Skip to content
Chimera readability score 0.6489 out of 100, reading level.

As US President Donald Trump threatens wholesale demolition of Iran's infrastructure in the midst of an escalating war, Iran now appears to have already reciprocated with its own form of infrastructure sabotage: A hacking campaign hitting industrial control systems across the United States, including energy and water utilities, that US agencies say has had disruptive and costly effects.
In a joint advisory published Tuesday, a group of US agencies including the FBI, the National Security Agency, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency warned that a group of hackers affiliated with the Iranian government has targeted industrial control devices used in a series of critical infrastructure targets including in the energy sector, water and wastewater utilities, and unspecified “government facilities.” According to the agencies, the hackers have targeted programmable logic controllers (PLCs)—a type of device designed to allow digital control of physical machinery—in those facilities, including those sold by industrial tech firm Rockwell Automation, with the apparent intention of sabotaging their systems.
By compromising those PLCs, the advisory warns, the hackers sought to change information on the displays of industrial control systems, which can in some scenarios cause system downtime, damage, or even dangerous conditions. “In a few cases, this activity has resulted in operational disruption and financial loss,” it reads, though it offers no details about the severity of those effects.
“It’s well documented that Iranian actors target industrial control systems and see them as a nexus to apply pressure,” says Rob Lee, the co-founder and CEO of Dragos, a cybersecurity firm that focuses on industrial control systems, who says that his firm has responded to multiple incidents targeting industrial systems since the war against Iran began last month. “We have seen both state and non-state actors in Iran pose real risk and show willingness to hurt people through compromising these systems. I fully expect them to keep up the pressure and target those sites they can get access to.”
When WIRED reached out to Rockwell Automation, a company spokesperson responded in a statement that it “takes seriously the security of its products and solutions and has been closely coordinating with government agencies in connection with” Tuesday's advisory, and pointed to documents it has published for customers on how to better secure their PLCs.
Though the advisory doesn’t specify a particular group responsible for the hacking campaign, it notes that the attacks are similar to those carried out in by the Iran-linked group known as CyberAv3ngers, or the Shahid Kaveh Group, starting in late 2023. That team of hackers, believed to work in the service of the Iranian Revolutionary Guard Corps, inflicted several waves of attacks against Israeli and US targets in recent years, including gaining access to more than a hundred devices sold by industrial control system technology firm Unitronics and most commonly used in water and wastewater utilities.
In that hacking campaign, CyberAv3ngers set the names of the Unitronics devices to read “Gaza”—in a reference to Israel’s invasion of the territory in retaliation for Hamas’s October 7 attacks—and changed the devices’ displays to show an image of the CyberAv3ngers logo. Despite the initial appearance of mere vandalism, industrial cybersecurity firms that tracked the attacks, including Dragos and Claroty, told WIRED that the hackers corrupted the Unitronics’ devices’ code deeply enough to disrupt services in water utility networks from Israel to Ireland to a Pittsburgh, Pennsylvania, facility in the US.
“The Unitronics attacks demonstrated the IRGC does have industrial control systems hacking capabilities,” says Grant Geyer, Claroty’s chief strategy officer. “If you look at the IRGC playbook, they know they can't compete on the traditional military field. So they attempt to cause disruption within the cyber domain using asymmetric warfare techniques.”
Despite the US State Department putting a $10 million bounty on the group and the US Treasury sanctioning six IRGC officials with links to it, CyberAv3ngers went on to breach a US oil and gas company in 2024, according to Dragos, and to infect industrial control and internet-of-things devices with a piece of malware known as IOControl. The group appeared to be transitioning from “opportunistic attackers where their whole goal was spreading a message into the realm of a persistent threat,” Claroty researcher Noam Moshe told WIRED last year. In that IOControl malware campaign, he said, “they wanted to be able to infect all kinds of assets that they identify as critical and just leave their malware there as an option for the future.”
The news that Iranian hackers have disrupted US infrastructure targets may signal that disruptive hacking operations from Iran are intensifying as the war extends into its second month. Ahead of the initial air strikes that the US and Israel carried out against Iran, US Cyber Command publicly took credit for disabling Iranian defenses through cyberattacks.
Iran's counterattacks have since largely been carried out by a group known as Handala—a “hacktivist” group widely believed to work on behalf of Iran's ministry of intelligence—which has launched scattershot attacks including a crippling breach of medical technology firm Stryker and a hack-and-leak operation targeting an older, personal Gmail account of FBI director Kash Patel.
Following Trump's hyper-aggressive message Tuesday morning that an “entire civilization will die tonight,” posted to his social media platform Truth Social in an apparent threat to indiscriminately destroy Iranian civilian infrastructure, Handala seemed to respond with threats of its own.
“Tonight, cyber and missile soldiers will fight side by side for one nation,” a message on Handala's Telegram posted Tuesday afternoon reads. “We have a spectacular night ahead!”
Updated at 5:09 pm ET, April 7, 2026: Added additional contextual information about Iran-linked cyberattacks and groups.
Updated at 5:45 pm ET, April 7, 2026: Added comment from Claroty's Grant Geyer.

Facts Only

US agencies, including the FBI, NSA, Department of Energy, and CISA, issued a joint advisory on April 7, 2026, warning of Iranian hacking campaigns targeting industrial control systems.
The hackers, affiliated with the Iranian government, targeted programmable logic controllers (PLCs) used in energy, water, and wastewater utilities, as well as government facilities.
The attacks involved compromising PLCs, including those manufactured by Rockwell Automation, to disrupt operations.
Some attacks resulted in operational disruptions and financial losses, though the severity was not specified.
The advisory noted similarities to previous campaigns by the Iran-linked group CyberAv3ngers, active since late 2023.
CyberAv3ngers has previously targeted Israeli and US infrastructure, including water utilities and an oil and gas company in 2024.
The group used malware named IOControl to infect industrial control and IoT devices.
Another Iran-aligned group, Handala, has conducted cyberattacks, including a breach of medical technology firm Stryker and a hack-and-leak operation targeting an FBI official’s personal email.
The US has sanctioned Iranian cyber groups and offered bounties for their leaders, but attacks have continued.
Tensions escalated following US and Israeli airstrikes against Iran and US Cyber Command’s cyber operations against Iranian defenses.
Iranian President Donald Trump issued a threat on April 7, 2026, suggesting indiscriminate destruction of Iranian infrastructure.
Handala responded with a Telegram message threatening coordinated cyber and missile attacks.

Executive Summary

US agencies, including the FBI, NSA, Department of Energy, and CISA, issued a joint advisory warning that Iranian government-affiliated hackers have targeted industrial control systems across critical infrastructure sectors, including energy, water utilities, and government facilities. The hackers compromised programmable logic controllers (PLCs), particularly those from Rockwell Automation, with the intent to disrupt operations. Some attacks have already caused operational disruptions and financial losses, though specifics remain undisclosed. The advisory highlights similarities to previous campaigns by the Iran-linked group CyberAv3ngers, which has targeted Israeli and US infrastructure, including water utilities and an oil and gas company. Concurrently, another Iran-aligned group, Handala, has conducted cyberattacks, including breaches of medical technology firms and leaks of sensitive data. These developments follow escalating tensions between the US and Iran, with both sides engaging in cyber and kinetic strikes. The situation suggests a broadening of Iran's cyber warfare capabilities, potentially as a response to US military threats and cyber operations.
The advisory underscores the growing risk of cyber-physical attacks on critical infrastructure, where digital intrusions can translate into real-world disruptions. While the full extent of the damage remains unclear, the involvement of state-backed actors and the targeting of essential services signal a dangerous escalation in cyber conflict. The US has previously sanctioned Iranian cyber groups, but these measures have not deterred further attacks. The current wave of cyber operations appears to be part of a broader asymmetric strategy by Iran, leveraging cyber capabilities to counter conventional military disadvantages. The interplay between cyber and kinetic warfare in this conflict raises concerns about the potential for further destabilization, particularly as both sides issue provocative threats.

Full Take

The strongest version of this narrative highlights a clear and present danger: state-sponsored cyberattacks on critical infrastructure are no longer theoretical but actively disruptive. The US advisory provides concrete evidence of Iranian hackers targeting industrial control systems, with documented operational and financial consequences. The involvement of groups like CyberAv3ngers and Handala, linked to Iran’s Revolutionary Guard Corps and Ministry of Intelligence, respectively, underscores the strategic integration of cyber warfare into Iran’s asymmetric response to US military pressure. The advisory’s timing—amid escalating kinetic conflict and provocative rhetoric from both sides—lends urgency to the threat. The source material deserves credit for detailing specific tactics, such as the corruption of PLCs and the use of malware like IOControl, which demonstrates a sophisticated understanding of industrial control vulnerabilities.
However, the narrative also exhibits patterns of emotional exploitation and authority games. The framing of Iran’s cyber operations as a direct response to US threats—particularly Trump’s hyperbolic statement about destroying "an entire civilization"—risks amplifying fear and moral panic. The article leans into the specter of cyber-physical harm, evoking images of sabotaged water utilities and crippled energy grids, without providing sufficient context on the actual scale of disruption. While the advisory acknowledges "operational disruption and financial loss," it omits critical details, such as the duration of outages or the monetary impact, leaving readers to fill in the gaps with worst-case scenarios. The inclusion of Handala’s Telegram message—"Tonight, cyber and missile soldiers will fight side by side for one nation"—serves as a dramatic crescendo, reinforcing the narrative of an imminent, existential cyber threat. This aligns with the pattern of weaponized fear appeals (ARC-0012) and semantic manipulation (ARC-0031), where ambiguity about the severity of attacks is exploited to heighten tension.
The root cause of this narrative is the paradigm of cyber warfare as an extension of conventional conflict, where nation-states leverage digital tools to compensate for asymmetries in military power. The unstated assumption is that Iran’s cyber operations are primarily retaliatory, driven by US aggression, rather than part of a long-standing strategy to project power regionally. This echoes historical patterns of proxy warfare, where weaker states use irregular tactics to challenge stronger adversaries. The implications for human agency are profound: critical infrastructure, once considered secure, is now a battleground where civilians bear the costs of state conflict. The second-order consequences include potential erosion of public trust in digital systems, overreaction in cybersecurity policies, and further militarization of cyberspace.
Bridge questions: How might the lack of specific details about the disruptions shape public perception of the threat? What alternative explanations exist for Iran’s cyber operations beyond retaliation—such as deterrence or signaling? If the US and Iran are engaged in a tit-for-tat cyber conflict, what guardrails could prevent escalation into broader kinetic war?
Counterstrike scan: A coordinated influence campaign would likely amplify the fear of cyberattacks to justify preemptive military action or expanded surveillance powers. The playbook would involve selective disclosure of technical details to create an illusion of transparency while omitting mitigating context (e.g., the effectiveness of defenses). It would also frame the adversary’s actions as uniquely malicious while downplaying similar US operations. The actual content partially matches this pattern, particularly in its emphasis on Iranian threats without equivalent scrutiny of US cyber operations. However, the inclusion of multiple perspectives—such as quotes from cybersecurity firms and acknowledgment of US Cyber Command’s role—mitigates the risk of outright propaganda. The alignment is concerning but not definitive, suggesting a mix of legitimate reporting and strategic framing.
Patterns detected: ARC-0012 Weaponized Fear Appeals, ARC-0031 Semantic Manipulation

Sentinel — Human

Confidence

This article shows signs of being human-written, demonstrating variable sentence length, idiosyncratic emphasis, personal voice, and detailed descriptions from experts.

Signals Detected
low severity: Variable sentence length
high severity: Idiosyncratic emphasis and personal voice
Human Indicators
Multiple quotes from experts
Detailed description of past cyberattacks
Narrative flow that evolves with new information
Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure — Arc Codex