ZERO|TOLERANCE Intelligence Advisory · zerotolerance.me
CRITICAL · CORROBORATED

CyberAv3ngers Successors Exploit U.S. Water, Energy, and Government PLCs in Escalating Iranian Campaign

Apr 10, 2026 · AA26-097A · 3,900+ exposed PLCs · CRITICAL

Publication Date: 2026-04-10
Category: Nation-State & Espionage
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

Six U.S. national security agencies have issued a joint advisory warning that Iranian-affiliated threat actors are actively exploiting internet-facing industrial controllers across American critical infrastructure. The campaign has already caused operational disruption and financial loss.

Executive Summary

KEY FACTS

  • What: Ongoing Iranian-affiliated exploitation of internet-exposed PLCs and OT environments across multiple U.S. critical infrastructure sectors
  • Who: U.S. critical infrastructure operators in water/wastewater, energy, and government services and facilities; Iranian-affiliated actors linked by public reporting to CyberAv3ngers / Shahid Kaveh Group / IRGC-CEC
  • When: Observed since at least March 2026; advisory published April 7, 2026
  • How: Direct access to internet-facing PLCs, use of industrial configuration software, project file extraction, HMI/SCADA display manipulation, and remote access over OT-associated ports and SSH
  • Impact: Operational disruption and financial loss in some victim environments; exact victim count undisclosed
  • Devices: Rockwell Automation/Allen-Bradley CompactLogix and Micro850 PLCs confirmed; port activity suggests possible interest in Siemens S7 and other OT devices, but no confirmed public reporting establishes compromise of non-Rockwell devices
  • Actor Context: Public reporting on the advisory ties the activity to the CyberAv3ngers persona and IRGC-CEC, while describing the 2026 activity as a continuation or successor to earlier Iranian disruptive PLC operations

Incident Overview

WHAT HAPPENED

On April 7, 2026, U.S. cyber and national security agencies published a joint advisory warning that Iranian-affiliated threat actors are conducting active exploitation of internet-connected operational technology devices inside the United States. The campaign specifically targets programmable logic controllers, including Rockwell Automation/Allen-Bradley systems used in industrial automation processes across critical infrastructure sectors.

According to the advisory and corroborating public analysis, the threat actors accessed exposed PLCs using overseas-based IP addresses and used configuration software such as Rockwell Automation's Studio 5000 Logix Designer to establish accepted connections with victim devices. Once connected, the actors extracted project files and manipulated data displayed on human machine interfaces and SCADA systems, resulting in direct operational consequences beyond reconnaissance or staging.

The affected sectors identified by the authoring agencies include Government Services and Facilities, Water and Wastewater Systems, and Energy. In several cases, the activity resulted in operational disruption, and in a smaller number of cases it caused financial loss. U.S. agencies did not identify specific victim organizations or disclose the number of impacted environments.

TechCrunch reported that the agencies described the campaign as a marked escalation in tactics by Iranian hackers targeting American critical infrastructure. The advisory itself states that Iranian-affiliated campaigns targeting U.S. organizations have recently intensified, likely in response to hostilities involving Iran, the United States, and Israel.

Attribution

THREAT ACTOR ANALYSIS

Public reporting on the advisory identifies the activity as linked to Iranian-affiliated actors associated with the CyberAv3ngers persona, also tracked as the Shahid Kaveh Group, acting on behalf of Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command. The group is additionally tracked as Hydro Kitten (CrowdStrike), Storm-0784 (Microsoft), and UNC5691 (Google/Mandiant). That attribution is consistent with the advisory's comparison to the November 2023 CyberAv3ngers campaign that targeted PLCs in U.S. critical infrastructure, including water-sector environments.

The more precise analytical question is not whether Iran-linked attribution exists, but how directly the April 2026 activity maps to the earlier CyberAv3ngers operation. Public sources differ slightly in how they frame that continuity. Some describe the 2026 activity as linked directly to CyberAv3ngers, while others characterize it as successor activity sharing the same sponsorship, tradecraft, and target profile. What is consistent across the reporting is the Iranian nexus, the IRGC-CEC connection, and the operational focus on disruptive OT effects inside the United States.

CSIS analysis published in the wake of the advisory characterized Iran's posture as a shift from episodic cyberattacks to a sustained campaign against critical infrastructure, treating cyberspace as an extension of state power.

Impact Assessment

WHAT WAS EXPOSED

  • Internet-facing PLCs deployed in U.S. critical infrastructure environments
  • PLC project files extracted from victim systems
  • HMI and SCADA display data manipulated by the attackers
  • Operational technology processes disrupted in multiple victim environments
  • Financial loss reported in some cases

No public advisory states that large-scale personal data theft occurred in this campaign. The primary public impact described to date is operational disruption of industrial control environments, not mass PII exposure.

Root Cause Analysis

TECHNICAL FAILURE CHAIN

1. Direct internet exposure of PLCs.

The attack path began because internet-connected industrial controllers were reachable from outside the organization. Censys research published after the advisory identified 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts globally, with approximately 3,900 (75%) located in the United States - many connected via cellular networks and running end-of-life software. The advisory explicitly recommends removing PLCs from direct internet exposure via secure gateway and firewall, indicating that exposed OT assets were a foundational failure condition.

2. Use of legitimate engineering software against exposed assets.

The actors did not need exotic initial access malware to begin interacting with targeted devices. Instead, they used accepted industrial configuration tooling to create legitimate-looking connections to victim PLCs. That creates a visibility problem for defenders because malicious actions may initially resemble authorized engineering activity.

3. Weak segmentation between external access paths and operational systems.

Once connected, the actors were able to extract project files, alter HMI and SCADA display data, and establish remote access via Dropbear SSH. That points to insufficient isolation between internet-reachable management paths and live control environments.

4. Inadequate hardening and remote access controls.

The authoring agencies specifically note the need for Rockwell customers to place physical mode switches in run position and review hardening guidance. That suggests at least some targeted environments lacked basic compensating controls that would have limited unauthorized logic interaction.

5. Delayed detection in OT environments.

The advisory instructs organizations to query available logs for suspicious traffic on OT-relevant ports and for known actor infrastructure, suggesting many operators may not have had effective monitoring or alerting in place for this type of remote access activity.

Detection

INDICATORS OF COMPROMISE

Public reporting on the advisory references actor infrastructure and suspicious traffic associated with OT-relevant ports, including:

  • Port 44818 - EtherNet/IP (CIP)
  • Port 2222 - SSH (alt) / EtherNet/IP
  • Port 102 - S7comm / ISO-TSAP
  • Port 22 - SSH
  • Port 502 - Modbus

ACTOR IP ADDRESSES (FROM AA26-097A, TABLE 1)

  • 135.136.1[.]133 (active March 2026)
  • 185.82.73[.]162 (active January 2025 - March 2026)
  • 185.82.73[.]164 (active January 2025 - March 2026)
  • 185.82.73[.]165 (active January 2025 - March 2026)
  • 185.82.73[.]167 (active January 2025 - March 2026)
  • 185.82.73[.]168 (active January 2025 - March 2026)
  • 185.82.73[.]170 (active January 2025 - March 2026)
  • 185.82.73[.]171 (active January 2025 - March 2026)

RELEVANT KNOWN VULNERABILITY

  • CVE-2021-22681 (CVSS 9.8) - Rockwell Automation insufficiently protected cryptographic key affecting CompactLogix, ControlLogix, and other Logix controllers, enabling authentication bypass and unauthorized access to PLC project files and logic. Added to CISA KEV catalog March 5, 2026 with a mandatory federal remediation deadline of March 26 - a deadline that had already lapsed before AA26-097A was published. Referenced in the advisory via Rockwell PN1550.

MITRE ATT&CK

  • T0883 Internet Accessible Device (Initial Access) - actors used programming software to access publicly exposed PLCs without sufficient network/hardening controls
  • T1565 Stored Data Manipulation (Impact) - actors maliciously interacted with project files and altered data displayed on HMI and SCADA displays
  • T0885 Commonly Used Port (Command and Control) - actors used commonly used OT ports to communicate with PLCs
  • T1219 Remote Access Tools (Command and Control) - actors deployed Dropbear SSH on victim endpoints for remote access through port 22

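The advisory's detection guidance (query available logs for traffic on the OT-relevant ports above and for the Table 1 actor addresses) can be turned into a first-pass triage script. The block below is an added example written for this advisory, not code from AA26-097A, CISA or any vendor. It assumes a constructed key=value firewall/flow log layout (adapt the regular expression to the real export) and uses a placeholder list of internal address ranges; the sample log lines are constructed for the demonstration. It flags any contact with the published actor IPs in either direction, and any external source reaching an internal host on one of the listed OT ports, which is the exposure condition the advisory says to remove.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Actor infrastructure published in AA26-097A, Table 1 (defanging brackets removed).
ACTOR_IPS = {
    "135.136.1.133",
    "185.82.73.162", "185.82.73.164", "185.82.73.165", "185.82.73.167",
    "185.82.73.168", "185.82.73.170", "185.82.73.171",
}

# OT-relevant ports named in the advisory's detection guidance.
OT_PORTS = {
    44818: "EtherNet/IP (CIP)",
    2222: "SSH (alt) / EtherNet/IP",
    102: "S7comm / ISO-TSAP",
    22: "SSH",
    502: "Modbus",
}

# Placeholder (assumption): replace with the organization's own OT address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed key=value log layout; adapt the pattern to the real firewall/flow export.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


@dataclass
class Finding:
    line: str
    reason: str
    severity: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside the organization's declared ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing notable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    # Any contact with published actor infrastructure, in either direction.
    if src in ACTOR_IPS or dst in ACTOR_IPS:
        return Finding(line, "known actor IP (AA26-097A Table 1)", "critical")
    # An external source reaching an internal host on an OT-relevant port:
    # the exposure condition the advisory says to remove.
    if dport in OT_PORTS and is_internal(dst) and not is_internal(src):
        return Finding(line, f"external source to OT port {dport} ({OT_PORTS[dport]})", "high")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a log and keep only the findings."""
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    "2026-03-14T02:11:09Z action=allow src=185.82.73.165 dst=10.20.5.17 dport=44818 proto=tcp",
    "2026-03-14T02:11:40Z action=allow src=198.51.100.23 dst=10.20.5.17 dport=22 proto=tcp",
    "2026-03-14T08:00:02Z action=allow src=10.20.1.50 dst=10.20.5.17 dport=44818 proto=tcp",
    "2026-03-14T08:00:03Z action=allow src=10.20.1.50 dst=10.20.5.18 dport=502 proto=tcp",
    "2026-03-14T09:12:44Z action=allow src=10.20.1.50 dst=203.0.113.8 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.reason}: {f.line}")
```

On the constructed sample the first line is flagged as critical (actor address) and the second as high (external source to SSH on a PLC-side host); the internal-to-internal EtherNet/IP and Modbus traffic passes, which is the point: the IOC match is the easy part, and the port-plus-direction rule is what surfaces exposure that has not yet been touched by a known address. Checking the flagged "high" hits against the maintenance schedule is a separate step that this rule deliberately does not attempt.
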
Compliance Impact

REGULATORY EXPOSURE

  • NERC CIP obligations for affected electric-sector operators, specifically CIP-005 (Electronic Security Perimeter - internet-exposed PLCs violate boundary protections), CIP-007 (System Security Management - inadequate access controls on OT devices), and CIP-010 (Configuration Change Management - unauthorized project file extraction and logic interaction). NERC's Watch Operations team is actively monitoring the grid and coordinating with DOE and the Electricity Subsector Coordinating Council in response to the advisory
  • FISMA compliance obligations for Government Services and Facilities sector operators under federal information security requirements
  • SEC 8-K materiality disclosure - publicly traded critical infrastructure operators face the four-business-day reporting obligation if operational disruption or financial loss meets materiality thresholds
  • State public utility and environmental regulator scrutiny where water or energy service disruption occurred
  • NSM-22 (National Security Memorandum 22, superseding PPD-21 in April 2024) - sector risk management agency responsibilities with EPA for water and DOE for energy, carrying direct accountability for resilience failures in their respective sectors
  • Ongoing CISA and sector-specific resilience pressure where internet-accessible OT assets remained exposed despite repeated public warnings dating to the November 2023 CyberAv3ngers advisory (AA23-335A)

This incident sharpens a governance question that regulators will not ignore: why internet-reachable OT assets remained exposed in sectors that have been on explicit notice since the 2023 campaign, and through multiple years of public warnings about externally accessible industrial control systems.

Analytical Limitations

INTELLIGENCE GAPS

  • Exact victim count remains undisclosed.
  • No public victim identities have been released.
  • No public evidence yet quantifies the financial loss.
  • Public reporting supports Iran-linked attribution, but the exact continuity between this operation and the prior CyberAv3ngers campaign is framed with slight variation across sources.
  • It remains unclear how many non-Rockwell devices were actually compromised versus merely targeted or probed.
  • There is no public timeline for initial compromise dates in each victim environment.
  • No public reporting confirms whether destructive logic changes occurred beyond project file interaction and display manipulation.
  • The advisory references downloadable STIX XML and STIX JSON files for machine-readable IOC ingestion.

Assessment

ZERO|TOLERANCE Advisory

1. Treat internet-exposed PLCs as active incident conditions, not passive hygiene issues.

If a controller is directly reachable from the public internet, the exposure should be handled as a live operational risk.

2. Separate engineering access from operational availability.

Remote management paths into PLC environments should require brokered access, strict authentication, and independent monitoring rather than direct routable exposure.

3. Hunt for legitimate-tool abuse inside OT.

The use of accepted engineering software means defenders need detection logic that focuses on who is connecting, from where, and during what maintenance window, not just whether malware executed.

4. Reassess every exception that left OT assets online after the 2023 CyberAv3ngers campaign.

Organizations that ignored those lessons are now facing the exact scenario earlier advisories warned about.

5. In ZERO|TOLERANCE's assessment, Iran-linked disruptive OT tradecraft is iterative.

Even where public descriptions differ on whether this is a direct continuation or successor campaign, the pattern is clear: exposed industrial devices remain a viable pressure point during geopolitical escalation.
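Root cause 2 and assessment item 3 both make the same point: because the actors used accepted engineering software, detection has to judge who connected, from where, and during what maintenance window rather than wait for malware. The block below is an added example of that policy check, written for this advisory and not taken from it or from any vendor. It assumes constructed session records of the kind an OT monitoring tool or PLC connection log would yield, a placeholder allowlist of engineering workstations per controller, placeholder maintenance windows tied to change tickets, and assumed operating hours of 06:00 to 20:00 UTC. The action names (upload for reading the project out of the controller, download and online_edit for writing to it) follow Rockwell's terminology but are otherwise labels chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc

# Actions that change controller state. "upload" (reading the project out of
# the PLC, in Rockwell terminology) is a read and is judged only on its source.
WRITE_ACTIONS = {"download", "online_edit", "force"}

# Placeholder (assumption): approved engineering workstations per controller.
ALLOWED_SOURCES = {
    "plc-ww-01": {"10.20.1.50"},
    "plc-ww-02": {"10.20.1.50", "10.20.1.51"},
}


@dataclass
class Session:
    ts: datetime   # when the engineering-software connection was accepted (UTC)
    src: str       # address the connection came from
    plc: str       # controller identifier
    action: str    # upload / download / online_edit / force


@dataclass
class Window:
    plc: str
    start: datetime
    end: datetime
    ticket: str    # change record authorising the work


def evaluate(session: Session, windows: List[Window]) -> List[str]:
    """Return the policy violations for one session (empty list = compliant)."""
    issues = []
    # Who, and from where: the source must be an approved workstation for this PLC.
    if session.src not in ALLOWED_SOURCES.get(session.plc, set()):
        issues.append(f"source {session.src} is not an approved engineering workstation for {session.plc}")
    # When: is there an approved maintenance window covering this controller and time?
    in_window = any(w.plc == session.plc and w.start <= session.ts <= w.end for w in windows)
    if session.action in WRITE_ACTIONS and not in_window:
        issues.append(f"{session.action} to {session.plc} outside any approved maintenance window")
    # Assumed operating hours 06:00-20:00 UTC; access outside them with no window is notable.
    if not in_window and not (6 <= session.ts.hour < 20):
        issues.append(f"engineering access to {session.plc} out of hours with no maintenance window")
    return issues


def audit(sessions: List[Session], windows: List[Window]) -> Dict[int, List[str]]:
    """Evaluate every session; the key is the session's index in the input list."""
    return {i: evaluate(s, windows) for i, s in enumerate(sessions)}


# Constructed records for the demonstration.
WINDOWS = [
    Window("plc-ww-01", datetime(2026, 3, 14, 8, 0, tzinfo=UTC),
           datetime(2026, 3, 14, 12, 0, tzinfo=UTC), "CHG-0417"),
]
SESSIONS = [
    Session(datetime(2026, 3, 14, 8, 5, tzinfo=UTC), "10.20.1.50", "plc-ww-01", "download"),
    Session(datetime(2026, 3, 14, 2, 11, tzinfo=UTC), "198.51.100.23", "plc-ww-01", "upload"),
    Session(datetime(2026, 3, 14, 15, 30, tzinfo=UTC), "10.20.1.51", "plc-ww-02", "online_edit"),
]

if __name__ == "__main__":
    for idx, issues in audit(SESSIONS, WINDOWS).items():
        s = SESSIONS[idx]
        verdict = "OK" if not issues else "; ".join(issues)
        print(f"{s.ts.isoformat()} {s.src} -> {s.plc} {s.action}: {verdict}")
```

The second constructed session is the advisory's pattern: a project read from an unapproved, external address in the middle of the night, with no change ticket. Note that the third session is flagged even though it comes from an approved workstation, because an online edit with no maintenance window is exactly the kind of authorised-looking activity that root cause 2 describes; the allowlist alone would have passed it.
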

References

SOURCES

CISA/FBI/NSA/EPA/DOE/U.S. Cyber Command (AA26-097A), TechCrunch, Picus Security, 1898 Advisories/Burns & McDonnell, SecurityAffairs, CSO Online, CyberScoop/Censys, Utility Dive, CSIS, CrowdStrike