CISA Warns of Iranian-Affiliated Actors Targeting US Critical Infrastructure PLCs
US agencies have issued a warning about Iranian-affiliated actors actively exploiting programmable logic controllers (PLCs) in US critical infrastructure, causing operational disruptions.

US government agencies, including the FBI, CISA, and NSA, issued a joint warning on April 7, 2026, detailing an ongoing campaign by Iranian-affiliated advanced persistent threat (APT) actors targeting internet-facing programmable logic controllers (PLCs). The actors are primarily focusing on Rockwell Automation devices, but also appear to be targeting Siemens and Modbus-compatible systems, impacting sectors such as US Government Services, Water and Wastewater Systems (WWS), and Energy.
Picus Security, a cybersecurity firm, has analyzed the tactics, techniques, and procedures (TTPs) associated with this campaign. The activity, observed since at least March 2026, involves tampering with PLC project files and manipulating Human-Machine Interface (HMI) and SCADA displays; in some instances it has led to operational disruptions and financial losses. The motivation is assessed to be geopolitical retaliation linked to US-Iran hostilities.
This campaign represents an escalation from previous operations, notably the November 2023 CyberAv3ngers campaign. While the earlier attack used default credentials against Unitronics PLCs, the current actors are employing legitimate engineering software, such as Rockwell's Studio 5000 Logix Designer, to gain access. This sophisticated approach makes malicious activity harder to distinguish from authorized administrative actions. The actors have also been observed deploying Dropbear SSH for persistent remote access.
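When the attacker's tool is the legitimate engineering client, the protocol itself is not the signal; who is speaking it, from where, and when is. The script below, added here as an example and not taken from the advisory or from Picus, runs that check over constructed flow-log lines: it flags EtherNet/IP, Modbus/TCP or S7comm sessions into a PLC VLAN that arrive from outside the network, from hosts not on an engineering-workstation allowlist, or from an approved workstation outside a maintenance window, and separately flags any SSH session touching the OT segment as a candidate for an attacker-installed daemon such as Dropbear. The PLC subnet, internal ranges, allowlist, window, log format and the assumption that no SSH service belongs on the OT segment are all assumptions made for the example.

```python
"""Triage of flow/firewall log lines for engineering-protocol access to PLCs.

Added example, not code from the advisory or from Picus. The log lines, the PLC
VLAN, the engineering-workstation allowlist, the maintenance window and the
assumption that no SSH service belongs on the OT segment are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# ICS service ports used by the product families named in the advisory.
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell CIP, used by Studio 5000)",
    502: "Modbus/TCP",
    102: "Siemens S7comm (ISO-TSAP)",
}

# Assumptions about the network being monitored.
PLC_NETWORK = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.10.5"), ipaddress.ip_address("10.20.10.6")}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))   # approved change window, local time


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_external(ip):
    """True when the address is outside every internal range we know about."""
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_flow(line):
    """Parse one constructed flow line: '<iso-ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>'."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), proto, int(nbytes)


def classify(line):
    """Return a Finding for a suspicious session, or None for expected traffic."""
    ts, src, dst, dport, proto, _nbytes = parse_flow(line)
    if proto != "tcp":
        return None
    # Persistence check: any SSH session touching the OT segment. The advisory reports
    # Dropbear SSH being deployed for remote access; we assume no sanctioned sshd lives here.
    if dport == 22 and (src in PLC_NETWORK or dst in PLC_NETWORK):
        return Finding(ts, str(src), str(dst), dport,
                       "SSH session on OT segment: check for an unauthorized daemon such as Dropbear")
    if dst not in PLC_NETWORK or dport not in ICS_PORTS:
        return None
    service = ICS_PORTS[dport]
    if is_external(src):
        return Finding(ts, str(src), str(dst), dport, f"{service} from external address: PLC is internet-reachable")
    if src not in ENGINEERING_WORKSTATIONS:
        return Finding(ts, str(src), str(dst), dport, f"{service} from non-allowlisted internal host")
    # Legitimate tool on a legitimate host: the remaining signal is timing.
    t = datetime.fromisoformat(ts).time()
    if not MAINTENANCE_WINDOW[0] <= t <= MAINTENANCE_WINDOW[1]:
        return Finding(ts, str(src), str(dst), dport, f"{service} from approved workstation outside maintenance window")
    return None


def triage(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "2026-03-14T02:17:05 203.0.113.45:51234 -> 10.20.30.11:44818 tcp 18240",  # internet -> Rockwell PLC
    "2026-03-14T09:30:00 10.20.10.5:50011 -> 10.20.30.11:44818 tcp 90211",    # approved workstation, in window
    "2026-03-14T03:05:42 10.20.10.5:50012 -> 10.20.30.12:502 tcp 410",        # approved workstation, 03:05
    "2026-03-14T11:12:09 10.20.40.77:4421 -> 10.20.30.13:102 tcp 2200",       # office host -> Siemens port
    "2026-03-14T11:13:00 10.20.10.5:50013 -> 10.20.30.11:443 tcp 1000",       # HTTPS, not an ICS protocol
    "2026-03-14T11:14:00 10.20.10.5:50014 -> 10.20.50.9:502 tcp 1000",        # Modbus, but not the PLC VLAN
    "2026-03-14T04:40:19 198.51.100.7:40022 -> 10.20.30.20:22 tcp 77310",     # SSH into an OT host
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

In practice the allowlist and the maintenance window come from the change-management system rather than constants, and the SSH rule is only as good as the assumption behind it: if SSH has a sanctioned use on the segment, that rule degrades to an allowlist check like the others. The first finding in the sample set (a public address reaching EtherNet/IP) is the condition the advisory is about: an engineering port that should never be reachable from the internet at all.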
Adding to the concern, in March 2026 CISA added CVE-2021-22681, a vulnerability affecting Rockwell's Studio 5000 Logix Designer and the PLCs it manages, to its Known Exploited Vulnerabilities catalog. A KEV listing means CISA has evidence that the flaw is being exploited in the wild, which is consistent with the advisory's finding that Rockwell controllers are the primary target of this campaign. Picus Security offers its platform to help organizations simulate emerging threats of this kind and validate their defenses against them.