Ripple effect: The latest wave of Iranian-linked cyberattacks is targeting a device once considered too obscure for most hackers: the programmable logic controller. These compact devices, which serve as the digital backbone of automated industrial systems, are now the focus of a coordinated campaign disrupting US operations across critical infrastructure sectors.
Federal agencies, including the FBI, CISA, NSA, the Department of Energy, US Cyber Command, and the Environmental Protection Agency, issued an urgent joint advisory Tuesday, warning that an advanced persistent threat group linked to Iran has been exploiting vulnerabilities in programmable logic controllers since at least March 2026.
The agencies reported that the attacks have affected government facilities, wastewater systems, and the energy sector, causing operational disruptions and financial losses for impacted organizations.
The intrusion represents a troubling evolution in targeting methods. Rather than relying on zero-day exploits or sophisticated malware, the attackers are using legitimate industrial software tools to gain direct access to PLCs and manipulate system data. According to the advisory, the campaign involves interacting with internet-exposed controllers through Rockwell Automation's Studio 5000 Logix Designer, a widely used platform in industrial control environments.
Security firm Censys reported Wednesday that its internet scans identified more than 5,200 Rockwell Automation / Allen-Bradley PLCs exposed online, with roughly three-fourths located within US networks. The company said attackers are accessing these PLCs directly, allowing them to work with project files and alter HMI / SCADA display data without exploiting any zero-day vulnerabilities. Targeted device families include Rockwell's CompactLogix and Micro850 series.
The attackers are reportedly operating from a multi-homed Windows workstation – identified by the common name "DESKTOP-BOE5MUC" – and leveraging Remote Desktop Protocol over the non-standard TCP port 43589. Analysis indicates that the infrastructure also exposes a full Windows protocol stack, including DCERPC / 135, MSMQ, and NetBIOS services, expanding the potential attack surface.
Officials warn that other operational technology protocols, such as Modbus / 502 and S7 / 102, are being probed, suggesting the threat extends beyond Rockwell hardware to controllers from additional manufacturers.
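The advisory details above (internet-reachable controllers, RDP on TCP 43589, DCERPC on 135, and probing of Modbus/502 and S7/102) translate directly into perimeter-log checks a plant operator can run today. The following script is an added example and is not code from the advisory, the agencies, or Censys. It parses constructed firewall log lines in a made-up format and flags three things a defender would want to see: any traffic involving a published indicator address (here a placeholder in the 203.0.113.0/24 documentation range, standing in for the real list the agencies released), inbound connections from non-RFC1918 addresses to OT or Windows service ports, and any use of the non-standard RDP port. Port 44818 (EtherNet/IP, the port Studio 5000 uses to reach Logix controllers) is added from general knowledge rather than the article, and the assumption that the plant's own address space is RFC 1918 is hard-coded in `INTERNAL_NETS`.

```python
"""Flag firewall log lines that indicate direct internet exposure of OT
devices or contact with the attacker infrastructure described in the advisory.

Added example; the log format, the log lines and the IoC list are constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports named in the advisory coverage: Modbus/502, S7/102, DCERPC/135 and RDP
# on the non-standard port 43589.  44818 (EtherNet/IP, used by Studio 5000 to
# reach Logix controllers) is added from general knowledge, not the article.
OT_PORTS = {502: "Modbus", 102: "S7comm", 44818: "EtherNet/IP"}
WINDOWS_PORTS = {135: "DCERPC", 3389: "RDP"}
NONSTANDARD_RDP_PORT = 43589

# Placeholder for the attacker addresses released with the advisory; the real
# list is not reproduced here.  203.0.113.0/24 is a documentation range.
KNOWN_BAD_IPS = {"203.0.113.77"}

# Assumption: the plant's own address space is RFC 1918; anything else is the
# internet.  (ipaddress.is_global is deliberately not used, since it treats
# the documentation ranges used in the sample as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_external(ip: str) -> bool:
    """True when the address lies outside the plant's RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return one Finding per matching rule per log line (a line may hit several)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines not in the constructed format
        ts, action = m["ts"], m["action"]
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src in KNOWN_BAD_IPS or dst in KNOWN_BAD_IPS:
            findings.append(Finding(ts, src, dst, dport,
                                    "traffic with a published indicator address"))
        if action == "ALLOW" and is_external(src) and dport in OT_PORTS:
            findings.append(Finding(ts, src, dst, dport,
                                    f"internet-sourced {OT_PORTS[dport]} reaching a controller"))
        if action == "ALLOW" and is_external(src) and dport in WINDOWS_PORTS:
            findings.append(Finding(ts, src, dst, dport,
                                    f"internet-sourced {WINDOWS_PORTS[dport]} to an internal host"))
        if dport == NONSTANDARD_RDP_PORT:
            findings.append(Finding(ts, src, dst, dport,
                                    "RDP on the non-standard port named in the advisory"))
    return findings


def findings_by_address(findings):
    """Count findings per external/indicator address to prioritise blocking."""
    counts = Counter()
    for f in findings:
        counts[f.src if is_external(f.src) else f.dst] += 1
    return dict(counts)


SAMPLE_LOG = [  # constructed lines, not a real capture
    "2026-04-07T10:01:02Z ALLOW TCP 203.0.113.77:51022 -> 192.168.10.5:44818",
    "2026-04-07T10:01:09Z ALLOW TCP 198.51.100.14:40001 -> 192.168.10.8:502",
    "2026-04-07T10:02:15Z DENY  TCP 198.51.100.14:40002 -> 192.168.10.8:102",
    "2026-04-07T10:03:40Z ALLOW TCP 192.168.20.3:55100 -> 203.0.113.77:43589",
    "2026-04-07T10:04:00Z ALLOW TCP 192.168.20.4:49500 -> 192.168.10.5:44818",
    "2026-04-07T10:05:30Z ALLOW TCP 198.51.100.9:44000 -> 192.168.20.10:135",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print(findings_by_address(analyze(SAMPLE_LOG)))
```

The denied S7 probe on line three is intentionally not flagged, so that the output lists only traffic that actually got through or that touched the indicator address; a team that also wants to see blocked probes can drop the `action == "ALLOW"` condition. Engineer-to-controller traffic that stays inside the plant (line five) is likewise left alone, which keeps the check focused on the internet exposure the article describes rather than on legitimate Studio 5000 use.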
This is not the first time Iranian-linked actors have targeted US industrial systems. In 2023, a group calling itself CyberAv3ngers interfered with at least 75 PLCs and human-machine interfaces across multiple sectors. More recently, pro-Iran groups, including Handala, have expanded operations to include disruptive attacks on global targets, from multinational medical device maker Stryker to consumer platforms like Netflix and Pinterest.
For now, the US government has released the IP addresses and device signatures associated with the attackers, along with technical guidance for securing exposed PLCs. Officials say these digital attacks on critical automation systems are likely to escalate over time, both in scale and sophistication.
