Federal Agencies Warn of Iranian-Affiliated Cyber Actors Exploiting Internet-Facing Operational Technology Devices
What You Need to Know
Key takeaway #1
Iran-affiliated threat actors are actively targeting and exploiting programmable logic controllers (PLCs) used in internet-connected operational technology (OT) devices across the water and waste, energy, and government services and facilities sectors.
Key takeaway #2
Multiple organizations in U.S. critical infrastructure sectors have experienced operational disruptions and financial losses from the Iranian threat actors’ exploitation of these controllers.
Key takeaway #3
Network defenders should immediately identify exposed PLCs, disconnect them from the internet or harden them without delay, review logs for indicators of compromise, and update their incident response plans to ensure they cover OT, IT, and business systems.
Client Alert | 2 min read | 04.10.26
Background
On April 7, 2026, six federal agencies (FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command – Cyber National Mission Force) published a joint advisory warning that Iranian-affiliated threat actors are targeting internet-facing OT devices, particularly PLCs. In some cases, the threat actors have caused operational disruptions and financial losses at U.S. critical infrastructure organizations by manipulating software files that contain configuration settings as well as showing false data on hardware and software dashboards and displays.
This campaign builds on a wave of intrusions beginning in November 2023 during which actors assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command, known by aliases including CyberAv3ngers, Hydro Kitten, Bauxite, and several others, compromised at least seventy-five Unitronics PLC devices across U.S. critical infrastructure. The 2026 campaign, active since at least March, targets a different class of equipment and appears broader in scope.
With the ongoing conflict, the advisory notes that targeting campaigns against U.S. organizations have escalated. Recent guidance suggests that Iran-affiliated threat actors are moving beyond pre-positioning and covert espionage to deploying attacks and causing operational disruptions and financial losses.
What Operators Should Do
- Remove PLCs and other OT devices from direct internet exposure. This is the primary recommendation. If a PLC or other OT device is reachable from the public internet without a controlled intermediary (a firewall, secure gateway, or virtual private network (VPN)), that exposure should be closed now. Additionally, for PLCs that have a physical mode switch or software key switch that prevents remote modifications, those should be activated. Network defenders should also create offline backups of the logic and configuration of their PLCs for faster recovery.
- Secure the OT network if internet access is required. This includes implementing multifactor authentication for access to the OT network; updating PLC devices with the latest software patches from the manufacturer; blocking traffic on common ports that are unnecessary for regular use; and deploying and monitoring asset management systems that track device configuration changes.
- Review logs against the advisory’s published indicators of compromise. The advisory provides IP addresses and vulnerable ports that are indicative of potential compromise. Organizations should retain OT network traffic logs and review them for the indicators of compromise within the timeframes the advisory provides.
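As an added example of the log review the last step describes (this is illustrative code, not material from the alert or from the joint advisory), the Python below checks a simple flow log against an IoC list within a review window. The IoC addresses, ports, dates, OT address range, and log lines are all constructed placeholders; an operator would substitute the advisory's published values and their own log format.

```python
# Added example (not from the Crowell alert or the joint advisory): review OT
# network flow logs against an advisory's IoC list within its stated timeframe.
# All IoC IPs, ports, dates, and log lines below are CONSTRUCTED placeholders;
# substitute the values published in the advisory before use.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# PLACEHOLDERS standing in for the advisory's indicators (assumed, not the real ones).
IOC_IPS = {"203.0.113.7", "198.51.100.22"}                 # documentation-range addresses
IOC_PORTS = {20000, 502}                                   # OT service ports to watch for external access
WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)   # assumed review window
WINDOW_END = datetime(2026, 4, 8, tzinfo=timezone.utc)
# The operator's own OT address space (assumed); anything outside it is "external".
OT_NETS = [ip_network("10.20.0.0/16")]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'timestamp src dst dport action' line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip_address(parts[1])
        ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    if ts.tzinfo is None:                 # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return Flow(ts, parts[1], parts[2], dport, parts[4])


def is_ot_internal(ip: str) -> bool:
    """True if the address falls inside the operator's OT ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in OT_NETS)


def review(lines: Iterable[str], ioc_ips=IOC_IPS, ioc_ports=IOC_PORTS,
           start=WINDOW_START, end=WINDOW_END) -> list:
    """Return one finding per flow that matches an IoC inside the review window.

    Two match types: a listed IP as source or destination, and any connection
    from outside the OT network to a watched OT port (exposed-device check).
    Denied flows are reported too: a blocked probe still shows the device is
    reachable enough to be targeted.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not (start <= flow.ts <= end):
            continue
        reasons = []
        if flow.src in ioc_ips:
            reasons.append("source IP in advisory IoC list")
        if flow.dst in ioc_ips:
            reasons.append("destination IP in advisory IoC list")
        if flow.dport in ioc_ports and not is_ot_internal(flow.src):
            reasons.append(f"external access to OT port {flow.dport}")
        if reasons:
            findings.append({"ts": flow.ts.isoformat(), "src": flow.src, "dst": flow.dst,
                             "dport": flow.dport, "action": flow.action, "reasons": reasons})
    return findings


# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    "2026-03-15T02:14:00+00:00 203.0.113.7 10.20.1.5 20000 allow",   # IoC IP reaching a PLC, in window
    "2026-03-16T09:00:00+00:00 10.20.1.9 10.20.1.5 502 allow",       # internal traffic, expected
    "2026-02-01T11:30:00+00:00 203.0.113.7 10.20.1.5 20000 allow",   # IoC IP, but before the window
    "2026-03-20T22:45:00+00:00 192.0.2.44 10.20.1.5 502 deny",       # unlisted external host hitting an OT port
    "not a flow record",                                             # malformed line, skipped
]

if __name__ == "__main__":
    for hit in review(SAMPLE_FLOWS):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["dport"], hit["action"],
              "|", "; ".join(hit["reasons"]))
```

The second match type matters because the advisory's primary concern is direct internet exposure: a connection from outside the OT range to a PLC service port is worth a look even when the source is not on the IoC list, and even when the firewall denied it, since it shows the device was reachable enough to be probed.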
How Crowell Can Help
Crowell is happy to assist clients navigating the legal and regulatory dimensions of this advisory. If you have questions, want to assess your compliance posture, or need assistance developing or testing an incident response plan, please reach out to the authors of this alert or your regular Crowell contact. We are available on an urgent basis for clients facing active incidents or time-sensitive compliance decisions.