Nearly 4,000 US industrial devices exposed to Iranian cyberattacks
2026-4-10 16:1:32 Author: www.bleepingcomputer.com


The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation.

According to a joint advisory issued by multiple U.S. federal agencies on Tuesday, Iranian state-backed hacking groups have been targeting Rockwell Automation/Allen-Bradley PLC devices since March 2026, causing operational disruptions and financial losses.

"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel," the authoring agencies warned.


"The FBI identified that this activity resulted in the extraction of the device's project file and data manipulation on HMI and SCADA displays."

As cybersecurity firm Censys reported one day later, three-quarters of more than 5,200 such industrial control systems found exposed online globally are from the United States.

"Censys data identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (EIP) and self-identifying as Rockwell Automation/Allen-Bradley devices," Censys said.

"The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems."

Internet-exposed Rockwell/Allen-Bradley PLCs (Censys)
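The Censys count above rests on one protocol feature: an EtherNet/IP device answers the unauthenticated ListIdentity encapsulation command with its CIP vendor ID, device type, product name and serial number, so a scanner can tell a Rockwell/Allen-Bradley PLC from any other EtherNet/IP speaker without a session. The following is an added example for this page, not code from BleepingComputer, Censys or Rockwell: it builds the 24-byte ListIdentity request, parses the reply by walking the encapsulation header and Common Packet Format items, and applies the vendor-ID test. The reply bytes produced by build_sample_response() are constructed for the demo, not a capture; the product code, serial number and product-name string in it are arbitrary.

```python
"""EtherNet/IP ListIdentity: fingerprinting a Rockwell/Allen-Bradley PLC.

Added example for this page; not code from BleepingComputer, Censys or Rockwell.
The wire layout follows the EtherNet/IP encapsulation format; the reply built by
build_sample_response() is constructed here, not captured from a real device.
"""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP explicit messaging (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063   # encapsulation command code for ListIdentity
ITEM_LIST_IDENTITY = 0x000C  # CPF item type carrying the identity reply
VENDOR_ROCKWELL = 0x0001     # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x000E     # CIP device type 0x0E = Programmable Logic Controller
HEADER_FMT = "<HHII8sI"      # command, length, session, status, sender context, options
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes


def build_list_identity_request() -> bytes:
    """ListIdentity needs no session and carries no data: just the 24-byte header."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Walk the encapsulation header and CPF items and return the identity fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type == ITEM_LIST_IDENTITY:
            return _parse_identity_item(item)
    raise ValueError("no ListIdentity item in reply")


def _parse_identity_item(item: bytes) -> dict:
    (version,) = struct.unpack_from("<H", item, 0)
    # sockaddr_in is in network byte order: family, port, addr, then 8 zero bytes
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    off = 18
    vendor, dev_type, product_code, rev_major, rev_minor, dev_status, serial = \
        struct.unpack_from("<HHHBBHI", item, off)
    off += 14
    name_len = item[off]
    off += 1
    name = item[off:off + name_len].decode("ascii", "replace")
    off += name_len
    state = item[off]
    return {
        "encap_version": version,
        "ip": ".".join(str(b) for b in addr),
        "port": port,
        "vendor_id": vendor,
        "device_type": dev_type,
        "product_code": product_code,
        "revision": f"{rev_major}.{rev_minor}",
        "status": dev_status,
        "serial": f"{serial:08x}",
        "product_name": name,
        "state": state,
    }


def is_rockwell_plc(identity: dict) -> bool:
    """The scanner-style test: vendor ID 1 (Rockwell) and CIP device type PLC."""
    return identity["vendor_id"] == VENDOR_ROCKWELL and identity["device_type"] == DEVICE_TYPE_PLC


def build_sample_response() -> bytes:
    """Constructed reply (not a capture) from a PLC claiming 192.0.2.10:44818."""
    name = b"1756-L71/B LOGIX5571"   # arbitrary product-name string for the demo
    item = struct.pack("<H", 1)       # encapsulation protocol version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, bytes([192, 0, 2, 10]), b"\x00" * 8)  # AF_INET = 2
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x005A, 31, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([3])   # product name, then Identity state (3 = Operational)
    body = struct.pack("<H", 1) + struct.pack("<HH", ITEM_LIST_IDENTITY, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def query_device(host: str, timeout: float = 2.0) -> dict:
    """Send one UDP ListIdentity to a host you are authorised to test (not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity_response(data)


if __name__ == "__main__":
    ident = parse_list_identity_response(build_sample_response())
    print(ident, "rockwell_plc" if is_rockwell_plc(ident) else "other")
```

The same request is what an attacker's scanner sends, which is why a PLC that answers it from a public address is already on the target list: the reply leaks product family and firmware revision before any authentication takes place. Run query_device() only against controllers you own or are authorised to assess.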

To defend against these ongoing attacks, network defenders are advised to put PLCs behind a firewall or disconnect them from the Internet, scan logs for signs of malicious activity, and check for suspicious traffic on OT ports (for example EtherNet/IP on TCP port 44818), especially when it originates from overseas hosting providers.

Admins should also enforce multifactor authentication (MFA) for access to OT networks, keep all PLC devices up to date, and disable unused services and authentication methods.
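The "check for suspicious traffic on OT ports" step above is easy to state and rarely done, because plant-floor flow exports are seldom reviewed. The following is an added example for this page, not from the advisory or any vendor product, showing the minimum useful version: read firewall or flow records, keep only connections to OT protocol ports, drop anything whose source is an internal range, and raise the severity when the source falls in a prefix you have mapped to an overseas hosting provider. The CSV record format, the OT port table and the HOSTING_PREFIXES table are assumptions for the demo; the log lines are constructed, not real traffic.

```python
"""Flag Internet-sourced connections to OT protocol ports in firewall/flow logs.

Added example for this page, not from the advisory or any vendor product.  The
log line format, the OT port table and the hosting-provider prefix table are
assumptions for the demo; replace them with your own exports and ASN data.
"""
import ipaddress
from collections import Counter, namedtuple

# Destination ports that should never see Internet-sourced traffic on an OT segment
OT_PORTS = {
    (44818, "tcp"): "EtherNet/IP explicit messaging",
    (2222, "udp"): "EtherNet/IP implicit I/O",
    (502, "tcp"): "Modbus/TCP",
}

# RFC 1918 plus loopback and link-local, checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Assumed mapping of prefixes to overseas hosting providers (constructed; fill from ASN data)
HOSTING_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "EXAMPLE-VPS (overseas hosting)",
}

Finding = namedtuple("Finding", "ts src dst port proto service severity reason")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hosting_provider(ip: str):
    addr = ipaddress.ip_address(ip)
    for net, name in HOSTING_PREFIXES.items():
        if addr in net:
            return name
    return None


def parse_flow_line(line: str):
    """Constructed CSV format: ts,src_ip,src_port,dst_ip,dst_port,proto,bytes."""
    ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return ts, src, int(sport), dst, int(dport), proto.lower(), int(nbytes)


def analyze(lines) -> list:
    """Return one Finding per external connection to an OT port."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, _nbytes = parse_flow_line(line)
        service = OT_PORTS.get((dport, proto))
        if service is None or is_internal(src):
            continue  # not an OT port, or expected traffic between internal hosts
        provider = hosting_provider(src)
        if provider:
            findings.append(Finding(ts, src, dst, dport, proto, service, "high",
                                    f"OT port reached from {provider}"))
        else:
            findings.append(Finding(ts, src, dst, dport, proto, service, "medium",
                                    "OT port reached from non-internal source"))
    return findings


def sources_by_hits(findings) -> list:
    """Most active external sources first, as a block/hunt list."""
    return Counter(f.src for f in findings).most_common()


# Constructed sample export (not real traffic)
SAMPLE_LOG = """\
# ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2026-04-07T02:14:03Z,198.51.100.23,51422,10.20.30.5,44818,tcp,1340
2026-04-07T02:14:09Z,10.20.30.7,50112,10.20.30.5,44818,tcp,880
2026-04-07T02:15:41Z,203.0.113.9,40012,10.20.30.5,502,tcp,412
2026-04-07T02:16:00Z,203.0.113.9,40013,10.20.30.5,443,tcp,2000
2026-04-07T02:17:12Z,198.51.100.23,51500,10.20.30.6,2222,udp,96
"""

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f.severity.upper(), f.ts, f"{f.src} -> {f.dst}:{f.port}/{f.proto}", f.service, f.reason)
    print(sources_by_hits(results))
```

Any "medium" or "high" hit is by definition a PLC reachable from outside, so the first action is the firewall or disconnect step, not tuning the rule. The internal-range list is deliberately explicit: on an OT segment you know which prefixes belong to you, and the stock is_private check would silently hide sources in the IANA documentation ranges.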

This ongoing campaign follows similar attacks from nearly three years ago, when a threat group affiliated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) and tracked as CyberAv3ngers targeted vulnerabilities in U.S.-based Unitronics operational technology (OT) systems.

CyberAv3ngers hackers compromised at least 75 Unitronics PLC devices in multiple waves of cyberattacks between November 2023 and January 2024, with half of those in Water and Wastewater Systems critical infrastructure networks across the United States.

More recently, the Handala hacktivist group (linked to Iran's Ministry of Intelligence and Security) wiped approximately 80,000 devices from the network of U.S. medical giant Stryker, including employees' mobile devices and company-managed personal computers.



Article source: https://www.bleepingcomputer.com/news/security/nearly-4-000-us-industrial-devices-exposed-to-iranian-cyberattacks/