Iranian CyberAv3ngers Target Unitronics PLCs in Critical Infrastructure
Iran-linked CyberAv3ngers activity targeting Unitronics Vision PLCs in internet-exposed operational technology environments is the clearest common security event in the provided material. The reporting describes campaigns against critical infrastructure, especially water and wastewater systems, with attackers exploiting default credentials, weak segmentation, and exposed OT assets to gain access and potentially disrupt operations or manipulate industrial processes. The activity is framed as part of broader Iranian state-linked cyber operations aligned with regional geopolitical tensions, with emphasis on U.S. and allied infrastructure at risk of operational and possible physical consequences.
One reference provides technical and threat-context detail on the CyberAv3ngers/IRGC-linked targeting of Unitronics devices, while another discusses the wider cyber dimension of conflict involving Iranian groups pre-positioning in U.S. networks and threatening sectors such as water, hospitals, finance, and power. That second piece is relevant as contextual support for the same Iran-linked critical infrastructure threat environment, though it is broader and less specific to the Unitronics PLC intrusion pattern. The remaining references cover unrelated topics including malicious npm packages, GitHub repository compromise, Ivanti EPMM exploitation, a Ukraine-focused backdoor campaign, AI security commentary, and vendor detection updates, and do not describe the same incident or disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
U.S. and allied agencies warn on Iranian critical infrastructure threats
U.S. agencies including CISA, FBI, and NSA, along with the UK NCSC, warned that Iranian intrusions into Unitronics devices could cause operational disruption, data manipulation, and possible cyber-physical consequences. The advisories also urged mitigations such as firmware upgrades, removing internet exposure, replacing default passwords, and improving segmentation.
CyberAv3ngers compromises Unitronics PLCs in U.S. critical infrastructure
Iran-linked CyberAv3ngers targeted internet-exposed Unitronics Vision Series PLCs and HMIs in U.S. critical infrastructure by abusing default credentials and weak network segmentation. Confirmed incidents included compromises affecting facilities in Pennsylvania and Florida, with similar activity also observed in Israel and the United Kingdom.
Financial and insurance analysts warn of conflict-driven cyber fallout
Fitch, Moody’s, and CyberCube warned that cyberattacks tied to the Iran conflict could disrupt public services, damage credit profiles, and trigger disputes over war exclusions in cyber insurance. These assessments highlighted the broader economic consequences of the escalating cyber threat environment.
Researchers link Iran-aligned APT access to U.S. and Israeli-linked networks
Researchers reported that Iran-aligned actors, including Seedworm/MuddyWater, had established access in networks tied to the United States and Israel across sectors such as banking, aviation, defense-related software, and nonprofits. The reporting suggested these intrusions formed part of a broader retaliatory cyber posture connected to the conflict.
U.S. and Israeli strikes on Iran trigger sharp cyber risk escalation
On February 28, 2026, U.S. and Israeli strikes on Iran marked a major escalation in the conflict and were followed by heightened concern over retaliatory cyber activity. Subsequent analysis argued that Iranian cyber operations against U.S. and Israeli-linked targets had likely been pre-positioned before the kinetic attacks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Iranian CyberAv3ngers Target Unitronics Vision PLCs in US Critical Infrastructure Amid Rising Geopolitical Tensions
rescana.com
Open sourceTHE DIGITAL FRONTLINES OF THE IRAN WAR: - Center for Cyber Diplomacy and International Security
cybercenter.space
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyber Av3ngers Exploited Unitronics PLCs at Water Utilities in the U.S. and Ireland
A cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania exposed a broader campaign targeting **Unitronics Vision Series PLCs** used in water and wastewater operations. Attackers linked to the pro-Iran **Cyber Av3ngers** group reportedly defaced facility screens and disrupted a remote water pressure station, prompting operators to take affected equipment offline and switch to manual or backup processes; officials said drinking water quality and core service were not affected because the compromised system was isolated from the main treatment plant. Reporting also cited a separate incident at a North Texas utility, underscoring concern that internet-exposed industrial control systems are being actively targeted across the sector. U.S. and Irish authorities later tied similar activity to exploitation of weakly secured or internet-accessible Unitronics controllers, including default or poor password practices and the vulnerability tracked as `CVE-2023-6448`, which was added to CISA's Known Exploited Vulnerabilities catalog. In Ireland, attackers disrupted water service to about 160 households in County Mayo after compromising a PLC at a private group water scheme. CISA warned water operators to remove PLCs from direct internet exposure, change default credentials, enforce multifactor authentication where possible, and back up device configurations as officials and experts warned that undersecured operational technology poses an ongoing risk to critical infrastructure.
May 27, 2026
US Offers Reward for Iranian Hackers Behind Unitronics Water Utility Intrusions
The U.S. State Department offered up to **$10 million** for information on six Iranian government hackers allegedly linked to the Islamic Revolutionary Guard Corps Cyber-Electronic Command and the **CyberAv3ngers** campaign targeting **Unitronics Vision Series PLCs** used in critical infrastructure, including U.S. water utilities. U.S. officials said the group exploited internet-exposed devices with default credentials and, in late 2023, defaced compromised systems with anti-Israel messages while claiming the attacks were retaliation for Israel’s actions in Gaza. One of the most visible incidents hit the Municipal Water Authority of Aliquippa, Pennsylvania, which temporarily shifted to manual operations after an intrusion reached a pressure-regulating pump, though officials said water treatment and safe drinking water were not affected. In response, **CISA** began directly contacting water utilities with exposed Unitronics devices and urged operators to change default passwords, while the FBI and EPA said only a small number of utilities were known to be impacted but warned that exposed PLCs could provide a foothold for deeper network access and potential physical damage.
Apr 1, 2026
Iranian-Linked Actors Exploit Internet-Facing Rockwell PLCs in US Critical Infrastructure
A joint U.S. government advisory said Iranian-affiliated cyber actors are actively exploiting internet-facing operational technology devices across multiple U.S. critical infrastructure sectors, with a particular focus on **Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs)**. The activity has affected organizations in Government Services and Facilities, Water and Wastewater Systems, and Energy, where attackers maliciously interacted with project files and manipulated data displayed on **HMI** and **SCADA** systems, causing operational disruption and financial losses for some victims. The campaign has been observed since at least March 2026 and shows similarities to prior **CyberAv3ngers** activity linked to the IRGC Cyber Electronic Command. According to the advisory, the actors used overseas IP infrastructure, **Rockwell Studio 5000 Logix Designer**, OT-related ports including `44818`, `2222`, `102`, `22`, and `502`, and **Dropbear SSH** for remote access. U.S. authorities urged operators to remove PLCs from direct internet exposure, harden remote access, enable logging, place controllers in run mode where appropriate, and review published indicators of compromise and ATT&CK-mapped TTPs alongside Rockwell Automation security guidance.
Apr 17, 2026