Federal cybersecurity and law enforcement agencies warned Tuesday that Iranian-linked hackers are targeting internet-exposed programmable logic controllers used across U.S. critical infrastructure, including the energy and water sectors, in a campaign that officials said is aimed at causing disruption.
In a joint advisory, the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and U.S. Cyber Command's Cyber National Mission Force said the activity is focused in part on Rockwell Automation Allen-Bradley devices and follows a broader pattern of Iranian cyber operations against poorly secured industrial systems.
"The FBI assesses a group of Iranian-affiliated APT actors [that] are targeting internet-exposed PLCs with the intent to cause disruptions, including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays, to U.S. critical infrastructure organizations," the advisory said, using the abbreviation for advanced persistent threat.
The agencies said the attacks have hit organizations in critical infrastructure sectors, including government facilities, water and wastewater systems, and energy, and have led to financial losses and operational disruptions since March.
Officials urged operators to remove operational technology and industrial control assets from direct public internet exposure, secure remote access, review logs for indicators of compromise, and watch for suspicious traffic on OT ports, especially traffic from overseas hosting providers.
The warning lands amid heightened tensions tied to the conflict involving Iran, the United States, and Israel, and federal agencies have repeatedly cautioned that Iranian-affiliated actors often exploit unpatched devices, outdated software, and default passwords when looking for targets of opportunity.
"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel," the advisory said.
The campaign echoes the 2023 and 2024 OT port intrusions tied to Iran's Islamic Revolutionary Guard Corps, when attackers targeted Israeli-made Unitronics PLCs and HMIs at water and wastewater, energy, food and beverage manufacturing, and healthcare facilities, including dozens of U.S. victims.
In Pennsylvania, hackers breached equipment used by the Municipal Water Authority of Aliquippa and displayed an anti-Israel message on the control interface, prompting a multiagency U.S. warning about the risks posed by internet-exposed industrial systems with default or no passwords.
The broader threat picture has also sharpened in recent weeks, with The Associated Press reporting in March that pro-Iranian hackers were expanding activity that could pull in American defense contractors, power stations, and water plants as the war intensified.
Industry groups said they are stepping up monitoring, with Kimberly Mielcarek, vice president of the North American Electric Reliability Corp., saying the grid watchdog sent an "all-points bulletin" urging "industry vigilance."
"Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners," she said.
Still, federal officials have said they are not yet seeing a broad surge in malicious cyber activity attributed to Iran, even as they continue to warn critical infrastructure operators not to let down their guard.
"We're seeing a steady state, we have not seen a rise in threat actor activity, which is fantastic, but again we can't take our eyes off," acting CISA Director Nick Andersen said last month.
Theodore Bunker ✉
Theodore Bunker, a Newsmax writer, has more than a decade covering news, media, and politics.
© 2026 Newsmax. All rights reserved.