FBI warns of Iranian cyberattacks on PLCs

 

US federal agencies have issued a joint cybersecurity advisory warning that Iranian-affiliated hackers are actively targeting internet-exposed programmable logic controllers (PLCs) used in critical infrastructure sectors across the United States.

The alert highlights ongoing attacks against Rockwell/Allen-Bradley PLCs. According to the FBI, the activity is linked to advanced persistent threat (APT) actors associated with Iran.

Officials say the attackers are exploiting exposed devices to disrupt operations, including tampering with project files and manipulating data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. These actions can interfere with real-time monitoring and control processes essential to industrial environments.

The campaign has impacted multiple sectors, including government services, water and wastewater systems, and energy. Since March 2026, the attacks have led to both financial losses and operational disruptions.

Authorities assess the surge in activity may be linked to escalating geopolitical tensions involving Iran, the United States, and Israel. In some cases, attackers successfully extracted PLC project files and altered operational data displays.

In December 2024, US authorities released an advisory on the CyberAv3ngers group, which is affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). In a campaign between November 2023 and January 2024, the threat actor compromised at least 75 Unitronics PLC devices, many within water and wastewater systems.

To mitigate risk, organizations are advised to remove direct internet access to PLCs or secure them behind firewalls, enable multifactor authentication (MFA), update firmware, disable unused services, and monitor for suspicious network traffic.

Last month, the Iranian-linked hacktivist group Handala reportedly wiped tens of thousands of devices in a major US healthcare company’s network. Separately, the FBI has warned that Iranian actors linked to the Ministry of Intelligence and Security (MOIS) are increasingly using messaging platforms like Telegram to distribute malware.

