In a joint advisory published Tuesday, a group of U.S. agencies including the FBI, the National Security Agency, the Department of Energy and the Cybersecurity and Infrastructure Security Agency warned that a group of hackers affiliated with the Iranian government has targeted industrial control devices used in a range of critical infrastructure targets, including the energy sector, water and wastewater utilities and unspecified “government facilities.” According to the agencies, the hackers targeted programmable logic controllers (PLCs) – a type of device designed to allow digital control of physical machinery – in those facilities, including equipment sold by industrial technology firm Rockwell Automation, with the apparent intent to cause damage to their systems.
The advisory warns that by compromising those PLCs, hackers tried to alter information on the displays of industrial control systems, which could lead to system downtime, damage or dangerous situations in some scenarios. “In some cases, this activity has resulted in operational disruptions and financial losses,” it reads, though it does not provide any details about the severity of those impacts.
“It is well documented that Iranian actors target industrial control systems and view them as a nexus to exert pressure,” says Rob Lee, co-founder and CEO of Dragos, a cybersecurity firm that focuses on industrial control systems. He says his company has responded to several incidents targeting industrial systems since the war against Iran began last month. “We have seen both state and non-state actors in Iran take real risks and show a willingness to hurt people by compromising these systems. I fully expect them to keep up the pressure and target sites to which they may have access.”
When WIRED contacted Rockwell Automation, a company spokesperson responded in a statement that it “takes the security of its products and solutions seriously and is coordinating closely with government agencies regarding Tuesday’s advisory,” and pointed to documents published for customers on how to better secure their PLCs.
Although the advisory did not name a specific group responsible for the hacking campaign, it noted that the attacks are similar to those carried out by an Iran-linked group known as CyberAV3ngers or Shahid Kaveh Group, which began in late 2023. The team of hackers, believed to be working in the service of the Iranian Revolutionary Guard Corps, carried out several attacks against Israeli and US targets in recent years, including gaining access to more than a hundred devices sold by the industrial control systems technology firm Unitronics, most commonly used in water and wastewater utilities.
In that hacking campaign, CyberAV3ngers set the names of Unitronics devices to read “Gaza” – a reference to Israel’s invasion of the territory in retaliation for Hamas’ October 7 attacks – and changed the devices’ displays to show an image of the CyberAV3ngers logo. Despite the initial appearance of mere vandalism, industrial cybersecurity firms tracking the attacks, including Dragos and Claroty, told WIRED that the hackers corrupted the code of Unitronics’ devices so deeply that they disrupted services across water utility networks from Israel to Ireland to a Pittsburgh, Pennsylvania facility in the US.
“The Unitronics attacks demonstrated that the IRGC has industrial control system hacking capabilities,” says Grant Geyer, Claroty’s chief strategy officer. “If you look at the IRGC playbook, they know they can’t compete in the traditional military arena. So they try to cause disruption in the cyber domain using asymmetric warfare techniques.”