Iranian Attackers Are Targeting U.S. Energy, Water Systems, Federal Agencies Say
U.S. federal agencies warn that threat groups linked to the Iranian government are launching cyberattacks against U.S. critical infrastructure, using industrial control system devices such as programmable logic controllers (PLCs) to carry out disruptive activity. These attacks have already caused operational disruption and financial loss at some facilities and are viewed as part of modern warfare. 2026-4-8 13:55:56 Author: securityboulevard.com

Threat groups linked to the Iranian government are targeting critical infrastructure in the United States as part of the ongoing war between the two nations that is taking place both in Iran and in cyberspace, several U.S. federal agencies warn.

The attackers are exploiting a range of operational technology (OT) devices, including programmable logic controllers (PLCs), that are used across critical infrastructure sectors, from government facilities to water and wastewater systems (WWS) to energy companies, according to a joint alert this week from CISA, the FBI, the National Security Agency (NSA), the Environmental Protection Agency (EPA), the Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF).

“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States,” the agencies wrote.

The threat groups include Handala and CyberAv3ngers – also known as the Shahid Kaveh Group. Handala has been among the most active of the Iran-linked groups and was responsible for the data wiper attack on U.S. medical tech company Stryker last month.

Meanwhile, CyberAv3ngers, which is linked with Iran’s Islamic Revolutionary Guard Corps’ (IRGC) Cyber Electronic Command, was the attacker behind the 2023 intrusion into the municipal water operations in Aliquippa, Pennsylvania, which it carried out by compromising a programmable logic controller (PLC) from Unitronics. CyberAv3ngers was also linked to other intrusions, which compromised at least 75 devices.

Ongoing Efforts

According to the federal agencies’ alert, there are ongoing attempts by Iran-affiliated attackers to exploit PLCs from Rockwell Automation and a subsidiary, Allen Bradley, to access project files and manipulate the data shown on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.

“Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the agencies wrote. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”

Cyberattacks Part of Modern Warfare

None of this should come as a surprise in the wake of the U.S. and Israeli bombing campaign against Iran that started February 28, according to Joe Saunders, CEO of RunSafe Security, whose technology is aimed at protecting embedded systems and critical infrastructure from attacks.

“Cyberattacks are key components now in all war and kinetic attacks,” Saunders said. “Not only does Iran have the means, it has the motivation to undermine U.S. government and disrupt a well-functioning society. Cyberattacks are one way to break down physical barriers and can be executed at a time and place of a nation-state’s choosing to achieve counter-effects.”

Organizations and countries should always be prepared for cyberattacks, with a focus on resilience and recovery, he said, adding that “this proves critical infrastructure is an extension of national security.”

Multiple Battlegrounds

The ongoing war between Russia and Ukraine illustrated the dual nature of modern combat, and the conflict in Iran is no different. Almost immediately after the bombing started, there were reports of Iranian-affiliated threat groups and pro-Iranian hacktivists mobilizing to attack not only the United States and Israel, but also neighboring countries in the Middle East they viewed as aiding the attacking forces.

Cybersecurity firm Flashpoint, which has been issuing almost daily updates to both the kinetic war and the battle in cyberspace, noted this week that “pro-Iranian proxy groups [are] claiming disruptive attacks on major multinational platforms, international government portals, and claiming the exfiltration of sensitive source code from a prime US defense contractor.”

According to Flashpoint’s notice, such groups are expanding their targets beyond regional entities with successful distributed denial-of-service (DDoS) attacks against high-profile online platforms like Netflix and Pinterest, as well as Australian government portals. In addition, some hacktivists claim to have highly sensitive avionics source code and firmware from aerospace giant and defense contractor Lockheed Martin.

CyberAv3ngers Targeting Critical Infrastructure

The federal agencies’ alert noted that CyberAv3ngers is launching its attacks against U.S. critical infrastructure by running configuration software – like Rockwell’s Studio 5000 Logix Designer – on leased third-party hosted systems to create an accepted connection to the victims’ PLCs, including CompactLogix and Micro850 devices.

There also are indications that the hackers are targeting devices from manufacturers other than Rockwell, such as the Siemens S7 PLC. The attackers also deployed Dropbear SSH software on compromised endpoints to give them remote access, the agencies wrote.
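The pattern the agencies describe in this section, an engineering tool such as Studio 5000 run from a leased third-party host opening an accepted session to the PLC, and Dropbear SSH appearing on compromised endpoints, is something a defender can look for in network flow records: configuration-protocol sessions to the PLC segment that do not come from an approved on-site engineering workstation, and SSH sessions to hosts on that segment at all. The following Python script is an added illustration written for this article; it is not code from the alert, from the agencies, or from any vendor named here. The log format, the site subnets, the engineering-station allowlist and the flow records are all constructed. The protocol port numbers come from the public protocol specifications, not from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Industrial protocol ports, from the public protocol specifications (not
# from the alert): EtherNet/IP (CIP) on TCP 44818, used by Rockwell
# CompactLogix/Micro850 controllers; Modbus/TCP on 502; Siemens S7comm on 102.
OT_PORTS = {44818: "EtherNet/IP (CIP)", 502: "Modbus/TCP", 102: "S7comm"}
SSH_PORT = 22

# Hypothetical site layout (assumption): the PLC segment, the organization's
# internal address space, and the only workstations permitted to open
# configuration sessions (Studio 5000 and the like) to the PLC segment.
OT_SUBNET = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENGINEERING_HOSTS = {
    ipaddress.ip_address("10.20.1.15"),
    ipaddress.ip_address("10.20.1.16"),
}


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    service: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, object, object, int]]:
    """Parse one constructed flow record: '<timestamp> <src_ip> <dst_ip> <dst_port>'.
    Blank, comment or malformed lines yield None so one bad record never
    aborts the whole sweep."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    return parts[0], src, dst, dport


def is_internal(ip) -> bool:
    """True when the address belongs to the organization's own ranges
    (a hypothetical list; TEST-NET addresses in the sample count as external)."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(ts: str, src, dst, dport: int) -> Optional[Finding]:
    """Flag sessions to the PLC segment that an approved engineering station
    would not produce. A source outside the organization maps to the
    leased-host pattern in the alert; SSH to a PLC-segment host maps to the
    Dropbear foothold. Other traffic is ignored by this rule."""
    if dst not in OT_SUBNET:
        return None
    if dport == SSH_PORT:
        service = "SSH"
        reason = "SSH session to a PLC-segment host; no PLC-segment host should accept SSH"
    elif dport in OT_PORTS:
        service = OT_PORTS[dport]
        if src in ENGINEERING_HOSTS:
            return None  # approved engineering session, nothing to report
        reason = "PLC protocol session from a host that is not an approved engineering station"
    else:
        return None
    severity = "medium" if is_internal(src) else "high"
    return Finding(ts, str(src), str(dst), service, severity, reason)


def analyze(lines) -> List[Finding]:
    """Run the rule over an iterable of flow records and return the findings in order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(*rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for a leased third-party host.
SAMPLE_LOG = """\
# constructed flow records: timestamp src dst dport
2026-04-07T10:15:02Z 10.20.1.15 10.50.0.7 44818
2026-04-07T10:16:40Z 203.0.113.45 10.50.0.7 44818
2026-04-07T10:17:05Z 10.20.3.99 10.50.0.9 502
2026-04-07T10:18:11Z 198.51.100.8 10.50.0.12 22
2026-04-07T10:19:00Z 10.20.1.15 10.50.0.12 443
2026-04-07T10:20:30Z 203.0.113.45 10.50.0.20 102
not a valid record
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.timestamp} {f.src} -> {f.dst} ({f.service}): {f.reason}")
```

Run against the sample, the rule reports four sessions: the two EtherNet/IP and S7comm sessions from outside the organization and the SSH session into the PLC segment as high severity, and the Modbus session from an internal host that is not on the engineering allowlist as medium; the approved Studio 5000 style session from 10.20.1.15 and the HTTPS flow are left alone. The value of the rule lies entirely in the allowlist being accurate and the PLC segment being reachable only through it, which is the same network-segmentation control the agencies have long recommended for OT.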

Previous Warnings

This isn’t the first time since the onset of the war that the federal government has warned about cyberthreats from Iran-linked groups. The FBI last month said bad actors linked to Iran’s Ministry of Intelligence and Security (MOIS) are using the Telegram messaging app as a command-and-control (C2) tool to push malware to Iranian dissidents, journalists it views as opposing Iran, and other opposition groups around the world. The malware collects intelligence and has led to data leaks.

Such activity predates the current Iran war, but the FBI wrote that it was highlighting the activity “due to the elevated geopolitical climate of the Middle East and current conflict.”

Source: https://securityboulevard.com/2026/04/iranian-attackers-are-targeting-u-s-energy-water-systems-federal-agencies-say/