Pro-Iranian hackers have breached critical U.S. infrastructure, according to a joint warning issued Tuesday by several federal agencies.
The advisory came only hours ahead of President Donald Trump’s Tuesday deadline for Iran. Trump had warned that “a whole civilization will die tonight” if Iran refuses to open the Hormuz Strait to oil traffic. He later suspended the attack following negotiations mediated by Pakistan.
Iranian cyberattacks targeting U.S. organizations have increased recently with the ongoing war against Iran, the advisory said.
In the latest breach, hackers caused disruptions through “malicious interactions” on project files and data displays in organizations across multiple U.S. critical infrastructure sectors, including government services and facilities, local municipalities, water and waste systems, and energy infrastructure.
The hackers exploited vulnerabilities in internet-connected devices used to control machinery in these key U.S. sectors.
“In a few cases, this activity has resulted in operational disruption and financial loss,” reads the advisory, which was issued by the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Environmental Protection Agency, the Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force.
U.S. entities that use the impacted devices, including programmable logic controllers (PLCs) from Rockwell Automation’s Allen-Bradley brand, are advised to check their cyber defenses, apply the safety measures listed in the warning, and review activity on their networks for indications of compromise, to avoid the risk of further breaches.
Although the agencies specifically named the Rockwell Automation devices, they said other brands could have been affected as well.
“Due to the widespread use of these PLCs and the potential for additional targeting of other branded [operational technology] devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures and indicators of compromise in this advisory,” the advisory reads.
If U.S. organizations discover they were breached, they are advised to contact appropriate federal agencies for support, risk mitigation, and investigation assistance.
The joint notice Tuesday listed IP addresses that hackers used within specific time frames. The IP addresses were provided so U.S. companies can check against their own logs for indications of a breach by Iranian-backed threat actors.
“The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance,” the warning reads.
This is not the first time Iran-backed hackers have breached critical U.S. infrastructure. In November 2023, a cyber group called “CyberAv3ngers” compromised at least 75 U.S.-based PLC devices.
Iran has also engaged in “malicious cyber activity” against key U.S. government officials and others involved in political campaigns, according to a September 2024 advisory.
“The cyber actors working on behalf of the IRGC gain access to victims’ personal and business accounts using social engineering techniques, often impersonating professional contacts on email or messaging platforms,” the 2024 notice reads.
Additionally, Iran-backed hackers targeted Trump during his 2024 presidential campaign and tried to deliver information they extracted to former President Joe Biden’s campaign.
The FBI and other agencies said in a statement that the hackers also tried sending the stolen Trump data to media organizations.