Iran-Linked Hackers Target Internet-Facing PLCs, Disrupt U.S. Critical Systems

U.S. agencies warned that Iran-affiliated cyber actors are targeting internet-exposed operational technology devices across critical infrastructure. The FBI said, “These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss.”

The incidents focus on programmable logic controllers made by Rockwell Automation and Allen-Bradley. The advisory named CompactLogix and Micro850 models. It said attackers used configuration software to create legitimate-looking connections to those devices.

How the attackers work

The FBI and the advisory explained the method in clear terms. Threat actors rented third-party hosting and used legitimate configuration tools such as Rockwell Automation’s Studio 5000 Logix Designer to connect to PLCs. Then they installed Dropbear, a Secure Shell implementation, on victim endpoints to enable remote access through port 22.

That access let the attackers extract the PLC project file. It also let them change the data shown on human-machine interface and SCADA screens. The advisory said those manipulations reduced PLC functionality and in some cases caused operational disruption.

Check Point Research added context. Sergey Shykevich, threat intelligence group manager at Check Point Research, said, “Iran’s cyber escalation follows a known playbook. Iranian threat actors are now moving faster and broader and targeting both IT and OT infrastructure.” His point shows this activity is part of a wider campaign, not isolated probes.

Broader influence and coordination

Researchers at DomainTools Investigations described a linked set of hacktivist personas and proxy groups. DTI said those groups function as part of “a single, coordinated cyber influence ecosystem” aligned with Iran’s Ministry of Intelligence and Security. DTI added that public domains and Telegram channels are used both to amplify messaging and to support command-and-control operations.

Flashpoint reported a new surge in distributed denial-of-service attacks and claims of hack-and-leak operations against Western and Israeli targets. JUMPSEC linked MuddyWater to tooling shared with criminal ecosystems and described how remote access trojans and loaders are being repurposed. Recorded Future has previously tracked variants such as CastleRAT under the moniker GrayBravo, and JUMPSEC reported a PowerShell deployer that dropped JavaScript-based malware named ChainShell and a botnet component called Tsundere.

Broadcom, Ctrl-Alt-Intel, and Check Point also flagged growing ties between Iranian state-directed actors and off-the-shelf criminal tools. The vendors said this mix of state intent and commercial tooling complicates attribution and raises the threat level for critical sectors.

Past incidents and ongoing risk

Security reporting by The Hacker News noted that in late 2023, a group known as Cyber Av3ngers was linked to exploitation of Unitronics PLCs that affected the Municipal Water Authority of Aliquippa. Reporting said at least 75 devices were compromised in that episode. That incident shows the risk to water and wastewater systems as well as energy and government facilities.

These cases underline a pattern. The FBI advisory and multiple vendor reports make a clear point: threat actors are targeting OT with tools and tactics that mimic legitimate configuration and management workflows.

Practical steps for defenders

The FBI and the advisory urged concrete hardening steps. They recommended that organizations avoid exposing PLCs directly to the internet. They advised using a physical or software switch to prevent remote modification. They also recommended multi-factor authentication and placing a firewall or network proxy in front of PLCs to control access.

Vendors and researchers also recommended keeping PLC firmware and software up-to-date. They said to disable unused authentication features and monitor for unusual traffic patterns to detect unauthorized SSH connections or unexpected project file downloads.
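The monitoring recommendation above can be turned into a simple first-pass check over network flow records. The following is an added example, not code from the advisory or any vendor: it flags SSH sessions reaching the OT segment (the Dropbear access path described earlier) and PLC configuration-protocol sessions that either come from a host other than the approved engineering workstation or move enough data to suggest a project file being pulled. The subnet, workstation address, log line format, byte threshold, and the use of TCP 44818 (EtherNet/IP, the protocol Studio 5000 uses to reach Logix controllers) are assumptions about a hypothetical environment.

```python
"""Flag OT flow records matching two warning signs from the advisory:
SSH reaching OT hosts, and PLC configuration sessions from unapproved hosts
or that look like a project file extraction. All values are constructed."""
import ipaddress
from dataclasses import dataclass

OT_SUBNET = ipaddress.ip_network("10.50.0.0/24")   # assumed PLC/HMI segment
ENGINEERING_WORKSTATIONS = {"10.50.0.10"}           # assumed approved Studio 5000 host
SSH_PORT = 22                                       # Dropbear listens here per the advisory
ENIP_PORT = 44818                                   # EtherNet/IP, assumed PLC config protocol port


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes returned from dst to src; a project download is large


def parse_flow(line: str) -> Flow:
    # Constructed format: "<ts> <src> -> <dst>:<dport> bytes_out=<n>"
    ts, src, _, dst_port, bytes_field = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(dport), int(bytes_field.split("=", 1)[1]))


def analyze(lines, download_threshold=200_000):
    """Return (timestamp, finding, src, dst) tuples for suspicious OT flows."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if ipaddress.ip_address(f.dst) not in OT_SUBNET:
            continue  # only traffic reaching the OT segment is in scope here
        if f.dport == SSH_PORT:
            findings.append((f.ts, "ssh-to-ot-host", f.src, f.dst))
        elif f.dport == ENIP_PORT and f.src not in ENGINEERING_WORKSTATIONS:
            findings.append((f.ts, "plc-config-from-unapproved-host", f.src, f.dst))
        elif f.dport == ENIP_PORT and f.bytes_out > download_threshold:
            findings.append((f.ts, "large-plc-transfer-possible-project-extraction", f.src, f.dst))
    return findings


SAMPLE_FLOWS = [  # constructed sample records, not real telemetry
    "2024-01-01T10:00:00Z 10.50.0.10 -> 10.50.0.50:44818 bytes_out=4096",      # routine engineering poll
    "2024-01-01T10:05:00Z 203.0.113.7 -> 10.50.0.50:44818 bytes_out=1500000",  # outside host reaches PLC
    "2024-01-01T10:06:00Z 203.0.113.7 -> 10.50.0.60:22 bytes_out=2048",        # SSH into an OT endpoint
    "2024-01-01T10:07:00Z 10.50.0.10 -> 10.50.0.50:44818 bytes_out=900000",    # approved host, large pull
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(*finding)
```

In practice the allowlist and threshold would be populated from the site's asset inventory and a baseline of normal engineering traffic rather than hard-coded.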

These actions will not stop every attacker. But the combination of network segmentation, strict access controls, and vigilant monitoring raises the cost for adversaries and reduces the chance of disruptive outcomes.

Security teams should follow advisories from the FBI and their vendors and combine those recommendations with threat intelligence from firms such as Check Point Research, DomainTools Investigations, JUMPSEC, and Flashpoint. Those groups are tracking actor behavior and sharing indicators that help defenders respond faster.