US warns Iranian hackers are disrupting critical infrastructure
Federal agencies say Iran-linked actors are exploiting internet-facing industrial controllers to cause operational outages and financial losses across energy, water, and government facilities.
Apr 7, 2026, 4:26 PM EDT
Why it matters:
- Disruptions to industrial control systems can ripple through power, water, and other essential services, threatening public safety and the economy.
Driving the news:
- A joint advisory from CISA, FBI, NSA, EPA, DOE, and U.S. Cyber Command says Iran-affiliated APT actors are targeting internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) used in U.S. critical infrastructure.
- The activity has led to PLC disruptions across multiple sectors, including government services and facilities, water and wastewater systems, and energy, with some victims experiencing operational disruption and financial loss.
State of play:
- The advisory identifies exploitation of internet-facing OT devices, including malicious interaction with project files and manipulation of data on human-machine interfaces and SCADA displays.
- Agencies say the disruptions have occurred since March 2026, with victims across a wide variety of industrial automation processes.
What they're saying:
- "Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley," the alert states.
- "The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States," the advisory reads.
The big picture:
- The warning is the first public federal advisory on domestic critical infrastructure threats since the U.S. war with Iran began, underscoring a shift toward operational technology targeting.
- It follows a broader pattern of Iran-linked groups escalating cyber activity, including a high-profile breach at Stryker and other campaigns tied to the conflict.
What to watch:
- Agencies recommend taking vulnerable internet-connected controllers offline, reviewing logs for indicators of compromise, and locking down affected Rockwell devices to prevent unauthorized access.
- Operators should keep monitoring PLCs and SCADA/HMI displays for suspicious activity, with particular attention to OT assets that are reachable from the internet.
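One concrete way to act on the advice above (find internet-facing controllers, review logs for signs of unauthorized access) is to run edge firewall or flow logs through a filter that flags any connection from a non-internal address to the EtherNet/IP ports Rockwell/Allen-Bradley controllers listen on: TCP 44818 for explicit CIP messaging and UDP 2222 for implicit I/O. The Python below is an added example written for this article, not code from the advisory or from any of the authoring agencies. The flow-log line format, the IP addresses, and the PLC inventory are constructed for illustration; only the port numbers are the standard EtherNet/IP assignments.

```python
"""Flag connections from outside the plant/enterprise to EtherNet/IP ports.

Added example, not from the advisory. Assumes a constructed one-line-per-flow
log format: "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>".
"""
import ipaddress
from dataclasses import dataclass

# Standard EtherNet/IP (CIP) ports used by Rockwell/Allen-Bradley controllers.
OT_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging (CIP)",
    ("udp", 2222): "EtherNet/IP implicit I/O",
}

# Address space treated as "inside". Listed explicitly rather than relying on
# ipaddress.is_private so that the documentation ranges used in the sample
# data (198.51.100.0/24, 192.0.2.0/24) are classified as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed asset inventory: destination IP -> controller description.
PLC_INVENTORY = {
    "10.20.5.31": "Allen-Bradley CompactLogix, lift station 3 (constructed)",
}

# Constructed flow-log lines; the first and fourth should be flagged.
SAMPLE_FLOWS = [
    "2026-03-12T02:14:07Z 198.51.100.77 51234 10.20.5.31 44818 tcp",
    "2026-03-12T02:14:09Z 10.20.5.12 2222 10.20.5.31 2222 udp",
    "2026-03-12T02:15:41Z 198.51.100.77 51240 10.20.5.31 80 tcp",
    "2026-03-12T02:16:00Z 192.0.2.9 40001 10.20.5.44 44818 tcp",
    "garbage line that does not parse",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    service: str
    asset: str


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one flow-log line into a tuple, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, int(sport), dst, int(dport), proto.lower()
    except ValueError:
        return None


def find_internet_exposed_plc_traffic(lines, inventory):
    """Return a Finding for every external-to-OT-port connection in lines.

    Hosts absent from the inventory are still reported, labelled accordingly:
    an EtherNet/IP listener you did not know about is exactly what the
    advisory's 'internet-facing controller' warning is about.
    """
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, _sport, dst, dport, proto = rec
        service = OT_PORTS.get((proto, dport))
        if service is None or is_internal(src):
            continue
        asset = inventory.get(dst, "not in inventory")
        findings.append(Finding(ts, src, dst, service, asset))
    return findings


if __name__ == "__main__":
    for f in find_internet_exposed_plc_traffic(SAMPLE_FLOWS, PLC_INVENTORY):
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip} [{f.service}] {f.asset}")
```

Any hit from this filter is a controller that is reachable from the internet and should be taken off it, or placed behind a firewall or VPN, before the logs are combed for the advisory's indicators of compromise. The inventory lookup is there so that the alert names the physical process affected; a hit on a host that is not in the inventory is a gap in asset management as much as a security finding.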
The bottom line:
- Iran-linked actors are actively exploiting internet-facing industrial controllers in the U.S., causing real-world disruptions that agencies are urging organizations to harden against now.
