xiand.ai
Apr 8, 2026 · Updated 08:43 PM UTC
Cybersecurity

US Government Warns of Iranian Hackers Targeting Critical Infrastructure PLCs

A coalition of US federal agencies has issued a joint alert warning that Iranian-linked hackers are targeting internet-connected Rockwell Automation programmable logic controllers to disrupt critical infrastructure.

Ryan Torres

Industrial PLC control hardware

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Department of Energy issued a joint security advisory today, warning of ongoing malicious activity by Iranian-linked hacking groups.

The report states that since March 2026, these groups have been targeting internet-facing programmable logic controllers (PLCs) within critical infrastructure organizations. The affected sectors include government facilities, water systems, and the energy industry, with attacks already resulting in operational disruptions and financial losses.

“The FBI assesses that these Iranian-linked advanced persistent threat (APT) actors are attempting to damage critical infrastructure by maliciously accessing project files and manipulating human-machine interface (HMI) and supervisory control and data acquisition (SCADA) system data,” the joint advisory stated.

Authorities believe the frequency of these attacks against US targets has escalated recently, likely as a direct response to heightened tensions between Iran, the US, and Israel. Investigations indicate that the attackers have successfully extracted device project files and tampered with monitoring data displayed on operator screens.

Strengthening Industrial Control System Defenses

This follows a November 2023 warning regarding the CyberAv3ngers, a hacking group affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC), which exploited vulnerabilities in Unitronics operational technology (OT) systems. Between November 2023 and January 2024, the group compromised at least 75 PLCs, half of which were located within water system networks.

To mitigate these threats, cybersecurity experts recommend immediate defensive measures. First, PLC devices should be disconnected from the public internet or strictly isolated behind firewalls. Furthermore, administrators should audit logs for the indicators of compromise cited in the advisory and closely monitor OT port traffic, particularly for unusual connections originating from overseas hosting providers.

Officials also recommend implementing multi-factor authentication (MFA) for all OT network access and ensuring that PLC firmware is kept up to date. All unused services and default authentication keys should be disabled to minimize the potential attack surface.
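The log-auditing step above is easiest to see in code. The following is an added example, not code from the advisory or from any vendor: it reads firewall-style connection logs, keeps only sessions to well-known PLC/ICS service ports (Rockwell's EtherNet/IP on TCP 44818, Modbus/TCP 502, Unitronics PCOM 20256, assumed here to be the protocols in use), and flags any that were allowed from a source outside the internal ranges or an explicit allowlist. The key=value log format, the sample lines (documentation addresses, constructed for this example) and the choice of internal ranges are assumptions; attributing a flagged source to an overseas hosting provider would need a separate ASN/geolocation lookup and is not shown.

```python
"""Flag inbound sessions to PLC/ICS service ports from untrusted sources.

Added example (not code from the advisory or from any vendor). Log format
is a constructed key=value firewall-style line; adapt parse_line() to yours.
"""
import ipaddress
from collections import Counter

# ICS service ports to watch. Assumption: these are the protocols in use on
# the monitored network; extend for your own estate.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (Rockwell CIP)",
    2222: "EtherNet/IP implicit I/O",
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",
}

# Ranges that are legitimately allowed to talk to PLCs. RFC 1918 plus loopback
# here; in practice narrow this to the OT VLANs and engineering subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
ts=2026-04-08T01:12:03Z src=10.20.5.17 dst=10.20.7.40 dport=44818 proto=tcp action=allow
ts=2026-04-08T01:14:55Z src=203.0.113.77 dst=198.51.100.12 dport=44818 proto=tcp action=allow
ts=2026-04-08T01:15:10Z src=203.0.113.77 dst=198.51.100.12 dport=44818 proto=tcp action=allow
ts=2026-04-08T01:16:42Z src=192.0.2.9 dst=198.51.100.12 dport=502 proto=tcp action=allow
ts=2026-04-08T01:17:01Z src=10.20.5.17 dst=10.20.7.41 dport=443 proto=tcp action=allow
ts=2026-04-08T01:18:30Z src=198.51.100.200 dst=198.51.100.12 dport=20256 proto=tcp action=deny
garbage line that should be skipped
"""


def parse_line(line):
    """Parse one key=value log line; return None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "ts": fields.get("ts", "?"),
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "action": fields.get("action", "allow"),
        }
    except (KeyError, ValueError):
        return None


def is_trusted(addr, allowlist=()):
    """True if addr falls inside an internal range or an explicit allowlist."""
    return any(addr in net for net in list(INTERNAL_NETS) + list(allowlist))


def find_exposed_ot_sessions(log_text, allowlist=()):
    """Return allowed sessions to OT ports whose source is not trusted.

    Denied connections are dropped on purpose: the perimeter did its job, and
    they belong in a scanning-noise report rather than a PLC-access alert.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS:
            continue
        if rec["action"] != "allow" or is_trusted(rec["src"], nets):
            continue
        rec["service"] = OT_PORTS[rec["dport"]]
        hits.append(rec)
    return hits


def sessions_by_source(hits):
    """Count flagged sessions per source so repeat offenders rise to the top."""
    return Counter(str(h["src"]) for h in hits)


if __name__ == "__main__":
    found = find_exposed_ot_sessions(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} {h["service"]}')
    print(sessions_by_source(found).most_common())
```

Run against the sample, the script flags the two EtherNet/IP sessions from 203.0.113.77 and the Modbus session from 192.0.2.9, ignores the internal and HTTPS traffic, and drops the denied PCOM probe. Any source that shows up in this report at all is worth a look, because a correctly segmented PLC should never accept a session from outside the OT network; if a vendor or integrator legitimately needs remote access, add their range to the allowlist rather than widening INTERNAL_NETS.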

Beyond infrastructure-focused attacks, the scope of Iranian hacking operations has recently expanded. Last month, the pro-Palestinian group Handala targeted US medical giant Stryker, wiping data from approximately 80,000 devices across the company’s network, including employee mobile devices and PCs. The FBI also warned that hackers linked to the Iranian Ministry of Intelligence and Security (MOIS) are actively using the Telegram platform to distribute malware.
