International Business Times
Matias Civita

Iran-Linked Hackers Disrupt Multiple U.S. Industrial Sites, Triggering Federal Warning

Iran-affiliated hackers have disrupted equipment tied to multiple U.S. industrial and public service sites, prompting a rare multi-agency federal warning that the cyber activity is already causing operational problems and financial losses.

According to a joint advisory issued April 7 by the FBI, CISA, NSA, the Environmental Protection Agency, the Department of Energy, and U.S. Cyber Command, the campaign has targeted internet-connected industrial control devices across the government services, water and wastewater, and energy sectors.

The advisory says the hackers are exploiting programmable logic controllers, or PLCs, which are used to control physical machinery and industrial processes. Federal agencies said the actors have manipulated project files and altered data shown on human-machine interface and SCADA displays, the screens operators use to monitor and manage industrial systems. In some cases, officials said, the attacks led to "operational disruption and financial loss." The affected organizations were reportedly spread across several critical infrastructure sectors in the United States.

U.S. officials did not publicly name the victim organizations, but the government made clear the activity is not theoretical. The joint advisory states that since at least March 2026, federal agencies have worked with victim organizations that experienced disruptions after Iran-affiliated actors accessed exposed PLCs. The document says the affected sectors include local municipalities, water and wastewater systems, and energy operations.

The campaign appears focused in part on Rockwell Automation and Allen-Bradley PLCs, though the advisory warns other brands may also be at risk. Federal investigators said the hackers used overseas-based IP addresses and configuration software to establish accepted connections to internet-facing devices. They also observed malicious traffic directed at ports commonly associated with operational technology, suggesting broader interest beyond one manufacturer. The advisory further says actors deployed Dropbear SSH software on victim endpoints to maintain remote access.

U.S. officials believe the hackers are seeking to cause "disruptive effects within the United States" and that the activity has escalated amid hostilities involving Iran, the United States, and Israel. The federal advisory similarly says Iranian-affiliated targeting campaigns against U.S. organizations have recently intensified, likely in response to those broader tensions.

WIRED reported that the behavior described in the new advisory resembles earlier attacks attributed to CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps. That group previously targeted Unitronics devices used in water and wastewater facilities, including incidents in the United States. The new federal warning does not publicly assign the latest campaign to a named group, but it explicitly references previous reporting on CyberAv3ngers and says the current actors are Iranian-affiliated advanced persistent threat actors.

Agencies are now telling organizations to remove PLCs from direct internet exposure, check logs for known indicators of compromise, monitor traffic on ports tied to operational technology, and harden devices through firewalls and secure gateways. For Rockwell devices specifically, the advisory recommends placing the controller's physical mode switch into the run position and consulting the vendor and federal agencies if compromise is suspected.
