US authorities warn Iranian hackers are targeting critical US infrastructure.

On April 7, 2026, several U.S. government agencies issued a joint warning that Iranian-backed hacker groups are escalating tactics aimed at sabotaging critical U.S. infrastructure systems.
Sources:
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | CISA
Iranian hackers are targeting American critical infrastructure, US agencies warn | TechCrunch
https://techcrunch.com/2026/04/07/iranian-hackers-are-targeting-american-critical-infrastructure-us-agencies-warn/
The primary targets of the attacks are critical infrastructure sectors directly tied to people's daily lives, such as water supply and wastewater treatment plants, energy facilities, and local government facilities. These facilities rely on PLCs and SCADA (Supervisory Control and Data Acquisition) products, particularly Rockwell Automation/Allen-Bradley PLCs, to control and manage industrial equipment, and it is these controllers that the hackers are targeting.
Authorities analyzed the attack as a retaliatory measure following the war between the United States, Israel, and Iran that began with an airstrike on February 28, 2026, and as a significant escalation of tactics.
The Iranian government-backed hacking group 'Handala' has been identified as one specific perpetrator of the attacks. This group is alleged to have infiltrated the network of Stryker, a major American medical technology company, and used the company's own security tools to remotely erase data from thousands of employee devices. The FBI has also determined that this group was responsible for the partial leak of content from Director Kash Patel's personal email account.

Hackers are reportedly attempting to gain access to PLCs from overseas IP addresses, abusing legitimate engineering software such as Studio 5000 Logix Designer. The targets are not only Rockwell products: communication ports associated with Siemens' S7 PLCs are also being probed, suggesting that devices from other manufacturers are likely under attack as well. Furthermore, it has been revealed that the hackers installed the SSH software Dropbear on victims' systems, creating a foothold for persistent remote control.
U.S. authorities are urging organizations to take immediate action to prevent further damage. The top priority is to completely disconnect PLCs from the public internet. If remote access is unavoidable, it is recommended to use a VPN or jump host and to always enforce multi-factor authentication (MFA). For controllers with a physical mode switch, such as Rockwell products, leaving the physical key in the 'RUN' position is a very effective defense against remote rewriting of the controller's program.
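As an added example that is not part of the advisory or the article, the following script shows the kind of defender-side check the "disconnect PLCs from the internet" guidance implies: it parses constructed firewall log lines and flags allowed connections from outside the plant's internal address ranges to ports used by the PLC protocols named above. The port numbers, the internal ranges and the log format are assumptions; the advisory names none of them.

```python
import ipaddress
import re

# Assumed ports for the PLC families named in the advisory (the advisory itself
# gives no port numbers): EtherNet/IP for Rockwell/Allen-Bradley, S7comm for Siemens S7.
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP implicit I/O (Rockwell/Allen-Bradley)",
    102: "S7comm / ISO-TSAP (Siemens S7)",
}

# Assumed plant-internal ranges; anything outside is treated as external/internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<ts> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>/<proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>tcp|udp)$"
)

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed_plc_access(lines):
    """Return (src_ip, dst_ip, dst_port, protocol) for every ALLOWed connection
    from an external source to a known PLC protocol port."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # malformed or already blocked: nothing to report
        dport = int(m["dport"])
        if dport not in ICS_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if is_internal(src):
            continue  # engineering workstation inside the plant, expected traffic
        hits.append((str(src), m["dst"], dport, ICS_PORTS[dport]))
    return hits

# Constructed sample log lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOGS = [
    "2026-04-07T02:11:03Z ALLOW 203.0.113.45:51234 -> 192.168.10.20:44818/tcp",
    "2026-04-07T02:11:09Z ALLOW 10.0.5.14:40111 -> 192.168.10.20:44818/tcp",
    "2026-04-07T02:12:40Z DENY 198.51.100.7:44001 -> 192.168.10.21:102/tcp",
    "2026-04-07T02:13:02Z ALLOW 198.51.100.7:44002 -> 192.168.10.21:102/tcp",
    "2026-04-07T02:13:30Z ALLOW 203.0.113.45:51300 -> 192.168.10.50:443/tcp",
    "not a firewall line",
]

if __name__ == "__main__":
    for src, dst, port, proto in find_exposed_plc_access(SAMPLE_LOGS):
        print(f"EXPOSED PLC ACCESS: {src} -> {dst}:{port} ({proto})")
```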

Finally, authorities are urging device manufacturers to take responsibility, emphasizing a 'secure by design' approach in which products are secure from the moment they leave the factory. In particular, they strongly urge manufacturers to change default settings that expose management interfaces to the internet and to stop charging extra for basic security features. They conclude that protecting critical infrastructure requires not only daily monitoring by the organizations operating these systems, but also robust products from manufacturers that do not shift the security burden onto users.
in Security, Posted by log1i_yk