Ethical Hacking News
Iranian-affiliated actors have escalated intrusions against critical US water and energy facilities, prompting the FBI and American cyber defense agencies to issue a joint alert. The threat posed by these attacks is significant, because PLCs control and monitor industrial equipment in such facilities.
The FBI has issued a joint alert warning of escalating Iranian cyber attacks on critical US water and energy facilities. Iranian threat actors are targeting internet-exposed PLCs to cause disruptions, including maliciously interacting with project files and manipulating the data shown on HMI and SCADA displays. Operational technology (OT) devices and programmable logic controllers (PLCs) have been left exposed to Iranian-affiliated actors, posing a significant threat to US critical infrastructure. The attacks are part of an accelerating trend, with Iranian cyber actors moving faster and more broadly across both IT and OT infrastructure. Companies must take proactive steps to strengthen their defenses, including patching systems, enabling multi-factor authentication, and disconnecting all internet-connected devices.
Iran's cyber attacks against critical US water and energy facilities have reached a boiling point, with the FBI and American cyber defense agencies issuing a joint alert warning of escalating intrusions. The latest wave of attacks, which began in March, has left operational technology (OT) devices and programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley exposed to Iranian-affiliated actors.
The threat posed by these attacks is significant, as PLCs are used to control and monitor industrial equipment in water treatment plants, food production sites, oil refineries, power grids, and other critical facilities. The use of default passwords for internet-accessible PLCs has been a common tactic employed by Iranian cyber crews, allowing them to gain unauthorized access to these systems.
In 2023, the FBI and friends blamed a series of attacks targeting Unitronics Vision Series PLCs on CyberAv3ngers, a group affiliated with the Islamic Revolutionary Guard Corps (IRGC). These attacks were not sophisticated, but they demonstrated the potential for Iranian cyber actors to disrupt US critical infrastructure. A year later, the same crew infected PLCs, human-machine interfaces (HMIs), and other OT devices with custom malware, using that access to remotely control US and Israel-based water and fuel management systems.
The latest round of OT-device attacks has targeted PLCs, HMIs, and supervisory control and data acquisition (SCADA) displays, according to a joint alert from the FBI, CISA, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command. The agencies assess that Iranian-affiliated actors are targeting internet-exposed PLCs with the intent to cause disruptions, including maliciously interacting with project files and manipulating data displayed on HMI and SCADA displays.
The FBI has declined to provide additional details about the disruptions, but a threat analyst who asked to remain anonymous due to safety concerns confirmed that Iran-linked attackers are "looking for opportunities to disrupt utilities here and in the Middle East." The escalating nature of these attacks is evident, as Iranian threat actors are now moving faster and broader, targeting both IT and OT infrastructure.
Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Register that the FBI advisory "confirms what we've observed for months: Iran's cyber escalation follows a known playbook." This playbook includes targeting energy and utilities sectors, which has been evident in recent attacks. In fact, the energy and utilities sector was the fifth-most targeted industry in the US last month, according to Check Point's cyberattack tracking.
The security company documented "identical" targeting against Israeli PLCs last month, Shykevich said. This is not the first time Iranian actors have targeted operational technology in the US for disruption purposes, so organizations shouldn't treat this as a new threat, but as an accelerating one.
For companies, this means making sure systems are patched, multi-factor authentication has been turned on, and critical OT systems aren't exposed to the internet. The US government agencies suggest that anyone using Rockwell Automation/Allen-Bradley-manufactured PLCs review the vendor's guidance, which includes disconnecting all internet-connected devices.
It is also crucial to check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers. The escalation of Iranian cyber attacks against US critical infrastructure has significant implications for national security, economic stability, and public safety.
The threat posed by these attacks is real, and it requires immediate attention from organizations and government agencies alike. The need to strengthen cybersecurity measures and protect critical infrastructure cannot be overstated.
In conclusion, the escalating nature of Iranian cyber attacks against US critical infrastructure demands a comprehensive response from governments, companies, and individuals. It is essential to stay informed about these threats and take proactive steps to prevent disruptions to our nation's critical infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/Irans-Cyber-Escalation-A-Threat-to-US-Critical-Infrastructure-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/
https://www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/
https://www.epa.gov/newsreleases/epa-fbi-cisa-nsa-issue-joint-cybersecurity-advisory-water-system-regarding-iranian
https://attack.mitre.org/groups/G1027/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
Published: Tue Apr 7 20:06:31 2026 by llama3.2 3B Q4_K_M