Iranian APT Group Targets US Industrial PLCs, Causing Operational Disruption

A coalition of six US government agencies has issued an urgent advisory regarding an advanced persistent threat group with ties to Iran. This group is actively disrupting operations at multiple critical infrastructure sites within the United States. The advisory, released on Tuesday, points to the ongoing conflict between Iran and the US as a likely motivator for these cyber intrusions.

The agencies involved include the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy, and US Cyber Command. They collectively warn that the APT is focusing its attacks on programmable logic controllers, commonly referred to as PLCs. These devices, often about the size of a toaster, are integral to industrial automation processes.

PLCs serve as a critical interface between computer systems used for automation and the physical machinery they control. They are deployed in a variety of settings, including factories, water treatment centers, and oil refineries. Many of these locations are remote, making them challenging to secure and monitor effectively.

According to the advisory, the Iranian-affiliated APT group has been disrupting PLC functions since at least March 2026. This assessment is based on engagements with victim organizations. The affected PLCs span multiple US critical infrastructure sectors, such as Government Services and Facilities, Waste Water Systems, and the Energy sector.

The intrusions have had real-world consequences. The advisory states, "Some of the victims experienced operational disruption and financial loss," which places this activity beyond reconnaissance or data theft: the attackers have interfered with the processes these controllers run and, with them, the delivery of essential services.

Among the PLCs being compromised or targeted are those manufactured by Rockwell Automation/Allen-Bradley. Security firm Censys reported on Wednesday that an Internet scan identified 5,219 such devices exposed to the Internet, roughly 75 percent of them in the United States. Many of these sit at the kind of remote, rarely inspected sites where industrial equipment is often installed, which is one reason an Internet-reachable PLC can go unnoticed for a long time.
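Internet scanners identify exposed Rockwell/Allen-Bradley controllers by sending the EtherNet/IP List Identity request to port 44818 and reading the CIP identity record that comes back, which carries the vendor ID (1 is Rockwell Automation/Allen-Bradley), device type, product name, revision and serial number. The Python below is an added example, not the advisory's or Censys's tooling: it builds that request, parses a reply, and includes a constructed stand-in reply (the IP address, product code, serial number and product name are invented for the example) so it runs offline. The `probe()` function, which sends the request over TCP, is also the editor's addition and should only be pointed at devices you are authorized to test.

```python
"""Added example (not the advisory's or Censys's tooling): build an EtherNet/IP
List Identity request and parse the reply an Allen-Bradley controller sends back,
which is how Internet scanners fingerprint exposed Rockwell PLCs."""
import socket
import struct

ENIP_PORT = 44818              # EtherNet/IP encapsulation port (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063     # encapsulation command: ListIdentity
ITEM_CIP_IDENTITY = 0x000C     # CPF item type carrying the CIP identity object
HEADER = "<HHII8sI"            # cmd, length, session, status, sender context, options
VENDORS = {0x0001: "Rockwell Automation/Allen-Bradley"}   # CIP vendor IDs (partial table)
DEVICE_TYPES = {0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}


def build_list_identity_request(context: bytes = b"\x00" * 8) -> bytes:
    """24-byte encapsulation header with an empty body; no session is needed."""
    return struct.pack(HEADER, CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity_reply(data: bytes) -> dict:
    """Return the identity fields from a ListIdentity reply; raise on malformed input."""
    if len(data) < 24:
        raise ValueError("reply shorter than the ENIP header")
    cmd, length, _session, status, _context, _options = struct.unpack_from(HEADER, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} or status 0x{status:08x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item, off = body[off:off + item_len], off + item_len
        if item_type != ITEM_CIP_IDENTITY:
            continue
        # The socket address is big-endian (network order); the CIP fields after it are little-endian.
        _family, sin_port, sin_addr = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name = item[33:33 + name_len].decode("ascii", "replace")
        return {
            "ip": socket.inet_ntoa(sin_addr),
            "port": sin_port,
            "vendor_id": vendor,
            "vendor": VENDORS.get(vendor, f"unknown (0x{vendor:04x})"),
            "device_type": dev_type,
            "device_type_name": DEVICE_TYPES.get(dev_type, f"unknown (0x{dev_type:02x})"),
            "product_code": prod_code,
            "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status,
            "serial": f"0x{serial:08X}",
            "product_name": name,
            "state": item[33 + name_len],   # state byte follows the product name
        }
    raise ValueError("no CIP identity item in reply")


def build_identity_item(ip, vendor, dev_type, prod_code, rev, status, serial, name, state) -> bytes:
    """Encode one CIP identity item; used here only to construct a stand-in PLC reply."""
    body = struct.pack("<H", 1)                                    # encapsulation protocol version
    body += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton(ip), b"\x00" * 8)  # sockaddr_in
    body += struct.pack("<HHHBBHI", vendor, dev_type, prod_code, rev[0], rev[1], status, serial)
    body += struct.pack("B", len(name)) + name.encode("ascii") + struct.pack("B", state)
    return struct.pack("<HH", ITEM_CIP_IDENTITY, len(body)) + body


def build_list_identity_reply(items, context: bytes = b"\x00" * 8) -> bytes:
    """Wrap identity items in a ListIdentity reply header (stand-in for a real controller)."""
    body = struct.pack("<H", len(items)) + b"".join(items)
    return struct.pack(HEADER, CMD_LIST_IDENTITY, len(body), 0, 0, context, 0) + body


# Constructed stand-in for a reply from an Internet-exposed ControlLogix controller.
# The address (documentation range), product code, serial and name are invented for this example.
SAMPLE_REPLY = build_list_identity_reply([
    build_identity_item("192.0.2.10", 0x0001, 0x0E, 0x00A6, (33, 11), 0x0060,
                        0x00ABCDEF, "1756-L81E/B", 0x03),
])


def probe(host: str, timeout: float = 3.0) -> dict:
    """Send one ListIdentity over TCP to a host you are authorized to test and parse the reply."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
        s.sendall(build_list_identity_request())
        reply = s.recv(4096)
    return parse_list_identity_reply(reply)


if __name__ == "__main__":
    print(parse_list_identity_reply(SAMPLE_REPLY))
```

The same request works over UDP, which is how large-scale scanners typically send it; anything on your perimeter that answers it is a controller that should be behind a firewall or VPN, not reachable from the Internet.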

The infrastructure used to reach these devices is described as a "single multi-home Windows engineering workstation running the Rockwell tool chain." A multihomed host has network interfaces on more than one network, so a workstation that sits on both a reachable network and the plant network lets the attackers use the vendor's own engineering software, from a position the PLCs already trust, to read, modify or stop the logic those controllers run.
