Iran‑linked cyber strikes

Security outlets report Iran‑linked hackers have disrupted operations at U.S. critical‑infrastructure sites, including municipalities and government facilities, as geopolitical tensions rise. Federal advisories warned water and energy systems may be targeted, and analysts expect disruptive 'hack‑and‑leak' campaigns used for political signalling as well as operational damage. That elevates immediate cyber risk for firms in energy, transport, finance and software. (arstechnica.com) (thv11.com) (security.com)

Hackers tied to Iran are no longer just stealing files from American networks. A joint United States warning issued on April 7 said they have already exploited and in some cases disrupted equipment at water systems, energy sites, and government facilities inside the United States. (cisa.gov)

The equipment they are hitting is called a programmable logic controller, which is a small industrial computer that opens valves, starts pumps, and keeps factory lines moving. If a normal office computer is the front desk, a programmable logic controller is the hand on the switch. (cisa.gov)

Federal agencies said the attackers went after internet-exposed controllers made by Unitronics and other vendors, then changed settings, tampered with project files, and manipulated what operators saw on screens. The advisory says some victims suffered operational disruption and financial loss, which means this moved past digital trespassing into real-world interruption. (cisa.gov)

This is not the first time Iranian-linked groups have used this playbook. Ars Technica reported that the same broad ecosystem was tied to the 2023 campaign by Cyber Av3ngers, which defaced human-machine interfaces and disrupted more than 75 internet-connected devices at U.S. critical-infrastructure organizations. (arstechnica.com)

What changed in April 2026 is the timing and the target list. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Environmental Protection Agency, the Department of Energy, and United States Cyber Command all signed the advisory, and they said the sectors at risk include water, wastewater, energy, and government services. (epa.gov)

Security researchers are also seeing a wider campaign around the industrial attacks. Security.com said the Iranian group Seedworm, also known as MuddyWater, had been active since February 2026 on networks tied to a U.S. bank, a U.S. airport, a nonprofit, and the Israeli operations of a U.S. software company. (security.com)

That mix of targets shows two different goals at once. One set of operations aims at operational technology, which is the gear that runs physical systems, while another set aims at information technology, which is the email, file, and identity layer used for spying, extortion, or public leaks. (security.com) (cisa.gov)

Officials tied the escalation to the war that began on February 28, 2026, when U.S.-Israel strikes hit Iran, and multiple outlets reported the cyber activity intensified afterward. TechCrunch and U.S. News both said the April warning described the campaign as an escalation linked to the ongoing conflict. (techcrunch.com) (usnews.com)

The most immediate weakness is simple exposure. The federal advisory says many targeted controllers were reachable from the public internet, which is the industrial equivalent of leaving a control cabinet unlocked on the sidewalk. (cisa.gov)

That is why the warning reaches beyond utilities. A transport company, a finance firm, or a software provider may not run a water plant, but they can still be hit by the same Iranian groups through stolen passwords, remote access tools, and leak operations that turn a network breach into a political message. (security.com) (arstechnica.com)

The federal advice was blunt: disconnect industrial controllers from the public internet, change default passwords, enforce multi-factor authentication, and watch for unusual remote access. When six agencies issue that list together after confirmed disruption, it usually means they think more attempts are coming, not fewer. (cisa.gov)
