam, said the campaign reflects longstanding structural weaknesses in OT environments. “Programmable logic controllers and supporting HMI stacks are often deployed on aging hardware, run outdated firmware for years at a time, and sit inside operational networks that were never designed with adversarial persistence in mind,” he said.
Gabrielle Hempel, security operations strategist at Exabeam, said the attacks exposed a fundamental design problem. “The most concerning thing about this report is that Iranian actors aren’t using sophisticated malware or new zero-days, but leveraging accessible PLCs and low-hanging fruit to manipulate systems and cause disruption,” she said. “If an OT environment is reachable from the internet, that is an inherent design flaw and not a nation-state problem.”
A recurring Iranian playbook
The advisory linked the current campaign to a pattern of Iranian state-affiliated targeting of US industrial control systems. The authoring agencies have previously reported similar activity by CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command, which compromised at least 75 Unitronics PLC devices across water, wastewater, and other critical infrastructure sectors beginning in November 2023.
The current activity is attributed to a separate, though related, group of Iranian-affiliated APT actors, the advisory said.
The authoring agencies assessed that the group is “conducting this activity to cause disruptive effects within the United States.” The advisory said the escalation is likely tied to ongoing US-Iran-Israel hostilities.
Ross Filipek, CISO at Corsica Technologies, said the consequences of even partial compromises extend well beyond individual victim organizations. “If a municipal utility goes down, suppliers, hospitals, and regional partners feel it,” he said. “Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance-level defacement into real operational interference.”
Indicators of compromise and recommended actions
The advisory listed eight IP addresses linked to the threat actors, active as far back as January 2025, along with downloadable indicators of compromise, and recommended organizations query their logs for any matching activity, particularly traffic on OT-associated ports originating from overseas hosting providers.
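The log query the advisory asks for comes down to three questions per connection record: is the destination an OT service port, is the source outside the address space the site owns, and does the source match the published indicator list. The following is an added example, not code from the advisory or from any vendor, that runs that triage over a constructed firewall-style log. The IOC addresses are RFC 5737 documentation addresses standing in for the advisory's real list, the log format is invented, the internal ranges are assumed to be RFC 1918, and Modbus/TCP 502 is included as a common extra that the advisory itself does not mention. It goes one step beyond the text by also listing which devices actually accepted an external connection, which is the "internet-exposed PLC" population the advisory says to eliminate.

```python
"""Flag OT-port traffic from outside the plant network in firewall-style logs."""
import ipaddress
import re

# OT service ports to watch. The first three correspond to the device families
# and protocols the advisory names (Rockwell EtherNet/IP, Siemens S7); Modbus/TCP
# is added here as a common extra and is not mentioned in the advisory.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (Rockwell CompactLogix/Micro850)",
    2222: "EtherNet/IP implicit I/O (CIP, UDP)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP (added, not in the advisory)",
}

# Constructed stand-in for the advisory's IOC list: RFC 5737 documentation
# addresses, not the real eight addresses the advisory publishes.
IOC_IPS = {"203.0.113.45", "198.51.100.17"}

# Address space assumed to belong to the plant; replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log format: <timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_external(ip, internal_nets=INTERNAL_NETS):
    """True when the address lies outside the ranges the site owns."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)


def analyze(lines, ioc_ips=IOC_IPS):
    """Return one finding per record that reaches an OT port from an external source."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        dport = int(m["dport"])
        if dport not in OT_PORTS:
            continue  # not an OT service port
        src = m["src"]
        if not is_external(src):
            continue  # internal engineering-workstation traffic is expected
        if src in ioc_ips:
            severity, reason = "critical", "source matches advisory IOC list"
        else:
            severity, reason = "high", "OT port reached from an external address"
        if m["action"] == "DENY":
            # A blocked probe still tells you someone is scanning for the port.
            severity = "medium" if src in ioc_ips else "low"
            reason += " (blocked by firewall; treat as scanning)"
        findings.append({
            "ts": m["ts"], "src": src, "dst": m["dst"], "dport": dport,
            "service": OT_PORTS[dport], "action": m["action"],
            "severity": severity, "reason": reason,
        })
    return findings


def exposed_devices(findings):
    """Addresses that accepted (ALLOW) at least one external connection on an OT port."""
    return sorted({f["dst"] for f in findings if f["action"] == "ALLOW"})


# Constructed sample log: two IOC hits, one internal session, one blocked scan,
# one non-OT port, and one external hit on the UDP implicit-I/O port.
SAMPLE_LOG = """\
2026-03-14T02:11:07Z ALLOW TCP 203.0.113.45:51922 -> 10.20.0.15:44818
2026-03-14T02:11:09Z ALLOW TCP 10.20.0.8:50112 -> 10.20.0.15:44818
2026-03-14T02:13:41Z ALLOW TCP 198.51.100.17:40021 -> 10.20.0.22:102
2026-03-14T02:15:02Z DENY TCP 192.0.2.77:44123 -> 10.20.0.15:44818
2026-03-14T02:16:30Z ALLOW TCP 192.0.2.77:44200 -> 10.20.0.15:443
2026-03-14T02:18:11Z ALLOW UDP 192.0.2.200:2222 -> 10.20.0.15:2222
""".splitlines()

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['service']}) {f['action']}: {f['reason']}")
    print("Devices accepting external OT connections:", exposed_devices(results))
```

Against the sample, the two IOC sources score critical, the denied scan from a non-IOC host scores low, and the allowed UDP 2222 session from a non-IOC host scores high; the exposed-device list is the set of PLCs that should not have been reachable in the first place, regardless of whether the source was on the advisory's list.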
“Ensure all access is mediated, monitored, and controlled,” the advisory said. For Rockwell Automation controllers with a physical mode switch, it recommends setting the switch to the RUN position, which makes the controller reject program downloads and online logic edits until someone physically turns the key back. The switch does not stop writes to tag data, which HMIs depend on, so it limits program tampering rather than all remote interaction.
The advisory also placed responsibility on device manufacturers, stating: “It is ultimately the responsibility of the device manufacturer to build products that are secure by design and default.” Hempel said that the principle needs to become an enforced baseline. “‘Secure by design’ needs to be enforced as a baseline expectation across the board,” she said.
Povolny said organizations should treat the advisory as an active warning, not a routine notification. “Adversaries are signaling intent, capability, and access patterns, and defenders should respond with the assumption that probing activity is already underway,” he said.