United States government agencies have issued a warning that hackers linked to Iran have conducted cyberattacks against critical infrastructure sectors within the country. The activity, which extends to operational technology systems, has targeted organizations in the water and energy sectors. This development comes amid heightened geopolitical tensions and public threats against Iranian infrastructure by former President Donald Trump.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Israel National Cyber Directorate (INCD) jointly released an advisory detailing the threat. The advisory states that a group of hackers, known as CyberAv3ngers and affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), is responsible for the attacks.
Scope and Method of the Attacks
The cyber intrusions have specifically focused on programmable logic controllers (PLCs) manufactured by Unitronics. These devices are commonly used in water and wastewater systems, as well as in other critical industrial settings. The attackers exploited internet-exposed PLCs with default passwords to gain unauthorized access.
Upon gaining access, the hackers defaced the human-machine interfaces of these systems. The defaced interfaces displayed anti-Israel messages, and the equipment was rendered inoperable. While the attacks have primarily impacted water sector organizations, the advisory notes that other critical infrastructure sectors using the same equipment are also at risk.
Official Response and Guidance
In response to these incidents, CISA and its partner agencies have urged all critical infrastructure organizations, particularly those in the water sector, to take immediate defensive actions. The recommended steps include changing default passwords on all operational technology devices, disconnecting PLCs from the public internet, and implementing multifactor authentication.
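One way an operator can turn the three recommended steps into a repeatable check is to audit the OT asset inventory against them. The script below is an added example, not code from the agencies or the article; the inventory, the default-password list and the device names are constructed placeholders, and a real list of vendor defaults must come from the vendor's own documentation.

```python
# Added example: audit a constructed OT asset inventory against the advisory's
# three recommendations (no default passwords, no direct internet exposure,
# multifactor authentication enabled). Not part of the original article.
import ipaddress
from dataclasses import dataclass

# Placeholder set of vendor-default credentials (constructed for this example).
DEFAULT_PASSWORDS = {"PLACEHOLDER-VENDOR-DEFAULT", "", "admin", "password"}


@dataclass
class OtAsset:
    name: str           # hypothetical asset name
    vendor: str
    address: str        # management address as seen from the network
    password: str       # current management password, pulled from a vault
    mfa_enabled: bool   # whether MFA protects the management path


def audit_asset(asset: OtAsset) -> list[str]:
    """Return the recommendations this asset still violates, in a fixed order."""
    findings = []
    if asset.password in DEFAULT_PASSWORDS:
        findings.append("default-password")
    # is_global is True for publicly routable addresses and False for
    # RFC 1918 and other reserved ranges. A device on a private address that
    # is reachable through a firewall port-forward is still exposed, so pair
    # this check with a review of inbound firewall rules.
    if ipaddress.ip_address(asset.address).is_global:
        findings.append("internet-exposed")
    if not asset.mfa_enabled:
        findings.append("no-mfa")
    return findings


def audit_inventory(assets: list[OtAsset]) -> dict[str, list[str]]:
    """Map asset name to findings, including only assets with at least one."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory; addresses and names are illustrative only.
SAMPLE_INVENTORY = [
    OtAsset("pump-station-1", "Unitronics", "23.45.67.89", "PLACEHOLDER-VENDOR-DEFAULT", False),
    OtAsset("pump-station-2", "Unitronics", "10.20.30.40", "Xy!7qLm#2pVd", True),
    OtAsset("chlorine-dosing", "Unitronics", "10.20.30.41", "admin", False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```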
The agencies have also provided technical indicators of compromise to help network defenders identify and mitigate the threat. CISA has contacted all known affected entities to offer support and ensure they are aware of the available resources for remediation.
Geopolitical Context
The warning emerges against a backdrop of ongoing regional conflict and escalating rhetoric. The advisory explicitly links the CyberAv3ngers group to the IRGC, a designated foreign terrorist organization. The group’s messaging has cited grievances related to the conflict between Israel and Hamas.
This series of cyberattacks represents a tangible escalation in tactics, moving from espionage and data theft to disruptive actions against physical control systems. Security experts consider such attacks on operational technology to be particularly concerning due to their potential to cause real-world damage and public safety risks.
Government officials have consistently warned that nation-state actors view US critical infrastructure as a target for retaliation and coercion. The water sector has been identified as especially vulnerable due to its often decentralized nature and the widespread use of legacy technology with limited security features.
Looking ahead, US cybersecurity agencies are expected to continue monitoring this threat activity closely. Further advisories with updated technical details and defensive measures are likely if the campaign persists or evolves. Critical infrastructure operators are advised to maintain heightened vigilance, report any suspicious activity immediately, and implement the recommended security controls to protect their systems from similar intrusions.