Hackers working on behalf of the Iranian government are disrupting operations at multiple US critical infrastructure sites, likely in response to the country’s ongoing war with the US, a half-dozen government agencies are warning.
In an advisory published Tuesday, the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command “urgently” warned that the APT, or advanced persistent threat group, is targeting PLCs, short for programmable logic controllers. These devices, typically the size of a toaster, sit in factories, water treatment centers, oil refineries, and other industrial settings, often in remote locations. They provide an interface between computers used for automation and physical machinery.
Operational disruption and financial loss
“Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the advisory stated. “These PLCs were deployed across multiple US critical infrastructure sectors (including Government Services and Facilities, Waste Water Systems (WWS), and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
Among the PLCs being compromised or targeted are those made by Rockwell Automation/Allen-Bradley. Security firm Censys said Wednesday that an Internet scan it performed identified 5,219 such devices exposed to the Internet. A full 75 percent of them were located in the US, likely at remote sites where the equipment is installed. The infrastructure being used to target the devices is a “single multi-home Windows engineering workstation running the Rockwell tool chain.”
“The current campaign involves direct access to internet-exposed PLCs using legitimate vendor software (Rockwell Studio 5000 Logix Designer), enabling actors to interact with project files and manipulate HMI/SCADA display data without requiring zero-day exploitation,” the company said. “Confirmed targeted device families include CompactLogix and Micro850.”
The workstation connects to PLCs using Remote Desktop Protocol over the non-standard TCP port 43589. It uses a self-signed certificate with the common name DESKTOP-BOE5MUC. The hosts also expose a full Windows protocol stack (DCERPC/135, MSMQ, NetBIOS).
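The fingerprints above (the non-standard RDP port and the self-signed certificate's common name) can be turned into a simple log check. The following is an added example, not code from the article, the advisory, or Censys; it assumes Zeek-style connection records flattened to dicts, and it additionally flags EtherNet/IP (TCP 44818, the Rockwell CIP port, an assumed value not given in the article) sessions that reach a PLC from outside a defender-defined OT address range, which is the exposure the article describes.

```python
"""Flag network-log records matching the workstation indicators above,
plus engineering-protocol sessions reaching PLCs from outside the OT range.
Added example; the port 43589 and CN come from the article, TCP 44818 and
the OT network range are assumptions."""
import ipaddress

RDP_PORT = 43589                      # non-standard RDP port from the advisory
WORKSTATION_CN = "DESKTOP-BOE5MUC"    # self-signed cert CN from the advisory
ENIP_PORT = 44818                     # EtherNet/IP (CIP); assumed, not from the article
OT_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]  # hypothetical OT range


def inside_ot(ip: str) -> bool:
    """True if the address falls inside one of the configured OT networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def classify(rec: dict) -> list:
    """Return the reasons a record is suspicious (empty list if none)."""
    hits = []
    # Server certificate matching the engineering workstation's self-signed CN.
    if rec.get("cert_subject_cn", "").upper() == WORKSTATION_CN:
        hits.append("cert-cn-match")
    # RDP on the non-standard port named in the advisory.
    if rec.get("proto") == "tcp" and rec.get("dst_port") == RDP_PORT:
        hits.append("rdp-43589")
    # Engineering-protocol session to a PLC from a non-OT source: the kind of
    # Internet exposure the scan described above, whoever the peer is.
    if rec.get("dst_port") == ENIP_PORT and not inside_ot(rec["src_ip"]):
        hits.append("enip-from-outside-ot")
    return hits


def scan(records):
    """Return (uid, reasons) for every record with at least one hit."""
    return [(r["uid"], classify(r)) for r in records if classify(r)]


SAMPLE = [  # constructed records; TEST-NET addresses stand in for outside hosts
    {"uid": "C1", "src_ip": "203.0.113.7", "dst_ip": "10.1.1.20",
     "proto": "tcp", "dst_port": 44818},
    {"uid": "C2", "src_ip": "10.1.1.5", "dst_ip": "10.1.1.20",
     "proto": "tcp", "dst_port": 44818},
    {"uid": "C3", "src_ip": "10.1.1.5", "dst_ip": "198.51.100.9",
     "proto": "tcp", "dst_port": 43589, "cert_subject_cn": "desktop-boe5muc"},
    {"uid": "C4", "src_ip": "10.1.1.5", "dst_ip": "10.1.1.30",
     "proto": "tcp", "dst_port": 3389},
]

if __name__ == "__main__":
    for uid, reasons in scan(SAMPLE):
        print(uid, ", ".join(reasons))
```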
Tuesday’s advisory said that other operational technology protocols, such as Modbus S7/10, are also being probed, indicating that PLCs from other manufacturers are also being targeted.
Hackers working on behalf of Iran’s Islamic Revolutionary Guard Corps have attacked US industrial sites before. In 2023, a group known as the “CyberAv3ngers” disrupted US-based PLCs and human-machine interfaces. At least 75 devices inside multiple critical infrastructure sectors were compromised.
In mid-March, just one day after the US and Israel launched air strikes on Iran, multinational medical device maker Stryker confirmed a cyberattack that took down much of its infrastructure for several days. Researchers further confirmed that a pro-Iranian hacking group known as Handala was responsible, as the group had claimed on social media. Handala was also behind last month’s hack of a personal email account belonging to FBI Director Kash Patel. In an email, security firm Flashpoint said that pro-Iran proxy groups are also successfully DDoSing against “major platforms like Netflix and Pinterest, as well as Australian government portals.”
Both Tuesday and Wednesday’s advisories provide the IP addresses and other identifiers of the attackers’ infrastructure. They also provide guidance for locking down PLCs. As the war with Iran continues, these sorts of cyberattacks are likely to escalate.