CISA: Iranian Hackers Targeting U.S. Energy Sector


U.S. security agencies reported an escalation of attacks against critical infrastructure by Iranian threat actors since the beginning of the war in February 2026.

The attack on Iran by the United States and Israel is drawing retaliation against critical infrastructure cyber assets in the energy sector, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency and other federal organizations.

CISA joined the FBI, Department of Energy, Environmental Protection Agency, National Security Agency and U.S. Cyber Command to warn that “Iran-affiliated” hackers have targeted programmable logic controllers (PLC) used by organizations in multiple critical infrastructure sectors including government services and facilities, water and energy.

The agencies identified similarities with a previous campaign by a pro-Iran hacking group that cybersecurity firms have given various names, such as CyberAv3ngers, Shahid Kaveh and Bauxite, and said a recently observed escalation of Iran-linked campaigns against the U.S. was “likely in response” to the conflict begun by the U.S. and Israel on Feb. 28. (See Dragos: Attacks on ICS Increased in 2024.)

PLCs are computer systems that constantly monitor the state of input devices and control the state of output devices. Controllers manufactured by Rockwell Automation under the Allen-Bradley brand are known to have been targeted by the attackers, specifically the CompactLogix and Micro850 device lines. Other brands and manufacturers may have been targeted as well, according to the agencies, because malicious traffic was also observed being directed at network connection points used by companies other than Rockwell.

Intruders were observed accessing the PLCs from “overseas-based IP addresses [using] leased, third-party hosted infrastructure” with Rockwell’s configuration software, which let them establish accepted connections to the targeted equipment. The advisory includes a list of IP addresses used by the threat actors and the dates on which they were observed.

According to the FBI, attackers used their access to extract the devices’ project files and manipulate data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, causing “operational disruption and financial loss.”

The agencies provided a list of recommended mitigations to reduce the impact of intrusion attempts, corresponding with CISA’s recently updated cybersecurity performance goals. (See CISA Updates Critical Infrastructure Cyber Goals.)

Part of the advice to defending organizations focuses on how to respond to a suspected attack. Those steps include:

    • Disconnecting the affected PLC from the public-facing internet.
    • Switching the controller to “run” mode rather than “program” or “remote” to prevent modification, if possible.
    • Enabling programming protection to limit remote modification permissions, if available.
    • Backing up PLC logic and configurations offline in a secure location.

The authors also mentioned steps to strengthen the general security posture, such as implementing multifactor authentication for external access to the organization’s operational technology network, and tools like network proxies, gateways and virtual private networks to control access to the PLCs. Additional measures include keeping PLCs updated with the manufacturers’ latest software patches, disabling unused authentication measures and monitoring network traffic for suspicious content.
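As an added illustration of two of those measures (keeping PLCs off the public internet and monitoring network traffic), and not code from the article or the advisory: a small Python check over constructed flow-log lines that flags any connection to the PLC subnet from a public address, and any connection to the PLC programming port from a host outside the engineering-workstation allowlist. The subnets, the log format and the use of 44818/tcp (EtherNet/IP, the port Rockwell programming tools use) are assumptions; the article names no port or address ranges.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions, not from the article: PLC programming traffic is EtherNet/IP on
# 44818/tcp, the PLCs live in one OT subnet, and only engineering workstations
# may open the programming port. Internal ranges are the RFC 1918 blocks.
PLC_PROGRAMMING_PORT = 44818
PLC_SUBNET = ipaddress.ip_network("10.20.0.0/24")            # constructed
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/28")]  # constructed
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log lines: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2026-03-02T01:14:07Z 10.10.5.3 51122 10.20.0.15 44818 tcp
2026-03-02T01:14:09Z 203.0.113.77 40231 10.20.0.15 44818 tcp
2026-03-02T01:15:30Z 10.30.7.9 55010 10.20.0.21 44818 tcp
2026-03-02T01:16:02Z 198.51.100.8 43321 10.20.0.15 502 tcp
2026-03-02T01:17:45Z 10.10.5.4 51200 10.20.0.21 80 tcp
"""

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def find_suspect_plc_access(flow_text):
    """Return one Finding per flow that violates the PLC access policy."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, _sport, dst, dport, _proto = parts
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in PLC_SUBNET:
            continue
        external = not _in_any(src_ip, INTERNAL_RANGES)
        if int(dport) == PLC_PROGRAMMING_PORT and not _in_any(src_ip, ENGINEERING_ALLOWLIST):
            reason = ("programming port reached from public address" if external
                      else "programming port reached from non-engineering host")
            findings.append(Finding(ts, src, dst, reason))
        elif external:
            findings.append(Finding(ts, src, dst, "PLC reachable from public address"))
    return findings
```

Against the sample flows the check reports the two public-address connections and the internal host that is not an engineering workstation, and stays silent for the allowlisted workstations.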

Despite the advice to network defenders, CISA and the other agencies emphasized “it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default.” To accomplish this goal, they urged manufacturers to follow the principles in CISA’s Secure by Demand guidance, including changing default settings to prevent inadvertent exposure to the public internet, supporting phishing-resistant MFA methods and providing basic security features without additional fees.

The authors also recommended organizations test their security programs against threat behaviors identified in the ATT&CK matrix developed by engineering and information technology consultancy MITRE. They suggested testing security programs “at scale in a production environment to ensure optimal performance.”
