U.S. agencies warn of Iran-linked cyberattacks

U.S. cyber agencies issued an advisory saying Iran-affiliated groups are actively targeting critical infrastructure and operational-technology equipment like programmable logic controllers, with incidents already causing disruption. The joint alert — from CISA, U.S. Cyber Command and other agencies — names energy, water and government services as sectors at risk and emphasises that a fragile ceasefire won’t eliminate the threat. That makes patching, network segmentation and OT-aware monitoring immediate priorities for operators and security teams. (cybernews.com) (hstoday.us)

U.S. agencies are warning that Iran-linked hackers are not just stealing data. They are reaching for the machines that open valves, move water, and run power equipment inside American critical infrastructure. (cisa.gov)

The warning came in a joint advisory published on April 7, 2026 by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, the Environmental Protection Agency, the Department of Energy, and United States Cyber Command. The agencies said the activity has already caused operational disruption and financial loss in the United States. (cisa.gov)

The targets are not ordinary office computers. They include operational technology, which is the hardware and software that directly controls physical processes in places like water plants, energy facilities, and public services. (cisa.gov)

One device in that world is the programmable logic controller. A programmable logic controller is a small industrial computer that tells pumps when to start, motors when to stop, and treatment systems how to react when sensors detect a change. (cisa.gov)

If a business laptop goes down, staff may lose email for a few hours. If a programmable logic controller is tampered with, a water system, a factory line, or an energy process can behave the wrong way in the real world. (cisa.gov)

The April advisory says Iran-affiliated actors are exploiting internet-facing programmable logic controllers, especially devices made by Rockwell Automation under the Allen-Bradley brand. The agencies said the attackers have interacted maliciously with project files and altered information shown on human-machine interface and supervisory control and data acquisition screens. (cisa.gov)

Those display systems are the dashboards operators watch to understand what a plant is doing. If an attacker changes what appears on those screens, workers can be looking at false readings while the underlying equipment is doing something else. (cisa.gov)

The sectors named in the advisory are government services, energy, and water and wastewater systems. Those are the kinds of systems that cannot simply be shut off for a full rebuild because they support daily life for cities, towns, and public agencies. (cisa.gov)

The agencies tied the warning to a wider threat picture that has been building for months. On June 30, 2025, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Department of Defense Cyber Crime Center, and the National Security Agency warned that a declared ceasefire would not remove the possibility of Iranian cyber activity against vulnerable United States networks. (cisa.gov) (nsa.gov)

This is not the first time Washington has connected Iran-linked actors to industrial control threats. In December 2023, U.S. and allied agencies warned that Islamic Revolutionary Guard Corps-affiliated cyber actors were exploiting programmable logic controllers in multiple sectors, including water systems. (cisa.gov)

The pattern in these advisories is simple. Attackers look for internet-exposed devices, weak passwords, old software, and flat networks where business systems and plant systems sit too close together. (cisa.gov 1) (cisa.gov 2)

That is why the government’s advice sounds less like espionage fiction and more like maintenance work. The agencies are telling operators to patch known vulnerabilities, remove direct internet exposure where possible, separate operational technology from information technology networks, and monitor industrial equipment with tools that understand plant traffic instead of only office traffic. (cisa.gov)

They also recommend changing default credentials, enforcing multifactor authentication where systems support it, and reviewing remote access paths that vendors or contractors may use to reach equipment. In industrial environments, the quietest connection is often the one an attacker abuses first. (cisa.gov 1) (cisa.gov 2)

The immediate story is a warning from Washington. The bigger story is that the line between cyberattack and physical disruption keeps getting thinner when internet-connected industrial controllers are left exposed. (cisa.gov)
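The segmentation and OT-aware monitoring advice above is concrete enough to check mechanically. The script below is an added example, not code from the advisory or from any agency: it audits connection records for industrial-protocol traffic reaching controllers from the wrong place. The zones (10.20.0.0/16 for the plant, 10.10.0.0/16 for the business network), the allowlist of HMI and engineering hosts, and the flow-log format are assumptions constructed for this example; the only facts taken from outside the page are the well-known ports (EtherNet/IP on TCP 44818, used by Allen-Bradley PLCs, and Modbus/TCP on 502). An address outside the organisation's private ranges is treated as external, which is how an internet-exposed PLC shows up.

```python
"""Audit flow records for PLC traffic that crosses the IT/OT boundary.

Added example. All zones, hosts and the log format are constructed for
illustration and are not values from the advisory.
"""
import ipaddress
from typing import List, Optional, Tuple

# Well-known industrial protocol ports (TCP). Allen-Bradley PLCs speak
# EtherNet/IP on 44818; Modbus/TCP on 502 is common across vendors.
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP"}

# Assumed network zones for this example.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")   # plant network: PLCs, HMIs
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # business network

# RFC 1918 space; any source outside it is treated as external (internet).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed allowlist: HMI/SCADA servers and engineering workstations that are
# expected to talk to controllers. Any other client is unexpected.
APPROVED_OT_CLIENTS = {"10.20.1.10", "10.20.1.11", "10.20.5.20"}


def is_external(ip: ipaddress.IPv4Address) -> bool:
    """True when the address lies outside the organisation's private space."""
    return not any(ip in net for net in PRIVATE_RANGES)


def classify_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a finding for one TCP flow, or None if it looks legitimate."""
    if dport not in OT_PORTS:
        return None                       # not an industrial protocol: ignore
    proto = OT_PORTS[dport]
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in OT_ZONE:
        return None                       # destination is not a plant device
    if is_external(src_ip):
        # An external source reaching a controller means the PLC is reachable
        # from the internet: the exposure the advisory warns about.
        return f"INTERNET-EXPOSED: {proto} to {dst} from external address {src}"
    if src_ip in IT_ZONE:
        return f"SEGMENTATION VIOLATION: IT host {src} reached {proto} on {dst}"
    if src_ip in OT_ZONE and src not in APPROVED_OT_CLIENTS:
        return f"UNEXPECTED OT CLIENT: {src} reached {proto} on {dst}"
    return None


def parse_flow_line(line: str) -> Tuple[str, str, int]:
    """Parse the constructed 'timestamp src dst dport' record format."""
    _ts, src, dst, dport = line.split()
    return src, dst, int(dport)


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every flow through the rules; return (record, finding) pairs."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport = parse_flow_line(line)
        finding = classify_flow(src, dst, dport)
        if finding:
            findings.append((line, finding))
    return findings


# Constructed sample flows (timestamp src dst dport). 203.0.113.25 is an
# RFC 5737 documentation address standing in for an internet source.
SAMPLE_FLOWS = [
    "2026-04-07T10:00:01 10.20.1.10 10.20.7.50 44818",    # HMI -> PLC: expected
    "2026-04-07T10:00:05 10.10.3.44 10.20.7.50 44818",    # IT desktop -> PLC
    "2026-04-07T10:00:09 203.0.113.25 10.20.7.50 44818",  # internet -> PLC
    "2026-04-07T10:00:12 10.20.9.99 10.20.7.51 502",      # unknown OT host
    "2026-04-07T10:00:15 10.10.3.44 10.10.2.8 443",       # ordinary web traffic
]

if __name__ == "__main__":
    for record, finding in audit(SAMPLE_FLOWS):
        print(finding, "<-", record)
```

Of the five constructed flows, only the HMI-to-PLC connection and the ordinary web session pass; the other three are exactly the conditions the advisory tells operators to remove: a controller reachable from outside, an IT host that can reach plant protocols, and a client inside the plant zone that nobody put on the allowlist. In a real deployment the flow records would come from a firewall or passive OT sensor at the IT/OT boundary, and the allowlist from the asset inventory.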
