Iran-linked cyberattacks hit US infrastructure

A water plant or grain terminal can be run by the digital equivalent of a breaker box, and United States agencies now say Iran-linked hackers have been reaching into those controls and, in some cases, knocking operations off balance. On April 7, 2026, the Cybersecurity and Infrastructure Security Agency said the activity had already caused operational disruption and financial loss at multiple American critical infrastructure organizations. (cisa.gov) The devices at the center of the warning are programmable logic controllers, which are small industrial computers that tell pumps when to start, valves when to open, and conveyor belts when to stop. The April 7 advisory says the hackers targeted internet-facing controllers made by Rockwell Automation under the Allen-Bradley brand. (cisa.gov) The attackers did not need to invent a new kind of weapon for this campaign. Federal agencies said many of the exposed devices were reachable from the public internet and still used default passwords, which is the factory-set code that often stays unchanged after installation. (cisa.gov) Once inside, the hackers allegedly changed project files and tampered with what operators saw on human-machine interface screens, which are the dashboards plant workers use to watch pressure, flow, and alarms. The same advisory says they also manipulated supervisory control and data acquisition displays, which are the larger control panels that tie whole industrial processes together. (cisa.gov) That matters because industrial control systems are not office software. A bad spreadsheet can waste an afternoon, but a bad command to a controller can halt a water pump, interrupt a loading system, or force a site to shut down while engineers check whether the readings on screen match the machinery on the floor. (arstechnica.com) This is not the first time Iranian-linked operators have gone after these kinds of machines. In November 2023, a joint United States and allied advisory said Islamic Revolutionary Guard Corps-affiliated actors compromised at least 75 programmable logic controllers and human-machine interfaces in multiple sectors, including water and wastewater systems. (cisa.gov) The newer warning suggests the playbook is evolving from nuisance defacements into direct operational interference at American sites. Wired reported this week that the current wave has hit energy and water targets, while federal officials told outlets the affected sectors also include logistics and other industrial operations. (wired.com) (govtech.com) The United States government has been warning for months that Iranian cyber actors could target vulnerable American networks during periods of tension. In a July 2025 fact sheet, the National Security Agency, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense Cyber Crime Center urged operators to harden internet-exposed systems tied to critical infrastructure. (nsa.gov) The immediate fixes in the April 2026 advisory are not exotic. Agencies told operators to remove industrial devices from direct internet exposure, change default passwords, require phishing-resistant multi-factor authentication for remote access, and keep manual backups of controller logic so a tampered system can be rebuilt. (cisa.gov) The unsettling part is how ordinary the weak points were. The federal warning says some of the targeted equipment was visible from the open internet, which means a foreign intelligence service or a loosely affiliated hacking crew could find the front door with the same kind of scanning tools security researchers use every day. (cisa.gov)