
FBI, Pentagon warn of Iran hacking groups targeting operational technology

Hackers affiliated with the government of Iran are attacking internet-facing operational technology (OT) devices and causing disruptions across multiple U.S. critical infrastructure sectors.

The attacks have led to “operational disruption and financial loss,” according to a new advisory from the Defense Department, FBI, National Security Agency (NSA) and other federal agencies. Officials believe the attacks escalated in response to the current military conflict between the U.S. and Iran.

Iranian-affiliated threat actors are specifically targeting internet-connected OT devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation or Allen-Bradley. Other devices from Siemens may also be included in the campaign.

“As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays,” the agencies said. 

“Since at least March 2026, the authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT group that disrupted the function of PLCs.”

The advisory said Iranian actors are targeting local municipal governments, water and wastewater systems and the energy sector. It comes one week after a water treatment plant in Minot, North Dakota, reported a ransomware attack.

A Minot city official told Recorded Future News that they called the incident a ransomware attack but said there was no direct ask for money and there was no direct interaction “beyond a letter on a screen.”

The FBI confirmed to Recorded Future News that it is involved in the investigations into the attack on Minot and another separate attack on a county government in Indiana. 

Water companies and other critical infrastructure organizations use PLCs to control and monitor various stages and processes, including turning on and off pumps at a pump station to fill tanks, reservoirs and more.

The FBI advisory specifically highlights CVE-2021-22681 — a vulnerability affecting Rockwell operational technology products. The Cybersecurity and Infrastructure Security Agency (CISA) said the bug was being exploited one month ago and ordered all federal agencies to patch it by March 26. 

Organizations are urged to remove PLCs and other operational technology from direct internet exposure and check logs for any suspicious traffic.

The agencies compared the activity to an Iranian campaign in 2023 and 2024 where hackers linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted PLCs made by Israeli company Unitronics. In Tuesday’s advisory, U.S. officials revealed for the first time that Iran’s 2023 campaign involved at least 75 devices that were compromised. 

While the incidents were largely defacements of utility technology, federal officials warned at the time that the attackers may use their access to the devices as a way to gain deeper network-level access that would allow them to cause physical damage to equipment or worse.

Since the 2023 campaign, cyber defenders said Iranian actors continued to target U.S. critical infrastructure. Dragos CEO Rob Lee told reporters in February that the same group behind the 2023 attacks continued to focus on energy utilities, oil and gas, railways and the water sector.

Lee said the group showed “a consistent ability to get a better and better understanding of control loops and physical processes, not just defacing human interfaces.”

The State Department issued $10 million rewards for information on the Iranians behind the 2023 attacks, explicitly naming six security officials allegedly linked to IRGC hacking groups. One of the men named, Hamid Reza Lashgarian, is head of the IRGC’s Cyber-Electronic Command (CEC).

The kinetic conflict between the U.S., Israel and Iran has had cybersecurity consequences since it began at the end of February. A prominent medical device firm had 200,000 company devices wiped and other attacks have been reported. Cybersecurity experts said there are also dozens of Iran-linked attacks that have not been publicized.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.