US warns of Iranian hackers targeting critical infrastructure
Iranian-linked hackers are attacking exposed Rockwell/Allen-Bradley PLCs on the networks of U.S. critical infrastructure organizations, causing financial losses and operational disruptions. Multiple U.S. agencies have jointly warned that this activity has escalated and recommend defensive measures. 2026-4-7 18:15:19 Author: www.bleepingcomputer.com


Iranian-linked hackers are targeting Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) on the networks of U.S. critical infrastructure organizations.

The warning came earlier today in the form of a joint advisory authored by the FBI, CISA, NSA, the Environmental Protection Agency (EPA), Department of Energy (DOE), and the United States Cyber Command – Cyber National Mission Force (CNMF).

The authoring agencies said that these ongoing attacks have targeted organizations across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, Water and Wastewater Systems, and Energy), and have resulted in financial losses and operational disruptions since March 2026.


"The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations," the advisory warns.

"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel."

"The FBI identified that this activity resulted in the extraction of the device's project file and data manipulation on HMI and SCADA displays," the U.S. agencies added.

A similar advisory issued in November 2023 warned that the CyberAv3ngers threat group, affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC), had been exploiting vulnerabilities in U.S.-based Unitronics operational technology (OT) systems.

Between November 2023 and January 2024, CyberAv3ngers hackers compromised at least 75 Unitronics PLC devices across multiple waves of cyberattacks, half of which were in Water and Wastewater Systems (WWS) critical infrastructure networks.

To defend against such attacks, network defenders are advised to disconnect PLCs from the Internet or secure them using a firewall, scan logs for indicators of compromise shared in today's joint advisory, and check for suspicious traffic on OT ports (especially traffic originating from overseas hosting providers).

They should also implement multifactor authentication (MFA) for access to the OT network, keep PLCs up to date with the latest available firmware, disable all unused services and authentication methods (such as default authentication keys), and monitor network traffic for suspicious activity.
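The check for suspicious traffic on OT ports can be scripted against firewall or flow logs. The following is an added example, not taken from the advisory or the article: the log format, the internal address ranges and the port list are assumptions (the article names no ports), and it flags any non-internal source rather than attributing traffic to a hosting provider.

```python
import ipaddress
from collections import Counter

# Assumption: widely used industrial protocol ports (the article lists none).
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O",
            502: "Modbus/TCP", 102: "ISO-TSAP/S7"}

# Assumption: address ranges this site treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2026-04-07T10:01:12Z 10.20.0.15 10.20.5.10 44818 ALLOW
2026-04-07T10:02:40Z 203.0.113.77 10.20.5.10 44818 ALLOW
2026-04-07T10:02:41Z 203.0.113.77 10.20.5.10 44818 ALLOW
2026-04-07T10:03:05Z 198.51.100.9 10.20.5.11 502 DENY
2026-04-07T10:04:00Z 198.51.100.9 10.20.5.12 443 ALLOW
malformed line here
"""

def external_ot_hits(log_text):
    """Count connections from non-internal sources to OT ports.

    Returns [((src, dst, port, action), count), ...] with ALLOW entries first,
    because an allowed connection means the controller was reachable.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue  # unparsable address or port
        if port not in OT_PORTS:
            continue  # not an OT protocol port
        if any(src_ip in net for net in INTERNAL_NETS):
            continue  # internal engineering traffic
        counts[(src, dst, port, action.upper())] += 1
    return sorted(counts.items(), key=lambda kv: (kv[0][3] != "ALLOW", kv[0]))

if __name__ == "__main__":
    for (src, dst, port, action), n in external_ot_hits(SAMPLE_LOG):
        print(f"{action:5} {src} -> {dst}:{port} ({OT_PORTS[port]}) x{n}")
```

Any ALLOW entry in the output means a controller accepted a connection from outside the site and should be treated as Internet-exposed until a firewall rule says otherwise.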

Last month, the Iranian-linked and pro-Palestinian Handala hacktivist group wiped approximately 80,000 devices on the network of U.S. medical giant Stryker, including employees' mobile devices and personal computers managed by the company.

The FBI also warned that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks.



Source: https://www.bleepingcomputer.com/news/security/us-warns-of-iranian-hackers-targeting-critical-infrastructure/