U.S. government agencies have issued an urgent joint advisory warning that Iranian-affiliated hackers are escalating cyberattacks on American critical infrastructure, targeting internet-exposed programmable logic controllers (PLCs) in sectors like energy, water and wastewater systems, and government facilities.[1][2][3][4] These attacks, which began intensifying in March 2026, have already caused operational disruptions, manipulated data on human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems, and led to financial losses for victims.[1][5][6] The FBI, NSA, CISA, Department of Energy, EPA, and U.S. Cyber Command jointly authored the alert released on April 7, 2026, highlighting malicious interactions with device project files and exploitation of legitimate engineering software like Studio 5000 Logix Designer.[2][6]
Hackers have primarily focused on Rockwell Automation and Allen-Bradley PLCs, which control industrial equipment in essential services, though Siemens S7 PLCs and other vendors' devices may also be at risk.[1][2][3] According to the advisory, attackers operating from overseas IP addresses have installed tools such as Dropbear SSH to maintain persistent remote access, which enables data manipulation and system sabotage.[2] As reported by Wired, these efforts echo tactics used by Iran-linked groups like CyberAv3ngers, which in 2023 defaced U.S. water treatment panels amid regional tensions.[3] TechCrunch notes that the escalation ties directly to the ongoing U.S.-Israel war with Iran, which began with airstrikes on February 28, 2026 that killed Iran's leader; the strikes prompted Iranian hackers to broaden their operations beyond espionage.[4]
This campaign matters because it threatens lifelines like clean water, power grids, and public services, potentially affecting millions if disruptions worsen.[1][4] The North American Electric Reliability Corporation issued an all-points bulletin to energy sector members urging vigilance, while experts such as Check Point Research's Sergey Shykevich describe it as an "accelerating" threat that follows patterns already seen against Israeli systems.[1][3] Organizations running internet-exposed operational technology (OT) devices face heightened risk; the agencies recommend checking logs immediately for suspicious traffic, removing control software from internet exposure, and contacting Rockwell if a device is compromised.[3][6]
What happens next remains uncertain, but federal guidance emphasizes rapid mitigation to prevent broader sabotage.[5] Victims have reported diminished PLC functionality, and while no widespread outages are confirmed, the stated intent to cause "disruptive effects" signals the potential for more aggressive actions, especially amid President Trump's recent threats against Iranian infrastructure.[4] As the conflict persists, U.S. critical infrastructure operators must prioritize securing internet-facing systems to safeguard public safety and economic stability.[1][3]