Iranian Hackers Target U.S. Water, Energy, and Government Systems, Agencies Warn
Iranian government-linked hackers escalated attacks on U.S. water plants and power grids after Operation Epic Fury killed Supreme Leader Khamenei, four agencies warned Tuesday.

Four federal agencies issued a joint advisory Tuesday warning that Iranian government-affiliated hackers have escalated attacks against U.S. water and wastewater utilities, energy facilities, and local government systems, targeting the internet-exposed industrial control devices that keep those systems running.
The advisory, designated CISA AA26-097A and signed by the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the U.S. Department of Energy, describes a campaign by Iranian advanced persistent threat actors to compromise Programmable Logic Controllers, the embedded computers that automate everything from water treatment chemical dosing to power grid switching. The FBI assessed the group's intent as causing "disruptive effects within the United States," including manipulating the Human Machine Interface and SCADA displays that operators rely on to monitor and control physical processes. Organizations running Rockwell Automation's Allen-Bradley PLCs were specifically directed to review manufacturer guidance.
The agencies linked the escalation to the U.S.-Israel war with Iran that began February 28, 2026, when coordinated military strikes under Operation Epic Fury targeted Iran's nuclear facilities, military infrastructure, and leadership. Supreme Leader Ayatollah Ali Khamenei was killed the following day. The advisory also came shortly after President Donald Trump threatened Iran in a social media post.
The threat extended well beyond the advisory's immediate focus on industrial control systems. Researchers at Symantec and Carbon Black found evidence that Iranian hackers installed backdoors on the networks of several U.S. companies as early as late February 2026. Iranian state-linked media published a list of major U.S. technology companies, reportedly including Apple, as potential targets. The Iran-linked hacktivist group Handala claimed responsibility for a March 11 cyberattack on Stryker Corp., the Portage, Michigan-based medical device manufacturer, disrupting its internal Microsoft software systems.

Tuesday's warning follows a documented pattern of Iranian infrastructure targeting. Beginning November 22, 2023, IRGC cyber actors compromised at least 75 Unitronics Vision Series PLC devices across U.S. water and wastewater facilities by exploiting devices with default or no passwords. The Municipal Water Authority of Aliquippa, Pennsylvania, was among the confirmed victims; compromised devices displayed defacement messages reading "You have been hacked." The U.S. responded by sanctioning six IRGC officials on February 2, 2024. In a subsequent 2024 campaign, the IRGC-affiliated group CyberAv3ngers deployed custom malware called IOControl to remotely control U.S. and Israeli water and fuel management systems. The Rewards for Justice program has offered up to $10 million for information attributing attacks to that group, which analysts noted deliberately selected Unitronics PLCs in 2023 because they are Israeli-made.
The Center for Strategic and International Studies assessed that Iran has shifted from episodic cyberattacks to a sustained campaign against U.S. critical infrastructure. Data from the European Repository of Cyber Incidents found that from 2010 to 2024, politically motivated cyberattacks on U.S. energy infrastructure ranked second only to telecommunications in frequency.
The federal response capacity is itself under strain. Approximately 60 percent of CISA's workforce was furloughed beginning February 14, 2026, leaving the agency that coordinates national cybersecurity defense significantly diminished at the moment the threat level has risen most sharply. The Trump administration has publicly downplayed indications of imminent risk while simultaneously urging energy companies to strengthen both physical and cyber defenses, a contradiction that smaller utilities with limited IT staff will find difficult to resolve on their own.

