Iran-linked hackers are shutting down US oil, gas, and water facilities, six federal agencies warn
A joint FBI/CISA/NSA advisory says Iranian cyber actors are exploiting Rockwell Automation PLCs at energy and water sites, causing operational shutdowns and forcing manual operations -- an escalation of the cyber front of the Iran war.
Six federal agencies issued an urgent joint advisory on April 7 warning that Iran-linked hackers are actively disrupting U.S. critical infrastructure by targeting the industrial controllers that run oil, gas, and water facilities.
The advisory (AA26-097A), co-authored by the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command, describes an ongoing campaign against programmable logic controllers (PLCs) -- the computers that directly control physical equipment like pumps, valves, and treatment systems.
Some sites have been forced to shut down and operate manually.
What's being attacked
The hackers are targeting Rockwell Automation/Allen-Bradley PLCs, specifically CompactLogix and Micro850 models, across three sectors:
- Energy -- oil and gas facilities
- Water and wastewater -- treatment plants and distribution systems
- Government services -- local municipal infrastructure
The advisory documents "diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss."
The attackers use leased third-party infrastructure running Rockwell's Studio 5000 Logix Designer software to connect to victim PLCs. Once inside, they install Dropbear SSH on endpoints via port 22 for persistent remote access, then extract project files and manipulate the data shown on human-machine interface (HMI) and SCADA displays -- the screens operators use to monitor what the facility is doing.
Manipulating those displays means operators may not see what's actually happening to the equipment they control.
Who's behind it
The advisory attributes the campaign to multiple Iranian government-affiliated groups:
| Group | Also known as |
|---|---|
| Cyber Av3ngers | Hydro Kitten, Shahid Kaveh Group, UNC5691 |
| Handala Hack | -- |
| Homeland Justice | -- |
| Karma / KarmaBelow80 | -- |
Cyber Av3ngers, linked to Iran's Islamic Revolutionary Guard Corps (IRGC), previously compromised at least 75 Unitronics PLC devices across U.S. critical infrastructure in late 2023, including the Municipal Water Authority of Aliquippa, Pennsylvania. The current campaign, in which new victims have been identified since March 2026, represents an escalation in both scope and impact.
Separately, the Handala group has been linked to a breach at U.S. medical technology company Stryker since the war began.
The cyber front
The advisory explicitly connects the attacks to the broader conflict. Since the U.S.-Israeli war with Iran began, Iranian cyber operations against American targets have escalated from espionage and defacement to attacks that test safety systems at industrial facilities.
This is a different kind of escalation than missile strikes or Hormuz closures. A compromised PLC at a water treatment plant can alter chemical dosing. A manipulated display at an oil facility can mask dangerous pressure levels. The advisory warns that "other vendors may also be at risk" beyond Rockwell Automation.
The six agencies recommend that operators of industrial control systems immediately audit internet-exposed PLCs, change default credentials, segment OT networks from IT networks, and monitor for unauthorized Studio 5000 connections.
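As an added example (not code from the advisory or this article), the following Python check turns the last recommendation into detection logic run over Zeek-style conn.log rows: it flags engineering-protocol sessions to PLCs from anything other than an approved Studio 5000 workstation, and SSH sessions touching OT endpoints, where the advisory says Dropbear is being installed. The OT subnet, PLC addresses, approved workstations and log rows are constructed; the EtherNet/IP port 44818 is the standard CIP port for Logix controllers and is not stated in the article.

```python
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example, not from the advisory): the OT
# subnet, the PLC addresses and the approved Studio 5000 engineering hosts.
OT_NET = ip_network("10.20.0.0/16")
PLC_HOSTS = {"10.20.1.10", "10.20.1.11"}
APPROVED_ENG = {"10.20.5.50", "10.20.5.51"}
ENIP_PORT = 44818  # EtherNet/IP (CIP) TCP port Studio 5000 uses to reach Logix PLCs
SSH_PORT = 22      # the Dropbear listener the advisory describes

def parse_conn_line(line):
    """Parse a Zeek conn.log row (tab-separated: ts uid orig_h orig_p resp_h resp_p proto ...)."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 7 or f[0].startswith("#"):
        return None
    return f[2], f[4], int(f[5]), f[6]

def check(line):
    """Return (rule, src, dst, dport) for a suspicious row, else None."""
    rec = parse_conn_line(line)
    if rec is None or rec[3] != "tcp":
        return None
    src, dst, dport, _ = rec
    # Engineering-protocol access to a PLC from anything but an approved workstation.
    if dst in PLC_HOSTS and dport == ENIP_PORT and src not in APPROVED_ENG:
        return ("unapproved-plc-engineering-access", src, dst, dport)
    # SSH to or from an OT host: PLC/HMI endpoints should not be running Dropbear.
    if dport == SSH_PORT and (ip_address(src) in OT_NET or ip_address(dst) in OT_NET):
        return ("ssh-touching-ot-host", src, dst, dport)
    return None

def scan(lines):
    return [f for f in map(check, lines) if f is not None]

# Constructed sample rows: an approved engineering session, a PLC session from an
# external address, an SSH session into an OT endpoint, and unrelated HTTPS.
SAMPLE_LOG = [
    "1700000000.1\tC1\t10.20.5.50\t51000\t10.20.1.10\t44818\ttcp",
    "1700000001.2\tC2\t203.0.113.7\t40222\t10.20.1.11\t44818\ttcp",
    "1700000002.3\tC3\t198.51.100.9\t43111\t10.20.3.20\t22\ttcp",
    "1700000003.4\tC4\t10.20.5.50\t52000\t192.0.2.5\t443\ttcp",
]

if __name__ == "__main__":
    for rule, src, dst, dport in scan(SAMPLE_LOG):
        print(f"{rule}: {src} -> {dst}:{dport}")
```

Run against a real conn.log, the approved-workstation set is the allowlist to maintain; any hit on the first rule is a candidate unauthorized Studio 5000 connection.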