Iranian Cyberattacks Target Nearly 4,000 US Industrial Devices

High severity — significant development or major threat actor activity
Basically, hackers linked to Iran are attacking thousands of US industrial machines online.
Iranian-linked hackers have targeted nearly 4,000 US industrial devices, raising alarms about critical infrastructure security. This ongoing threat could disrupt operations and cause significant losses. Immediate action is needed to protect these vulnerable systems.
What Happened
Iranian state-backed hackers have launched a series of cyberattacks targeting U.S. critical infrastructure networks. The focus has been on programmable logic controllers (PLCs) manufactured by Rockwell Automation, with nearly 4,000 devices exposed to the Internet. This alarming trend was highlighted in a recent joint advisory from multiple U.S. federal agencies.
The attacks began in March 2026 and have resulted in operational disruptions and financial losses for affected organizations. The FBI has reported that these attacks have led to the extraction of sensitive project files and manipulation of data on Human-Machine Interface (HMI) and SCADA displays.
Who's Affected
The primary targets of these attacks are U.S. industrial organizations utilizing Rockwell Automation's PLC devices. According to cybersecurity firm Censys, approximately 74.6% of the 5,219 internet-exposed Rockwell devices globally are located in the United States, with 3,891 hosts identified as vulnerable.
What Data Was Exposed
The attacks have compromised critical operational data, including project files and real-time operational data displayed on HMI systems. This data manipulation poses significant risks to the operational integrity of affected systems, especially in sectors reliant on automation and control systems.
What You Should Do
To mitigate the risks associated with these ongoing cyberattacks, network defenders are advised to take several proactive measures:
- Secure PLCs: Use firewalls to restrict access or disconnect devices from the Internet.
- Monitor Logs: Regularly scan logs for signs of malicious activity and check for suspicious traffic, particularly from overseas.
- Implement MFA: Enforce multifactor authentication for access to operational technology (OT) networks.
- Update Devices: Keep all PLC devices up to date with the latest security patches.
- Disable Unused Services: Turn off any services or authentication methods that are not in use.
This recent wave of cyberattacks follows a pattern of similar threats from Iranian-affiliated groups, notably the CyberAv3ngers, who previously targeted vulnerabilities in U.S.-based operational technology systems. Such persistent threats underscore the urgent need for enhanced cybersecurity measures across critical infrastructure sectors.
🔍 How to Check If You're Affected
1. Check for unusual access logs on PLC devices.
2. Scan for unauthorized changes in HMI and SCADA displays.
3. Monitor network traffic for connections from foreign IP addresses.
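As an added example (not code from the advisory or from any of the reports this page cites), the script below applies the log-monitoring advice in the two lists above: it flags every PLC that accepted a connection on an EtherNet/IP port from a source outside the plant network or its allowlist. TCP 44818 and UDP 2222 are the ports Rockwell's EtherNet/IP stack uses; the firewall log format, the allowlist and the sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# EtherNet/IP (CIP) ports used by Rockwell controllers: TCP 44818 for explicit
# messaging, UDP 2222 for implicit I/O. A connection to these ports from outside
# the plant network means the PLC is reachable from the Internet.
PLC_PORTS = {44818, 2222}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed allowlist: a remote-engineering VPN range that may talk to PLCs.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/26")]

def is_trusted(src: str) -> bool:
    """True if the source is an RFC 1918 address or inside the allowlist."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918 + TRUSTED_NETS)

def parse_line(line: str) -> dict:
    """Parse one constructed firewall log line of space-separated key=value pairs."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    return rec

def find_exposed_plcs(lines):
    """Map each PLC that accepted a CIP-port connection from an untrusted source
    to the list of those source addresses (DENY entries are ignored)."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in PLC_PORTS and rec["action"] == "ALLOW" and not is_trusted(rec["src"]):
            hits[rec["dst"]].append(rec["src"])
    return dict(hits)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
ts=2026-03-02T01:12:09Z src=10.20.4.7 dst=10.20.9.15 dport=44818 proto=tcp action=ALLOW
ts=2026-03-02T01:12:31Z src=198.51.100.23 dst=10.20.9.15 dport=44818 proto=tcp action=ALLOW
ts=2026-03-02T01:13:02Z src=203.0.113.9 dst=10.20.9.16 dport=2222 proto=udp action=ALLOW
ts=2026-03-02T01:13:40Z src=203.0.113.9 dst=10.20.9.15 dport=443 proto=tcp action=ALLOW
ts=2026-03-02T01:14:05Z src=192.0.2.77 dst=10.20.9.15 dport=44818 proto=tcp action=DENY
ts=2026-03-02T01:15:22Z src=192.0.2.200 dst=10.20.9.15 dport=44818 proto=tcp action=ALLOW
"""

if __name__ == "__main__":
    for plc, sources in find_exposed_plcs(SAMPLE_LOG.splitlines()).items():
        print(f"{plc}: CIP port reached from untrusted source(s) {', '.join(sources)}")
```

Only ALLOW entries count, so a PLC that is already firewalled off from the Internet does not show up even when it is being probed.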
🔒 Pro insight: The targeting of PLCs indicates a strategic shift towards disrupting critical infrastructure, necessitating immediate defensive measures across all sectors.
Also covered by
Nearly 4K industrial control devices vulnerable to Iran-linked hacking campaign