May 4, 2026
The Dark Reading article reports that Iranian-affiliated threat actors have recently disrupted U.S. critical infrastructure by targeting internet-exposed operational technology devices, especially programmable logic controllers. Citing a joint advisory from CISA, the FBI, NSA, EPA, DOE, and U.S. Cyber Command, it says the activity began in March 2026, shortly after U.S. and Israeli attacks on Iran, and focused particularly on Rockwell Automation / Allen-Bradley PLCs used in sectors such as energy, water and wastewater, and government facilities. According to the article, the attackers manipulated PLC project files, tampered with HMI and SCADA displays, and in some cases caused operational disruption and financial loss. It also notes that while the agencies did not formally name the perpetrators, the tradecraft resembled earlier PLC attacks by CyberAv3ngers, a group linked to Iran’s IRGC.
The article then explains how the intrusions were carried out and what defenders are being told to do in response. The advisory says the attackers operated from overseas-hosted infrastructure and used legitimate engineering software such as Rockwell's Studio 5000 Logix Designer to open sessions that the exposed PLCs, including CompactLogix and Micro850 devices, accepted as ordinary engineering connections; they also deployed Dropbear SSH to maintain remote access. Dark Reading emphasizes that the immediate lesson is less about exotic nation-state capability than about the longstanding exposure of OT systems to the public internet: experts quoted in the piece argue that any internet-reachable OT environment is already a design flaw. The recommended mitigations therefore center on basic but urgent steps: removing PLCs from direct internet exposure, putting secure gateways and firewalls in front of them, reviewing logs for suspicious traffic on OT-related ports, searching for the advisory's indicators of compromise, and, where the process allows, setting the Rockwell controller keyswitch to RUN mode, which blocks remote program downloads and online edits.
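As an added example, not part of the Dark Reading article or the joint advisory: the "review logs for suspicious traffic on OT-related ports" step, implemented as a small Python script run over constructed firewall-style log lines. The log format, the internal address ranges, and the port list (44818/TCP EtherNet/IP explicit messaging, which Studio 5000 uses to talk to Logix controllers; 2222/UDP CIP I/O; 22/TCP as Dropbear's default SSH port) are assumptions for this example, and the public-looking source addresses are TEST-NET documentation addresses standing in for internet hosts.

```python
"""Flag connections from outside the plant's address space to PLC-related ports.

Added example for the mitigation step described above; log format, port list
and internal ranges are assumptions, and the log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Ports treated as OT-relevant in this example (assumption):
#   44818/tcp  EtherNet/IP explicit messaging (Studio 5000 <-> Logix controllers)
#    2222/udp  CIP implicit (Class 1) I/O
#      22/tcp  SSH (Dropbear default)
OT_PORTS = {44818: "EtherNet/IP (CIP explicit)", 2222: "CIP I/O", 22: "SSH"}

# Address space the operator considers "inside" (assumption: RFC 1918 only).
# Defined explicitly rather than via ip.is_global so the TEST-NET sample
# sources below count as external, as real internet sources would.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: "timestamp src_ip src_port dst_ip dst_port proto action"
SAMPLE_LOGS = """\
2026-03-12T02:14:07Z 203.0.113.45 51234 192.168.10.21 44818 tcp allow
2026-03-12T02:14:09Z 192.168.10.5 49152 192.168.10.21 44818 tcp allow
2026-03-12T02:15:30Z 198.51.100.7 40022 192.168.10.21 22 tcp allow
2026-03-12T02:16:01Z 203.0.113.45 51240 192.168.10.22 2222 udp deny
2026-03-12T02:17:44Z 10.0.0.8 33000 192.168.10.30 502 tcp allow
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    service: str
    action: str


def is_external(ip):
    """True when the address is outside every configured internal range."""
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one whitespace-separated log record; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto, action
    except ValueError:
        return None


def find_exposed_plc_sessions(log_text, ot_ports=OT_PORTS):
    """Return every record where an external source reached (or tried to reach)
    an OT-related port. Denied attempts are kept: they still show the PLC is
    reachable from the internet, which is the underlying exposure to fix."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, _proto, action = rec
        if dport in ot_ports and is_external(src):
            findings.append(Finding(ts, str(src), str(dst), dport, ot_ports[dport], action))
    return findings


def accepted_sessions(findings):
    """Subset of findings the firewall actually let through."""
    return [f for f in findings if f.action == "allow"]


if __name__ == "__main__":
    hits = find_exposed_plc_sessions(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port} ({f.service}) {f.action.upper()}")
    print(f"{len(hits)} external contacts, {len(accepted_sessions(hits))} accepted")
```

Each destination in the output is a controller that is, or was, reachable from outside the plant network; the accepted sessions are the ones to investigate for unauthorized project downloads, while the denied ones still mark devices that should not be exposed in the first place. A record that does not fit the assumed format is skipped rather than crashing the pass, so a noisy export does not hide the rest of the findings.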