Iran-Linked APT Hits US Critical Infrastructure PLCs Amid Escalating Conflict
Original source: "Iran-linked hackers disrupt operations at US critical infrastructure sites" (Ars Technica)

An Iranian government-affiliated threat group has been actively disrupting programmable logic controllers (PLCs) across US critical infrastructure since at least March 2026, prompting a joint advisory from six federal agencies: the FBI, CISA, NSA, EPA, DOE and US Cyber Command. Targeted sectors include government facilities, wastewater systems and energy infrastructure; victim organizations have reported confirmed operational disruptions and financial losses.
The campaign focuses on Rockwell Automation/Allen-Bradley PLCs, the devices that bridge industrial automation software and physical machinery in factories, water treatment plants and oil refineries. Censys identified 5,219 such devices exposed to the internet, about 75% of them in the US. The attack infrastructure traced back to a single multi-homed Windows workstation running the Rockwell engineering toolchain: a narrow foothold, but one from which widely distributed industrial targets could be reached with the same tooling an operator would use legitimately.
The timing aligns with escalating US-Iran geopolitical tensions, suggesting this is a deliberate pressure campaign rather than opportunistic intrusion. The concentration of internet-exposed industrial control systems in remote, hard-to-monitor locations makes this attack surface particularly difficult to defend at scale.
This is an AI-generated summary; read the original Ars Technica article for the full story.