A new U.S. government advisory has raised fresh concerns over Iranian-affiliated APT targeting PLCs, warning that cyberattacks are now moving beyond data theft into direct disruption of industrial systems.
Issued on April 7, 2026, the joint alert from the FBI, CISA, NSA and other agencies confirms that Iran-linked threat actors are actively exploiting internet-facing programmable logic controllers (PLCs), with incidents already impacting multiple critical infrastructure sectors.
This is not a theoretical threat. According to the advisory, several organizations have experienced operational disruptions and even financial losses after attackers interfered with industrial processes.
From Network Access to Operational Disruption
What makes this campaign stand out is its intent. The Iranian-affiliated APT targeting PLCs activity is not focused on espionage, it is designed to disrupt.
Attackers have been manipulating PLC project files and altering data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. In practice, this means operators could be relying on inaccurate data while underlying processes are being changed in real time.
The affected sectors include government services, water and wastewater systems, and energy, areas where even minor disruptions can have significant downstream impact.
How the Attacks Are Carried Out
The entry point is often simple: internet exposure.
The advisory notes that attackers are scanning for publicly accessible PLCs, particularly models such as CompactLogix and Micro850—and connecting to them using legitimate engineering tools like Studio 5000 Logix Designer.
Once inside, the activity becomes more deliberate. Threat actors extract configuration files, modify logic, and establish persistence. In some cases, they deploy tools like Dropbear SSH to maintain remote access through port 22.
The attacks rely on commonly used industrial communication ports, including 44818, 2222, 102, 22, and 502, allowing malicious traffic to blend in with normal OT operations.
Investigators also observed the use of overseas IP addresses and leased third-party infrastructure, suggesting a coordinated and sustained effort rather than opportunistic scanning.
A Campaign That Has Been Building Over Time
The current activity is not happening in isolation. U.S. agencies link it to earlier Iran-aligned operations, including campaigns attributed to the CyberAv3ngers group that targeted PLCs in 2023.
What has changed is the persistence. The latest advisory tracks activity spanning from at least January 2025 through March 2026, with ongoing incidents reported as recently as March.
Officials suggest the escalation may be tied to broader geopolitical tensions, but the technical pattern is clear: industrial control systems are becoming a repeated target.
Exposure and Weak OT Security
The Iranian-affiliated APT targeting PLCs campaign exposes a long-standing weakness in critical infrastructure, too many industrial devices remain directly accessible from the internet.
In many cases, attackers did not need sophisticated exploits. They gained access because systems lacked basic protections like network segmentation, strong authentication, or restricted remote access.
The result is a dangerous scenario where adversaries can move from initial access to operational control with relatively little resistance.
What Organizations Are Being Urged to Do
The advisory calls for immediate action, starting with visibility.
Organizations are urged to review logs for suspicious traffic, especially connections originating from overseas infrastructure, and check for unusual activity on key OT ports.
More broadly, the guidance reinforces a set of practical steps: removing PLCs from direct internet exposure, routing access through secure gateways, enabling stronger authentication controls, and maintaining offline backups of PLC logic and configurations.
In some cases, even operational settings matter, such as ensuring controllers remain in “run” mode to prevent unauthorized remote changes.
A Shift in Cyber Threat Priorities
The bigger takeaway is the shift in attacker focus. By targeting PLCs, threat actors are going straight to the systems that control physical processes.
This marks a move from cyber intrusion to potential real-world disruption.
The advisory also highlight the role of manufacturers, urging a stronger push toward “secure-by-design” systems that are not exposed by default.
For now, the warning is clear: as long as industrial systems remain exposed, campaigns like Iranian-affiliated APT targeting PLCs are likely to continue, and could become more disruptive over time.
