TL;DR: On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command issued a joint advisory warning that Iranian IRGC-linked hackers, operating as CyberAv3ngers, are actively breaking into Rockwell Automation programmable logic controllers at U.S. water plants, energy facilities, and government buildings. Some victims have already suffered operational disruptions and financial losses. The attackers aren't exploiting exotic vulnerabilities. They're logging into internet-exposed PLCs using legitimate Rockwell software, tampering with project files, and manipulating what operators see on their screens. This is the same group that hit 75 water facilities in 2023, but this time, the attacks are causing real damage.
Six Agencies, One Warning
Advisory AA26-097A doesn't mince words. Six federal agencies, FBI, CISA, NSA, EPA, DOE, and Cyber Command's Cyber National Mission Force, co-signed a warning that Iranian-affiliated hackers have been disrupting PLCs across multiple U.S. critical infrastructure sectors since at least March 2026.[1]
The targets: water and wastewater systems, energy facilities, and government services.
The result: "Some of the victims experienced operational disruption and financial loss."[1]
That's government-speak for: the hackers broke things that keep your water running and your lights on. And it already happened.
How They're Getting In
The attack method is embarrassingly simple. CyberAv3ngers aren't deploying zero-day exploits or nation-state-grade malware. They're using Rockwell Automation's own software, Studio 5000 Logix Designer, to connect directly to internet-exposed PLCs.[2]
These are CompactLogix and Micro850 controllers. The ones managing water treatment processes, power distribution, and building systems at facilities across the country.
The attackers lease third-party hosted infrastructure, fire up Studio 5000, and connect to PLCs that have:
- No authentication configured
- Default passwords still active
- Direct internet exposure with no firewall
Once inside, they extract project files, the blueprints that define how the PLC operates. Then they tamper with HMI and SCADA displays, changing what operators see on their screens.[2] They also deploy Dropbear SSH software on victim endpoints, opening port 22 for persistent remote access.[3]
Think about that for a second. The people watching the control screens at your local water treatment plant might see "everything normal" while the hackers are manipulating what the system actually does.
CyberAv3ngers: From Defacement to Disruption
CyberAv3ngers, also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691, is affiliated with Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).[1]
They first hit U.S. headlines in November 2023, when they compromised at least 75 Unitronics Vision Series PLCs at water and wastewater facilities across the country. The Municipal Water Authority of Aliquippa, about 30 miles outside Pittsburgh, was the most publicly visible victim. CyberAv3ngers took control of a booster station and left a message on the HMI screen: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."[4]
At the time, CISA issued its own advisory (AA23-335A) noting the attackers exploited devices with default or no passwords. The 2023 campaign was mostly symbolic, defacement messages, no lasting damage.[5]
The 2026 campaign is different. They've graduated from Israeli-made Unitronics controllers to American-made Rockwell Automation systems. From defacement to operational disruption. From making a political statement to causing financial losses.
Security researchers call it an "accelerating" threat. That's accurate. In three years, CyberAv3ngers went from spray-painting digital graffiti to breaking the systems that treat your drinking water.
The War Connection
The timing matters. The advisory explicitly links this escalation to the U.S.-Israel military campaign against Iran that began on February 28, 2026, when coordinated strikes under Operation Epic Fury targeted Iran's nuclear facilities, military infrastructure, and leadership.[6]
Iran's cyber response was immediate. The Handala group, another IRGC-linked operation, hit Michigan medical technology company Stryker with a wiper attack that destroyed 200,000 devices.[6] CyberAv3ngers pivoted to critical infrastructure.
This is what cyber warfare actually looks like. Not theoretical scenarios from think-tank white papers. Iranian state hackers, retaliating for military strikes, breaking into the programmable logic controllers that manage American water treatment and power systems.
President Trump has threatened severe consequences if Iran doesn't agree to reopening the Strait of Hormuz.[6] Iran's response, at least in part, is hitting the infrastructure that Americans depend on every day.
How Bad Is It?
The advisory doesn't name specific victims or give exact counts. The FBI confirmed attacks caused "diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial loss."[3]
That vagueness is itself telling. When agencies won't name victims, it usually means the list is long or the affected organizations demanded anonymity. Or both.
What we know: the 2023 Unitronics campaign hit at least 75 devices. Rockwell Automation's installed base is vastly larger, hundreds of thousands of PLCs deployed across U.S. infrastructure. And the attack vector, internet-exposed PLCs with weak or no authentication, is a known, widespread problem that the industry has failed to fix for years.
Wiz researchers noted indications that "credentials and secrets stolen in supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data."[7] The attackers aren't just tampering with individual PLCs, they're mapping networks and grabbing credentials to go deeper.
What Should You Do?
If you run critical infrastructure (water utilities, energy, municipal systems):
- Disconnect PLCs from the internet immediately. There is no good reason for a PLC controlling water treatment to be directly reachable from the public internet. None.
- Enable multi-factor authentication on all remote access to OT systems
- Deploy firewalls or network proxies between IT networks and PLC/SCADA systems
- Check for Dropbear SSH, if port 22 is open on a PLC endpoint that shouldn't have SSH, you may already be compromised
- Audit Studio 5000 Logix Designer connections, look for connections from unfamiliar IP addresses, especially overseas-hosted infrastructure
- Update Rockwell firmware and disable unused authentication features
If you're a regular person who drinks tap water and uses electricity (that's everyone): push your local utility to answer one question. Are any of their industrial control systems accessible from the internet? If the answer is yes, or if they don't know, that's a problem.
Municipal water boards are public entities. Many have public meetings. Show up and ask.
The Bigger Picture
CyberAv3ngers hitting American water and energy systems is part of a broader pattern we've been tracking. Iran's Handala group wiped 200,000 Stryker devices. FBI Director Kash Patel's email was hacked by Iranian actors. Iran deployed Russian-made FindFace facial recognition against its own citizens.
The connecting thread: Iran's cyber capabilities are growing fast, its targets are getting more consequential, and its attacks are shifting from symbolic to destructive.
The U.S. government just told you that foreign state hackers are inside the systems that treat your drinking water. Pay attention.
References
- CISA, Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure (April 7, 2026)
- CyberScoop, Iranian Hackers Launching Disruptive Attacks at U.S. Energy, Water Targets (April 7, 2026)
- The Hacker News, Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs (April 7, 2026)
- CBS Pittsburgh, Municipal Water Authority of Aliquippa Hacked by Iranian-Backed Cyber Group (November 2023)
- CISA, Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (December 2023)
- NBC News, Iranian Hackers Are Breaking Into U.S. Industrial Systems, Agencies Warn (April 7, 2026)
- SecurityWeek, Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks (April 7, 2026)