Iranian government-affiliated cyber actors have moved beyond espionage into disruption and ransom operations that directly threaten U.S. critical infrastructure. These actors have exploited widely known vulnerabilities and poorly configured operational technology to gain access, encrypt data, or deface industrial control devices. The result is not theoretical. It is a pattern of low-cost tradecraft producing outsized physical risk.
What we saw in late 2023 provides the playbook. IRGC-affiliated operators and personas associated with them targeted Unitronics Vision Series programmable logic controllers that were publicly reachable and using default credentials. That exploitation produced device defacement, loss of automated control at a booster pump station, and at least temporary operational impacts to small water utilities. Those incidents were large enough to trigger a joint advisory from CISA, FBI, NSA, EPA, and Israel’s cyber directorate. The root causes were not exotic. Internet-facing OT, unchanged default passwords, and a failure to segment critical control networks made the attacks possible.
This is not new for Iranian-aligned actors. U.S. authorities and partners have documented IRGC-affiliated campaigns that exploit old, unpatched vulnerabilities for initial access and then use disk encryption and data extortion techniques consistent with ransom operations. The Treasury Department previously sanctioned identified IRGC-affiliated individuals and companies for roles in ransomware and related disruptive cyber activity. Those government findings show a sustained capability and a willingness to weaponize access against infrastructure, not just to collect intelligence.
Operationally, the threat is attractive to Tehran. It is low cost, deniable, and scalable. The actors do not need a zero-day exploit or remote kinetic means to create disruption. They find internet-exposed control gear or leverage unpatched enterprise services, move laterally, and either encrypt critical systems or hand off access to criminal extortion operators. Even when the immediate effect is limited to a single pump or a defaced HMI, the broader consequence is strategic: operators lose confidence in automation, emergency procedures are stretched, and small utilities face costs they are not budgeted to absorb.
If you run infrastructure, the immediate checklist is short and non-negotiable. Inventory every internet-facing OT asset. Change all defaults and force unique strong passwords. Remove direct internet access to PLCs and HMIs by placing them behind authenticated VPNs or jump hosts. Enforce multifactor authentication for remote access. Segment IT and OT so ransomware or credential theft in the corporate network cannot cascade into control systems. Patch known exploited vulnerabilities on a prioritized schedule and apply vendor-recommended firmware updates for controllers. These steps are basic, fast, and effective at reducing the attack surface Iranian-affiliated actors have exploited.
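One way to check the first and third items of that list against evidence rather than paperwork is to audit firewall flow records for OT protocol ports reached from the internet or from anything other than the jump host. The script below is an added example, not part of the advisory or any vendor tool; the log format, the address ranges, the jump-host address and the port-to-protocol mapping (Unitronics PCOM on TCP/20256, Modbus on TCP/502) are constructed assumptions to adjust for a real plant.

```python
# Added example (not from the advisory): audit firewall flow records for OT
# devices reachable from the internet or from hosts other than the jump host.
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Assumption: OT services in use. Unitronics PCOM is TCP/20256, Modbus is TCP/502.
OT_PORTS = {20256: "Unitronics PCOM", 502: "Modbus/TCP"}
# Assumption: the utility's own address space and its sole permitted OT jump host.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JUMP_HOSTS = {"10.0.1.5"}

def is_external(ip):
    """True when the address lies outside the utility's networks."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Parse a constructed 'ts src sport dst dport proto action' record."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, action = parts
    return {"src": src, "dst": dst, "dport": int(dport),
            "proto": proto.upper(), "action": action.upper()}

def audit_flows(lines):
    """Map each OT destination to the exposures seen in allowed TCP flows."""
    findings = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if not f or f["proto"] != "TCP" or f["action"] != "ALLOW":
            continue  # denied or non-TCP traffic is not an exposure
        service = OT_PORTS.get(f["dport"])
        if service is None:
            continue  # not an OT protocol port
        if is_external(f["src"]):
            findings[f["dst"]].append(f"internet-exposed {service} from {f['src']}")
        elif f["src"] not in JUMP_HOSTS:
            findings[f["dst"]].append(f"{service} reached from {f['src']} bypassing jump host")
    return dict(findings)

# Constructed sample: an internet source hitting a PLC, a workstation reaching
# Modbus directly, a legitimate jump-host session, a denied probe, web traffic.
SAMPLE_FLOWS = """\
2023-11-25T02:14:07Z 203.0.113.44 51512 10.20.0.7 20256 TCP ALLOW
2023-11-25T02:14:09Z 10.0.1.5 40122 10.20.0.7 20256 TCP ALLOW
2023-11-25T02:15:30Z 10.10.5.23 40123 10.20.0.8 502 TCP ALLOW
2023-11-25T02:16:00Z 198.51.100.9 33000 10.20.0.7 20256 TCP DENY
2023-11-25T02:16:10Z 10.10.5.23 40124 10.20.0.9 443 TCP ALLOW"""
```

Running `audit_flows(SAMPLE_FLOWS.splitlines())` flags the PLC at 10.20.0.7 as internet-exposed and the Modbus device at 10.20.0.8 as reachable from a corporate workstation; every flagged destination is either an asset that belongs behind the jump host or a segmentation rule that is missing.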
Policy and resourcing decisions must reflect the asymmetric economics of this threat. Small water and wastewater authorities, public utilities, and local hospitals are high value to attackers because they often operate legacy OT with constrained budgets. Federal and state programs must pair threat intelligence and advisories with direct, funded assistance: grants or rapid response teams that can perform inventory, segmentation, and patching on behalf of under-resourced operators. Vendor accountability also matters. Manufacturers that ship controllers with default passwords or lack secure-by-design requirements should face procurement consequences.
Finally, treat these incidents as part of a blended campaign, not isolated nuisance hacks. The IRGC and affiliated groups have demonstrated a toolbox that mixes defacement, exploitation of internet-exposed devices, and destructive disk encryption. That toolbox can be turned toward larger targets or coordinated campaigns if geopolitical tensions escalate. Defense posture should therefore emphasize prevention, but also rapid isolation, manual operations training, and continuity plans that assume automation can be lost without warning. The margin between annoyance and public harm is thin. Closing that margin is a national priority that requires clear technical fixes, funded remediation, and consequences for state-enabled cyber disruption.