Threat Insight

Iranian APT Targets US Critical Infrastructure

On April 7, CISA, together with the FBI, NSA, and several other U.S. government agencies, issued a joint advisory regarding active exploitation of internet‑facing operational technology (OT) devices. The activity is focused on programmable logic controllers (PLCs) from Rockwell Automation / Allen‑Bradley, with the advisory noting that other PLC platforms may also be at risk. [1]


The advisory confirms that several U.S. critical infrastructure sectors have already experienced operational disruption. In response, CISA urges organizations to actively assess their environments against the published tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to determine whether they are currently affected or have been compromised in the past. [1]

U.S. authorities assess the activity to be conducted by Iranian‑affiliated advanced persistent threat (APT) actors. Impacted sectors include government services and facilities, water and wastewater management, and energy. Similar PLC‑focused activity has previously been attributed to CyberAv3ngers, also known as the Shahid Kaveh Group, which has established links to Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC). [1]

The geopolitical context is relevant. The activity coincides with a period of heightened tension, occurring just days ahead of a Pakistani‑brokered ceasefire involving the U.S., Israel, and Iran, with further negotiations scheduled in Islamabad on April 11. At the same time, tensions in the Strait of Hormuz remain elevated, with limited maritime traffic despite public statements that the route is open, and reports of transit restrictions and significant tolls imposed by Iran. [2]

Assessment

This activity fits a long‑standing Iranian cyber approach, where OT and critical infrastructure environments are used as leverage during periods of geopolitical pressure. Based on historic targeting patterns and current intelligence, the United States and Israel remain the primary focus of Iranian threat actors.

That said, European organizations should not view this activity as geographically contained. OT environments often rely on shared vendors, similar architectures, and comparable exposure models. As a result, European organizations operating the same PLC platforms face overlapping technical risk, even when they are not the primary strategic target.

Organizations in Europe using Rockwell Automation / Allen‑Bradley PLCs or other internet‑accessible OT components should follow the actions recommended by CISA. [1] This includes reviewing external exposure, validating segmentation and access controls, and ensuring adequate monitoring and logging for OT‑specific activity. With U.S. and Iranian negotiations expected to continue over the weekend, maintaining situational awareness is prudent.

Critical infrastructure operators should understand their OT attack surface, confirm visibility across industrial environments, and be ready to act on relevant indicators tied to the published TTPs. A measured, intelligence‑led response remains the most effective course of action.

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
[2] https://www.bbc.com/news/articles/cp3l4yk5rlgo
