Iranian Cyber Actors Target U.S. Critical Infrastructure Amid Escalating Geopolitical Tensions

These attacks highlight vulnerabilities in critical infrastructure, raising concerns about national security and economic stability.

• In March 2026, Iranian-affiliated hackers began targeting U.S. critical infrastructure, exploiting programmable logic controllers (PLCs).
• The attacks escalated amid rising geopolitical tensions, particularly U.S.-Israel military actions against Iran.
• A joint advisory from multiple U.S. agencies was issued on April 7, 2026, warning of ongoing threats and recommending immediate security measures.

• CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been active since late 2023, previously compromising at least 75 PLCs worldwide.
• The attacks are part of a broader strategy of asymmetric warfare, where Iran retaliates against U.S. threats through cyber sabotage rather than conventional military action.
• U.S. agencies are responding with urgent advisories and enhanced security protocols to protect critical infrastructure from further exploitation.

In late 2023, the CyberAv3ngers group began targeting Unitronics PLCs, successfully compromising systems in U.S. water facilities, including the Municipal Water Authority of Aliquippa, Pennsylvania. These initial attacks were characterized by the alteration of device configurations to display pro-Palestinian messages, signaling a politically motivated agenda intertwined with technical capabilities. By 2024, the group escalated its operations, deploying IOControl malware against oil and gas sectors, marking a shift from opportunistic attacks to persistent threats.

The situation intensified in early 2026, coinciding with military actions by the U.S. and Israel against Iranian military targets. Following these strikes, Iranian cyber actors shifted their focus to Rockwell Automation/Allen-Bradley PLCs, exploiting vulnerabilities in ports such as 44818 and 22. They utilized Dropbear SSH to manipulate human-machine interfaces and supervisory control and data acquisition (SCADA) data, leading to operational disruptions across energy, water, and government sectors.

On April 7, 2026, a joint advisory was issued by the FBI, CISA, NSA, EPA, DOE, and USCYBERCOM, detailing indicators of compromise and recommended mitigations. This advisory emphasized the urgency of isolating PLCs from the internet, implementing firmware updates, and adopting multifactor authentication to safeguard against further attacks. The advisory also highlighted specific IP addresses and ports associated with the ongoing threats, urging municipalities and utilities to secure their Rockwell devices.

While no widespread outages have been reported yet, the potential for escalation remains high, especially given President Trump's continued threats against Iranian infrastructure. The financial implications of these attacks are significant, with cybersecurity firms like Dragos responding to multiple incidents since the onset of the U.S.-Iran conflict. The market for Rockwell Automation devices may also face impacts as organizations reassess their cybersecurity posture in light of these vulnerabilities.

• Utility companies: Increased operational costs and potential disruptions in service delivery.
• Cybersecurity firms: Heightened demand for security solutions and incident response services.
• Government agencies: Increased scrutiny and pressure to enhance national security measures.
• Consumers: Possible service interruptions and rising costs for utilities due to enhanced security measures.

• Future advisories from U.S. agencies: Monitoring for updates on threats and recommended security measures will be crucial for stakeholders.
• Market responses from cybersecurity firms: Watch for shifts in stock prices and service demand as companies react to the evolving threat landscape.
• Geopolitical developments: Changes in U.S.-Iran relations and military actions could further influence the frequency and severity of cyberattacks.