Iran-linked CyberAv3ngers targets water utilities and industrial controllers across the US
Iranian-affiliated cyber actors tied to CyberAv3ngers are actively targeting internet-exposed programmable logic controllers across U.S. critical infrastructure, including water, wastewater, energy, food and beverage, and government facilities. In a joint advisory published on April 7, CISA, FBI, NSA, EPA, DOE, and U.S. Cyber Command said the activity has already caused operational disruption and financial loss.
The agencies attribute the activity to Iranian cyber actors associated with the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). They also note that the cluster is tracked under several vendor names, including CyberAv3ngers, Storm-0784, and UNC2428, and that the labels vary by vendor and by campaign.
This is not just another noisy hacktivist operation. The advisory says the actors have moved beyond website defacements and propaganda, and are now pursuing disruptive access to real industrial systems, especially exposed PLCs used in essential services.
Why Unitronics and Rockwell systems remain in focus
The most visible early wave involved Unitronics Vision Series PLCs in late 2023. CISA previously warned that IRGC-affiliated actors compromised Unitronics devices in the United States and elsewhere by abusing default passwords on internet-connected controllers.
That campaign included the well-known incident in Aliquippa, Pennsylvania, where a water authority was forced to switch to manual operations after a Unitronics device was targeted. U.S. officials have repeatedly used that case as a warning about internet-exposed OT devices with weak authentication.
The newer concern involves Rockwell Logix controllers. The April 2026 joint advisory says Iranian-affiliated actors are attempting to exploit CVE-2021-22681, an authentication bypass flaw that affects multiple Rockwell Logix families. Rockwell’s advisory says the issue can allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with controllers if they have network access.
Rockwell’s flaw has mitigations, but not a normal software patch
One detail matters here. Much of the coverage says no software patch exists for CVE-2021-22681, which is directionally true but incomplete. Rockwell says CIP Security, when properly deployed, remediates the risk by requiring authenticated controller connections with stronger cryptographic protections.
That means defenders should not read this as “nothing can be done.” Rockwell’s own guidance points admins toward CIP Security and other hardening measures, while CISA’s joint advisory urges operators to isolate exposed PLCs, remove public internet access, and enforce strong remote access controls.
The affected families listed by Rockwell include the CompactLogix, ControlLogix, GuardLogix, DriveLogix, FlexLogix, and SoftLogix product lines. That gives the threat real reach across industrial environments that still rely on legacy connectivity and weak segmentation.
IOCONTROL shows the group has moved beyond simple defacement
CyberAv3ngers has also been tied to IOCONTROL, a custom malware platform for Linux-based IoT and OT devices. Claroty’s Team82 said IOCONTROL was built to target routers, PLCs, HMIs, cameras, firewalls, and fuel management systems from multiple vendors, including D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
Claroty described IOCONTROL as a nation-state cyberweapon used against civilian critical infrastructure. The researchers also said the malware uses MQTT over TLS and other techniques to blend into expected IoT traffic, making detection harder in poorly monitored OT environments.
That evolution matters because it shows CyberAv3ngers is no longer limited to opportunistic access on badly exposed controllers. The group, or the broader ecosystem around it, now appears capable of combining public device exposure, controller-specific weaknesses, and purpose-built malware for persistent access.
Sanctions have not stopped the activity
The U.S. Treasury sanctioned six IRGC-CEC officials in February 2024 for cyber activity linked to CyberAv3ngers. The State Department also announced a reward offer of up to $10 million for information on IRGC-linked malicious cyber actors targeting U.S. critical infrastructure.
Even so, U.S. agencies say the threat remains active in 2026. The latest advisory makes clear that operators should treat this as a live risk, not a historical campaign that faded after the Unitronics headlines.
For utilities and industrial operators, the message is blunt. If PLCs are reachable from the internet, protected by default credentials, or exposed through weak remote access paths, Iranian-affiliated actors may already be looking for them.
What organizations should do now
| Priority | Action | Why it matters |
|---|---|---|
| Immediate | Remove PLCs and HMIs from direct internet exposure | The joint advisory says the actors actively target internet-facing controllers |
| Immediate | Change default passwords and review all controller authentication settings | Earlier Unitronics compromises relied on default credentials |
| High | Deploy CIP Security where supported on Rockwell environments | Rockwell says it mitigates CVE-2021-22681 |
| High | Restrict remote access to enterprise VPNs with MFA | Remote access tools and weak exposure expand the attack surface |
| High | Monitor OT segments for unusual MQTT over TLS and suspicious outbound activity | Claroty says IOCONTROL uses these channels to blend in |
| Ongoing | Back up controller logic and configurations offline | Recovery depends on trusted backups if devices are altered |
The actions above reflect the joint U.S. advisory, Rockwell’s own guidance, and Claroty’s IOCONTROL research.
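The "monitor OT segments for unusual MQTT over TLS" row above, and the IOCONTROL description earlier, both come down to one detection question: which hosts in the OT segment are opening connections to the internet at all, and which of those are MQTT over TLS (tcp/8883) to a broker nobody approved. The script below is an added example written for this article; it is not code from the joint advisory, Rockwell, or Claroty. The conn.log lines are constructed, and the OT subnet, the "internal" address ranges, and the single allow-listed broker are assumptions a site would replace with its own.

```python
"""Flag OT-segment hosts making outbound MQTT-over-TLS (tcp/8883) connections
to non-allow-listed external brokers, the traffic pattern Claroty's Team82
attributed to IOCONTROL, plus any other direct OT-to-internet egress.

Added example for this article, not code from the advisory or from Claroty.
The log lines are constructed; OT_SEGMENTS, INTERNAL_RANGES and
ALLOWED_BROKERS are assumptions standing in for a real site's values."""
import ipaddress
from collections import defaultdict

# Constructed Zeek-style conn.log records (tab-separated, header omitted):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
1712480000.1\tC1\t10.50.1.20\t49152\t10.50.1.5\t502\ttcp\tmodbus
1712480005.2\tC2\t10.50.1.31\t50211\t203.0.113.45\t8883\ttcp\tssl
1712480065.2\tC3\t10.50.1.31\t50212\t203.0.113.45\t8883\ttcp\tssl
1712480125.3\tC4\t10.50.1.31\t50213\t203.0.113.45\t8883\ttcp\tssl
1712480130.0\tC5\t10.50.1.40\t41000\t192.0.2.10\t8883\ttcp\tssl
1712480140.0\tC6\t192.168.10.7\t52000\t198.51.100.9\t443\ttcp\tssl
1712480150.0\tC7\t10.50.1.22\t44818\t10.50.1.6\t44818\ttcp\t-
1712480160.0\tC8\t10.50.1.22\t53422\t198.51.100.77\t53\tudp\tdns
"""

# Assumptions for this example: the plant OT segment, the ranges treated as
# "inside" (RFC 1918 plus loopback), and the one broker allowed to receive
# OT telemetry. Documentation ranges (192.0.2.x, 203.0.113.x, ...) stand in
# for internet addresses here.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ALLOWED_BROKERS = {"192.0.2.10"}
MQTT_TLS_PORT = 8883
BEACON_THRESHOLD = 3  # repeated connections to one endpoint look like check-ins


def parse_conn_log(text):
    """Turn tab-separated conn.log lines into dicts; skips blank and '#' lines."""
    fields = ("ts", "uid", "src", "src_port", "dst", "dst_port", "proto", "service")
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        records.append(rec)
    return records


def in_any(ip, networks):
    """True if the address string falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_flows(records):
    """Return alerts for OT hosts talking to addresses outside INTERNAL_RANGES.

    mqtt_tls_unlisted_broker: tcp/8883 to an external host not in ALLOWED_BROKERS
    ot_egress:                any other direct OT-to-external flow
    Flows to allow-listed brokers and flows that stay inside produce nothing.
    """
    groups = defaultdict(list)
    for rec in records:
        if not in_any(rec["src"], OT_SEGMENTS) or in_any(rec["dst"], INTERNAL_RANGES):
            continue  # not an OT source, or the destination is internal
        groups[(rec["src"], rec["dst"], rec["dst_port"], rec["proto"])].append(rec)

    alerts = []
    for (src, dst, dport, proto), flows in groups.items():
        if proto == "tcp" and dport == MQTT_TLS_PORT:
            if dst in ALLOWED_BROKERS:
                continue  # sanctioned telemetry path, nothing to raise
            rule = "mqtt_tls_unlisted_broker"
        else:
            rule = "ot_egress"
        alerts.append({
            "rule": rule, "src": src, "dst": dst, "dst_port": dport, "proto": proto,
            "count": len(flows),
            "beacon_like": len(flows) >= BEACON_THRESHOLD,
            "first_seen": min(f["ts"] for f in flows),
        })
    return sorted(alerts, key=lambda a: (a["rule"], a["src"], a["dst"]))


if __name__ == "__main__":
    for alert in find_suspicious_flows(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

On the constructed input the script raises two alerts: the three evenly spaced tcp/8883 connections from 10.50.1.31 to an unlisted broker, marked beacon-like, and a DNS query from 10.50.1.22 straight to an external resolver, which is ordinary egress that still should not originate from a PLC segment. The allow-listed broker and the Modbus and EtherNet/IP traffic that stays inside the plant produce nothing, which is the point: in a well-segmented OT network the baseline for direct internet egress should be close to empty, so the rule can be strict without drowning in noise.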
FAQ
What is CyberAv3ngers?
CyberAv3ngers is an Iranian-affiliated threat group that U.S. agencies link to the IRGC-CEC. It has targeted industrial control systems and critical infrastructure, especially internet-exposed PLCs.
Who is most at risk?
Water and wastewater systems, energy organizations, government facilities, and other operators with exposed PLCs or weakly protected remote access face the highest risk, according to the April 2026 joint advisory.
Is there a patch for CVE-2021-22681?
Rockwell does not describe this as a normal software patch scenario. Instead, it points customers to CIP Security and hardening steps to prevent abuse of the authentication bypass.
What is IOCONTROL?
IOCONTROL is a modular malware platform tied to Iranian operators and designed for Linux-based IoT and OT devices. Claroty says it can target a wide range of industrial and edge systems.