Iranian Cyber Actors Target Western Critical Infrastructure: PLC Exploits Escalate Amid Regional Conflict
Six US agencies confirm Iranian actors are disrupting industrial control systems. The attacks exploit hygiene failures, not advanced capabilities.
Domain: Tech-Geopolitics
The Development
On 7 April 2026, the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command issued a joint advisory (AA26-097A) confirming that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across US critical infrastructure.[1] The advisory identified disruptions in the Government Services, Water and Wastewater Systems, and Energy sectors, with some victims experiencing operational disruption and financial loss.[1]
The attackers used overseas IP addresses and leased third-party hosting infrastructure to connect to internet-exposed Rockwell Automation/Allen-Bradley PLCs, including CompactLogix and Micro850 controllers.[1] They used Rockwell’s own Studio 5000 Logix Designer software to establish connections, extracted and modified project files containing ladder logic and configuration settings, manipulated data displayed on human-machine interface and SCADA systems, and deployed Dropbear SSH on victim endpoints for persistent access via port 22.[1] Malicious traffic was observed on ports 44818, 2222, 102, 22, and 502, with patterns suggesting interest in Siemens S7 PLCs as well.[1]
The advisory links this campaign to the CyberAv3ngers group, affiliated with Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), also tracked as Shahid Kaveh Group, Storm-0784, Hydro Kitten, Bauxite, and UNC5691.[1] The same ecosystem compromised at least 75 Unitronics PLC devices across US water and wastewater systems during a similar campaign beginning in November 2023.[1][2] That earlier campaign relied on factory default passwords. The current campaign exploits CVE-2021-22681, an authentication bypass vulnerability in Rockwell Logix controllers for which no vendor patch exists; only defence-in-depth mitigations are available.[1][3]
The escalation coincides with the US-Israeli military campaign against Iran that began on 28 February 2026 (Operation Epic Fury).[4] Strikes targeted Iranian nuclear facilities, military infrastructure, and senior leadership, including Supreme Leader Ali Khamenei.[4][5] Iran experienced a near-total domestic internet blackout shortly after, and a conditional ceasefire was declared on 8 April.[4] The UK’s National Cyber Security Centre issued an advisory on 2 March 2026 warning UK organisations of a heightened risk of indirect cyber threats, particularly for those with supply chains or operations in the Middle East.[6] The NCSC assessed that Iranian state and Iran-linked cyber actors “almost certainly currently maintain at least some capability to conduct cyber activity” despite the blackout.[6]
The broader Iranian cyber ecosystem has activated in parallel. Tenable reports that CyberAv3ngers’ ICS exploitation techniques have proliferated to an estimated 60 or more pro-Iranian hacktivist groups.[3] Handala, a group widely assessed to operate under Iranian intelligence protection, claimed a destructive attack against US medical technology firm Stryker in March 2026, asserting it wiped approximately 200,000 devices via a compromised Microsoft Intune environment; Stryker confirmed severe operational disruption, though the scale figures have not been independently verified.[7] MuddyWater was observed conducting coordinated intrusions against a US bank, an airport, NGOs, and an Israeli-linked defence supplier in late February, using newly built backdoors and cloud-based data exfiltration.[7] The Center for Strategic and International Studies published analysis in April characterising Iran’s cyber posture as a shift from episodic attacks to a sustained campaign treating cyberspace as an extension of state power.[8]
US financial regulators have also responded. FINRA issued a cybersecurity alert warning member firms of heightened risks from Iranian state-sponsored and aligned actors, specifically citing the exploitation of known vulnerabilities, default credentials, and brute-force techniques.[9]
The Reality Check
Assessment: Significant. This is a genuine escalation in Iranian intent to cause disruptive effects on Western critical infrastructure. It is not a novel capability or an insurmountable technical challenge.
The core issue is basic: exposed industrial control systems are being compromised through poor hygiene. In every documented case, the attackers are scanning the public internet for PLCs protected by default passwords, unpatched authentication bypasses, or no access controls at all. They are connecting using the manufacturer’s own legitimate engineering software. The sophistication is in the targeting and the intent, not in the technique.
Two things have changed since the 2023 Unitronics campaign. First, the attacks are causing confirmed operational disruption and financial loss. The 2023 campaign was largely symbolic: screens displaying political messages, limited real-world impact. The April 2026 advisory documents actual manipulation of control logic and process displays, with victims reporting genuine operational consequences.[1] Second, the geopolitical context has elevated the threat tempo. The February 2026 military campaign against Iran triggered the largest single-event activation of Iranian-aligned cyber actors ever documented, according to threat intelligence firms.[7] With conventional military options constrained, cyber operations against US and allied infrastructure become a more attractive asymmetric response for Tehran.[8]
Three realities temper the alarm.
First, the technical barrier remains low. These attacks work because defenders have not implemented measures that have been recommended for years: remove OT from the public internet, change default passwords, segment networks, enforce authentication. Organisations that have already done this are far less attractive targets. The NCSC’s assessment is instructive: there is no significant change in the direct cyber threat to the UK, but the risk of indirect effects and opportunistic exploitation has increased.[6]
Second, the Iranian cyber apparatus has been degraded by the conflict. The 2026 ODNI Annual Threat Assessment concluded that Iran’s ability to conduct and defend against cyber operations was constrained by the 2025 war and subsequent military pressure.[10] The IRGC command structure has been significantly weakened. The domestic internet blackout limits coordination. But degraded is not neutralised. The proxy ecosystem, cultivated over a decade, now operates with greater autonomy. CyberAv3ngers’ techniques have spread to dozens of affiliated groups.[3] The threat has become more distributed, less predictable, and in some ways harder to defend against because there is no single adversary with a single playbook.
Third, geographic distance offers no protection. Iranian-affiliated groups scan globally for exposed OT devices. Any organisation running internet-connected industrial control systems is a potential target, regardless of sector or location. European organisations fall under additional pressure via NIS2 obligations to manage emerging threats proportionately. The UK NCSC’s advisory and FINRA’s alert both confirm that allied nations and financial regulators treat this as requiring organisational action now.[6][9]
The central message: the nature of the Iranian cyber threat to Western critical infrastructure has not changed. What has changed is the operational tempo, the willingness to cause real disruption, and the number of actors involved. Defenders retain a structural advantage, but only if they treat internet-exposed OT as the urgent hygiene failure it is.
The Action Brief
Remove OT devices from the public internet. If a PLC, HMI, RTU, or SCADA component does not require public internet connectivity to perform its function, disconnect it. If remote access is operationally necessary, place it behind a secure gateway or VPN with phishing-resistant multifactor authentication. Conduct an external scan this week to verify no OT devices are directly reachable. This is the single most effective action you can take.
Inventory your Rockwell Automation Logix controllers. CyberAv3ngers are actively exploiting CVE-2021-22681, for which there is no vendor patch. Implement Rockwell’s recommended mitigations: network segmentation isolating engineering workstations from untrusted networks, strict access controls, and continuous monitoring for unauthorised engineering sessions. Ensure physical mode switches on applicable controllers are locked in the run position to prevent remote logic modifications.
Audit third-party and vendor remote access. The Stryker compromise and the advisory’s own TTPs confirm that trusted third-party pathways remain a primary attack vector. Review every vendor maintenance gateway, remote support portal, and contractor access account touching your OT environment. Remove anything that cannot be justified. Enforce MFA on everything that remains. Enable logging.
Search your network logs for the advisory’s indicators. Direct your SOC to query firewall and IDS logs for inbound connections to ports 44818, 2222, 102, 22, and 502 from overseas hosting providers. Look for the IP addresses listed in the CISA STIX package (AA26-097A). Check for unauthorised Dropbear SSH installations and unexpected modifications to Rockwell project files (.ACD, .L5X).
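A triage pass over firewall log lines for the indicators listed above, added here as an example (not code from the advisory, CISA, or any vendor). The log format, the sample source addresses, the 203.0.113.0/24 vendor-gateway allowlist, and the "CIP port then SSH on the same host" heuristic are assumptions constructed for this illustration; it goes slightly beyond the text by grouping hits per source and flagging the engineering-session-then-SSH sequence the advisory describes.

```python
"""Triage constructed firewall log lines for the AA26-097A indicators above.
Example code added here, not from the advisory or any vendor.  Assumed: the
log format, the 203.0.113.0/24 vendor-gateway allowlist, RFC 1918 = internal."""
import ipaddress
import re
from collections import defaultdict

# Ports named in the advisory and the service each normally carries.
OT_PORTS = {44818: "EtherNet/IP (CIP explicit, Studio 5000)", 2222: "EtherNet/IP (CIP I/O)",
            102: "ISO-TSAP (Siemens S7)", 22: "SSH (Dropbear)", 502: "Modbus/TCP"}
CIP_PORTS = {44818, 2222}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]  # assumed approved gateway
# Constructed format: <ts> <ACCEPT|DROP> src=<ip>:<port> dst=<ip>:<port> proto=...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
                     r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def is_external(ip):
    """True for sources outside internal space and not on the allowlist."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL + ALLOWLIST)

def triage(lines):
    """(ts, src, dst, dport, service) for accepted inbound connections to OT
    ports from external, non-allowlisted sources, kept in log order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        dport = int(m["dport"])
        if dport in OT_PORTS and is_external(m["src"]):
            hits.append((m["ts"], m["src"], m["dst"], dport, OT_PORTS[dport]))
    return hits

def summarise(hits):
    """Group by source so one scanner touching several PLCs shows as one entity."""
    by_src = defaultdict(set)
    for _, src, dst, dport, _ in hits:
        by_src[src].add((dst, dport))
    return dict(by_src)

def escalation_candidates(hits):
    """(src, dst) pairs where a source reached a CIP port on a host and later
    SSH on the same host: the Studio 5000-then-Dropbear sequence to look for."""
    cip_seen, flagged = set(), []
    for _, src, dst, dport, _ in hits:
        if dport in CIP_PORTS:
            cip_seen.add((src, dst))
        elif dport == 22 and (src, dst) in cip_seen and (src, dst) not in flagged:
            flagged.append((src, dst))
    return flagged

# Constructed sample: one external scanner, a dropped probe, an approved vendor
# session, an internal engineering workstation, and an S7 probe from elsewhere.
SAMPLE_LOG = [
    "2026-04-08T02:14:07Z ACCEPT src=198.51.100.23:51022 dst=10.20.1.15:44818 proto=tcp",
    "2026-04-08T02:14:09Z ACCEPT src=198.51.100.23:51030 dst=10.20.1.16:44818 proto=tcp",
    "2026-04-08T02:15:41Z ACCEPT src=198.51.100.23:51101 dst=10.20.1.15:22 proto=tcp",
    "2026-04-08T02:16:00Z DROP src=198.51.100.23:51150 dst=10.20.1.17:502 proto=tcp",
    "2026-04-08T03:02:12Z ACCEPT src=203.0.113.40:40200 dst=10.20.1.15:44818 proto=tcp",
    "2026-04-08T03:05:33Z ACCEPT src=10.20.5.8:55012 dst=10.20.1.15:44818 proto=tcp",
    "2026-04-08T03:07:00Z ACCEPT src=192.0.2.77:60001 dst=10.20.1.18:102 proto=tcp",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for src, targets in summarise(found).items():
        print(src, "->", sorted(targets))
    print("CIP-then-SSH on same host:", escalation_candidates(found))
```

Replace the allowlist with the gateway ranges you have actually approved and confirm any flagged source against the AA26-097A STIX package before escalating.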
Test offline backups of PLC logic and configurations. If an attacker manipulates your control logic, your recovery speed depends on having verified, offline backups of PLC programmes, HMI configurations, and historian data. Test restorability now, before you need it.
CISO Governance Briefing
Enterprise Risk Management
This development does not create a new risk category. It changes the likelihood and velocity parameters for OT compromise scenarios that should already be in your risk register.
Update the likelihood rating for exploitation of internet-facing OT devices. Where previous assessments assumed that ICS targeting by state actors was rare, opportunistic at most, and focused primarily on geographically proximate adversaries, the evidence now shows sustained, globally scoped campaigns causing confirmed operational damage.[1] For organisations running internet-exposed PLCs, HMIs, or SCADA components in water, energy, government services, or manufacturing, move the likelihood assessment up by at least one tier.
If you use a quantitative model, revisit the time-to-exploit assumption. The advisory documents connection and manipulation within hours of device discovery. If you use a qualitative model, the relevant shift is from “possible” to “likely” for any externally facing OT system without gateway-mediated access controls.
Budget and Resourcing
This does not require a large new technology investment for most organisations. The primary spend implications are in process discipline and targeted hardening of existing OT environments.
Reallocate resources from deferred OT segmentation projects. If your organisation lacks dedicated OT visibility or monitoring capability, budget for one to two targeted hires or external support to accelerate network segmentation and logging improvements over the next two quarters. The tools are largely available; the gap in most organisations is adoption.
For organisations with legacy OT where patching is impractical (and CVE-2021-22681 has no patch), compensating controls are capital investments: hardware-enforced unidirectional gateways at IT/OT boundaries, managed switches with documented access control lists, and independent monitoring of OT traffic. If these investments have been deferred, the case for acceleration is now stronger.
Policy and Procedure Updates
Review and update four areas.
Network architecture and remote access: explicitly prohibit direct internet exposure of OT devices. Mandate gateway-mediated access with MFA for all remote OT connections.
Vulnerability and asset management: include all internet-facing OT devices in scanning and patching cycles. Where patching is impractical, document approved compensating controls and review them quarterly.
Incident response: incorporate OT-specific playbooks for PLC manipulation and HMI data alteration scenarios, including rapid isolation procedures, offline restoration from backups, and coordination with OT engineering teams. The window between initial access and operational disruption may be hours, not days.
Third-party risk management: extend supplier assurance to cover OT security controls explicitly (see Supplier Assurance Questions below).
Regulatory Exposure
NIS2 and DORA require boards to oversee proportionate management of emerging threats. Regulators increasingly view unmitigated internet exposure of critical control systems as evidence of inadequate risk management. The April 2026 CISA advisory, combined with the UK NCSC guidance, provides contemporary benchmarks against which post-incident regulatory scrutiny will be judged.[1][6]
No regulator has formally changed its expectations. But the practical defensibility of a 90-day patching cycle for an internet-exposed PLC has weakened considerably when six government agencies are jointly warning of active exploitation causing financial loss. European organisations subject to NIS2’s board-level accountability provisions (with fines of up to 2% of global turnover) should document their board’s awareness and the specific hardening actions taken. FINRA’s alert to financial services firms signals that sector regulators are watching this space closely.[9]
Team Skills
The capability gap this exposes is at the IT/OT boundary. Your security team needs people who can identify and secure internet-exposed industrial devices, configure secure remote access gateways, interpret vendor-specific logs (Rockwell Studio 5000 activity, for example), and distinguish legitimate engineering traffic from anomalous lateral movement.
Most organisations already have the necessary personnel. What they lack is focused training and clear policy direction. Prioritise upskilling in OT network segmentation and basic ICS protocol monitoring over the next 12 months. Cross-train process control engineers in security fundamentals and security analysts in OT basics.
Second-Line and Third-Line Oversight
Risk management (second line) should verify that OT exposure has been mapped and remediated across the estate, and that risk register updates reflect current threat velocity and the demonstrated Iranian willingness to act against exposed devices.
Internal audit (third line) should include internet-exposed OT devices and remote access controls in its next cyber risk review scope. The audit should verify that the organisation maintains a current inventory of internet-facing OT assets and that compensating controls for unpatchable vulnerabilities are documented and tested.
Supplier Assurance Questions
Send these to critical OT/ICS technology suppliers, system integrators, and remote-service providers this quarter.
Are any of the PLCs, HMIs, or SCADA components you supply or support configured for direct internet access? If yes, what controls prevent unauthorised programming or data manipulation?
What is your process for ensuring programming protection, mode-switch settings, and offline backup capabilities are enabled by default or during deployment?
Do you use or recommend secure gateway/jump-host architectures for any remote access to our OT environments? How is MFA enforced at the network layer?
Have you reviewed the April 2026 CISA/FBI advisory (AA26-097A) for applicability to the equipment and services you provide to us?
What monitoring and logging do you maintain for vendor software (e.g., Studio 5000) access to our systems?
In the event of detected manipulation of project files or HMI data, what is your committed notification and restoration support timeline?
Do your contracts include liability provisions for breaches originating from internet-exposed OT devices or remote-access pathways you manage?
Team Readiness Checklist
Use these questions with your OT/security leadership team:
OT exposure and segmentation
Have we identified and documented every internet-facing PLC, HMI, or SCADA component across the estate?
Which devices remain directly reachable from the internet, and what is the plan to remove them?
Is the boundary between corporate IT and OT governed by strict, hardware-enforced segmentation?
Remote access controls
Are all remote OT connections mediated through MFA-enforced gateways rather than direct exposure?
Have we audited third-party and vendor remote-access privileges in the last 90 days?
Have cellular modems and other remote field devices been secured and logged?
Backup and recovery
Do we have tested, offline backups of all critical PLC logic and configurations?
Can we restore a manipulated PLC within operational recovery time objectives?
Monitoring
Are we logging and alerting on anomalous vendor software connections, unexpected OT port activity, or project file changes?
Has our SOC ingested the IOCs from CISA advisory AA26-097A?
Incident response
Has the IR team rehearsed an OT manipulation scenario involving HMI/SCADA data alteration?
Can we execute containment actions (network isolation, mode-switch lockdown, credential rotation) within one hour of detection?
Second-Line and Third-Line Assurance Questions
For risk management (second line):
Has the first-line team mapped all internet-exposed OT devices and implemented compensating controls or removal?
Have risk register entries for OT compromise been updated to reflect current Iranian TTPs and threat velocity?
Is there evidence of MFA-enforced gateway access for all remote OT pathways?
Has the incident response playbook been tested against an OT manipulation scenario in the last 90 days?
For internal audit (third line):
Does the organisation maintain a current inventory of internet-facing OT assets, and have exposure risks been addressed?
Are there documented, tested procedures for rapid PLC restoration following manipulation?
Has the supplier assurance programme been extended to cover OT/ICS security controls?
Is the board receiving accurate, timely reporting on geopolitically driven cyber threats to OT environments?
Tabletop Exercise: OT Manipulation Scenario
Hand this scenario to your incident response team. It requires no additional preparation. Allow 90 minutes.
Scenario:
It is 08:30 on a Wednesday. Your water treatment plant’s SCADA system begins displaying anomalous readings on several HMI screens. Operators report that set points for chemical dosing appear to have been altered remotely. Initial triage confirms unauthorised access to a CompactLogix PLC via an unexpected external IP address using Rockwell programming software. The system remains operational but critical process parameters are changing. Plant safety systems have not yet triggered, but the window for safe containment is narrowing.
At 09:15, the incident response team discovers that the attackers used credentials belonging to a trusted third-party maintenance contractor. The contractor’s access was not enrolled in multifactor authentication. The attackers are actively modifying ladder logic on a second controller responsible for pressure regulation.
Discussion questions:
What is our immediate containment action, and can we execute it within 15 minutes of detection?
Who in the organisation has the authority to physically isolate the OT network, and are they available now?
How do we restore the manipulated controllers from offline backups while maintaining partial manual operations?
The same third-party contractor has access to four other sites in our estate. How do we check and protect those systems while responding to the active compromise?
Under NIS2, what are our immediate regulatory notification obligations and timeline? Who needs to be notified internally within the first hour?
What post-incident changes to remote access policy and network segmentation are non-negotiable?
What to Tell Your Board
Iranian-affiliated cyber actors are actively targeting internet-connected industrial control systems in Western critical infrastructure. US government agencies have confirmed that these attacks have caused operational disruptions and financial losses at water, energy, and government facilities. The attackers are exploiting basic security weaknesses in systems that should never have been connected to the public internet.
For our organisation, this means three things.
First, any remaining internet exposure of our operational technology must be eliminated or tightly controlled. We are conducting an emergency audit to verify that no industrial control systems are directly reachable from the internet, and are reviewing and hardening all remote-access pathways and PLC configurations this quarter.
Second, our OT environments require the same disciplined segmentation and monitoring long applied to corporate IT networks. We are accelerating existing segmentation projects and ensuring offline backups of critical control system logic are in place and tested.
Third, we are extending our supplier assurance and third-party risk processes to cover OT/ICS security controls explicitly. A breach through a supplier’s remote access now moves at machine speed.
This is not a new threat category, but it is a clear demonstration that previously tolerable exposures are now actively exploited. The appropriate response is to close long-standing gaps in our OT security posture. We recommend the board receive a detailed OT exposure assessment and remediation plan at the next risk committee meeting, with implementation targeted for completion before end of Q3 2026.
Indicator Watch
Stratsec is tracking the potential proliferation of PLC exploitation techniques beyond Rockwell and Unitronics devices to other common industrial control system vendors. The April 2026 advisory explicitly notes actors probing ports associated with Siemens S7 protocols, and the pattern of scanning activity suggests interest in any internet-exposed industrial controller regardless of manufacturer.[1]
We are also monitoring for increased targeting of European CNI operators via supply-chain pathways or indirect spillover effects, consistent with UK NCSC guidance on heightened regional risk.[6] If exploitation tools and techniques continue to spread across the 60-plus affiliated hacktivist groups identified by threat intelligence firms, the volume of opportunistic attacks against exposed industrial control systems will increase over the next two quarters.[3]
References
[1] FBI, CISA, NSA, EPA, DOE, and CNMF, “Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure,” AA26-097A, 7 April 2026. https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
[2] CISA, “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities,” AA23-335A, updated December 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
[3] Tenable, “CyberAv3ngers: FAQ About Iran-Linked Threat Group Targeting U.S. Critical Infrastructure,” April 2026. https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
[4] House of Commons Library, “Israel/US-Iran conflict 2026: Background and UK response,” Research Briefing CBP-10521, updated April 2026. https://commonslibrary.parliament.uk/research-briefings/cbp-10521/
[5] The Record, “British organizations urged to be alert to threat of Iranian cyberattacks,” 2 March 2026. https://therecord.media/iran-britain-cyber-threats-warning
[6] UK NCSC, “NCSC advises UK organisations to take action following conflict in the Middle East,” 2 March 2026. https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east
[7] Sapphire, “What the 2026 Iran Conflict Means for UK Cyber Risk,” March 2026. https://www.sapphire.net/blogs-press-releases/what-the-2026-iran-conflict-means-for-uk-cyber-risk/
[8] Center for Strategic and International Studies, “The Iranian Cyber Threat to U.S. Critical Infrastructure,” April 2026. https://www.csis.org/analysis/iranian-cyber-threat-us-critical-infrastructure
[9] FINRA, “Cybersecurity Alert: Heightened Threats From Iranian Cyber Actors,” March 2026. https://www.finra.org/rules-guidance/guidance/cybersecurity-alert-heightened-threats-iranian-cyber-actors
[10] Office of the Director of National Intelligence, “2026 Annual Threat Assessment of the U.S. Intelligence Community,” 2026. Referenced in CSIS analysis.