Iran cyber actors disrupting US water, energy facilities, FBI warns

Your PLCs aren't internet-connected, right? Right?!

The Register

Iranian-affiliated actors have escalated intrusions targeting critical US water and energy facilities, in some cases disrupting operations, the FBI and American cyber defense agencies said on Tuesday.

The US government alert comes as the war launched by the US and Israel enters its sixth week, with President Donald Trump threatening to wipe out Iran's civilization before Pakistan convinced him to agree to a two-week ceasefire.

Iran's cyber intrusions targeting critical infrastructure have been ongoing since March, according to the feds, and they aim to disrupt operational technology (OT) devices, specifically programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. 

PLCs are used to control and monitor industrial equipment in water treatment plants, food production sites, oil refineries, power grids, and other critical facilities, and they've been a longtime favorite target of Iranian cyber crews.

In 2023, the FBI and friends blamed a series of attacks targeting Unitronics Vision Series PLCs on CyberAv3ngers, a group affiliated with the Islamic Revolutionary Guard Corps (IRGC). These weren't sophisticated cyberattacks, however. CyberAv3ngers broke into US-based water facilities by using default passwords for internet-accessible PLCs.

A year later, the same crew infected PLCs, human-machine interfaces (HMIs), and other OT devices with custom malware, and used that access to remotely control US and Israel-based water and fuel management systems.

The latest round of OT-device attacks also targets PLCs, HMIs, and supervisory control and data acquisition (SCADA) displays, according to a joint alert from the FBI, CISA, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command.

"The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions - including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays - to US critical infrastructure organizations," the joint alert said. 

"These PLCs were deployed across multiple US critical infrastructure sectors within a wide variety of industrial automation processes … Some of the victims experienced operational disruption and financial loss," it continued.

The FBI declined to provide additional details about the disruptions.

A threat analyst, who asked to remain anonymous because of safety concerns, confirmed to The Register that Iran-linked attackers are "looking for opportunities to disrupt utilities here and in the Middle East."

Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Register that the FBI advisory "confirms what we've observed for months: Iran's cyber escalation follows a known playbook."

It's also worth noting that the energy and utilities sector was the fifth-most targeted industry in the US last month, according to Check Point's cyberattack tracking.

The security company, which has headquarters in Tel Aviv, documented "identical" targeting against Israeli PLCs last month, Shykevich said. 

"Iranian threat actors are now moving faster and broader and targeting both IT and OT infrastructure," he added. "It is not the first time Iranian actors are targeting operational technology in the US for disruption purposes, so organizations shouldn't treat this as a new threat, but as an accelerating one."

For companies, this means making sure systems are patched, multi-factor authentication has been turned on, and critical OT systems aren't exposed to the internet, Shykevich said. 

US government agencies also suggest that anyone using Rockwell Automation/Allen-Bradley-manufactured PLCs review the vendor's guidance, which includes disconnecting all internet-connected devices.

Plus, check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers. ®
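As an added illustration of the log check the agencies recommend (example code written for this piece, not from the advisory or any vendor), the following Python flags allowed connections from outside a plant's own address ranges to the four OT ports named above. The key=value log format, the internal ranges, the sample lines and the port-to-protocol labels are assumptions; mapping a flagged source to a hosting provider still needs ASN or GeoIP enrichment, which is left out here.

```python
import ipaddress
from collections import defaultdict

# Ports named in the advisory and the OT protocols conventionally carried on them.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O", 102: "S7comm", 502: "Modbus/TCP"}

# Ranges treated as "inside the plant" (assumption); any other source is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall export (key=value per line); external sources use RFC 5737 addresses.
SAMPLE_LOG = """\
ts=2025-04-01T02:11:09Z src=203.0.113.45 dst=10.20.0.15 dport=44818 proto=tcp action=allow
ts=2025-04-01T02:11:10Z src=10.20.0.7 dst=10.20.0.15 dport=44818 proto=tcp action=allow
ts=2025-04-01T02:12:30Z src=198.51.100.9 dst=10.20.0.16 dport=502 proto=tcp action=allow
ts=2025-04-01T02:13:00Z src=198.51.100.9 dst=10.20.0.16 dport=443 proto=tcp action=allow
ts=2025-04-01T02:14:12Z src=192.0.2.77 dst=10.20.0.18 dport=102 proto=tcp action=deny
ts=2025-04-01T02:15:40Z src=203.0.113.45 dst=10.20.0.15 dport=2222 proto=udp action=allow
"""

def parse_line(line):
    # Split "k=v k=v ..." into a dict; the port becomes an int for the lookup below.
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ot_sessions(log_text, only_allowed=True):
    """Events where an external host reached an OT port; denied ones included on request."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev["dport"] not in OT_PORTS or not is_external(ev["src"]):
            continue
        if only_allowed and ev["action"] != "allow":
            continue
        ev["protocol_name"] = OT_PORTS[ev["dport"]]
        hits.append(ev)
    return hits

def summarize_by_source(hits):
    """Group (dst, port) pairs per external source for ASN / hosting-provider enrichment."""
    summary = defaultdict(set)
    for ev in hits:
        summary[ev["src"]].add((ev["dst"], ev["dport"]))
    return {src: sorted(pairs) for src, pairs in summary.items()}
```

Run against the sample, two external sources are reported: one touching EtherNet/IP ports on a single controller, one touching Modbus; the denied S7comm attempt only appears when `only_allowed=False`.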