US and Iran Trade Threats Over Critical Infrastructure Cyberattacks
U.S. intelligence agencies issued a joint advisory on April 7, 2026, warning private-sector companies nationwide that Iranian-affiliated actors are conducting cyber operations targeting critical U.S. infrastructure. The government notice stated that these exploitation activities have already resulted in disruptions across several critical infrastructure sectors.
The advisory was issued jointly by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Environmental Protection Agency (EPA), the Department of Energy, and Cyber Command.
Targeting of Industrial Automation
The joint warning specifically highlights the exploitation of operational technology (OT) devices. According to the notice, Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
Rockwell Automation’s Allen-Bradley is identified as one of the most widely used industrial automation brands. The exploitation of these programmable logic controllers allows attackers to target the hardware that manages essential industrial processes across the United States.
The Environmental Protection Agency has highlighted the specific risks to water utility systems. Jeffrey A. Hall of the EPA stated that cyberattacks on drinking water and wastewater systems directly threaten public health and community resilience.
Geopolitical Context and Escalation
These cyber operations are occurring amidst escalating hostilities between the United States, Israel, and Iran. President Donald Trump has threatened to target Iranian critical infrastructure, specifically its power plants and bridges.
The current escalation follows coordinated military actions conducted on February 28, 2026, identified as Operation Epic Fury and Operation Roaring Lion. These operations involved U.S. and Israeli military operatives against Iran.
Following the February 28 strikes, state-sponsored and Islamic Revolutionary Guard Corps (IRGC)-aligned threat actors significantly increased their reconnaissance, espionage, and disruptive cyber operations. These targets include digital assets in the U.S., Israel, the United Kingdom, and the Gulf Cooperation Council.
Iranian Cyber Tactics
Iranian APT actors are described as patient and methodical in their operations. Their primary method of network entry involves targeting internet-facing systems, such as firewalls, VPNs, remote access tools, and industrial controllers.
To maintain distance and deniability, Iranian state actors routinely operate through proxy organizations and hacktivist groups. This strategy means that initial indicators of an attack in security logs may not immediately appear to be the work of a nation-state.
The threat landscape varies by industry, with different risks facing financial organizations compared to pharmaceutical companies. However, the targeting of operational technology poses a broad risk to energy and water infrastructure.
Defensive Recommendations
The joint advisory urges U.S. organizations to immediately review tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to identify current or historical activity on their networks.
Security guidance for affected organizations focuses on hardening the network edge. This includes identifying all assets sitting at the perimeter and removing any internet-facing systems that are unpatched or have reached end-of-support status.
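The perimeter-hardening guidance above amounts to an inventory review: enumerate what sits at the network edge, then flag anything internet-facing that is unpatched, past vendor end-of-support, or an OT device (such as a PLC) that should not be reachable from the internet at all. The following script is an added example of that review, not code from the advisory or any of the issuing agencies; the hostnames, device types and support dates are constructed sample data, and the `today` reference date is an assumption taken from the advisory's publication date.

```python
"""Perimeter asset audit in the spirit of the joint advisory's hardening guidance.

Flags internet-facing assets that are unpatched, end-of-support, or OT devices
exposed to the internet.  The inventory below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    hostname: str
    kind: str                          # e.g. "firewall", "vpn", "remote_access", "plc", "server"
    internet_facing: bool
    vendor_support_end: Optional[date]  # None means the vendor still supports it
    patch_current: bool


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    Asset("edge-fw-01", "firewall", True, None, True),
    Asset("vpn-gw-02", "vpn", True, date(2024, 6, 30), False),
    Asset("plc-pump-house-3", "plc", True, None, True),
    Asset("hmi-workstation-1", "remote_access", True, None, False),
    Asset("hist-db-01", "server", False, date(2023, 1, 1), False),
]

# Device classes that should never be directly reachable from the internet.
OT_KINDS = {"plc"}

# Assumed reference date: the advisory's publication date.
REFERENCE_DATE = date(2026, 4, 7)


def audit_perimeter(inventory: List[Asset],
                    today: date = REFERENCE_DATE) -> List[Tuple[str, List[str]]]:
    """Return (hostname, reasons) for every internet-facing asset that needs action.

    Assets not exposed to the internet are out of scope for this edge review
    and are skipped even if they are unpatched or end-of-support.
    """
    findings = []
    for asset in inventory:
        if not asset.internet_facing:
            continue
        reasons = []
        if asset.vendor_support_end is not None and asset.vendor_support_end < today:
            reasons.append("end-of-support")
        if not asset.patch_current:
            reasons.append("unpatched")
        if asset.kind in OT_KINDS:
            reasons.append("OT device exposed to internet")
        if reasons:
            findings.append((asset.hostname, reasons))
    return findings


def recommended_action(reasons: List[str]) -> str:
    """Map audit reasons to the advisory's remediation: remove or patch."""
    if "OT device exposed to internet" in reasons or "end-of-support" in reasons:
        return "remove from internet exposure"
    return "patch immediately"


if __name__ == "__main__":
    for host, reasons in audit_perimeter(SAMPLE_INVENTORY):
        print(f"{host}: {', '.join(reasons)} -> {recommended_action(reasons)}")
```

Running the block lists the exposed VPN gateway (end-of-support and unpatched), the internet-reachable PLC, and the unpatched remote-access host; the internal database is skipped because it is not at the edge. In practice the inventory would come from an asset management system or external attack-surface scan rather than a hard-coded list.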
The government notice warns that the targeting campaigns against U.S. organizations have escalated in response to the ongoing hostilities between Iran, the United States, and Israel.
