Imagine if hackers could break into the machines that control water and electricity. That's what's happening with Iranian hackers targeting important U.S. systems. It's like someone messing with the controls of a train or a water plant, which could cause big problems.
What Happened
Imagine waking up to find that your favorite local airport and bank have been breached by hackers. This is the reality that several US organizations are facing. Iranian hackers have infiltrated networks of a US airport, a bank, and a software company since February. This alarming trend shows a growing presence of foreign cyber threats right in our backyard.
The attacks were not just random; they were part of a systematic effort by an Iranian Advanced Persistent Threat (APT) group, believed to have ties to the Iranian government. Recent reports indicate that these hackers are also targeting critical infrastructure, specifically Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) used in various sectors such as energy and water systems. The FBI warns that these ongoing attacks have resulted in financial losses and operational disruptions since March 2026. Their goal? To gather sensitive information and potentially disrupt critical services.
Critical Infrastructure Targeted
In a joint advisory published by multiple U.S. agencies, including the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency (CISA), it was revealed that Iranian-affiliated hackers are conducting exploitation activities targeting operational technology devices, including PLCs. These devices, often the size of a toaster, are crucial for automation in factories, water treatment centers, and oil refineries. The advisory noted that hackers have manipulated data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, potentially causing dangerous conditions in some cases.
Rob Lee, CEO of Dragos, emphasized that Iranian actors have shown a consistent ability to understand control loops and physical processes, indicating a serious risk of physical damage to critical systems. The advisory highlighted that this activity is part of a broader campaign linked to the Iranian Revolutionary Guard Corps (IRGC), which has previously targeted similar systems.
Recent reports indicate that these Iranian-affiliated actors have escalated their intrusions, disrupting operations at critical US water and energy facilities. The FBI noted that these attacks are part of a broader escalation in cyber activities coinciding with geopolitical tensions, particularly following the ongoing conflict involving the US and Israel. The intent behind these cyber intrusions is not only to gather intelligence but also to cause operational disruptions, as evidenced by previous attacks that exploited default passwords on internet-connected PLCs.
Escalation of Tactics
The U.S. government has issued warnings that Iranian-backed hackers are escalating their tactics by specifically targeting American critical infrastructure systems. The advisory states that these hackers aim to cause significant disruption, and that their activity has already resulted in operational disruption and financial loss across various sectors, including water and wastewater utilities, energy, and local government facilities. The hackers have been able to manipulate information displayed on PLCs and SCADA systems, maliciously interacting with the project files that store essential device configurations.
The advisory also revealed that the hackers used leased overseas infrastructure and legitimate Rockwell Automation configuration software to connect to victim PLCs. This included CompactLogix and Micro850 devices that were left directly exposed to the public internet. Security firm Censys reported that an Internet scan identified over 5,200 such devices exposed, with a significant majority located in the US. Once inside, the attackers extracted project files, altered SCADA and HMI display data, and installed remote access software to maintain a persistent foothold. The attacks have compromised at least 75 devices across critical infrastructure sectors since March 2026.
Additionally, new intelligence suggests that the Iranian hackers are employing sophisticated social engineering tactics to gain initial access, such as spear-phishing campaigns targeting employees in key positions within these organizations. This highlights the need for organizations to bolster their training programs to recognize and mitigate such threats.
Industry experts have noted that the threat landscape is further complicated by the fact that many organizations remain unaware of the vulnerabilities presented by internet-exposed operational technology devices. According to Censys, nearly 3,891 Rockwell Automation devices are exposed online in North America alone, creating a vast attack surface for these threat actors.
New Insights on Attack Methods
Recent intelligence has confirmed that Iranian actors are using advanced techniques to gain access to PLCs. They have been observed deploying Dropbear, a lightweight Secure Shell (SSH) implementation, on victim endpoints to establish command-and-control capabilities over TCP port 22. This allows them to extract project files and manipulate display data on HMI and SCADA systems, further emphasizing the need for robust security measures.
Moreover, the advisory warns organizations to prevent remote modifications of PLCs by implementing multi-factor authentication (MFA) and erecting firewalls or network proxies in front of these devices. The report also highlights the significant risk posed by the use of third-party hosted infrastructure, which has been leveraged by these hackers to create accepted connections to victim PLCs.
Recommendations for Organizations
In response to these breaches, cybersecurity experts are working diligently to assess the damage and fortify defenses. Organizations affected are urged to take immediate action:
- Update security protocols and software.
- Monitor network traffic for unusual activity.
- Educate employees on recognizing phishing attempts.
- Implement secure gateways and firewalls to protect PLCs from direct internet exposure.
- Query available logs for the IOCs provided in the advisory and check for suspicious traffic on relevant ports.
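One way to act on the last two recommendations, as an added example that is not from the advisory or this article: a small Python triage script that runs over a constructed firewall connection log and flags allowed connections into the PLC range that come from outside the enterprise, touch the port the advisory ties to Dropbear SSH, or match an advisory indicator. The OT address range, the internal networks, the log format and the IOC entry are all assumptions for the example; TCP 44818 as the EtherNet/IP port is general knowledge, not a value taken from this page.

```python
import ipaddress
from collections import namedtuple

# Constructed sample firewall log (not from the advisory): ts src dst dport proto action
SAMPLE_LOG = """\
2026-03-14T02:11:07Z 203.0.113.45 10.1.0.10 44818 tcp allow
2026-03-14T02:11:09Z 203.0.113.45 10.1.0.10 22 tcp allow
2026-03-14T02:15:00Z 10.20.30.5 10.1.0.10 44818 tcp allow
2026-03-14T03:40:21Z 198.51.100.7 10.1.0.11 80 tcp allow
2026-03-14T04:00:00Z 10.20.30.6 10.20.30.7 443 tcp allow
2026-03-14T04:05:13Z 198.51.100.7 10.1.0.11 22 tcp deny
"""

# Site layout assumed for the example: PLCs live in OT_NET, other RFC 1918
# space is enterprise; any other source is treated as internet-facing.
OT_NET = ipaddress.ip_network("10.1.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Port 22 is where the advisory places Dropbear SSH command-and-control.
# TCP 44818 is the standard EtherNet/IP port Rockwell controllers listen on
# (general knowledge, not a value from this page).
WATCH_PORTS = {22: "ssh-possible-dropbear-c2", 44818: "ethernet-ip-plc-access"}
# Placeholder: load the indicators published in the advisory here.
ADVISORY_IOCS = {"203.0.113.45"}  # constructed documentation address
Finding = namedtuple("Finding", "ts src dst dport reasons")

def parse_line(line):
    ts, src, dst, dport, proto, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, action

def triage(log_text):
    """Return allowed connections into the OT range that an analyst should review."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, dport, _proto, action = parse_line(line)
        if action != "allow" or dst not in OT_NET:
            continue
        reasons = []
        if not any(src in net for net in INTERNAL_NETS):
            reasons.append("external-source-to-ot")  # PLC reachable from the internet
        if dport in WATCH_PORTS:
            reasons.append(WATCH_PORTS[dport])
        if str(src) in ADVISORY_IOCS:
            reasons.append("advisory-ioc-match")
        # Internal engineering-workstation traffic on the vendor port alone is routine.
        if reasons and reasons != ["ethernet-ip-plc-access"]:
            findings.append(Finding(ts, str(src), str(dst), dport, tuple(reasons)))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed log yields three findings: two from the IOC address (one on 44818, one on 22) and one external connection on port 80, while the internal engineering session and the denied SSH attempt are left out.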
Moreover, industry professionals recommend that organizations disconnect PLCs from publicly accessible networks and enforce strict access controls. The advisory emphasizes that PLCs should never be directly accessible from the internet, and organizations should adopt zero trust architectures to strengthen their security posture.
As we navigate this cyber landscape, remember that staying informed and vigilant is your best defense against such threats.
The ongoing cyber threats from Iranian hackers highlight the urgent need for organizations to enhance their cybersecurity measures, particularly for internet-exposed operational technology devices.