Iranian-Linked Hackers Disrupt U.S. Water, Energy, and Government PLCs, Six Agencies Warn
A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command confirms that IRGC-affiliated actors have caused operational disruptions at multiple U.S. critical infrastructure sites by exploiting internet-exposed Rockwell Automation controllers.
Six federal agencies released joint advisory AA26-097A on April 7, 2026, confirming something that most prior advisories on Iranian cyber activity had stopped short of saying: the disruptions are real, they've already happened, and they've cost money.
The advisory, reviewed directly on the CISA website, says Iranian-affiliated advanced persistent threat actors have been targeting internet-facing programmable logic controllers (PLCs) manufactured by Rockwell Automation and Allen-Bradley across U.S. water and wastewater systems, energy facilities, and government installations since at least March 2026. Organizations from multiple sectors experienced disruptions through malicious interactions with project files and manipulation of data on HMI and SCADA displays, according to the advisory.
The group behind the campaign is CyberAv3ngers, a persona operated by Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), also tracked in private industry under names including Storm-0784, Hydro Kitten, Bauxite, and UNC5691. This isn't their first rodeo with U.S. water infrastructure. A similar campaign beginning in November 2023 compromised at least 75 Unitronics PLC devices across water and wastewater facilities, as documented in the earlier advisory AA23-335A.
What's worth flagging about the current campaign is the access method. According to AA26-097A as analyzed in detail by Censys and by Intruvent Edge, the actors aren't burning zero-days. They're using Rockwell's own Studio 5000 Logix Designer, the same professional engineering environment that legitimate operators use to program and maintain these controllers. That means the resulting network traffic resembles normal engineering activity to most detection tooling. The access path runs through either stolen credentials, a compromised workstation, or CVE-2021-22681, a cryptographic key vulnerability in Rockwell's Logix platform that CISA added to its Known Exploited Vulnerabilities catalog in March 2026, according to a Picus Security analysis of the campaign.
Once in, the actors deploy Dropbear SSH on port 22 to establish a persistent command-and-control channel, extract and modify PLC project files, then re-upload them. They also manipulate what operators see on SCADA display screens, which means personnel can be watching false process readings while adversarial logic runs in the background. That's not a theoretical risk description; the advisory says it caused operational disruption and financial loss.
The attack surface isn't small. Censys scanning published alongside their advisory analysis found 5,219 internet-exposed hosts globally responding to EtherNet/IP and identifying as Rockwell Automation devices. The United States accounts for roughly 75 percent of that exposure, at 3,891 hosts, with a notable share sitting on cellular carrier networks, consistent with field-deployed devices using cellular modems for remote access.
The broader context matters here. According to the 1898 & Co. advisory analysis of AA26-097A, this campaign likely reflects anticipated Iranian retaliatory cyber operations following hostilities between Iran and the United States and Israel. That's a moderate-confidence assessment from multiple private-sector analysts, not a confirmed government attribution of motive. The advisory itself doesn't specify a geopolitical trigger.
For operators, the regulatory exposure compounds the operational one. Energy sector facilities with internet-exposed PLCs controlling bulk electric assets may be looking at reportable violations under NERC CIP-005 and CIP-007. Water utilities have reporting obligations under CIRCIA and documentation requirements under America's Water Infrastructure Act. The advisory confirms activity that, if it hit your facility, probably triggers both.
CISA's headline mitigation is blunt: get the PLCs off the internet. For CompactLogix and MicroLogix devices with a physical mode switch, placing it in RUN position is the one control that CIP protocol commands cannot override remotely, according to the advisory and Censys analysis. Everything else, MFA, network segmentation, patching CVE-2021-22681, is necessary but secondary to that.
Sources cited:
- CISA Advisory AA26-097A (cisa.gov) (https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a)
- Censys blog: Iranian-Affiliated APT Targeting Rockwell/Allen-Bradley PLCs (https://censys.com/blog/iranian-affiliated-apt-targeting-rockwell-allen-bradley-plcs/)
- Intruvent Edge: CISA Confirms Iranian Disruption of US Critical Infrastructure (https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian)
- 1898 & Co. Advisory: CISA AA26-097A Iranian-Affiliated Cyber Actors (https://1898advisories.burnsmcd.com/iranian-affiliated-cyber-actors-exploit-rockwell-automation-programmable-logic-controllers-across-u.s.-critical-infrastructure-cisa-aa26-097a)
- Picus Security: CISA Alert AA26-097A Analysis (https://www.picussecurity.com/resource/blog/cisa-alert-aa26-097a-iranian-affiliated-actors-target-plcs-across-us-critical-infrastructure)
- IC3/FBI Joint Advisory PDF (AA26-097A) (https://www.ic3.gov/CSA/2026/260407.pdf)
This release was originally distributed via ETL Newswire. Visit CISA Advisory AA26-097A (cisa.gov) for the full story, related releases, and contact information.
Visit CISA Advisory AA26-097A (cisa.gov) →