Federal cybersecurity agencies issued a joint advisory Tuesday warning that hackers affiliated with Iran have disrupted operations at multiple U.S. oil and gas facilities, as well as water and wastewater systems and government sites. The attacks targeted internet-exposed programmable logic controllers, or PLCs, manufactured by Rockwell Automation, including CompactLogix and Micro850 models, leading to shutdowns and forcing some sites to switch to manual operations.

The FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Department of Energy, Environmental Protection Agency, and U.S. Cyber Command detailed how the Iranian advanced persistent threat actors exploited vulnerabilities in these industrial control systems. The hackers gained initial access using overseas IP addresses and Rockwell's Studio 5000 Logix Designer software, then deployed tools like Dropbear SSH for remote control. They manipulated project files and altered data on human-machine interfaces and supervisory control and data acquisition displays, causing PLC malfunctions. In some instances, the actors attempted to deploy destructive wiper malware, though success remains unclear.

Impacts included operational disruptions and financial losses for affected organizations, but no physical damage or safety incidents were reported. The activity dates to at least March 2026 and has escalated amid heightened tensions in the U.S.-Israeli war against Iran. Agencies linked the tactics to prior campaigns by the IRGC-affiliated CyberAv3ngers, also known as the Shahid Kaveh Group, which has targeted similar systems since late 2023, including a U.S. oil and gas company in 2024.

The disruptions come as President Trump has threatened strikes on Iranian infrastructure, including power plants, prompting what officials describe as asymmetric retaliation through cyberspace. Iran lacks the missile range to strike the U.S. homeland directly, turning to cyber operations instead. A fragile two-week ceasefire took effect hours before Trump's deadline Tuesday evening.

"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran and the United States and Israel," the advisory stated. Cybersecurity expert Joe Slowik noted the hacks could enable modification of operating parameters, posing safety risks beyond mere disruption.

Agencies urged immediate actions: disconnect PLCs from the internet, enable programming protections, test offline backups, and monitor for suspicious traffic on ports like 44818 and 22. Rockwell Automation advised setting physical switches to "run" mode and applying patches for known vulnerabilities. The North American Electric Reliability Corporation confirmed it is monitoring the power grid closely.
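As an added illustration of the monitoring step (not code from the advisory or from Rockwell Automation), the sketch below reviews firewall flow records for traffic reaching PLCs on ports 44818 and 22 from any source that is not an approved engineering workstation. The subnets, the allowlist, the log layout and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the advisory): the PLC subnet, the internal range,
# the engineering-workstation allowlist and the log layout are hypothetical.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ENG_WORKSTATIONS = {ipaddress.ip_address("10.10.5.11")}
WATCH_PORTS = {44818: "EtherNet/IP", 22: "SSH"}  # ports named in the article

# Constructed sample records: "time src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2026-03-02T08:14:07Z 10.10.5.11 10.20.0.15 44818 ALLOW
2026-03-02T08:15:42Z 203.0.113.77 10.20.0.15 44818 ALLOW
2026-03-02T08:16:03Z 203.0.113.77 10.20.0.15 22 DENY
2026-03-02T08:17:19Z 10.10.9.40 10.20.0.22 22 ALLOW
2026-03-02T08:18:55Z 10.10.5.11 10.30.0.8 22 ALLOW
malformed line
"""

def review_flows(log_text):
    """Return findings for watched-port flows to PLCs from unapproved sources."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the run
        ts, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if dst_ip not in PLC_NET or port not in WATCH_PORTS:
            continue  # not PLC-bound, or not a watched service
        if src_ip in ENG_WORKSTATIONS:
            continue  # approved programming station
        if action != "ALLOW":
            severity = "info"      # blocked, but record the probe
        elif src_ip not in INTERNAL_NET:
            severity = "critical"  # PLC is reachable from outside the network
        else:
            severity = "high"      # internal host outside the allowlist
        findings.append({"time": ts, "src": src, "dst": dst,
                         "service": WATCH_PORTS[port], "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_LOG):
        print(finding)
```

A "critical" finding here means the firewall passed an external connection to a controller, which is the exposure the advisory asks operators to remove by disconnecting PLCs from the internet.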

This follows recent Iran-linked hacks, including leaks from FBI Director Kash Patel's emails last month and an attack on a major U.S. medical device maker. U.S. intelligence has long assessed Iran's persistent cyber intent against America and its allies.