FBI and NSA issue joint ‘warning’ of Iran-linked cyberattacks on critical infrastructure; says: US companies should urgently …

The United States has warned of an escalation in cyberattacks by Iran-linked hackers targeting critical infrastructure. In a joint advisory issued on Tuesday, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Energy said Iranian government-backed actors are exploiting vulnerabilities in internet-facing systems across sectors including water utilities, energy networks, and local government facilities.

The agencies said the attacks are designed to cause “disruptive effects within the United States” and have already led to operational disruptions and financial losses, although specific targets were not disclosed.

According to the advisory, hackers have focused on programmable logic controllers and supervisory control and data acquisition (SCADA) systems — technologies that underpin industrial operations and manage essential infrastructure. Officials said the attackers were able to manipulate system interfaces and tamper with project files that store critical configurations, raising concerns about the integrity and safety of these systems.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss,” the advisory said.

The alert asks US companies to urgently review their security posture: “US organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.”

The activity marks a notable escalation in tactics, with US agencies linking the surge in attacks to the ongoing conflict between the United States, Israel and Iran. The war, which began on February 28 following air strikes that killed Iran’s leader, has triggered a broader confrontation spanning both physical and cyber domains.

The warning comes hours after US President Donald Trump issued a stark threat to Iran on social media, saying “a whole civilization will die tonight” if Tehran failed to agree to terms on reopening the Strait of Hormuz, a crucial route for global oil shipments.

Cybersecurity officials have also tied recent high-profile incidents to a group known as Handala, believed to be backed by the Iranian government. The group has been linked to a disruptive breach at US medical technology firm Stryker, where attackers used the company’s own security tools to remotely wipe thousands of employee devices.

Immediate steps US companies need to take to prevent attacks:

* Disconnect the PLC from the public-facing internet [CPG 3.S]. Follow the joint guidance Secure connectivity principles for OT to safely allow remote access. Specifically, “remove inbound port exposure,” so the OT system is never directly exposed to the internet or external networks, and ensure all access is mediated, monitored, and controlled. Do this through a secure gateway (jump host) that brokers the connection.
* Ensure cellular modems, used for remote field connectivity and access, are secured with strong authentication and kept updated.
* Enable logs for the connected modems to detect intrusion and improve incident response speed.
* For controllers with a physical mode switch, place the physical mode switch into the run position to prevent remote modification. Devices should only be in the program or remote position when updating or downloading software online, and should be switched back to the run position immediately when complete.
* For devices that allow for software key switching, enable programming protection in the PLC configuration software (S7 Totally Integrated Automation [TIA] Portal) to limit who can modify PLCs remotely. (See Siemens’ Cybersecurity for Industry Operational Guidelines for the manufacturer’s instructions.)
* Create and test strong backups of the logic and configurations of PLCs. Store backup files offline and secure the physical removable media to enable fast recovery.
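As an added illustration of the last mitigation (this is example code, not part of the advisory or the article): a small Python helper that records SHA-256 hashes of PLC project-file backups in an offline manifest and later reports any file that was modified, removed or added since the manifest was taken, which is one way to confirm a stored backup is still trustworthy before restoring from it. File names and contents are constructed.

```python
"""Offline integrity manifest for PLC project-file backups (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large project files are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current backup set with a trusted manifest and report drift."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
        "ok": current == manifest,
    }


def demo() -> dict:
    """Constructed scenario: back up two project files, record the manifest, then alter one."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "plc_backups"
        backups.mkdir()
        # Constructed sample project files (names and bytes are made up for this example)
        (backups / "pump_station_1.ACD").write_bytes(b"constructed sample project file A")
        (backups / "pump_station_2.ACD").write_bytes(b"constructed sample project file B")
        manifest_path = Path(tmp) / "manifest.json"  # in practice kept with the offline media
        manifest_path.write_text(json.dumps(build_manifest(backups), indent=2))
        # Simulate an unauthorised change to one project file plus a stray extra file
        (backups / "pump_station_1.ACD").write_bytes(b"tampered logic")
        (backups / "notes.txt").write_bytes(b"unexpected")
        return verify_backup(backups, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```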