Iranian-affiliated cyber actors have moved from noisy defacements to realistic probes of U.S. operational technology. The incidents we can point to are not science fiction. They are avoidable failures in basic cyber hygiene and proof that determined actors will pair crude access methods with custom toolsets when it suits them.
The clearest example came in late 2023 when IRGC-affiliated actors using the persona CyberAv3ngers compromised internet-exposed Unitronics Vision Series programmable logic controllers that are used in water and wastewater systems and other industrial environments. Those intrusions exploited default or weak credentials on internet-facing PLC/HMI equipment and left a political defacement on the screens. Operators were able to restore systems, and there is no public evidence of long-term disruption to water delivery, but the operation demonstrated a direct path from exposed OT devices to real-world control and manipulation.
Do not mistake the relative simplicity of that operation for lack of capability. Iran-affiliated groups have been observed using bespoke backdoors and multi-component toolchains for years. Public reporting and government advisories catalog multiple malware families and backdoors linked to Iranian state-aligned actors: tools for command and control, credential harvesting, lateral movement, and data exfiltration. That tradecraft ranges from PowerShell-based implants to compiled backdoors and bespoke loaders that can be adapted against both IT and OT targets. Custom malware in the Iranian toolbox means they can tailor access and persistence to the target environment once they have initial access.
That two-track picture is the reality defenders face. On one track you have low-cost, high-return attacks that exploit default passwords, exposed management ports, and unpatched devices. On the other you have actor-specific tooling and playbooks that are used after initial access is obtained. A vulnerability or an internet-exposed controller gives the attacker a beachhead. From there, commodity techniques can be swapped for custom implants and living-off-the-land operations designed to hide activity and maintain persistence in network segments that matter. Microsoft and others have documented how internet-exposed OT devices and poor segmentation accelerate that handoff from simple compromise to campaign-level access.
Why this matters for U.S. critical infrastructure: the impact surface is large, and the weakest link is often the smallest operator. Many PLCs, HMIs, and remote telemetry units were designed for convenience and remote access long before the current threat environment existed. Default credentials, exposed ports, and flat networks remain common in small utilities, manufacturing sites, and remote installations. Those are precisely the places a nation-state actor or an ideologically aligned hacktivist will look first. Federal advisories and sector partners have repeatedly urged operators to inventory internet-connected OT devices and to assume any exposed controller is a likely target.
Operational risk is twofold. First, there is immediate damage: a manipulated set point, a disabled pump, or a wiped operator screen can cause local outages and safety incidents. Second, there is strategic access: footholds in municipal or industrial networks can be sold, shared, or repurposed by other criminal actors, amplifying the downstream threat. Whoever holds the credentials and access can choose the tempo. They can sit and observe for months or escalate to destructive actions in seconds.
What defenders must do now is obvious and nonnegotiable. Inventory every internet-facing OT asset. Remove direct internet access to controllers and HMIs, or place them behind jump hosts and strong remote access solutions. Enforce unique, nondefault credentials and multifactor authentication for any administrative access. Patch and update vendor firmware, and where vendors ship devices with default credentials, insist they be changed before commissioning. Segment OT networks from business and internet-facing networks. Establish logging and hunt for anomalous connections to unusual ports and unexpected geolocations. Back up logic and configuration for controllers so restoration is rapid and forensic windows remain intact. Engage federal partners early when an intrusion is suspected. The recommendations from CISA and sector ISACs are tactical and implementable; they are not optional.
Prepare for the next phase. Expect Iranian-aligned actors to continue scanning for and exploiting exposed infrastructure. Expect some operators to be targeted because they use specific vendor equipment. Expect attackers to blend commodity exploitation with custom implants when the target is valuable enough. That means detection capability must improve. Detection is not just endpoint AV. It is network telemetry, authentication logs, outbound DNS and TLS anomaly detection, and baseline behavior profiling. If you cannot see the attacker moving laterally, you will never know whether the compromise is a political defacement or the prelude to a more serious operation.
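The two detection habits urged above, hunting for connections to controller ports from sources that should never reach them (the segmentation and logging items in the checklist) and profiling OT hosts against a learned baseline of outbound behavior (the network telemetry point in this paragraph), can be started with nothing more than firewall or flow logs. The script below is an added example written for this article, not code from CISA, any vendor, or the operators mentioned; it assumes a hypothetical OT segment of 10.20.0.0/24, a single approved jump host at 10.10.5.10, and two controller ports (Modbus/TCP 502 and Unitronics PCOM 20256, taken as assumed vendor defaults), and the flow records it parses are constructed for the example.

```python
"""Hunt over flow logs for (1) inbound connections to controller ports that bypass the
jump host or arrive from the internet, and (2) OT hosts talking to destinations outside
their learned baseline.  All addresses, ports, and log lines are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT_SEGMENT = ip_network("10.20.0.0/24")          # assumed OT subnet
JUMP_HOSTS = {ip_address("10.10.5.10")}           # assumed approved jump host
PLC_PORTS = {502, 20256}                          # assumed: Modbus/TCP and Unitronics PCOM
EXPECTED_COUNTRIES = {"US"}                       # assumed expected geolocation for remote vendor access

# Constructed baseline week: jump host -> PLC, PLC -> historian, HMI polls PLC.
# Format: timestamp,src_ip,src_geo,dst_ip,dst_port  ("LAN" marks internal sources)
BASELINE_LOG = """
2024-05-01T02:00:00Z,10.10.5.10,LAN,10.20.0.15,20256
2024-05-01T02:00:05Z,10.20.0.15,LAN,10.20.0.2,502
2024-05-01T02:00:10Z,10.20.0.2,LAN,10.20.0.15,502
"""

# Constructed hunt window: same traffic plus three events worth a look.
HUNT_LOG = """
2024-05-08T03:10:00Z,10.10.5.10,LAN,10.20.0.15,20256
2024-05-08T03:10:02Z,10.20.0.15,LAN,10.20.0.2,502
2024-05-08T03:10:04Z,10.20.0.2,LAN,10.20.0.15,502
2024-05-08T03:11:00Z,203.0.113.45,XX,10.20.0.15,20256
2024-05-08T03:12:00Z,10.20.0.15,LAN,198.51.100.7,443
2024-05-08T03:13:00Z,10.10.7.3,LAN,10.20.0.15,502
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object
    src_geo: str
    dst: object
    dport: int


def parse_flows(text):
    """Parse the constructed CSV-style flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, geo, dst, dport = line.split(",")
        flows.append(Flow(ts, ip_address(src), geo, ip_address(dst), int(dport)))
    return flows


def inbound_alerts(flows):
    """Flag connections to controller ports that do not come from the OT segment or a jump host."""
    alerts = []
    for f in flows:
        if f.dst not in OT_SEGMENT or f.dport not in PLC_PORTS:
            continue
        if f.src in OT_SEGMENT or f.src in JUMP_HOSTS:
            continue
        if f.src_geo == "LAN":
            reason = "internal host bypassing jump host (segmentation gap)"
        elif f.src_geo in EXPECTED_COUNTRIES:
            reason = "direct internet access to controller port"
        else:
            reason = f"direct internet access from unexpected geolocation {f.src_geo}"
        alerts.append((f.ts, str(f.src), str(f.dst), f.dport, reason))
    return alerts


def build_baseline(flows):
    """Learn, per OT host, the set of (destination, port) pairs seen during a known-good window."""
    baseline = defaultdict(set)
    for f in flows:
        if f.src in OT_SEGMENT:
            baseline[f.src].add((f.dst, f.dport))
    return baseline


def outbound_deviations(baseline, flows):
    """Flag OT hosts reaching any destination/port pair absent from their baseline."""
    return [
        (f.ts, str(f.src), str(f.dst), f.dport)
        for f in flows
        if f.src in OT_SEGMENT and (f.dst, f.dport) not in baseline.get(f.src, set())
    ]


def hunt(baseline_text, window_text):
    """Run both checks and return the findings as a dict of lists."""
    baseline = build_baseline(parse_flows(baseline_text))
    window = parse_flows(window_text)
    return {"inbound": inbound_alerts(window),
            "outbound": outbound_deviations(baseline, window)}


if __name__ == "__main__":
    for kind, findings in hunt(BASELINE_LOG, HUNT_LOG).items():
        for item in findings:
            print(kind, *item)
```

On the constructed window the inbound check surfaces the internet source reaching the PCOM port and the business-LAN workstation reaching Modbus without going through the jump host, and the baseline check surfaces the PLC opening a new TLS connection to an address it has never spoken to. A hit on the second list is exactly the "attacker moving laterally" signal the paragraph warns you will otherwise miss; the same structure extends to DNS and authentication logs by swapping the parser and the baseline key.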
Finally, act like your organization matters. Small utilities, local governments, and manufacturers are not collateral in modern cyber operations. They are targets of opportunity. The cost of basic hardening is tiny compared to the operational and reputational cost of being compromised. Replace default passwords. Turn off remote access when not in use. Segment networks. Patch devices. And have a tested playbook to isolate and recover OT systems under attack.
If you run or protect critical infrastructure, treat the November 2023 Unitronics incidents as a wake-up call and not an outlier. The adversary toolkit includes both low-skill exploitation and tailored malware. Your defenses must address both.