Geopolitics · Technology · 7 min read

Iranian hackers shift from espionage to sabotage, disrupting US power and water systems

Federal agencies confirm active Iranian APT compromises of industrial control systems across critical infrastructure since March, marking operational escalation during kinetic conflict.

Iranian-affiliated cyber actors have disrupted industrial control systems across US critical infrastructure since at least March 2026, targeting programmable logic controllers that manage power distribution, water treatment, and oil and gas operations, according to a joint advisory released April 7 by the FBI, CISA, NSA, EPA, DOE, and US Cyber Command.

The campaign represents a qualitative shift from network reconnaissance to operational sabotage. Iranian threat groups including Handala and CyberAv3ngers—also known as the Shahid Kaveh Group—have caused industrial processes to shut down, forcing manual operation and testing safety systems designed to protect human life, per CNN. Some victims experienced financial losses alongside operational disruption.

Confirmed Attack Scope
Active compromises since: March 2026
Targeted sectors: Government, Water/Wastewater, Energy
Attack vector: Internet-exposed Rockwell/Allen-Bradley PLCs
CISA workforce furloughed: 60%

From Network Access to Physical Disruption

The attackers used overseas-based IP addresses and leased, third-party hosted infrastructure running Rockwell Automation’s Studio 5000 Logix Designer software to access programmable logic controllers, according to CISA advisory AA26-097A. The activity led to PLC disruptions through malicious interactions with project files and manipulation of data displayed on human-machine interfaces and SCADA systems.

CISA added CVE-2021-22681—a vulnerability related to insufficiently protected cryptographic keys in Rockwell’s Studio 5000 Logix Designer—to its Known Exploited Vulnerabilities catalog in March 2026, per Picus Security. The timing suggests Iranian actors exploited this weakness during the initial compromise phase.

“This opens up the opportunity not just for immediate disruption, but potentially modification of operating parameters that could impact physical operations.”

— Joe Slowik, Director of Cybersecurity

The distinction matters. Previous Iranian campaigns focused on network persistence and data exfiltration. The current activity demonstrates willingness to manipulate physical processes—shutting down pumps, altering pressure readings, disabling safety interlocks—during an active geopolitical conflict.

Geopolitical Escalation Meets Infrastructure Vulnerability

The campaign escalated following coordinated US-Israeli military strikes under Operation Epic Fury that began February 28, 2026, targeting Iran’s nuclear facilities, military infrastructure, and leadership, according to Prism News. Iranian-affiliated APT targeting campaigns against US organisations have recently escalated, likely in response to hostilities between Iran and the United States and Israel, per the joint federal advisory.

The timing exposed a critical structural weakness: approximately 60 percent of CISA’s workforce was furloughed beginning February 14, 2026, leaving the agency that coordinates national cybersecurity defense significantly diminished at the moment the threat level rose most sharply. The furloughs preceded the Iranian campaign by less than two weeks.

14 Feb 2026
CISA Furloughs Begin
60% of CISA workforce furloughed, reducing federal cyber defense capacity
28 Feb 2026
Operation Epic Fury Launched
US-Israeli coordinated strikes on Iranian nuclear and military infrastructure
March 2026
Active PLC Compromises Confirmed
Iranian actors begin disrupting industrial control systems across critical infrastructure
7 Apr 2026
Joint Federal Advisory Released
FBI, CISA, NSA, EPA, DOE warn of confirmed operational disruptions

Iran maintains persistent intent to target the US and its allies with cyber operations despite challenges it faced during the 12-Day War in 2025, during which Tehran struggled to defend itself against Israeli cyberattacks and to respond in kind, according to the 2026 Annual Worldwide Threat Assessment released in March by US intelligence agencies.

Strategic Doctrine Shift

Iran’s approach to cyber conflict is no longer episodic or symbolic, reflecting a sustained, strategic posture treating cyberspace as an extension of state power against critical infrastructure, per analysis from the Center for Strategic and International Studies. The shift from opportunistic disruption campaigns to coordinated targeting during active military operations indicates a doctrinal change—cyber operations are now integrated into Iran’s retaliation calculus rather than treated as standalone harassment.

Key Vulnerabilities Exposed
  • Internet-exposed industrial control systems remain exploitable across multiple critical sectors
  • Legacy Rockwell Automation PLCs deployed without adequate network segmentation
  • Federal cyber defense capacity degraded 60% during period of heightened threat
  • Pre-positioning access inside networks creates latent sabotage capability for future escalation

Sergey Shykevich, threat intelligence group manager at Check Point Research, told The Register that the FBI advisory confirms what researchers have observed for months: Iran’s cyber escalation follows a known playbook. The CyberAv3ngers group previously compromised 75 Unitronics devices in 2023, demonstrating capability against water and energy systems before the current campaign.

The difference now is scale and intent. The FBI assesses Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to US critical infrastructure organisations, according to CISA advisory AA26-097A.

What to Watch

NERC has activated emergency monitoring protocols for the electric sector, though details on enhanced defensive measures remain classified. Energy infrastructure serves 330 million people through 7,300 power plants and 600,000 miles of transmission lines—a vast attack surface with minimal segmentation between internet-facing systems and operational technology in many facilities.

Monitor CISA and FBI alert systems for updates on victim count expansion, additional threat actor tactics, or evidence of pre-positioned access in sectors beyond those currently confirmed. The advisory recommends immediate network segmentation, disabling unnecessary external connections to PLCs, and implementing multi-factor authentication for remote access—mitigations that require capital investment for which many utilities and municipal water systems lack the budget.
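The segmentation and "disable unnecessary external connections" recommendations reduce to a question an operator can answer from perimeter firewall logs already on hand: which controllers accepted an engineering-port session from outside the OT network? The script below is an added illustration, not code from the advisory, CISA or Rockwell. It relies on one documented fact, that Logix controllers are programmed over EtherNet/IP on TCP port 44818; the workstation subnet, the PLC VLAN, the log line format and the log records themselves are constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# TCP/44818 is the documented EtherNet/IP port used to reach Rockwell/Allen-Bradley
# Logix controllers from Studio 5000; the subnets below are assumptions for this example.
ENGINEERING_PORTS = {44818: "EtherNet/IP (Logix programming session)"}
OT_ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed engineering workstation subnet
PLC_NET = ipaddress.ip_network("192.168.50.0/24")             # assumed PLC VLAN

# Assumed log format, one firewall record per line:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>ALLOW|DENY)$"
)

# Constructed sample records; the external addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
2026-03-02T01:14:07Z 10.20.4.15 -> 192.168.50.10:44818 ALLOW
2026-03-02T01:15:33Z 203.0.113.45 -> 192.168.50.10:44818 ALLOW
2026-03-02T01:16:02Z 198.51.100.7 -> 192.168.50.11:44818 DENY
2026-03-02T01:17:45Z 10.20.4.15 -> 192.168.50.10:443 ALLOW
malformed line that the parser must skip
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    action: str
    severity: str   # "high": an external session reached a PLC; "info": blocked at the perimeter
    reason: str


def parse_record(line: str):
    """Return the fields of one log line, or None if the line does not fit the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_engineering_host(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in OT_ENGINEERING_NETS)


def triage(log_text: str) -> list[Finding]:
    """Flag every engineering-port connection to a PLC that did not come from the OT workstation subnet."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        port = int(rec["port"])
        if dst not in PLC_NET or port not in ENGINEERING_PORTS:
            continue            # not a PLC programming path; out of scope for this check
        if is_engineering_host(src):
            continue            # expected path: engineering workstation -> PLC
        allowed = rec["action"] == "ALLOW"
        findings.append(Finding(
            ts=rec["ts"], src=str(src), dst=str(dst), port=port, action=rec["action"],
            severity="high" if allowed else "info",
            reason=(f"{ENGINEERING_PORTS[port]} from outside the OT engineering subnet "
                    + ("reached the controller" if allowed else "was blocked at the perimeter")),
        ))
    return findings


def exposed_plcs(findings: list[Finding]) -> set[str]:
    """Controllers that accepted at least one external engineering session: segment these first."""
    return {f.dst for f in findings if f.action == "ALLOW"}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst}:{f.port} {f.action}: {f.reason}")
    print("PLCs needing segmentation review:", sorted(exposed_plcs(results)))
```

Denied connections are kept at "info" severity on purpose: a blocked probe still tells the operator that a controller's engineering port is reachable enough from the internet to be tried, which is the exposure the advisory asks utilities to remove, while an allowed one is the condition under which project-file and HMI-data manipulation becomes possible.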

The gap between threat capability and defensive capacity has widened. Iranian actors demonstrated willingness to cross the threshold from espionage to sabotage during kinetic conflict. The question is not whether additional compromises exist across critical infrastructure, but how many, and whether they remain dormant or activate during the next escalation cycle.