Iran-linked hackers targeting critical US energy and water infrastructure



Full story

Hackers linked to the Iranian government have been targeting critical U.S. infrastructure, resulting in operational disruption and financial loss, according to a joint U.S. government advisory. The hacking campaign started last month after the U.S. and Israel began carrying out air strikes against Iran.

The advisory — issued by agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) — warns that computers used by energy and water utilities are being actively exploited.


“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States,” the advisory says. “The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS) and Energy Sectors.”

The advisory does not specify which utility companies were affected or whether the attacks prevented them from delivering services to customers. 

While details are scarce, such attacks could result in anything from system downtime to serious damage to critical equipment. In some instances, according to sources speaking to CNN, the hackers attempted to deploy destructive malware designed to wipe data from victim computers. It’s unclear if any such attacks were successful.

However, the advisory specifically mentioned impacts on programmable logic controllers, or PLCs, which are specialized computers designed to control machines in industrial settings.

Information has been altered on displays connected to PLCs from the Milwaukee-based manufacturer Rockwell Automation, the advisory says, and project files used to dictate device configurations were also “maliciously” targeted.

Although the advisory doesn’t name a specific hacker group, it says the attacks share the same hallmarks as those of the Iranian-linked group CyberAv3ngers. The group, which is believed to work for the Iranian Revolutionary Guard Corps, previously caused disruptions at water utilities in the U.S. and in Israel in late 2023.

The advisory outlines a range of mitigations organizations can implement to improve their cybersecurity posture, such as temporarily disconnecting their PLCs from the public internet.

The agencies issued the advisory hours after President Donald Trump threatened devastating attacks on Iran, saying that a “whole civilization will die.” Trump announced Tuesday evening that the U.S. and Iran had agreed to a temporary ceasefire.

It remains unclear what effect, if any, the ceasefire will have on Iran’s hacking campaigns.

Aside from targeting critical infrastructure, Iranian-linked hackers have also targeted companies and individuals in the U.S. and Israel since the war began Feb. 28. The hacker group Handala, for example, carried out a crippling cyberattack last month against the U.S.-based medical equipment company Stryker.

Handala has also breached the email accounts of numerous political analysts in Israel, as well as FBI Director Kash Patel.


SAN provides
Unbiased. Straight Facts.

Don’t just take our word for it.


Certified balanced reporting

According to media bias experts at AllSides

AllSides Certified Balanced May 2025

Transparent and credible

Awarded a perfect reliability rating from NewsGuard

100/100

Welcome back to trustworthy journalism.

Find out more

Why this story matters

U.S. government agencies have confirmed an active Iranian-linked hacking campaign targeting energy, water and local government systems, with documented disruptions already occurring.

Water and power systems hit

According to the advisory, water, wastewater and energy sector computers are actively being exploited, though the advisory does not specify whether any utilities were prevented from delivering services to customers.

Equipment controls altered

The advisory states that information on displays connected to industrial control devices was altered and configuration files were maliciously targeted, affecting the systems that run physical infrastructure.

Attacks extend beyond utilities

Iranian-linked hackers also conducted a cyberattack against medical equipment company Stryker and breached email accounts, including that of FBI Director Kash Patel.

