FBI, Pentagon warn of Iran hacking groups targeting operational technology
Summary
Federal agencies — including the Defense Department, FBI and NSA — have issued an advisory saying Iranian-affiliated threat actors are targeting internet‑facing operational technology (OT) devices. The campaign, active since at least March 2026, has disrupted multiple US critical infrastructure sectors (notably local municipal governments, water and wastewater systems, and energy) by tampering with PLC project files and manipulating HMI/SCADA displays.
Attackers have been observed targeting PLCs made by Rockwell Automation/Allen‑Bradley and potentially Siemens devices. The advisory highlights exploitation of CVE‑2021‑22681 and echoes earlier Iran‑linked campaigns in 2023–24 that defaced utility systems — with officials now warning the activity could escalate to deeper network access or physical damage. Agencies urge organisations to remove OT from direct internet exposure, patch known vulnerabilities and review logs for suspicious activity.
Key Points
- Iran‑affiliated actors have disrupted operational technology across multiple US critical infrastructure sectors since at least March 2026.
- Targets include internet‑facing PLCs (Rockwell/Allen‑Bradley and possibly Siemens) and associated HMI/SCADA interfaces.
- The advisory calls out CVE‑2021‑22681 affecting Rockwell OT products; CISA previously ordered federal patching for Rockwell bugs.
- Known affected sectors: municipal governments, water/wastewater systems and the energy sector; specific incidents include the Minot, North Dakota water plant and a county government in Indiana.
- Federal agencies compare this activity to Iran‑linked campaigns in 2023–24; at least 75 devices were compromised in the earlier campaign.
- Recommended mitigations: remove OT from direct internet exposure, apply patches, monitor logs for suspicious traffic and isolate control networks.
- US measures include a $10 million reward (State Department) for information on actors linked to the 2023 attacks.
Context and relevance
This advisory comes amid a broader kinetic conflict that has produced an uptick in Iran‑linked cyber activity against US targets. Where earlier incidents were often defacements, defenders now report the same groups gaining a deeper understanding of control loops and physical processes — increasing the risk of actual physical disruption or damage. The focus on PLCs and HMI/SCADA means operators of water, energy and municipal systems must treat this as an active, operational threat rather than mere nuisance vandalism.
Why should I read this?
Quick heads‑up — if you run, secure or rely on industrial control systems, this matters. The advisory names specific vendors, a CVE and the sectors being hit. Patch CVE‑2021‑22681 if it is relevant to your environment, pull OT off the internet, check your logs and isolate control networks. It’s not just noise: Iran‑linked actors are getting better at understanding how to mess with real‑world processes.
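As an added example (not from the advisory or the article) covering the "monitor logs" and "remove OT from direct internet exposure" recommendations in the Key Points and above: a small check that reads firewall flow records and flags ICS-protocol connections reaching an OT subnet from outside RFC 1918 space. The key=value log format, the 10.20.0.0/16 OT range and the sample addresses are constructed assumptions; the port-to-protocol mapping is the standard one for EtherNet/IP (Rockwell/Allen‑Bradley), S7comm (Siemens) and Modbus/TCP.

```python
import ipaddress
from typing import Dict, List, Optional

# Standard TCP ports of the ICS protocols spoken by the PLC families the advisory names
# (EtherNet/IP for Rockwell/Allen-Bradley, S7comm for Siemens), plus Modbus/TCP.
ICS_PORTS = {44818: "EtherNet/IP", 102: "S7comm", 502: "Modbus/TCP"}
# Hypothetical control-network range; adjust to your own OT subnets.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# RFC 1918 plus loopback count as "inside"; any other source is treated as internet-facing.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed 'key=value' firewall flow record; None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"])
        int(fields["dport"]), fields["ts"]  # raises on missing or malformed fields
    except (KeyError, ValueError):
        return None
    return fields

def find_exposed_ot(lines: List[str]) -> List[Dict[str, str]]:
    """Flag ICS-protocol connections that reach OT hosts from non-internal sources."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or int(f["dport"]) not in ICS_PORTS:
            continue
        if not in_any(f["dst"], OT_NETWORKS) or in_any(f["src"], INTERNAL_NETWORKS):
            continue  # not a control host, or in-network engineering traffic (baseline it, not exposure)
        findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "service": ICS_PORTS[int(f["dport"])]})
    return findings

# Constructed sample flows; the external addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "ts=2026-03-14T02:11:09Z src=10.20.5.7 dst=10.20.1.10 dport=44818 proto=tcp action=allow",
    "ts=2026-03-14T02:13:41Z src=203.0.113.45 dst=10.20.1.10 dport=44818 proto=tcp action=allow",
    "ts=2026-03-14T02:15:02Z src=198.51.100.9 dst=10.20.1.22 dport=102 proto=tcp action=allow",
    "ts=2026-03-14T02:15:30Z src=198.51.100.9 dst=10.20.1.22 dport=443 proto=tcp action=allow",
    "ts=2026-03-14T02:16:12Z src=203.0.113.45 dst=10.30.0.5 dport=502 proto=tcp action=allow",
    "garbage line with no fields",
]
```

Running `find_exposed_ot(SAMPLE_LOG)` yields two findings (the EtherNet/IP and S7comm hits from external sources); any such hit means a PLC is reachable from the internet and should be moved behind the control-network boundary.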
Author style
Punchy: this isn’t routine cybercrime. The details — affected device types, the CVE called out, and the sectors targeted — matter now. Read the advisory and act fast if you touch OT.
Source
Source: https://therecord.media/fbi-pentagon-warn-iran-hacking-groups-target-ot
