
US Warns of Iran-Linked Hackers Targeting Critical Infrastructure Systems

Last updated: April 8, 2026
  • Hackers affiliated with Iran are infiltrating internet-exposed US industrial control systems, affecting water, energy, and US government facilities.

  • These attacks have caused major interruptions in day-to-day operations and financial losses, in part by altering the information operators see on their screens.

  • Federal agencies urge immediate action: disconnect PLCs from the internet, switch physical modes to “run,” and check logs for suspicious overseas IPs.


Iranian-affiliated hackers are actively breaking into the industrial controllers that run America’s water systems, energy grid, and government facilities.

The FBI, CISA, and four other federal agencies released a warning about this on April 7, 2026. The alert came after the authorities confirmed multiple breaches have already caused operational disruptions and financial losses.

A Digital Siege on America’s Critical Infrastructure

These hackers, tagged as advanced persistent threat (APT) actors, have apparently been at it since March. Their target? Internet-connected programmable logic controllers, also called PLCs. These controllers are the small brains that keep factories and other critical infrastructure, such as water pumps and the energy grid, running.

The attackers took a keen interest in hitting Rockwell Automation and Allen-Bradley PLCs. Think CompactLogix and Micro850 models. But officials warn other brands like Siemens S7 could be next.

The attackers don’t just peek at systems. They actively mess with project files. They manipulate what shows up on human machine interface (HMI) and SCADA displays. Imagine a water plant operator seeing normal pressure readings while a tank actually overflows. That’s the danger here.

Multiple victims across government services, water systems, and energy sectors have already suffered operational disruptions and financial losses.

How the Attackers Slip Through

Hackers use overseas IP addresses, often from rented hosting services, to connect directly to exposed PLCs. They do it with widely available software such as Rockwell Automation’s Studio 5000 Logix Designer, the standard engineering tool for these controllers.

Once they’re inside, they install a Dropbear SSH tool. This gives them a way back into the system any time they like, via port 22. They also use ports 44818, 2222, 102 and 502 to communicate with the devices, because these are OT ports that many organizations simply leave open.

The FBI has managed to identify some of the specific IP addresses this campaign is using. Early in March, an attacker was active from the IP 135.136.1.133.

Many other addresses (185.82.73[.]162 to 185.82.73[.]171) have been connecting to victim devices since January last year. This isn’t exactly new behavior for this particular group.

The same group, known as CyberAv3ngers, Shahid Kaveh Group, and Hydro Kitten, has hit at least 75 Unitronics PLCs in the past two and a half years. They mostly target water and wastewater systems in particular.

These same Iranian-affiliated actors are also responsible for a wider cyber campaign across the Middle East, targeting hundreds of organizations in sectors ranging from government to energy, proving that their operational scope extends far beyond US critical infrastructure.

Feds Recommend Steps to Mitigate the Attacks

According to federal agencies, time is of the essence when it comes to stopping these breaches. Here are the immediate steps every organization with PLCs should take:

First, disconnect every PLC from the public-facing internet. No exceptions. Use a secure gateway or jump host if you need remote access.

Secondly, for Rockwell devices, physically flip the mode switch to the “run” position. This prevents remote modifications. Only switch to “program” mode when absolutely necessary, and flip it back immediately after.

Thirdly, check your logs for those overseas IP addresses. Look for traffic on ports 44818, 2222, 102, and 502, especially from foreign hosting providers.

Lastly, create offline backups of your PLC logic and configurations. Store them securely. You’ll need them for fast recovery.
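A log-triage sketch for the third step above, added here as an example rather than anything from the advisory or the article: it assumes a constructed key=value firewall log format and an RFC 1918 control network, and flags both the addresses quoted in the article and any external host reaching the listed OT ports.

```python
import ipaddress
import re

# Ports the advisory names: 44818 (EtherNet/IP), 2222, 102 (S7comm), 502 (Modbus/TCP),
# plus 22 for the Dropbear SSH backdoor the actors drop for persistence.
OT_PORTS = {22, 44818, 2222, 102, 502}

# Indicators quoted in the article, written out undefanged.
INDICATORS = {ipaddress.ip_address("135.136.1.133")} | {
    ipaddress.ip_address(f"185.82.73.{host}") for host in range(162, 172)
}

# Assumption: the control network uses RFC 1918 space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value firewall log format; adapt the pattern to your own logs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=\S+\s+dport=(?P<dport>\d+)")


def classify(line):
    """Return (timestamp, src, dport, verdict) if the line is suspicious, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    if src in INDICATORS:
        verdict = "known-indicator"
    elif dport in OT_PORTS and not any(src in net for net in INTERNAL_NETS):
        verdict = "external-source-on-ot-port"
    else:
        return None
    return (m["ts"], str(src), dport, verdict)


def triage(lines):
    """Run classify over a log and keep only the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines, not real traffic: one known indicator, one unknown
# external host on Modbus, one internal engineering workstation, one web session.
SAMPLE_LOG = [
    "2026-03-05T08:12:44Z src=185.82.73.165 dst=10.20.30.7 dport=44818 proto=tcp action=allow",
    "2026-03-05T08:13:02Z src=203.0.113.9 dst=10.20.30.7 dport=502 proto=tcp action=allow",
    "2026-03-05T08:14:10Z src=10.20.30.50 dst=10.20.30.7 dport=44818 proto=tcp action=allow",
    "2026-03-05T08:15:31Z src=198.51.100.4 dst=10.20.30.8 dport=443 proto=tcp action=allow",
    "malformed line with no fields",
]
```

Any "known-indicator" hit deserves immediate follow-up; an "external-source-on-ot-port" hit means a controller is reachable from outside and should be pulled behind a gateway regardless of who the source is.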

The Bigger Picture

The recent conflict between Iran, the US, and Israel is likely what’s fueling these attacks. The FBI believes these Iran-linked hackers aren’t just coming to steal data; their main goal is to disrupt critical infrastructure.

Device manufacturers aren’t off the hook either. Agencies say vendors must build secure-by-default products: don’t ship with weak default settings, enable multifactor authentication, and provide basic security features at no extra cost.

If something looks suspicious, don’t ignore it. Report it to CISA right away at [email protected] or call 1-844-Say-CISA. You can also contact Rockwell Automation’s PSIRT team at [email protected]. Just remember, faster is better.

The bottom line? Iran’s hackers have found a soft target. Don’t let it be your facility.


About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
