From CyberAv3ngers to Today: Iran’s Escalating War on U.S. PLCs

AKMSecure · May 06, 2026 · 7 min read

In November 2023, a group of hackers affiliated with Iran’s Islamic Revolutionary Guard Corps compromised 75 programmable logic controllers manufactured by Unitronics across U.S. water and wastewater systems. The group, known as CyberAv3ngers (also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and APT Iran), defaced HMI screens and disrupted operations at multiple facilities.

It was supposed to be the inflection point for OT security. Two and a half years later, the April 7, 2026 joint advisory from six federal agencies confirms that Iran’s campaign against U.S. industrial control systems has not only continued but significantly escalated.

The 2023 Campaign: Proof of Concept

The CyberAv3ngers campaign targeted Unitronics Vision Series PLCs, devices widely deployed in water and wastewater treatment facilities. The compromised units were reachable from the public internet on the PLC’s management port (TCP 20256) and still used the vendor’s default password (1111, per the CISA advisory): a combination that required no exploit at all, only a scan and a login.

The attackers defaced HMI displays with anti-Israel messaging and disrupted facility operations. CISA, FBI, and partner agencies responded with a joint advisory documenting the tactics and urging operators to change default passwords, disconnect PLCs from the internet, and implement basic network segmentation.

The attack was relatively unsophisticated. It targeted a single vendor’s devices in a single sector. But it proved something critical: U.S. critical infrastructure was running internet-exposed PLCs with no meaningful authentication, and a nation-state actor was willing to exploit that.

January 2025 to March 2026: The Staging Period

The April 2026 advisory includes a detail that deserves close attention. Seven of the eight IP addresses listed as indicators of compromise were first associated with threat actor activity in January 2025, more than 14 months before the advisory was published. The eighth IP appeared in March 2026.

This timeline suggests the current campaign was not a sudden escalation. The infrastructure was staged deliberately over more than a year. While the security community processed the lessons of CyberAv3ngers, the IRGC’s cyber units were building the next iteration.

The authoring agencies assess this escalation is likely connected to rising hostilities between Iran, the United States, and Israel, a geopolitical context that makes further escalation probable rather than hypothetical.

March 2026: Multi-Sector, Multi-Vendor Disruption

The current campaign represents a qualitative leap from CyberAv3ngers in three dimensions.

Vendor expansion. The 2023 campaign targeted Unitronics exclusively. The 2026 campaign targets Rockwell Automation/Allen-Bradley devices, specifically CompactLogix and Micro850 PLCs, which engineering tools reach over EtherNet/IP (TCP 44818). The advisory also flags malicious traffic on the Siemens S7 (ISO-TSAP, TCP 102) and Modbus/TCP (TCP 502) ports, indicating the targeting may extend to additional vendors.

Sector expansion. CyberAv3ngers focused on water and wastewater. The current campaign spans the water, energy and government services sectors, including local municipalities: the blast radius has gone from one sector to three.

Impact escalation. The 2023 attacks primarily defaced HMI screens. The 2026 campaign involves extraction of PLC project files (the ladder logic and configuration data an attacker needs to understand and modify a process), manipulation of SCADA displays, deployment of persistent backdoors using Dropbear, a lightweight SSH server, and in some cases operational disruption resulting in financial loss.

The Attack Method Has Not Changed

What is striking about both campaigns is how little the method has changed. In 2023 the attackers logged in with default credentials on internet-exposed PLCs. In 2026 they used overseas-hosted infrastructure running the manufacturer’s own engineering software (Studio 5000 Logix Designer for the CompactLogix units; the Micro800 family, including the Micro850, is programmed with Rockwell’s Connected Components Workbench) to connect to internet-exposed PLCs. The engineering tool itself is the attack tool: nothing in it is malicious, and nothing in the controller asks who is on the other end.

No zero-day vulnerabilities. No advanced malware. No elaborate supply chain compromises. The attack surface is the same: PLCs connected directly to the public internet without device-level authentication or session verification.

The advisory’s recommended mitigations (disconnect PLCs from the internet, set the controller’s physical mode switch to RUN so that remote program downloads are refused, require MFA for remote access, put firewalls and VPNs in front of OT networks) are the same class of perimeter-focused controls recommended after CyberAv3ngers. They are necessary, but they have not stopped the problem from worsening because they do not address the device-level gap: a PLC that accepts any session that reaches it.
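The detection a practitioner wants from the last two sections is simple to state: any accepted session from an address outside the plant’s own ranges to an OT protocol port is an incident, and for each published indicator the question is how long it was active in your own logs before the advisory appeared. The following Python is an added example written for this post, not code from the advisory or from AKMSecure. The firewall log format, the internal address plan and the indicator list are all constructed (TEST-NET addresses stand in for the advisory’s IPs), and the port table adds EtherNet/IP TCP 44818, the port Rockwell engineering software uses to reach Logix controllers, alongside the S7, Modbus, Unitronics PCOM and SSH ports discussed above.

```python
"""Hunt firewall logs for internet-sourced sessions to OT protocol ports and
measure how long each indicator was active before the advisory came out.

Added example for this post; log format, address plan and indicator list are
constructed. TEST-NET addresses stand in for the advisory's real IOCs.
"""
from __future__ import annotations

import ipaddress
from datetime import date, datetime

# Ports to watch: the protocols the advisory names (S7, Modbus), the Unitronics
# PCOM port abused in 2023, EtherNet/IP (the port Rockwell engineering tools
# use to talk to Logix controllers) and SSH, where a Dropbear backdoor listens.
OT_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP / CIP (Studio 5000 to Logix)",
    22: "SSH (Dropbear backdoor listener)",
}

# Assumed site address plan; anything outside it counts as external. This is
# deliberate: ipaddress.is_private() would also hide the TEST-NET samples.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical indicator list (TEST-NET addresses, not the advisory's).
IOC_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
ADVISORY_DATE = date(2026, 4, 7)

# Constructed firewall records: timestamp, verdict, then key=value fields.
SAMPLE_LOG = """\
2025-01-14T03:12:07Z ACCEPT src=192.0.2.10:51022 dst=10.20.5.11:44818 proto=tcp
2025-01-14T03:12:09Z ACCEPT src=192.0.2.10:51023 dst=10.20.5.11:44818 proto=tcp
2025-03-02T22:41:33Z ACCEPT src=198.51.100.7:40011 dst=10.20.5.30:502 proto=tcp
2025-06-19T11:05:00Z ACCEPT src=10.20.1.50:50123 dst=10.20.5.11:44818 proto=tcp
2026-03-18T01:57:45Z ACCEPT src=192.0.2.11:44120 dst=10.20.5.12:22 proto=tcp
2026-03-18T02:03:10Z DROP src=203.0.113.99:6000 dst=10.20.5.11:102 proto=tcp
2026-03-20T09:30:00Z ACCEPT src=10.20.1.50:50200 dst=10.20.5.11:44818 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Parse one constructed firewall record into a dict with typed fields."""
    ts, action, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
    for item in fields:
        key, value = item.split("=", 1)
        if key in ("src", "dst"):
            host, port = value.rsplit(":", 1)
            rec[key + "_ip"], rec[key + "_port"] = host, int(port)
        else:
            rec[key] = value
    return rec


def is_external(ip: str) -> bool:
    """True unless the address falls inside the site's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_sessions(log_text: str) -> list[dict]:
    """Every external source touching an OT port, accepted or dropped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst_port"] in OT_PORTS and is_external(rec["src_ip"]):
            findings.append({
                "when": rec["ts"],
                "src": rec["src_ip"],
                "dst": f'{rec["dst_ip"]}:{rec["dst_port"]}',
                "protocol": OT_PORTS[rec["dst_port"]],
                "accepted": rec["action"] == "ACCEPT",
                "known_ioc": rec["src_ip"] in IOC_IPS,
            })
    return findings


def staging_window(log_text: str, ioc_ips=IOC_IPS,
                   advisory_date=ADVISORY_DATE) -> dict[str, tuple[date, int]]:
    """First sighting of each indicator and the days it sat in the logs
    before the advisory was published (the 'staging period')."""
    first_seen: dict[str, date] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ip, day = rec["src_ip"], rec["ts"].date()
        if ip in ioc_ips and (ip not in first_seen or day < first_seen[ip]):
            first_seen[ip] = day
    return {ip: (day, (advisory_date - day).days) for ip, day in first_seen.items()}


if __name__ == "__main__":
    for f in find_exposed_sessions(SAMPLE_LOG):
        flag = "IOC" if f["known_ioc"] else "   "
        verdict = "SESSION" if f["accepted"] else "probe  "
        print(f'{f["when"]:%Y-%m-%d} {verdict} {flag} {f["src"]} -> {f["dst"]} ({f["protocol"]})')
    for ip, (day, days) in staging_window(SAMPLE_LOG).items():
        print(f"{ip}: first seen {day}, {days} days before the advisory")
```

Run against real firewall exports the parser needs adjusting to the vendor’s format, but the two decisions stay the same: an accepted external session to any of these ports is a finding whether or not the source is on an indicator list, and the first-seen date per indicator is what tells you whether you are looking at a fresh intrusion or a year-old foothold.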

The Gap That Keeps Getting Exploited

Both the 2023 and 2026 campaigns exploit the same architectural void: OT devices that cannot cryptographically verify who is connecting to them. A legitimate engineer using Studio 5000 from a plant workstation looks identical to an IRGC operator using the same software from an overseas server. The PLC has no way to distinguish between them.

PKI was never a practical fit for these environments. Certificate overhead, a CA dependency and manual lifecycle management were not designed for a Micro850 in a water treatment plant or a CompactLogix in an energy facility. Where certificate-based device authentication does exist for this class of equipment (ODVA’s CIP Security, available on newer Logix families), it still depends on the operator provisioning and renewing certificates or pre-shared keys per device, and it is absent from older and low-end controllers. The result is an entire class of critical infrastructure devices operating without any cryptographic identity at all.

Autonomous Key Management™ was designed specifically to close this gap. AKM’s symmetric-key architecture runs in under 50KB, requires no certificate authority, operates in air-gapped and semi-connected environments, and refreshes session credentials autonomously. Every session is independently verified, with no persistent credentials and no standing privileges. It delivers authenticated, encrypted sessions where PKI was never viable, bringing Zero Trust authentication to the device layer.
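To make the device-level gap concrete, the following Python shows what it means for a controller to verify each session with symmetric keys only: a fresh challenge per connection, a session key derived from a provisioned pairwise key, counter-bound commands, and nothing retained once the session closes. This is an added example written for this post; it is a textbook HMAC challenge-response, not AKMSecure’s patented protocol or any vendor’s product. It assumes a pairwise root key provisioned out of band to the controller and to each workstation permitted to program it, and the device and workstation names are invented. It demonstrates the failure modes the section describes: an operator running the same engineering software without the key cannot complete the handshake, and captured handshakes or commands cannot be replayed.

```python
"""Toy device-layer session authentication with symmetric keys only.

Added example for this post: a textbook challenge-response with a per-session
key derived by HMAC-SHA256, not AKMSecure's protocol or any vendor's product.
Assumed: a pairwise root key is provisioned out of band to the controller and
to each engineering workstation allowed to program it.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class AuthError(PermissionError):
    """Raised by the controller when a handshake or command does not verify."""


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-based derivation bound to a label and length-prefixed inputs."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Controller:
    """PLC side: fresh challenge per connection, verify the caller, then accept
    only counter-bound commands under the derived session key."""

    def __init__(self, device_id: bytes, root_key: bytes) -> None:
        self.device_id = device_id
        self._root = root_key                    # provisioned out of band (assumption)
        self._pending: dict[bytes, bytes] = {}   # ws_nonce -> device nonce
        self._seen: set[bytes] = set()           # consumed nonces (replay guard)
        self.sessions: dict[bytes, list] = {}    # sid -> [session key, next counter]

    def challenge(self, ws_nonce: bytes) -> bytes:
        if ws_nonce in self._seen or ws_nonce in self._pending:
            raise AuthError("nonce reuse")
        self._pending[ws_nonce] = secrets.token_bytes(16)
        return self._pending[ws_nonce]

    def open_session(self, ws_id: bytes, ws_nonce: bytes, tag: bytes) -> bytes:
        dev_nonce = self._pending.pop(ws_nonce, None)
        if dev_nonce is None:
            raise AuthError("no open challenge for this nonce")
        self._seen.add(ws_nonce)                 # one attempt per nonce, pass or fail
        sk = kdf(self._root, b"session", self.device_id, ws_id, ws_nonce, dev_nonce)
        if not hmac.compare_digest(kdf(sk, b"auth", ws_id, ws_nonce, dev_nonce), tag):
            raise AuthError("caller could not prove knowledge of the key")
        sid = secrets.token_bytes(8)
        self.sessions[sid] = [sk, 0]
        return sid

    def execute(self, sid: bytes, counter: int, command: bytes, mac: bytes) -> str:
        if sid not in self.sessions:
            raise AuthError("unknown session")
        sk, expected = self.sessions[sid]
        if counter != expected:
            raise AuthError("replayed or out-of-order command")
        if not hmac.compare_digest(kdf(sk, b"cmd", counter.to_bytes(4, "big"), command), mac):
            raise AuthError("bad command MAC")
        self.sessions[sid][1] = counter + 1
        return f"executed {command.decode()}"

    def close(self, sid: bytes) -> None:
        self.sessions.pop(sid, None)             # session key discarded, nothing persists


class Workstation:
    """Engineering-tool side. Anyone can run the software; only a holder of the
    pairwise key completes the handshake. Captured messages are kept so the demo
    can replay them."""

    def __init__(self, ws_id: bytes, root_key: bytes) -> None:
        self.ws_id, self._root = ws_id, root_key
        self.last_handshake = self.last_command = None

    def connect(self, plc: Controller) -> bytes:
        ws_nonce = secrets.token_bytes(16)
        dev_nonce = plc.challenge(ws_nonce)
        self._sk = kdf(self._root, b"session", plc.device_id, self.ws_id, ws_nonce, dev_nonce)
        tag = kdf(self._sk, b"auth", self.ws_id, ws_nonce, dev_nonce)
        self.last_handshake, self._counter = (self.ws_id, ws_nonce, tag), 0
        return plc.open_session(self.ws_id, ws_nonce, tag)

    def send(self, plc: Controller, sid: bytes, command: bytes) -> str:
        mac = kdf(self._sk, b"cmd", self._counter.to_bytes(4, "big"), command)
        self.last_command = (sid, self._counter, command, mac)
        result = plc.execute(sid, self._counter, command, mac)
        self._counter += 1
        return result


def rejected(action) -> bool:
    """True if the controller refuses the action."""
    try:
        action()
    except AuthError:
        return True
    return False


def run_demo() -> dict[str, bool]:
    """Legitimate path plus three attacker paths; returns named checks."""
    root = secrets.token_bytes(32)
    plc = Controller(b"CompactLogix-01", root)                 # invented names
    engineer = Workstation(b"eng-ws-07", root)
    sid = engineer.connect(plc)
    legit = engineer.send(plc, sid, b"download project") == "executed download project"
    # Same tool, same workstation ID, overseas host, no key: handshake fails.
    intruder = Workstation(b"eng-ws-07", secrets.token_bytes(32))
    intruder_rejected = rejected(lambda: intruder.connect(plc))
    # Replaying the engineer's captured handshake fails: the nonce is spent.
    ws_id, ws_nonce, tag = engineer.last_handshake
    hs_replay_rejected = (rejected(lambda: plc.challenge(ws_nonce))
                          and rejected(lambda: plc.open_session(ws_id, ws_nonce, tag)))
    # Replaying a captured command fails: the counter has moved on.
    cmd_replay_rejected = rejected(lambda: plc.execute(*engineer.last_command))
    plc.close(sid)
    return {"legitimate_session_ok": legit,
            "keyless_intruder_rejected": intruder_rejected,
            "handshake_replay_rejected": hs_replay_rejected,
            "command_replay_rejected": cmd_replay_rejected,
            "no_session_left_behind": sid not in plc.sessions}


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check:28s} {'PASS' if passed else 'FAIL'}")
```

The example covers authentication and anti-replay only; confidentiality for project downloads would wrap each command in an AEAD under a second key derived from the same session secret. The design point it illustrates is the one the section makes: with a per-session derived key and a controller that demands proof of key knowledge, the legitimate engineer and the overseas operator running identical software are no longer indistinguishable, and nothing survives the session for the next intruder to reuse.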

What Comes Next

The escalation pattern from 2023 to 2026 is clear: broader vendor targeting, more sectors affected, deeper operational impact, and longer sustained campaigns. The IRGC’s Cyber Electronic Command is not experimenting. It is operationalizing.

The question for OT operators and critical infrastructure owners is whether the next advisory will document the same fundamental vulnerability being exploited, internet-exposed PLCs with no device-level authentication, at an even larger scale. The geopolitical conditions driving these attacks are intensifying, not subsiding.

Perimeter controls are a necessary first step. Closing the authentication and encryption gap at the device layer is the step that actually changes the trajectory.

About AKMSecure

AKMSecure delivers a patented Autonomous Key Management™ protocol built to replace outdated PKI approaches with a dynamic, quantum-secure, air-gapped-capable architecture. Instead of relying on persistent credentials that can be stolen, reused, or abused, AKM enables independently verified sessions with no standing privileges left behind. The result is a model that better aligns with Zero Trust principles, reduces certificate-based risk, and supports resilient operations across enterprise IT, OT and Tactical Edge environments. Built to NSA-grade security standards and deployable as a lightweight SDK, AKMSecure helps organizations modernize trust at the protocol layer without rebuilding everything around it.
