
Pro-Iran hackers have disrupted some industrial-control systems, US says

The hackers have targeted federal and local governments, water systems, and energy infrastructure, say cyber and intelligence agencies.

Iran-aligned hackers have exploited and disrupted operational technology control systems embedded in U.S. critical infrastructure, according to a federal advisory issued Tuesday.

“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States,” the advisory reads. “The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors.”

The assessment was signed by the Cybersecurity and Infrastructure Security Agency, FBI, NSA, EPA, the Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force.

It says hackers are especially targeting Rockwell Automation's Allen-Bradley line of programmable logic controllers, or PLCs, which monitor and automate the equipment used in industrial processes such as water treatment, power generation, and manufacturing.

It says that the hackers have manipulated data on human-machine interfaces and on supervisory control and data acquisition, or SCADA, displays, and have had harmful interactions with project files.

The advisory is the latest signal that Iran-aligned hacker groups have impeded U.S. systems since the United States and Israel went to war against Iran on Feb. 28. 

It comes after an apparently Tehran-backed hacker group carried out a cyberattack last month against medical technology giant Stryker that wiped employees’ phones and prevented workers from accessing their computers.

A request for comment sent to Rockwell Automation’s media relations email bounced back.

Pro-Iran hackers have made a habit of targeting any computer systems tied to nations deemed foreign adversaries by Tehran, especially the U.S. and Israel. In late 2023, amid the Israel-Hamas war, one hacker group defaced the interfaces of water treatment systems in Pennsylvania, which had Israel-made Unitronics equipment built inside.

In 2020, Rockwell Automation acquired Israel-based Avnet Data Security, aiming to bolster the cyber posture of its industrial control systems and operational technology.

The assessment urged organizations to keep PLCs off the open internet, review logs for suspicious activity and lock down affected Rockwell devices to prevent unauthorized access. Unsecured internet-connected operational technology can expose industrial systems to remote access, giving attackers a pathway to disrupt or manipulate functions.

The Iran war has been widely expected to test the strength of U.S. cyberdefenses, and experts have warned that exposed devices would be a potential target for pro-Iran hackers.

President Donald Trump escalated his threats against Tehran on Tuesday, saying a “whole civilization will die tonight” if Iran doesn’t open the Strait of Hormuz by an 8 p.m. ET deadline. 

Trump has promised to attack “every bridge” and power station in the country if a deal isn’t reached. Iran has promised a “devastating” response if such an attack occurs. Any sharp escalation could heighten the risk of retaliatory cyberattacks.