US agencies warn Iranian-linked hackers are targeting internet-exposed PLCs in critical infrastructure


US federal agencies are warning that Iranian-affiliated advanced persistent threat (APT) actors are exploiting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) made by Rockwell Automation/Allen-Bradley, across multiple US critical infrastructure sectors.

In a joint advisory published on April 7, 2026, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Environmental Protection Agency (EPA), the Department of Energy (DOE) and US Cyber Command’s Cyber National Mission Force (CNMF) said the activity has led to PLC disruptions. The agencies said attackers have interacted with PLC project files and manipulated data shown on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss in some cases.

The advisory says affected products include Rockwell Automation/Allen-Bradley PLCs and potentially PLCs from other vendors. The authoring agencies said they assess the activity is intended to cause disruptive effects within the United States, with observed targeting spanning Government Services and Facilities (including local municipalities), Water and Wastewater Systems, and Energy sectors.

According to the advisory, the threat actors used multiple overseas-based IP addresses to access publicly exposed Rockwell PLCs, using leased third-party infrastructure and configuration software such as Rockwell’s Studio 5000 Logix Designer to establish accepted connections to victim devices. The advisory names CompactLogix and Micro850 as examples of targeted PLC models.

The agencies also warned that inbound malicious traffic may be directed to common OT ports including 44818, 2222, 102, and 502, as well as port 22. They said the use of ports tied to other vendors’ protocols suggests the group may also be targeting PLCs beyond Rockwell products, including Siemens S7 devices. The advisory also said attackers deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable remote access via port 22.

As indicators of compromise, the advisory points organisations to IP addresses used by the actors over specified time periods, recommending defenders query logs for historical targeting and vet the IPs before taking actions such as blocking.

The agencies urged critical infrastructure operators to reduce exposure by removing PLCs from direct internet access and using secure gateways and firewalls; reviewing logs for indicators of compromise; and checking for suspicious traffic on OT-related ports, particularly traffic originating from overseas hosting providers. For Rockwell devices, the advisory also recommends setting the controller’s physical mode switch to the run position, which helps prevent remote modification of the controller.
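The log review the agencies recommend can be automated. The following is an added example, not code from the advisory or any agency: it scans constructed firewall-style log lines for allowed inbound connections to the OT ports named above (44818, 2222, 102, 502 and 22) from sources outside an assumed trusted network, and groups hits per source so one external host touching several PLC ports stands out. The log format, the trusted network and the IP addresses are all assumed or constructed.

```python
"""Flag inbound connections to OT-protocol ports from untrusted sources."""
import ipaddress
from collections import defaultdict

# Ports named in the advisory, mapped to the protocol a defender expects on them.
OT_PORTS = {
    44818: "EtherNet/IP (CIP)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "Siemens S7 / ISO-TSAP",
    502: "Modbus/TCP",
    22: "SSH",  # advisory notes Dropbear SSH deployed on victims for remote access
}

# Constructed sample log (assumed key=value firewall format, documentation IP ranges).
SAMPLE_LOG = """\
2026-04-01T02:14:07Z src=203.0.113.45 dst=10.20.0.15 dport=44818 action=allow
2026-04-01T02:14:09Z src=10.20.0.50 dst=10.20.0.15 dport=44818 action=allow
2026-04-01T03:41:22Z src=198.51.100.7 dst=10.20.0.16 dport=502 action=allow
2026-04-01T04:02:55Z src=203.0.113.45 dst=10.20.0.15 dport=22 action=allow
2026-04-01T05:10:01Z src=192.0.2.88 dst=10.20.0.17 dport=443 action=allow
"""

# Networks from which connections to PLC ports are legitimately expected (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Split one 'ts k=v k=v ...' line into a record with typed fields."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "src": ipaddress.ip_address(fields["src"]), "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def find_suspicious(log_text):
    """Return (src, dst, port, protocol) for allowed hits on OT ports from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] in OT_PORTS and rec["action"] == "allow" and not is_trusted(rec["src"]):
            hits.append((str(rec["src"]), rec["dst"], rec["dport"], OT_PORTS[rec["dport"]]))
    return hits


def summarize_by_source(hits):
    """Group (dst, port) pairs per external source to surface multi-port probing."""
    per_src = defaultdict(set)
    for src, dst, port, _ in hits:
        per_src[src].add((dst, port))
    return {src: sorted(pairs) for src, pairs in per_src.items()}
```

Any hit here is a lead to vet against the advisory's published indicator list before blocking, as the agencies recommend.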

The advisory references similar activity beginning in November 2023, when IRGC Cyber Electronic Command-affiliated threat actors known as “CyberAv3ngers” targeted US-based PLCs and HMIs, compromising at least 75 devices, including Unitronics PLCs used in multiple sectors such as water and wastewater systems. Private industry and open-source reporting has used other names for the group, including Hydro Kitten, Storm-0784, and the Shahid Kaveh Group.

The authoring agencies said Iranian-affiliated campaigns targeting US organisations have recently escalated, likely in response to hostilities between Iran and the United States and Israel. They urged organisations to review the advisory’s tactics, techniques and procedures and apply the recommended mitigations to reduce the risk of compromise.

US organisations were encouraged to report suspicious or criminal activity related to the advisory to CISA, the FBI and/or the NSA through established channels.

Full advisory available here: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | CISA
