By Mark Jaffe, EUCI energy writer
Iranian hackers have increased their targeting of water and electric utilities since the U.S. and Isreal launched their war against Iran, according to an advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices,” the agency said.
“Recent Iranian state-sponsored activity includes malicious cyber operations against operational technology devices by Islamic Revolutionary Guard Corps-affiliated … cyber actors,” the advisory said.
The North American Electric Reliability Corp. (NERC) said it is “actively monitoring the grid” and has issued an “all-points bulletin” to members to be vigilant.
NERC, which is responsible for grid reliability, said it is coordinating with the U.S. Department of Energy and the Electricity Subsector Coordinating Council.
The Achilles heel the hackers are targeting is programmable logic controllers, or PLCs, computers used to automate processes. They are critical in power grid management, water and wastewater plants, and government services.
“This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data,” the CISA said.
Attacks on PLCs in the past have been linked to the CyberAv3ngers, also known as the Shahid Kaveh Group, hackers affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command.
The agency said U.S. organizations should “urgently review” their tactics, techniques, and procedures looking for compromised systems.
The U.S. electricity sector includes more than 6,413 power plants with 1,075 gigawatts of generating capacity. There are about 152,000 public drinking water systems, including 50,000 community water systems, and more than 16,000 wastewater treatment systems.
In November 2023, CyberAv3ngers began hitting and compromising Israeli-made Unitronics Vision Series PLCs in several countries including the U.S. “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target,” the hackers announced.
In December 2025, the CISA updated its initial 2023 advisory to include other PLCs as a result of “new investigative and analytic insights for network defenders on malicious cyber activities conducted by advanced persistent threat cyber actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps.”
In March, as the U.S. and Isreal attacked Iran, the CISA detected an increase in hacking, this time focused on PLCs manufactured by Rockwell Automation/Allen-Bradley, although the CISA said other brands of programmable logic controllers could be at risk.
The U.S. and Iran agreed to a two-week ceasefire on April 8. It isn’t clear what the impact is on cyber-attacks.
Jon Lindsay, a professor at the School of Cybersecurity and Privacy at the Georgia Institute of Technology, said in a New York Times column that Iranian cyberwar capacity may have been overrated or degraded.
Iranian-linked hackers had hit other targets, as well. They broke into FBI Director Kash Patel’s personal email inbox, publishing photographs and other material on the website of the hacker group Handala Hack Team.
The FBI said in a statement that “all necessary steps to mitigate potential risks associated with this activity” were taken, and the data was “historical in nature and involves no government information.”
Processing…please wait
