
U.S. security agencies on Monday urged critical infrastructure operators to stay alert for possible cyberattacks by Iranian state-sponsored or affiliated threat actors, while also identifying and disconnecting OT (operational technology) and ICS (industrial control system) assets from the public internet. Given current geopolitical tensions, these groups could target U.S. networks and devices in the near term. The agencies also highlighted the heightened risks for defense industrial base (DIB) companies with ties to Israeli research or defense firms. While officials have not identified a coordinated Iranian cyber campaign in the U.S. so far, they stressed the importance of proactive security measures.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) issued guidance titled ‘Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest,’ encouraging critical organizations to strengthen their defenses.
“Hacktivists and Iranian-government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks,” the fact sheet detailed. “Iranian-affiliated cyber actors and aligned hacktivist groups often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs) or the use of default or common passwords on internet-connected accounts and devices.”
They added that these malicious cyber actors commonly use techniques such as automated password guessing, cracking password hashes using online resources, and inputting default manufacturer passwords. “When specifically targeting operational technology (OT), these malicious cyber actors also use system engineering and diagnostic tools to target entities such as engineering and operator devices, performance and security systems, and vendor and third-party maintenance and monitoring systems.”
Over the past several months, Iranian-aligned hacktivists have increasingly conducted website defacements and leaks of sensitive information exfiltrated from victims. These hacktivists are likely to significantly increase distributed denial of service (DDoS) campaigns against U.S. and Israeli websites due to recent events. Iranian-affiliated cyber actors may also conduct ransomware attacks in collaboration with other cybercriminal groups. These actors have been observed working directly with ransomware affiliates to conduct encryption operations, as well as steal sensitive information from these networks and leak it online.
The agencies also flagged previous cyber campaigns between November 2023 and January 2024, when Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated hackers targeted and breached Israeli-made programmable logic controllers (PLCs) and human-machine interfaces (HMIs) during the Israel-Hamas conflict. This global campaign included dozens of U.S. victims in the water and wastewater, energy, food and beverage manufacturing, and healthcare and public health sectors.
The document added that the hackers leveraged public internet-connected ICS that used factory-default passwords, or no passwords, and default Transmission Control Protocol (TCP) ports. Following the onset of the Israel-Hamas conflict, Iranian-affiliated cyber actors conducted several hack-and-leak operations to protest the conflict in Gaza. The campaign combined hacking and theft of data with information operations such as online amplification through social media or threats and harassment using direct messaging.
Furthermore, these operations resulted in financial losses and reputational damage for victims. The purpose of these campaigns was to undermine public confidence in the security of victim networks and data, as well as embarrass targeted companies and countries. While hacktivists primarily targeted Israeli companies, one instance involved a U.S. internet protocol television (IPTV) company.
Amidst the move by the government agencies, Censys reported Monday on the recent internet exposure of four device types previously targeted or of interest to Iranian threat actors, including Unitronics Vision PLCs, Orpak SiteOmat, Red Lion equipment, and the Tridium Niagara framework. Apart from Unitronics devices, which are somewhat more common in Australia, these systems are most frequently found in the U.S.
Between January and June 2025, exposure rose between 4.5 and 9.2 percent for all devices studied except Orpak SiteOmat, which saw a drop of nearly 25 percent, amounting to around 35 fewer systems online. SiteOmat remains the least common of the four. Furthermore, at least two of these systems — Unitronics and Orpak SiteOmat — ship or previously shipped with default credentials that are easily searchable online, making them trivial targets for attackers.
The authoring agencies strongly urge critical infrastructure asset owners and operators to put in place several key mitigations to strengthen their defenses against malicious actors. They advise identifying and disconnecting OT and ICS assets from the public internet, with particular attention to remote access technologies such as Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), Secure Shell (SSH), and web management interfaces tied to human-machine interfaces or virtual private networks. If remote access cannot be removed, they recommend a deny-by-default allowlist policy that permits only known sources and blocks every other connection.
Asset owners should also ensure that devices and accounts are secured with strong, unique passwords if multi-factor authentication is not being used, and they should immediately replace weak or default credentials. Applying role-based access controls (RBAC) and conditional access policies for cloud or managed service providers is also essential.
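The three credential conditions the guidance singles out (factory-default or missing passwords, weak passwords, and the same password reused across devices) can be checked mechanically against an asset inventory. The script below is an added example written for this article, not code from the agencies, Censys, or any vendor. The inventory, the password policy, and most of the default-credential table are constructed for illustration; the Unitronics entry uses the default password CISA documented in its December 2023 advisory on that campaign, and real defaults for other products should be taken from vendor documentation.

```python
"""Credential hygiene audit for an OT asset inventory (illustrative example)."""
import hashlib
from collections import defaultdict

# Constructed table of (vendor, default password) pairs. Only the Unitronics
# value reflects a publicly documented default; the rest are placeholders.
KNOWN_DEFAULTS = {
    ("unitronics", "1111"),
    ("orpak", "admin"),
    ("generic", "admin"),
    ("generic", "password"),
}

# Small constructed list; a real deployment would use a breached-password feed.
COMMON_PASSWORDS = {"password", "123456", "admin", "plc", "welcome1", "1234"}

MIN_LENGTH = 14  # assumed site policy value


def classify_password(vendor, password):
    """Return the list of findings for one credential (empty list = no issue)."""
    findings = []
    pw = password or ""
    if not pw:
        findings.append("no password set")
        return findings
    v = vendor.lower()
    if (v, pw) in KNOWN_DEFAULTS or ("generic", pw) in KNOWN_DEFAULTS:
        findings.append("factory-default credential")
    if pw.lower() in COMMON_PASSWORDS or pw.isdigit():
        findings.append("weak/common password")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit(inventory):
    """inventory: iterable of dicts with keys host, vendor, username, password.

    Returns {host: [findings]}. Reuse is detected by grouping on a hash of the
    password so the report itself never carries the secret.
    """
    report = {}
    by_hash = defaultdict(list)
    for asset in inventory:
        report[asset["host"]] = classify_password(asset["vendor"], asset.get("password"))
        if asset.get("password"):
            digest = hashlib.sha256(asset["password"].encode()).hexdigest()[:12]
            by_hash[digest].append(asset["host"])
    for hosts in by_hash.values():
        if len(hosts) > 1:
            for h in hosts:
                report[h].append(f"password shared with {len(hosts) - 1} other asset(s)")
    return report


# Constructed sample inventory; hostnames and values are made up.
SAMPLE_INVENTORY = [
    {"host": "plc-ww-01", "vendor": "Unitronics", "username": "admin", "password": "1111"},
    {"host": "hmi-ww-01", "vendor": "Generic", "username": "operator", "password": "Op3rator!Spring24"},
    {"host": "hmi-ww-02", "vendor": "Generic", "username": "operator", "password": "Op3rator!Spring24"},
    {"host": "fuel-01", "vendor": "Orpak", "username": "admin", "password": None},
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings) or "ok")
```

Run it against an export from the password vault or credential management system rather than a hand-maintained spreadsheet, and treat every "factory-default" or "shared" finding as a change ticket: the guidance asks for credentials that are both strong and unique per device, and the two HMI entries above would pass a strength check while still failing the uniqueness requirement.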
In addition, the agencies recommend implementing phishing-resistant multi-factor authentication for accessing OT networks from any other network, and strategically requiring multi-factor authentication for making changes to high-value controllers that are hard to replace or could cause serious harm if compromised.
Operators should apply the manufacturer’s latest software patches for any internet-facing systems to address known vulnerabilities. It is also critical to monitor user access logs for remote connections into the OT network, as well as for any firmware or configuration changes.
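The allowlist recommendation and the log-monitoring recommendation are two halves of one control: the allowlist defines which sources may open remote-access sessions into the OT network, and the monitoring confirms that nothing else did, and that firmware or configuration changes came from approved accounts at expected times. The following script is an added example written for this article, not part of the agencies' fact sheet. The log layout, hostnames, addresses, the jump-host subnet, the approved-user list, and the maintenance window are all constructed assumptions; real sources would be the OT boundary firewall and the controllers' own event logs.

```python
"""Check remote-access connections and change events against a deny-by-default policy."""
import ipaddress
import re
from datetime import datetime, timezone

# --- Policy (assumed site values) ---------------------------------------
# Only the engineering jump-host subnet may open remote-access sessions.
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]
# Protocols named in the guidance; other ports are handled by other rules.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 443: "HTTPS mgmt", 80: "HTTP mgmt"}
APPROVED_CHANGE_USERS = {"eng_alice", "eng_bob"}
MAINTENANCE_WINDOW_UTC = (8, 17)  # changes expected from 08:00 up to 17:00 UTC

# Constructed sample lines in a syslog-like layout, not real device output.
SAMPLE_LOG = """\
2025-06-30T02:14:07Z fw-ot-edge ACCEPT src=203.0.113.45 dst=10.20.1.15 dport=5900 proto=tcp
2025-06-30T02:15:11Z fw-ot-edge ACCEPT src=10.50.0.8 dst=10.20.1.15 dport=3389 proto=tcp
2025-06-30T02:16:40Z fw-ot-edge ACCEPT src=10.50.0.8 dst=10.20.1.20 dport=22 proto=tcp
2025-06-30T02:18:02Z plc-ww-01 CONFIG_CHANGE user=svc_vendor action=download_program
2025-06-30T09:30:00Z plc-ww-01 CONFIG_CHANGE user=eng_alice action=firmware_update
2025-06-30T09:31:00Z fw-ot-edge ACCEPT src=10.50.0.8 dst=10.20.1.15 dport=502 proto=tcp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
CHANGE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONFIG_CHANGE user=(?P<user>\S+) action=(?P<action>\S+)"
)


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_connection(m):
    """Alert on a remote-access connection whose source is not allowlisted; else None."""
    dport = int(m["dport"])
    if dport not in REMOTE_ACCESS_PORTS:
        return None  # e.g. Modbus/TCP from the jump host: not a remote-access session
    src = ipaddress.ip_address(m["src"])
    if any(src in net for net in ALLOWED_SOURCES):
        return None
    return {"ts": m["ts"], "host": m["dst"], "severity": "high",
            "reason": f"{REMOTE_ACCESS_PORTS[dport]} from {src} not in allowlist"}


def check_change(m):
    """Alert on a config/firmware change by an unapproved user or outside the window."""
    reasons = []
    if m["user"] not in APPROVED_CHANGE_USERS:
        reasons.append(f"user {m['user']} not approved for changes")
    lo, hi = MAINTENANCE_WINDOW_UTC
    if not lo <= _parse_ts(m["ts"]).hour < hi:
        reasons.append("outside maintenance window")
    if not reasons:
        return None
    return {"ts": m["ts"], "host": m["host"], "severity": "high",
            "reason": f"{m['action']}: " + "; ".join(reasons)}


def analyze(log_text):
    """Run both checks over every line; lines matching neither pattern are skipped."""
    alerts = []
    for line in log_text.splitlines():
        if m := CONN_RE.match(line):
            alert = check_connection(m)
        elif m := CHANGE_RE.match(line):
            alert = check_change(m)
        else:
            continue
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity'].upper()} {a['host']}: {a['reason']}")
```

On the sample input this raises two alerts: a VNC session to an HMI from an internet address that the allowlist does not contain, and a program download to a PLC by a vendor service account at 02:18 UTC. Both are exactly the conditions the guidance describes, an internet-reachable HMI and an unsupervised change to a controller. The approved engineer's firmware update inside the window is logged but not alerted, which is the point of pairing a strict allowlist with change monitoring rather than alerting on every change.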
To reduce the impact of a breach, organizations should establish OT processes that block unauthorized changes, prevent loss of visibility, and maintain control. This could include keeping PLCs in run mode instead of program mode, enabling hardware or software interlocks, activating safety systems, and deploying redundant sensors. Agencies also stress the importance of having solid business continuity and incident response plans in place to ensure rapid recovery. Full system and data backups should be implemented to support these efforts.
Critical infrastructure organizations were also called upon to consider how exfiltrated data, such as leaked credentials, could be leveraged to conduct further malicious activity against the network, and ensure security mechanisms are in place to reduce the impact of a potential leak.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.