
Apr 08, 2026 · 6 min read

Iranian Hackers Are Inside US Water and Energy Systems, Six Federal Agencies Warn

A joint advisory from the FBI, NSA, CISA, and three other agencies reveals that Iranian state hackers have already caused operational disruption at American facilities.

Industrial water treatment facility control room with warning indicators on SCADA displays, representing a cyberattack on critical infrastructure

What Happened

On April 7, 2026, six U.S. federal agencies published a joint cybersecurity advisory warning that Iranian government-affiliated hackers have been exploiting internet-facing operational technology across American critical infrastructure since at least March 2026.

The advisory came from the FBI, NSA, CISA, the Environmental Protection Agency, the Department of Energy, and U.S. Cyber Command. That six agencies coordinated a single alert underscores how seriously the government is treating this campaign.

Some of the targeted facilities have already experienced operational disruption and financial loss, though the FBI has withheld specific details about how many sites were affected.

How the Attacks Work

The hackers are targeting programmable logic controllers (PLCs) made by Rockwell Automation under its Allen-Bradley brand. These industrial controllers are the hardware that directly manages physical processes: opening valves at water treatment plants, regulating pressure in pipelines, and controlling electrical distribution at power facilities.

The attackers get in through devices that are reachable from the internet, then manipulate project files and alter the data shown on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. In practical terms, operators may be looking at dashboard readings that no longer reflect reality while the attackers change what the physical equipment actually does.

The advisory flagged four network ports to monitor for suspicious activity, particularly for traffic originating from overseas hosting providers: 44818 and 2222 (EtherNet/IP, the protocol Allen-Bradley controllers speak), 102 (ISO-TSAP, used by Siemens S7 controllers), and 502 (Modbus/TCP). None of these should ever be reachable from outside the plant network.
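
The kind of check that paragraph implies, as an added example that is not part of the advisory or of the article: scan firewall or NetFlow-style records for connections to those four ports whose source is not on an allowlist of plant subnets. The log format, the allowlisted networks and the sample records are all constructed for the example; the protocol labels for the ports are standard assignments, not something the advisory spells out.

```python
import ipaddress
from dataclasses import dataclass

# The four ports named in the advisory, with the ICS protocol each normally
# carries (standard assignments, added here for context).
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP over TCP)",
    2222: "EtherNet/IP implicit I/O (CIP over UDP)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
}

# Hypothetical allowlist of networks permitted to talk to controllers.
# In a real deployment this comes from the site's asset inventory.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/16"),     # plant SCADA/HMI VLAN (assumed)
    ipaddress.ip_network("192.168.50.0/24"),  # engineering workstations (assumed)
]

# RFC 1918 ranges, checked explicitly to tell "wrong internal subnet" from
# "external host". ip_address.is_global is not used because the documentation
# ranges in the sample log (203.0.113.0/24, 198.51.100.0/24) are not classed
# as global by the ipaddress module.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    proto: str
    reason: str


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def parse_line(line: str):
    """Parse one constructed record: ts,src_ip,dst_ip,dst_port,proto.
    Returns None for malformed lines so one bad record cannot stop the scan."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return ts, ipaddress.ip_address(src), dst, int(port), proto.upper()
    except ValueError:
        return None


def scan(lines) -> list:
    """Flag every connection to an OT port whose source is not allowlisted."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if port not in OT_PORTS:
            continue                      # not one of the advisory's ports
        if in_any(src, TRUSTED_SOURCES):
            continue                      # expected HMI/engineering traffic
        origin = ("internal host outside the OT allowlist"
                  if in_any(src, RFC1918) else "external host")
        alerts.append(Alert(ts, str(src), dst, port, proto,
                            f"{origin} reached {OT_PORTS[port]}"))
    return alerts


# Constructed sample log (firewall/NetFlow export style), not real traffic.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for external hosting-provider addresses.
SAMPLE_LOG = [
    "2026-04-07T03:12:44Z,10.10.4.21,10.20.1.5,44818,TCP",    # HMI polling a PLC: expected
    "2026-04-07T03:13:02Z,203.0.113.77,10.20.1.5,44818,TCP",  # external host to PLC
    "2026-04-07T03:13:09Z,198.51.100.9,10.20.1.7,502,TCP",    # external host, Modbus
    "2026-04-07T03:14:31Z,10.30.7.14,10.20.1.9,102,TCP",      # corporate IT subnet, not allowlisted
    "2026-04-07T03:15:00Z,203.0.113.77,10.20.1.5,443,TCP",    # not an OT port: out of scope here
    "2026-04-07T03:15:12Z,192.168.50.8,10.20.1.5,2222,UDP",   # engineering workstation: expected
    "this line is malformed",
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port}/{a.proto}  {a.reason}")
```

The "overseas hosting provider" part of the advisory's guidance needs an ASN or GeoIP feed on top of this, which the block deliberately leaves out so it runs offline. Note that the corporate-subnet hit on port 102 is flagged too: a connection to a controller from anywhere other than the SCADA and engineering networks is worth a look regardless of where it comes from.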

Who Is Behind It

The advisory attributes the campaign to "Iranian affiliated advanced persistent threat actors" without naming a specific group. However, the tactics closely mirror those of CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group that attacked Unitronics PLCs at a Pennsylvania water utility in late 2023 using the devices' default passwords.

The agencies linked the escalation directly to the U.S. and Israeli military strikes against Iran's nuclear facilities and military infrastructure that began on February 28, 2026 under Operation Epic Fury. The cyber campaign appears designed to cause disruptive effects within the United States as retaliation.

The Sectors at Risk

The advisory identifies multiple critical infrastructure sectors under active threat:

  • Water and wastewater systems: Treatment plants that manage drinking water quality and sewage processing
  • Energy facilities: Power grids, oil refineries, and natural gas distribution
  • Food production: Processing plants with automated industrial controls
  • Local government: Municipal systems that manage public utilities

Both U.S. and Israeli facilities have been targeted, but the advisory focuses on domestic risks. The common thread is internet connected industrial controllers that were never designed to face the open internet.

Why This Matters for Everyone

Critical infrastructure attacks are not abstract. When hackers manipulate water treatment PLCs, they can alter chemical dosing levels that affect the safety of tap water. When they target energy SCADA systems, they can trigger blackouts or equipment damage.

This advisory arrives while CISA itself is operating with drastically reduced capacity, having lost 60% of its workforce. The agency that is supposed to coordinate the nation's cyber defense is issuing warnings about threats it may not have the staff to help remediate.

The geopolitical context adds urgency. Unlike financially motivated ransomware groups that want payment, state sponsored attackers targeting infrastructure aim to cause disruption and demonstrate capability. The goal is not money but leverage.

Recommended Protections

The joint advisory includes specific mitigations for organizations running industrial control systems:

  • Disconnect PLCs from the internet: industrial controllers should never be directly reachable from the public internet
  • Enable multi-factor authentication on all remote access to operational technology networks
  • Apply vendor patches: follow Rockwell Automation's latest security guidance for Allen-Bradley controllers
  • Monitor network traffic on ports 44818, 2222, 102, and 502 for connections from unfamiliar or overseas IP addresses
  • Review project files for unauthorized modifications to PLC logic and HMI configurations, comparing them against a known-good baseline
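
One way to make the last item repeatable, as an added example that is not code from the advisory or from Rockwell Automation: hash every project file under a directory into a baseline, store it, and later report what was added, removed or modified. The suffix list, file names and file contents below are assumptions constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes to baseline. Studio 5000 / RSLogix 5000 use .ACD projects and
# .L5X/.L5K exports; FactoryTalk View uses .apa/.mer. The set is an
# assumption for the example; extend it for your own site.
WATCHED_SUFFIXES = {".acd", ".l5x", ".l5k", ".apa", ".mer"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large project files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a baseline over a constructed project tree, tamper with it, and diff.
    File names and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "HMI").mkdir()
        (root / "Pump_Station_A.ACD").write_bytes(b"ACD:pump logic v12")
        (root / "HMI" / "Overview.mer").write_bytes(b"MER:overview display")
        (root / "README.txt").write_bytes(b"not a project file, ignored")

        baseline_path = root / "baseline.json"   # .json is not a watched suffix
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: logic edited, an unexpected export dropped,
        # an HMI display removed.
        (root / "Pump_Station_A.ACD").write_bytes(b"ACD:pump logic v12 + setpoint change")
        (root / "Backdoor_Routine.L5X").write_bytes(b"L5X:unexpected export")
        (root / "HMI" / "Overview.mer").unlink()

        return diff_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add. The baseline file has to live somewhere an attacker on the engineering workstation cannot rewrite (read-only media, or a store they have no credentials for), or a modified baseline simply blesses the modified project. And hashing files on disk says nothing about the logic actually running in the controller; that check means uploading the project from the PLC and comparing it against the baselined copy.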

The Pattern Keeps Repeating

This is not the first time Iranian hackers have targeted American infrastructure, and the pattern is accelerating. The December 2024 campaign deployed custom malware against similar targets. The 2023 Pennsylvania water facility attack used default passwords on internet facing PLCs. Each incident reveals the same structural weakness: critical systems connected to the internet without adequate segmentation or authentication.

Until operators treat internet exposure of industrial controls as the emergency it is, these advisories will keep coming. The question is whether the next one will describe disruption or damage.