
The FBI and several other federal agencies said in a joint report released on April 7 that Iran-linked hackers were behind disruptions to internet access to U.S. gas, oil, and water companies.
“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions to U.S. critical infrastructure organizations,” the FBI and CISA report stated, using an acronym for advanced persistent threat groups that are considered well-funded and sophisticated.
“Targeting campaigns against (US) organizations have recently escalated, likely in response to hostilities between Iran, the United States, and Israel.”
Iranian-linked groups are targeting programmable logic controllers made by Rockwell Automation, the report said, adding that this has led to “disruptions across several U.S. critical infrastructure sectors.”
The hackers gained access to the platforms in January 2025, according to the report. Access to the compromised platforms was stopped in March this year, it added.
Specifically, the groups have broken into Rockwell’s 5000 Logix Designer, a program that is used to control industrial systems, according to the advisory. The Epoch Times contacted Rockwell for comment on Thursday.
Companies across the United States should now “urgently review the tactics, techniques, and procedures and indicators of compromise in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed” in the report, the agencies said.
The Cybersecurity and Infrastructure Security Agency (CISA), Environmental Protection Agency, Department of Energy, National Security Agency, and U.S. Cyber Command were also involved in producing the report, which did not identify which companies were affected.
The report also did not name any of the hacker groups allegedly involved in the attacks or say whether the attacks were linked to the U.S.–Israeli war with Iran.
The federal government has accused groups working for Iran of targeting American wastewater and water systems in the past. For example, in 2023, a hacking group called “CyberAv3nger” that CISA said is associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) broke into around 75 devices, according to a CISA advisory.
The report also comes after FBI Director Kash Patel was personally hacked last month, with photographs of the director and other documents published online.
On its website, hacker group Handala Hack Team said Patel “will now find his name among the list of successfully hacked victims.” The hackers published a series of personal photographs of Patel smoking cigars, riding in an antique convertible, and taking various selfies.
Cybersecurity organization SocRadar says that Handala is associated with the Iranian Ministry of Intelligence and Security and should not be considered “a spontaneous movement” since it emerged in December 2023. The group, according to SocRadar, has carried out attacks on Israeli and Western targets, including U.S. corporations.
An alert released by the FBI on March 20 said that Iran’s regime has used the Telegram messaging app and social media platform to “push malware” targeting dissidents, journalists, and other opposition groups around the world.
The Handala group was involved in other operations to hack individuals voicing concerns about the Iranian regime and has published sensitive data online, according to the report.
The FBI has, for years, said that the Chinese regime, Iran, Russia, and North Korea are the main countries that have carried out cyber intrusions against U.S. entities.
Reuters contributed to this report.

