Iran-Linked APT Disrupts U.S. Water and Energy PLCs as Six Agencies Warn of Active Campaign
A joint advisory from CISA, FBI, NSA, EPA, DOE, and U.S. Cyber Command confirms Iranian-affiliated actors have manipulated industrial control systems across water, energy, and government networks since at least March 2026.
Six federal agencies issued a joint advisory on April 7, 2026 confirming what many OT security practitioners had already suspected: Iranian-affiliated threat actors aren't just probing U.S. critical infrastructure, they're inside it and turning dials.
The advisory, designated AA26-097A and reviewed in full by this reporter on the CISA and IC3 public document repositories, details an active campaign targeting internet-exposed programmable logic controllers, primarily Rockwell Automation/Allen-Bradley CompactLogix and Micro850 devices. The authoring agencies confirm that victims have already sustained operational disruption and financial loss, not just theoretical exposure.
The access method is not subtle. According to the advisory, the actors used overseas-based IP addresses and leased third-party hosting infrastructure to connect to exposed PLCs. Their tool of choice was Rockwell's own Studio 5000 Logix Designer software, establishing what appeared to the target network as a legitimate engineering connection. Once in, they extracted .ACD project files containing ladder logic and configuration settings, and falsified data on HMI and SCADA displays.
The advisory covers three sectors explicitly: Government Services and Facilities, including local municipalities; Water and Wastewater Systems; and Energy. The EPA press statement quoted Assistant Administrator Jess Kramer warning that the water sector faces an "urgent and ongoing" threat, and noted that confirmed incidents include configuration wiping, software-based mechanical sensor tampering, and HMI disruption.
Assessment confidence on attribution sits at moderate-to-high. The advisory does not name a specific group, but CSIS's analysis of the advisory, published in May 2026, assessed that the tactics, techniques, and procedures overlap substantially with CyberAv3ngers, which presents publicly as a hacktivist collective but is assessed with moderate confidence to be an IRGC-affiliated APT. Picus Security's technical breakdown notes that Dragos separately tracks a related cluster as BAUXITE, characterizing it as a Stage 2 ICS Kill Chain actor capable of deploying custom backdoors on OT devices.
The underlying vulnerability is less a technical flaw than a configuration failure. CVE-2021-22681, an authentication bypass in Rockwell's Studio 5000 Logix Designer and Logix PLCs, was added to CISA's Known Exploited Vulnerabilities catalog in March 2026. But the advisory is clear that the fundamental issue isn't the CVE: it's that PLCs are reachable from the public internet at all. Rockwell issued guidance in 2026 reiterating that customers should disconnect devices from the internet and harden their OT deployments. The attackers didn't need a zero-day. They needed a search engine and patience.
The geopolitical framing matters for threat projection. CISA's advisory states that Iranian-affiliated APT targeting of U.S. organizations has "recently escalated, likely in response to hostilities between Iran, and the United States and Israel." CSIS's analysis adds that Iran's cyber capabilities may be partially constrained by kinetic losses and internet disruptions, but the advisory confirms enough operational reach to cause real disruption at multiple U.S. sites. That's not a deterred adversary.
There's a structural problem sitting underneath this specific incident. CSIS noted in its May 2026 analysis that CISA is expected to lose $707 million in additional budget cuts under the current administration, and that the Acting Director of CISA has stated the agency cannot currently perform the outreach and preparatory activity needed to counter cyber threats. The advisory was issued anyway, by six agencies, in coordinated fashion. What's harder to assess is whether the downstream capacity to act on it at the local water utility level is actually there.
The advisory directs all critical infrastructure operators to urgently review TTPs and indicators of compromise, remove internet-exposed access to OT devices, implement multi-factor authentication where it's architecturally possible, and monitor logs for the IP indicators listed in the document. Rockwell's Product Security Incident Response Team is listed as a direct contact for organizations operating affected hardware.
For the water sector in particular, a sector already dealing with aging infrastructure and constrained IT budgets, the ask is significant. A PLC running a treatment plant isn't patched the way a Windows server is. Downtime windows require fallback planning, safety reviews, and change control that small municipal utilities often don't have the staff to execute quickly. The advisory acknowledges as much. Acknowledging it and solving it are different things.
Sources cited:
- CISA Advisory AA26-097A (CISA.gov) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a)
- IC3 Joint Advisory AA26-097A (IC3.gov PDF) (https://www.ic3.gov/CSA/2026/260407.pdf)
- EPA Press Release on Joint Advisory (EPA.gov) (https://www.epa.gov/newsreleases/epa-fbi-cisa-nsa-issue-joint-cybersecurity-advisory-water-system-regarding-iranian)
- CSIS Analysis: The Iranian Cyber Threat to U.S. Critical Infrastructure (https://www.csis.org/analysis/iranian-cyber-threat-us-critical-infrastructure)
- Picus Security: CISA Alert AA26-097A Analysis (https://www.picussecurity.com/resource/blog/cisa-alert-aa26-097a-iranian-affiliated-actors-target-plcs-across-us-critical-infrastructure)
- CybelAngel: Iranian Actors Target US Infrastructure Via Exposed PLCs (https://cybelangel.com/blog/iranian-threat-actors-target-us-critical-infrastructure/)
This release was originally distributed via ETL Newswire. Visit CISA Advisory AA26-097A (CISA.gov) for the full story, related releases, and contact information.
Visit CISA Advisory AA26-097A (CISA.gov) →