
A coalition of six US government agencies has issued an urgent advisory detailing disruptive cyberattacks on American critical infrastructure by an Iranian state-affiliated advanced persistent threat (APT) group. The attacks, which began no later than March 2026, target programmable logic controllers (PLCs) deployed across sectors including government services, wastewater systems, and energy. These incidents are believed to be linked to the ongoing conflict between Iran and the United States.
Programmable logic controllers are compact devices, often resembling toasters in size, that serve as intermediaries between automation software and physical machinery in industrial environments. They are commonly found in factories, water treatment facilities, oil refineries, and other remote operational sites. The advisory, released on Tuesday, was jointly published by the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Environmental Protection Agency, the Department of Energy, and US Cyber Command.
According to the advisory, the Iranian APT group has successfully disrupted PLC functions, leading to operational interruptions and financial losses for some victim organizations. The document states, “Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs. These PLCs were deployed across multiple US critical infrastructure sectors (including Government Services and Facilities, Waste Water Systems (WWS), and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
Security researchers have identified Rockwell Automation/Allen-Bradley PLCs as a primary target in these attacks. On Wednesday, the security firm Censys reported that an internet scan revealed 5,219 such devices publicly accessible online. Of these, 75 percent are located within the United States, likely in isolated areas where industrial equipment is typically situated.
The infrastructure leveraged by the attackers to compromise these PLCs is described as a “single multi-home Windows engineering workstation running the Rockwell tool chain.” This setup allows the hackers to remotely manipulate the controllers, potentially causing widespread disruptions to critical services.



