
Rockwell Automation/Allen-Bradley PLCs: Nearly 4,000 US Industrial Devices Exposed to Iranian Cyberattacks in 2026


Executive Summary

Nearly 4,000 industrial control devices in the United States, primarily Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs), have been exposed to and targeted by Iranian state-backed cyberattacks since March 2026. These attacks have resulted in operational disruptions, forced manual operation at affected sites, and financial losses. The threat actors, attributed to Iranian advanced persistent threat (APT) groups affiliated with the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security, exploited internet-exposed PLCs to extract project files, manipulate Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays, and attempt destructive actions using malware known as “wipers.” The sectors most affected include oil and gas, water and wastewater, energy, and government services. Multiple U.S. federal agencies have issued joint advisories urging immediate defensive actions, including disconnecting PLCs from the internet, enforcing multifactor authentication, and monitoring for suspicious activity. All findings in this report are based on direct evidence from primary sources published between April 7 and April 10, 2026.

Technical Information

The Iranian-linked cyberattacks have targeted a significant portion of the U.S. industrial control system (ICS) landscape, focusing on Rockwell Automation/Allen-Bradley PLCs. These devices are critical components in industrial environments, responsible for automating and controlling machinery in sectors such as water treatment, power generation, and manufacturing. The attacks leveraged the EtherNet/IP (EIP) protocol, which is commonly used for industrial device communication. According to Censys data, 5,219 internet-exposed hosts globally responded to EIP and self-identified as Rockwell Automation/Allen-Bradley devices, with 74.6% (3,891 hosts) located in the United States. Many of these devices were deployed on cellular carrier networks, indicating field use and potentially limited physical security controls (BleepingComputer, April 10, 2026).

The attackers gained initial access by exploiting publicly accessible PLCs, a technique mapped to MITRE ATT&CK’s Exploit Public-Facing Application (T1190) and External Remote Services (T1133). Once inside, they extracted sensitive project files and manipulated operational data displayed on HMI and SCADA systems. This manipulation impaired process control, mapped to Impair Process Control (T0813) and Stored Data Manipulation (T1565.001), and in some cases, forced facilities to switch to manual operation, increasing the risk of human error and safety incidents (CNN, April 7, 2026; Defense One, April 7, 2026).

The campaign also included attempts to deploy destructive malware, or “wipers,” intended to delete data from victim organizations. While it remains unclear if these attempts were successful in this specific campaign, similar tactics were confirmed in previous attacks, such as the March 2026 incident against Stryker, a U.S. medical technology company, where approximately 80,000 devices were wiped (CNN, April 7, 2026; BleepingComputer, April 10, 2026).

These attacks are notable not only for disrupting operations but also for their potential to modify operating parameters, which could have direct physical impacts on industrial processes and safety systems. The attackers’ methods demonstrate a clear understanding of industrial protocols and device configurations, as well as of the operational environments in which these PLCs function.

Affected Versions & Timeline

The primary devices affected are Rockwell Automation/Allen-Bradley PLCs accessible via the EtherNet/IP protocol. The exposure was identified in over 3,800 U.S.-based devices, with global exposure exceeding 5,200 devices. The campaign began escalating in March 2026, coinciding with increased hostilities between Iran, the United States, and Israel. Prior related campaigns by Iranian-affiliated groups targeted Unitronics PLCs between November 2023 and January 2024, compromising at least 75 devices, half of which were in water and wastewater systems. The most recent destructive attack attributed to the same threat ecosystem occurred in March 2026 against Stryker, resulting in the wiping of approximately 80,000 devices (BleepingComputer, April 10, 2026; Defense One, April 7, 2026).

The timeline of the current campaign is as follows:

- March 2026: Escalation of attacks against U.S. critical infrastructure, specifically targeting internet-exposed Rockwell Automation/Allen-Bradley PLCs.
- April 7, 2026: Joint federal advisory issued, warning of ongoing attacks and urging immediate defensive actions.
- April 10, 2026: Public reporting confirms the scale of exposure and ongoing threat activity.

Threat Activity

The threat actors behind these attacks are attributed to Iranian state-backed APT groups, with high confidence based on joint advisories from the Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, EPA, Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force. The attackers have demonstrated the capability to exploit internet-facing PLCs, extract sensitive configuration and operational data, and manipulate process control systems. Their activities have resulted in operational disruptions, forced manual operation, and financial losses for affected organizations.

The attackers’ tactics, techniques, and procedures (TTPs) include scanning for exposed PLCs, exploiting remote access protocols, extracting project files, manipulating HMI and SCADA data, and attempting to deploy destructive malware. The campaign is opportunistic, targeting any accessible device rather than focusing on specific organizations, which increases the risk to all entities operating vulnerable PLCs.

The sectors most affected are oil and gas, water and wastewater, energy, and government services, including local municipalities. The attackers’ ability to manipulate operational data and potentially modify safety parameters raises significant concerns about the risk of physical damage and threats to human safety. The use of wipers in previous campaigns, such as the attack on Stryker, demonstrates a willingness to cause widespread disruption and data loss.

Mitigation & Workarounds

The following mitigation actions are recommended, prioritized by severity:

Critical: Immediately disconnect all Rockwell Automation/Allen-Bradley PLCs and other industrial control devices from the public internet. Where disconnection is not feasible, place devices behind properly configured firewalls and restrict remote access to authorized personnel only.

High: Enforce multifactor authentication (MFA) for all access to operational technology (OT) networks and devices. Regularly update PLC firmware and software to the latest versions provided by the vendor. Disable all unused services and authentication methods on PLCs and associated systems.

Medium: Continuously monitor network and device logs for signs of suspicious activity, particularly connections from overseas IP addresses or hosting providers. Review and update incident response plans to ensure rapid containment and recovery in the event of a compromise.

Low: Conduct regular security awareness training for staff responsible for OT environments, emphasizing the risks of internet exposure and the importance of following security best practices.

These recommendations are based on direct guidance from federal advisories and primary sources (BleepingComputer, April 10, 2026; Defense One, April 7, 2026).
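As an added illustration of the monitoring recommendation above (example code, not from the federal advisories or Rescana's platform), the script below scans constructed flow-log lines for EtherNet/IP sessions to PLCs that originate outside the plant's own address space, generalizing "overseas IP addresses" to any source not on the plant network. The log format, the plant address ranges, and the engineering-workstation allowlist are assumptions; the EtherNet/IP ports (TCP 44818 explicit messaging, UDP 2222 implicit I/O) are the protocol's standard ports.

```python
# Added example (not from the advisories or Rescana's platform): flag EtherNet/IP
# sessions to PLCs whose source lies outside the plant's own address space.
# Assumed flow-log format: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>"
import ipaddress

# EtherNet/IP: TCP 44818 for explicit messaging, UDP 2222 for implicit I/O.
EIP_PORTS = {("tcp", 44818), ("udp", 2222)}
# Address space the plant owns (constructed); anything else is external.
PLANT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Engineering workstations permitted to program PLCs (constructed allowlist).
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.30.50")}
# Constructed sample flow log; external sources use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-04-08T02:14:07Z 198.51.100.23 10.20.30.5 tcp 44818 allow
2026-04-08T02:14:09Z 10.20.30.50 10.20.30.5 tcp 44818 allow
2026-04-08T02:15:11Z 203.0.113.9 10.20.30.6 udp 2222 allow
2026-04-08T02:16:40Z 203.0.113.9 10.20.30.6 tcp 443 allow
2026-04-08T02:17:02Z 10.20.30.51 10.20.30.5 tcp 44818 allow
"""

def parse_flow(line):
    """Split one log line into fields; raises ValueError if malformed."""
    ts, src, dst, proto, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "proto": proto.lower(), "port": int(port), "action": action}

def classify(flow, allowed=ALLOWED_SOURCES):
    """Label an EIP flow by origin: 'external' (outside plant ranges, i.e. the PLC
    answers the internet), 'unapproved-internal', or None if not EIP traffic."""
    if (flow["proto"], flow["port"]) not in EIP_PORTS:
        return None
    if not any(flow["src"] in net for net in PLANT_NETWORKS):
        return "external"
    if flow["src"] not in allowed:
        return "unapproved-internal"
    return None

def scan_log(text, allowed=ALLOWED_SOURCES):
    """Return [(timestamp, src, dst, label), ...] for every flagged flow."""
    findings = []
    for line in text.splitlines():
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # blank or malformed line: skip it rather than abort the scan
        label = classify(flow, allowed)
        if label:
            findings.append((flow["ts"], str(flow["src"]), flow["dst"], label))
    return findings
```

Any "external" finding means the PLC is reachable from outside the plant and should be treated under the Critical action above; "unapproved-internal" hits are lower severity but still worth reconciling against the workstation inventory.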

References

BleepingComputer, April 10, 2026: https://www.bleepingcomputer.com/news/security/nearly-4-000-us-industrial-devices-exposed-to-iranian-cyberattacks/

CNN, April 7, 2026: https://www.cnn.com/2026/04/07/politics/iran-linked-hackers-disrupt-us-industrial-sites

Defense One, April 7, 2026: https://www.defenseone.com/threats/2026/04/pro-iran-hackers-have-disrupted-some-industrial-control-systems-us-says/412684/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their supply chain and operational technology environments. Our platform enables continuous visibility into exposed assets, supports rapid detection of vulnerabilities in industrial control systems, and facilitates evidence-based risk mitigation. For questions or further information, please contact us at ops@rescana.com.
