Federal Agencies Issue Urgent Joint Advisory
Multiple U.S. government bodies issued an urgent joint warning on Tuesday, alerting the public and operators of critical infrastructure that Iranian government-affiliated hackers are actively launching disruptive cyberattacks against American energy and water systems. The advisory was jointly released by the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), the Department of Energy, and U.S. Cyber Command.
The warning specifically identifies Iran-affiliated advanced persistent threat (APT) actors as the culprits, stating that these groups are targeting internet-facing operational technology (OT) devices — most notably programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
"Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley."
What the Hackers Are Doing
According to the joint alert, the attacks go beyond simple intrusions. The threat actors are engaging in malicious interactions with PLC project files and are manipulating the data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) screens. These are the graphical dashboards and control panels that operators rely on to monitor and manage industrial processes, so falsified readings can cause operators, or automated logic acting on those readings, to take unsafe physical actions.
The advisory explicitly notes that this activity has led to PLC disruptions across several U.S. critical infrastructure sectors. Affected industries include Government Services and Facilities, the Water and Wastewater Systems (WWS) sector, and the Energy sector. Some victims experienced both operational disruption and financial loss as a result of the intrusions.
Timeline: From 2023 to the Present
This is not the first time federal agencies have raised alarms about Iranian hackers targeting similar systems using similar techniques. The earliest such warning followed an incident in late 2023, when an Iranian government-linked group claimed responsibility for attacking a water facility in Pennsylvania.
Since March of this year, however, the agencies report that a newly identified Iran-affiliated APT group has been responsible for a fresh wave of compromises; the advisory says the group was identified through direct engagements with victim organizations. The earlier campaign alone is said to have compromised at least 75 devices.
Escalation Following U.S.-Israel Strikes on Iran
The timing of the latest attacks is notable. The advisory links the surge in disruptive activity to the onset of U.S.-Israel military strikes against Iran, suggesting that Tehran-connected cyber operators have stepped up retaliatory or coercive operations in cyberspace following those events.
In addition to critical infrastructure targets, Iranian hackers have also reportedly hit organizations in other sectors in the wake of the broader conflict. Among those reportedly affected are the major medtech company Stryker, as well as various local government entities.
Malware via Telegram Also a Concern
Separately, the FBI warned last month that Iranian hackers were deploying malware through the Telegram messaging application. While that particular campaign predates the current conflict with Iran, it underscores the range and adaptability of Iranian cyber operations, which span both targeted industrial attacks and broader malware distribution schemes.
Key Takeaways for Critical Infrastructure Operators
- PLCs manufactured by Rockwell Automation/Allen-Bradley are specifically identified as targets.
- Attackers are manipulating HMI and SCADA display data, not just gaining access to networks.
- Sectors at elevated risk include energy, water and wastewater systems, and government facilities.
- At least 75 devices were compromised in the earlier campaign identified by federal agencies.
- Victims have reported both operational disruptions and financial losses.
- The threat has intensified since the start of U.S.-Israel military action against Iran.
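The advisory's core point is that these PLCs are reachable from the internet at all. As an added example (editorial code, not part of the advisory or the CyberScoop article), the script below builds the standard EtherNet/IP ListIdentity request, which Rockwell/Allen-Bradley controllers answer on UDP/44818 without any authentication, and decodes the reply into the vendor, device-type and product-name fields so an operator can confirm from an outside vantage point whether a controller answers. The sample reply, the product name "EXAMPLE-PLC/A" and every field value in it are constructed for illustration, and the function names (`probe`, `flag`) are this example's own. Only run the live probe against addresses you are authorized to test.

```python
#!/usr/bin/env python3
"""Exposure check for EtherNet/IP devices (added example; not from the advisory).

Sends the ODVA EtherNet/IP ListIdentity encapsulation command (0x63) and decodes
the reply so an operator can see which Rockwell/Allen-Bradley PLCs answer on a
given address. Run the live probe only against networks you are authorised to scan.
"""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
HEADER_FMT = "<HHIIQI"          # command, length, session handle, status, sender context, options
VENDOR_ROCKWELL = 0x0001        # ODVA vendor ID for Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x000E        # CIP device profile "Programmable Logic Controller"


def build_list_identity_request() -> bytes:
    """24-byte encapsulation header with an empty body; no session is needed for ListIdentity."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Decode the first ListIdentity item (type 0x0C) from a raw encapsulation reply."""
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected reply: cmd=0x{cmd:04x} status=0x{status:08x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue
        # item layout: protocol version (2, LE), sockaddr_in (16, big-endian), then Identity attributes
        _family, port, raw_ip = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        return {
            "vendor_id": vendor,
            "rockwell": vendor == VENDOR_ROCKWELL,
            "device_type": dev_type,
            "plc": dev_type == DEVICE_TYPE_PLC,
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": f"{serial:08x}",
            "product_name": name,
            "advertised_ip": socket.inet_ntoa(raw_ip),
            "advertised_port": port,
            "state": state,
        }
    raise ValueError("no ListIdentity item in reply")


def probe(host: str, timeout: float = 2.0) -> dict:
    """Live check: one unicast ListIdentity over UDP/44818, first answer decoded."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _peer = s.recvfrom(4096)
    return parse_list_identity_response(data)


def flag(info: dict) -> str:
    """One-line triage verdict: a Rockwell PLC that answers from outside is the case the advisory warns about."""
    if info["rockwell"] and info["plc"]:
        return (f"ALERT Rockwell/Allen-Bradley PLC '{info['product_name']}' answers ListIdentity; "
                "confirm it is not internet-reachable")
    if info["rockwell"]:
        return f"NOTE Rockwell/Allen-Bradley device '{info['product_name']}' (type 0x{info['device_type']:04x})"
    return f"INFO vendor 0x{info['vendor_id']:04x} device '{info['product_name']}'"


def sample_response() -> bytes:
    """Constructed reply from a hypothetical PLC; every value here is made up for the example."""
    name = b"EXAMPLE-PLC/A"
    ident = struct.pack("<H", 1)                                   # encapsulation protocol version
    ident += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    ident += struct.pack("<HHHBBHIB", VENDOR_ROCKWELL, DEVICE_TYPE_PLC,
                         0x0059, 20, 11, 0x0030, 0x00C0FFEE, len(name))
    ident += name + b"\x03"                                        # device state byte
    body = struct.pack("<H", 1) + struct.pack("<HH", ITEM_LIST_IDENTITY, len(ident)) + ident
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_list_identity_response(sample_response())
    print(flag(info))
```

Run it with no arguments to decode the constructed sample, or with an IP address to send a real probe. An answer from an address on the public internet is the finding: ListIdentity carries no authentication, which is exactly why exposed controllers are easy to enumerate. The check says nothing about whether a device's project file or HMI data has already been tampered with; that needs the logging and integrity checks in the advisory itself.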
Operators of internet-facing OT devices — particularly those running Rockwell Automation equipment — are strongly urged to review the full advisory from CISA and partner agencies and to implement recommended mitigations without delay.
Source: CyberScoop