Iranian-Affiliated Hackers Hit U.S. Water, Energy, and Government PLCs, Six Agencies Warn
A joint CISA advisory documents active Iranian APT exploitation of internet-exposed Rockwell Automation controllers, with confirmed operational disruptions and financial losses across multiple critical infrastructure sectors.
Six U.S. government agencies issued a joint cybersecurity advisory on April 7 warning that Iranian-affiliated advanced persistent threat actors have been actively compromising internet-facing programmable logic controllers at American water utilities, energy facilities, and local government sites since at least March 2026.
The advisory, designated AA26-097A and reviewed in full by ETL Newswire, was co-authored by the FBI, CISA, NSA, EPA, the Department of Energy, and U.S. Cyber Command's Cyber National Mission Force. That's an unusually wide signing coalition for an OT advisory, and the list of co-signers is itself a signal about how seriously the government is treating this.
According to the advisory, the actors used overseas-based IP addresses and leased third-party infrastructure to connect to exposed Rockwell Automation/Allen-Bradley CompactLogix and Micro850 controllers. The access method didn't require novel malware. The actors used Rockwell's own Studio 5000 Logix Designer configuration software to establish what the advisory describes as "an accepted connection to the victim's PLC." That's worth sitting with: the attack vector was legitimate vendor tooling, not a bespoke implant.
At the center of the campaign is an authentication bypass flaw in Rockwell's Logix controllers. The advisory references CVE-2021-22681, a vulnerability tied to an insufficiently protected cryptographic key in Studio 5000 Logix Designer, which Rockwell updated guidance on in March 2026 and which CISA added to its Known Exploited Vulnerabilities catalog around the same time. The gap between a 2021 CVE and confirmed exploitation in 2026 points to a structural problem: OT patching cycles are slow by design, and that lag has real consequences.
The disruptions weren't theoretical. According to the joint advisory, some victim organizations experienced operational disruption and financial loss after actors tampered with PLC project files and manipulated data on human machine interface and SCADA displays. Security teams, according to analysis reviewed by ETL Newswire from Cybersecurity Dive, discovered the intrusions only after operational failures triggered manual investigations, by which point attackers had maintained access for weeks.
The advisory's port targeting list is a detail defenders should not skip. Malicious traffic was directed at ports 44818 (EtherNet/IP, associated with Rockwell), 2222, 102 (ISO-TSAP, associated with Siemens S7), 22 (SSH), and 502 (Modbus TCP). The multi-vendor port profile is a moderate-confidence indicator, per the advisory itself, that the actors are not limiting operations to Rockwell gear.
The geopolitical framing is explicit in the primary document. The advisory states that Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, "likely in response to hostilities between Iran, and the United States and Israel." That's an assessed motivation, not a confirmed one, and it's worth labeling it as such. The advisory does not attribute this campaign to a named group by designation, though it cross-references the earlier CyberAv3ngers campaign, which targeted Unitronics PLCs starting in November 2023 during the Gaza conflict and was linked to the IRGC's Cyber Electronic Command.
The remediation guidance in AA26-097A is mostly architectural: take PLCs off the public internet, block industrial protocol ports at the perimeter, enforce multi-factor authentication on all remote access pathways, and back up PLC logic offline. The advisory also includes a notable passage directed at device manufacturers, stating that it is "ultimately the responsibility of the device manufacturer to build products that are secure by design and default." That's CISA invoking its Secure by Design initiative in a live-threat advisory, which is a policy statement as much as a technical one.
According to figures cited in Cybersecurity Dive, more than 3,000 Rockwell devices remain visible on the public internet. That number is an exposure count, not a compromise count. The gap between the two is where the risk lives right now.
Sources cited:
- CISA Advisory AA26-097A (joint FBI/CISA/NSA/EPA/DOE/CNMF) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a)
- Cybersecurity Dive (https://www.cybersecuritydive.com/news/iran-linked-hackers-targeting-water-energy-in-us-fbi-and-cisa-warn/816949/)
- IC3 / CISA Advisory PDF (AA26-097A) (https://www.ic3.gov/CSA/2026/260407.pdf)
- Picus Security blog (AA26-097A analysis) (https://www.picussecurity.com/resource/blog/cisa-alert-aa26-097a-iranian-affiliated-actors-target-plcs-across-us-critical-infrastructure)
- CybelAngel REACT Team analysis (https://cybelangel.com/blog/iranian-threat-actors-target-us-critical-infrastructure/)
This release was originally distributed via ETL Newswire. Visit CISA Advisory AA26-097A (joint FBI/CISA/NSA/EPA/DOE/CNMF) for the full story, related releases, and contact information.
Visit CISA Advisory AA26-097A (joint FBI/CISA/NSA/EPA/DOE/CNMF) →