Hackers working for the Iranian government are disrupting operations at multiple US critical-infrastructure sites, six federal agencies warned, likely in response to the ongoing conflict between the two countries. In a joint advisory, the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command said the group is targeting programmable logic controllers (PLCs) — the small devices that bridge automation software and physical machinery in factories, water plants, and refineries.
The agencies said that since at least March 2026 the Iranian-affiliated group has disrupted PLCs across government, wastewater, and energy sectors, with some victims suffering operational disruption and financial loss. Many of the targeted devices are made by Rockwell Automation/Allen-Bradley; security firm Censys said an internet scan found 5,219 such devices exposed online, roughly 75 percent of them in the US.
According to Censys, the attacks trace to a single multi-homed Windows engineering workstation running Rockwell's Studio 5000 Logix Designer, which connects to PLCs over Remote Desktop on the non-standard TCP port 43589 using a self-signed certificate (common name DESKTOP-BOE5MUC). The targeting has hit CompactLogix and Micro850 families, and the advisory notes that other protocols such as Modbus and S7 are being probed, suggesting devices from other vendors are also in scope.
Iranian operations against US industrial systems are not new: in 2023 the "CyberAv3ngers" group disrupted dozens of US PLCs and human-machine interfaces. More recently, medical-device maker Stryker confirmed an attack that downed much of its infrastructure, which researchers tied to the pro-Iran group Handala — the same crew linked to a hack of FBI Director Kash Patel's personal email. The advisories provide attacker IP addresses and guidance for hardening PLCs, and officials expect such attacks to escalate as the conflict continues.