On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force issued a joint advisory (AA26-097A) warning that Iranian-affiliated cyber actors have been actively targeting internet-exposed Rockwell Automation programmable logic controllers (PLCs) deployed across critical U.S. infrastructure sectors. Security researchers at Censys simultaneously reported discovering 5,219 internet-exposed Rockwell/Allen-Bradley devices, the majority located in the United States — each a potential entry point for the attackers.
Who Is Behind the Attacks?
The advisory attributes the campaign to actors affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC), operating under the persona CyberAv3ngers. The group is also tracked by the security community under several other aliases, including Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691. CyberAv3ngers has a documented history of targeting water utilities, energy providers, and government facilities, particularly those using Israeli-made or Western industrial hardware.
Palo Alto Networks’ Unit 42 noted in an updated threat brief that the group’s activity has escalated significantly since late March 2026, coinciding with heightened geopolitical tensions. The actors appear to be motivated by both espionage and the potential to cause operational disruption at scale.
How the Attacks Work
Rather than exploiting a single software vulnerability, the attackers leverage the fundamental risk of internet-facing industrial control systems. Using overseas-based IP addresses and leased third-party hosted infrastructure, the actors scan for and connect directly to exposed Rockwell Automation PLCs. Once a connection is established, they use legitimate Rockwell configuration software — specifically Studio 5000 Logix Designer — to interact with and modify PLC project files.
The attacks have resulted in:
- Manipulation of HMI and SCADA displays, causing operators to see false or misleading data about industrial processes.
- Alteration of PLC ladder logic and project files, potentially changing how physical processes are controlled.
- Operational disruption and financial loss at multiple victim organizations across the water, energy, and government services sectors.
The ability to alter PLC logic is particularly alarming because it can cause physical consequences — incorrect valve positions, pump failures, or other malfunctions — that go beyond purely cyber effects.
Scale of Exposure
Censys researchers identified 5,219 Rockwell Automation/Allen-Bradley devices directly reachable from the public internet. While not all of these have been targeted, each represents a potential attack surface. The majority of exposed devices are located in the United States, though exposed systems were also found in Europe and Asia. Rockwell Automation has repeatedly issued guidance — most recently in advisory SD1771 — urging customers to disconnect PLCs from the internet and implement robust network segmentation, but many operators have not complied.
Sectors at Risk
The CISA advisory identifies the following sectors as primary targets:
- Water and Wastewater Systems — water treatment plants and distribution networks
- Energy — electrical grid substations and oil & gas facilities
- Government Services and Facilities — including municipal infrastructure
Attacks on water treatment plants are of particular concern given their direct impact on public health. A successful manipulation of chemical dosing systems, for example, could have serious consequences for drinking water safety.
Immediate Mitigations
The joint advisory provides a detailed list of recommended mitigations. The most critical steps include:
- Remove PLCs from direct internet exposure immediately. No PLC should be directly reachable from the public internet. Place all OT/ICS assets behind a properly configured industrial DMZ.
- Implement multi-factor authentication (MFA) for all remote access to operational technology networks.
- Audit and restrict remote access tools — ensure only authorized personnel can use software like Studio 5000 Logix Designer.
- Monitor OT network traffic for anomalous connections, particularly from unexpected geographic locations.
- Apply available firmware updates from Rockwell Automation and review the manufacturer’s hardening guidance.
- Conduct integrity checks on PLC project files to detect unauthorized modifications to ladder logic or configurations.
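The monitoring step above can be made concrete with a small detection pass over network flow records: any connection from outside the plant's own address ranges to the EtherNet/IP (CIP) ports a Rockwell PLC listens on is exactly the kind of direct internet reachability the advisory warns about. This is an added example, not code from the advisory or from Rockwell; the internal network ranges, PLC hosts and flow records are constructed for illustration, while the port numbers (TCP 44818 explicit messaging, UDP 2222 implicit I/O) are the standard EtherNet/IP ports.

```python
import ipaddress
from collections import Counter

# EtherNet/IP (CIP) ports used by Rockwell/Allen-Bradley controllers: TCP 44818 is the
# explicit-messaging port that tools such as Studio 5000 use to upload/download projects,
# UDP 2222 carries implicit I/O. Traffic to these from outside the plant is never expected.
PLC_PORTS = {44818, 2222}

# Assumed plant address ranges (constructed). In OT, an explicit allowlist of expected
# source networks is safer than relying on "is it RFC 1918": anything else is anomalous.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

def is_expected_source(ip_str):
    """True only if the source address lies inside one of the known plant networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse one constructed flow record: 'src_ip src_port dst_ip dst_port proto'."""
    src, _sport, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}

def flag_external_plc_connections(lines, plc_hosts):
    """Return flows in which an unexpected source reaches a PLC port on a known PLC host."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dst"] in plc_hosts and f["dport"] in PLC_PORTS and not is_expected_source(f["src"]):
            hits.append(f)
    return hits

def sources_by_hit_count(hits):
    """Aggregate flagged flows per source so repeated probing of several PLCs stands out."""
    return Counter(h["src"] for h in hits)

# Constructed sample flow records (not real traffic); external addresses use the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_FLOWS = """
10.20.1.15 52311 10.20.5.10 44818 tcp
203.0.113.45 41022 10.20.5.10 44818 tcp
10.20.1.15 60000 10.20.5.11 2222 udp
198.51.100.7 50001 10.20.5.11 44818 tcp
203.0.113.45 41030 10.20.5.12 443 tcp
""".strip().splitlines()

PLC_HOSTS = {"10.20.5.10", "10.20.5.11"}  # assumed inventory of controllers

if __name__ == "__main__":
    for hit in flag_external_plc_connections(SAMPLE_FLOWS, PLC_HOSTS):
        print(f"ALERT: external {hit['src']} -> PLC {hit['dst']}:{hit['dport']}/{hit['proto']}")
```

The last sample record (an external source reaching TCP 443 on a non-PLC host) is deliberately not flagged, which keeps the rule focused on controller protocols rather than all inbound traffic.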
A Persistent and Escalating Threat
The CyberAv3ngers campaign is not a new phenomenon — the group drew international attention in late 2023 after targeting Unitronics PLCs at U.S. water utilities. However, the April 2026 advisory marks a significant escalation in both the scope and sophistication of the campaign, with the shift to Rockwell Automation hardware indicating the group’s expanding target selection and technical capabilities.
For critical infrastructure operators, the message is clear: the threat from Iranian state-affiliated actors targeting ICS is real, active, and growing. Disconnecting OT assets from the internet and implementing defense-in-depth strategies is no longer optional — it is an urgent operational necessity.