Lede: An Iranian-affiliated advanced persistent threat group has disrupted programmable logic controllers at US critical infrastructure sites across several sectors since at least March 2026, according to a joint advisory (FBI, CISA, NSA, EPA, DOE, Cyber Command via Ars Technica, 2026).

The advisory highlights operational disruptions and financial losses in government services, wastewater systems, and energy sectors, with attackers leveraging a Windows engineering workstation running Rockwell Automation tools to interface with Allen-Bradley PLCs (Ars Technica, 2026). Censys Internet scans identified 5,219 exposed Rockwell devices, three-quarters of which are located in the United States (Censys via Ars Technica, 2026).

This activity follows established patterns of Iranian state-sponsored cyber operations, including APT34's targeting of industrial entities documented in FireEye's 2019 report and more recent intrusions noted in Dragos' 2024 Year in Review focusing on OT threats from Middle Eastern actors (FireEye, 2019; Dragos, 2024).

Original reporting omitted analysis of how these threats converge with AI-driven tools for enhanced targeting, as outlined in a 2025 RAND Corporation study on AI-enabled cyber operations by nation-states and the necessity for AI-augmented defensive measures per NIST and CISA guidelines (RAND, 2025; NIST, 2023).