Several critical infrastructure organizations in the US were disrupted by Iran-linked cyberattacks that impacted operational technology (OT) devices, according to an urgent warning from federal agencies on Tuesday.
In a joint advisory, the FBI, CISA, NSA, EPA, DOE, and United States Cyber Command warned that attacks in recent weeks have targeted devices spanning multiple sectors, including government services and facilities (including local municipalities), water and wastewater systems, and energy sectors.
The federal agencies say that Iranian-linked threat actors are actively targeting internet-exposed programmable logic controllers (PLCs), particularly those manufactured by Rockwell Automation/Allen-Bradley, though other vendors may also be at risk.
“As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays,” the advisory explains.
“Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section to reduce the risk of compromise,” the advisory continued.
Similar activity by CyberAv3ngers
According to the authoring agencies, the campaign has similar activity to earlier operations attributed to Iran-linked groups such as CyberAv3ngers, which previously targeted PLCs in US infrastructure sectors.
CyberAv3ngers is a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has made previous headlines for its attacks on the water sector.
In October 2024, artificial intelligence giant OpenAI said the CyberAv3ngers hackers used its popular ChatGPT tool to plan ICS attacks. OpenAI said accounts associated with the group used ChatGPT to conduct reconnaissance, but also to help them with vulnerability exploitation, detection evasion, and post-compromise activity.
The group has targeted industrial control systems (ICS) at a water utility in Ireland (the attack left people without water for two days), a water utility in Pennsylvania, and other water facilities in the United States.
Federal agencies are urging organizations to assume they may be targeted and to proactively assess their OT environments for vulnerabilities before attackers exploit them.
Indicators of Compromise (IOCs)
Downloadable lists of IOCs have been made available in both XML and JSON formats:
The attacks are part of a wider pattern of escalating Iran-linked operations. On March 11, medical technology giant Stryker was targeted by the Handala group, which reportedly wiped more than 200,000 of the company’s devices.
Late last month, the United States government officially linked the notorious Handala hacker group to the Iranian government. The announcement came amid the takedown of several websites used by Handala.
Handala has been on the radar of cybersecurity firms for years, but it gained widespread attention in recent weeks after ramping up its activity following the start of the US-Israel-Iran conflict.
In a separate incident, Handala hacked FBI Director Kash Patel’s personal email account, releasing photos and emails allegedly taken from the inbox, though authorities said no government information was exposed.
In December 2025, the US government announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
Recent analysis by cybersecurity firm Augur Security revealed a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to weather kinetic strikes and ensure the resilience of its global hacking operations.
Related: Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury
Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare
Related: Iran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting Tool
