EXECUTIVE SUMMARY
The convergence of geopolitical tensions and systemic weaknesses in industrial network design has created a threat environment that is no longer theoretical. Iranian and Chinese state-affiliated actors have moved decisively from reconnaissance and intelligence-gathering into pre-positioned, persistent access across US water, energy, healthcare, and municipal infrastructure.
The exploitation of internet-exposed Operational Technology (OT) devices — programmable logic controllers, human machine interfaces, SCADA terminals, and remote access gateways — has become the primary entry vector for both threat actor clusters, each operating with distinct strategic intent but a shared opportunistic reliance on the same category of vulnerability: devices that were never designed to face the open internet and are increasingly forced to do so.
This analysis examines the documented TTPs, confirmed incidents, and operational trajectories of Iranian-affiliated groups — chiefly CyberAv3ngers and IRGC-linked APTs — alongside Chinese state-sponsored clusters including Volt Typhoon (tracked industrially as VOLTZITE by Dragos), Salt Typhoon, and the emerging Sylvanite and Azurite groups.
The findings are drawn from active advisories issued by CISA, the FBI, NSA, US Cyber Command, and independent ICS security research through early 2026. The threat is active, the access is persistent, and the window for passive defense has closed.
Key Finding: As of April 2026, a joint advisory from the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command confirmed that Iranian-affiliated APT actors are actively targeting internet-exposed PLCs across water, energy, and government facility sectors — with documented operational disruption and financial losses at victim organizations. 1
1. THE OT EXPOSURE PROBLEM: STRUCTURAL, NOT INCIDENTAL
Before examining the two threat actor clusters in isolation, the underlying condition that enables both campaigns demands direct attention. Operational technology was conceived in an era of air-gapped networks.
PLCs from Rockwell Automation’s Allen-Bradley line — CompactLogix and Micro850 devices that now appear explicitly in active Iranian targeting — were engineered for process control in closed environments.
SCADA systems, HMIs, and industrial routers across water treatment facilities, power substations, and manufacturing floors were built on the assumption that physical access was the only credible attack surface.
That assumption collapsed gradually, then all at once. Remote monitoring requirements, budget-constrained IT-OT convergence projects, pandemic-era remote access expansions, and a persistent shortage of OT-qualified security staff produced a landscape in which thousands of industrial devices sit directly reachable from the public internet — many protected by factory-default credentials, unpatched firmware dating back years, and no multi-factor authentication. Shodan and Censys index this exposure in near real-time.
Iranian threat actors have been explicitly documented using open-source reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in ICS environments.
This exposure is not a marginal statistic. It represents a qualitative shift: adversaries are no longer merely probing for data; they are causing observable, physical-world consequences.
2. IRANIAN THREAT ACTORS: DISRUPTION AS DOCTRINE
2.1 CyberAv3ngers and the IRGC Campaign Lineage
The most operationally active Iranian group targeting US OT infrastructure is CyberAv3ngers, formally affiliated with Iran’s Islamic Revolutionary Guard Corps. Their targeting philosophy is not intelligence-driven in the traditional espionage sense — it is disruptive.
The group operates with political messaging, public attribution of claimed attacks, and a willingness to accept noisier TTPs that leave evidence, because the goal is effect and signal rather than silent persistence.
The campaign that drew international attention began in late 2023 amid the Israel-Hamas conflict. Between November 2023 and January 2024, IRGC-affiliated cyber actors actively targeted and compromised Israeli-made PLCs and human machine interfaces in a global campaign that included dozens of US victims in the water and wastewater, energy, food and beverage manufacturing, and healthcare sectors.
The actors leveraged public internet-connected industrial control systems that used factory-default passwords, or no passwords, and default TCP ports. 2
Between November 2023 and January 2024, CyberAv3ngers compromised at least 75 Unitronics PLC devices across multiple attack waves, half of which were in water and wastewater critical infrastructure networks.
There was no zero-day involved, no sophisticated exploit chain — just exposed credentials and indifferent configuration management.
2.2 The 2025–2026 Escalation
By June 2025, NSA, CISA, FBI, and the Department of Defense Cyber Crime Center issued a joint advisory documenting a new wave of Iranian cyber activity, noting that Iranian actors — including state-sponsored groups and aligned hacktivists — had a documented and expanding history of targeting poorly secured US systems.
The 2025 campaigns incorporated more structured credential exploitation, including hash-cracking, alongside continued default-password abuse and OT-specific diagnostic tool misuse.
By April 2026, a further joint advisory confirmed Iranian-affiliated APT actors were actively compromising Rockwell Automation CompactLogix and Micro850 PLCs across government facilities, water systems, and energy infrastructure.
Since the start of the US-Iran-Israel conflict in February 2026, Iranian-affiliated groups have claimed victims, including Stryker, local governments, and multiple critical infrastructure operators.
Unlike earlier campaigns that operated against niche vendor hardware, this campaign targeted widely deployed, mainstream industrial controllers — a deliberate expansion of attack surface.
Iranian actors are increasingly sharing intelligence and access across affiliated groups, accelerating the threat timeline for any organization with internet-exposed industrial systems.
The targeting of water systems is not accidental — water and wastewater infrastructure sit at the foundation of public health and are disproportionately operated by under-resourced municipal entities with minimal cybersecurity staff.
3. CHINESE THREAT ACTORS: PRE-POSITIONING FOR CONFLICT
3.1 Strategic Intent: The Quiet War Before the War
Where Iranian campaigns are operationally noisy and politically expressive, Chinese state-sponsored OT targeting is the mirror opposite. The defining characteristic of groups like Volt Typhoon — and its industrial subgroup VOLTZITE — is deliberate, patient, invisible persistence.
The strategic objective, assessed consistently by US government agencies, is pre-positioning: establishing durable access to US critical infrastructure that can be activated for destructive purposes during a crisis or military conflict.
FBI Director Christopher Wray stated it plainly: “China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”
The ODNI’s 2026 Annual Threat Assessment noted that Chinese APT actors such as Volt Typhoon and Salt Typhoon exhibit tactics and target selection that extend beyond traditional cyber espionage or intelligence-gathering operations. 3
3.2 VOLTZITE and the Electric Grid Intrusion
The most forensically documented case of Chinese OT intrusion involves VOLTZITE’s breach of the Littleton Electric Light and Water Departments (LELWD) in Massachusetts. The intrusion began in February 2023 and was not uncovered until the FBI alerted LELWD in November 2023 — over 300 days after initial compromise.
This marks the first documented case of this APT infiltrating a US power utility. The attackers had been gathering operational technology data, including SCADA-related information, geospatial intelligence, and other details critical to energy grid operations.
The Dragos platform confirmed server message block traversal maneuvers and remote desktop protocol lateral movement — deliberate, measured steps that mimicked legitimate administrator activity.
Dragos observed VOLTZITE in many cases exfiltrating GIS data containing critical information about the spatial layout of energy systems, warning that exfiltrated data and persistent access to OT systems could be employed as a means for actions on objectives in the future.
3.3 The Typhoon Ecosystem: Expanding OT Penetration
Volt Typhoon does not operate in isolation. Dragos’s annual report confirmed that in 2025, VOLTZITE continued embedding its malware inside strategic American utilities “to maintain long-term persistence.” Dragos CEO Robert M. Lee stated that “they weren’t just getting in and getting access — they were getting inside the control loop” — the system that manages utilities’ industrial processes.
A group that emerged in 2025, Sylvanite, exploits known vulnerabilities in internet-facing products from F5, Ivanti, and SAP to provide VOLTZITE with access into electric power, water, sewage, and oil and gas organizations.
Within 48 hours of a vulnerability’s public disclosure, Sylvanite is reverse-engineering and deploying exploits against those devices — a tempo that renders conventional patch-management cycles operationally irrelevant.
A second group, Azurite, overlaps with China’s Flax Typhoon and focuses on gaining long-term access to OT engineering workstations. Compromise of engineering workstations doesn’t just yield data — it provides the capability to alter the industrial processes those workstations govern.
The broader Chinese APT ecosystem now includes Salt Typhoon, which focuses on espionage and intelligence collection through telecommunications, having compromised more than 200 organizations across 80 countries by August 2025.
Telecom compromise functions as an enabler layer — the surveillance and interception capabilities it provides inform and support broader critical infrastructure targeting.
Dragos CEO Robert Lee told reporters that Volt Typhoon remains “still very active” and “still absolutely mapping out and getting into embedding in US infrastructure.” When asked whether the group could ever be fully removed from all compromised US utilities, Lee assessed that there are sites in the US and NATO countries “we will never find.”
4. COMPARATIVE TTP ANALYSIS
Understanding the divergence in tactics between Iranian and Chinese threat clusters is operationally critical because detection and mitigation strategies for each are not identical.
Iranian TTPs: Iranian actors favor rapid exploitation of default and weak credentials, automated password-guessing, hash-cracking, and using default manufacturer passwords.
Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, then use system engineering and diagnostic tools to breach OT networks. Their operations are faster, louder, and tied to geopolitical events.
Chinese TTPs: Chinese APT groups like Volt Typhoon use living-off-the-land techniques, leveraging legitimate OS tools and blending into normal network traffic. Volt Typhoon selectively clears Windows Event Logs, system logs, and other technical artifacts to further obfuscate its attacks. Their operations are slower, quieter, and designed to survive detection cycles measured in months. 5
Shared vector: Both clusters share a primary reliance on internet-exposed OT devices as the initial access point — specifically, VPN appliances, firewalls, and directly internet-facing PLCs and HMIs with inadequate authentication.
Shared gap: Both actively exploit the IT-OT convergence boundary where traditional IT security monitoring does not extend into OT environments, and OT operators lack tools to detect IT-style lateral movement.
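The VOLTZITE pattern described above (SMB and RDP lateral movement that mimics administrator activity, followed by selective event log clearing) can be expressed as a simple correlation over Windows Security log records. The code below is an added example written for this analysis, not tooling from Dragos or any advisory; the event records are constructed sample data in a simplified, hypothetical schema, and the event IDs used (4624 logon with logon types 3 and 10, 1102 audit log cleared) are standard Windows Security log IDs.

```python
from collections import defaultdict

# Constructed sample records (hypothetical simplified schema, not a real export).
# id 4624 = successful logon, type 3 = network (SMB), type 10 = RemoteInteractive (RDP);
# id 1102 = the Security audit log was cleared.
SAMPLE_EVENTS = [
    {"ts": "2023-02-10T01:02:00", "host": "HIST01",  "id": 4624, "type": 10, "src": "10.1.5.20"},
    {"ts": "2023-02-10T01:09:00", "host": "SCADA01", "id": 4624, "type": 3,  "src": "10.1.5.20"},
    {"ts": "2023-02-10T01:15:00", "host": "GIS01",   "id": 4624, "type": 3,  "src": "10.1.5.20"},
    {"ts": "2023-02-10T01:40:00", "host": "HIST01",  "id": 1102, "type": None, "src": None},
    {"ts": "2023-02-10T08:00:00", "host": "HIST01",  "id": 4624, "type": 2,  "src": None},
    {"ts": "2023-02-10T08:05:00", "host": "ENG01",   "id": 4624, "type": 10, "src": "10.1.5.44"},
]

REMOTE_LOGON_TYPES = {3, 10}  # SMB share access and RDP sessions


def remote_logons_by_source(events):
    """Map each source IP to the (timestamp, host) pairs of its SMB/RDP logons."""
    fanout = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["type"] in REMOTE_LOGON_TYPES and e["src"]:
            fanout[e["src"]].append((e["ts"], e["host"]))
    return fanout


def audit_log_clears(events):
    """Return (timestamp, host) for every audit-log-cleared event (ID 1102)."""
    return [(e["ts"], e["host"]) for e in events if e["id"] == 1102]


def findings(events, min_hosts=3):
    """One alert per source that reached at least min_hosts distinct hosts over
    RDP/SMB; severity rises to 'high' when a log clear later lands on one of
    those hosts, which is the anti-forensic step the report attributes to Volt Typhoon."""
    alerts = []
    clears = audit_log_clears(events)
    for src, hits in remote_logons_by_source(events).items():
        hosts = {h for _, h in hits}
        if len(hosts) < min_hosts:
            continue  # a single admin hop is normal; fan-out is the signal
        first_ts = min(ts for ts, _ in hits)
        # ISO-8601 timestamps of identical shape compare correctly as strings.
        later_clears = [(ts, h) for ts, h in clears if h in hosts and ts >= first_ts]
        alerts.append({
            "src": src,
            "hosts": sorted(hosts),
            "severity": "high" if later_clears else "medium",
            "log_clears": later_clears,
        })
    return alerts
```

In the constructed data the 10.1.5.20 source fans out to three OT hosts and then the log on the first host is cleared, which produces a single high-severity alert; the lone RDP logon from 10.1.5.44 is below the fan-out threshold and is not alerted.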
5. SECTORS AT GREATEST RISK
Water and wastewater systems remain the highest-visibility target for Iranian actors. These facilities typically operate legacy industrial controllers, employ small IT/OT teams, carry significant public health implications, and are, in the vast majority of cases, municipal operations with no dedicated cybersecurity staff. The asymmetry between attacker capability and defender capacity is extreme.
Energy — particularly electric power generation, transmission, and distribution — is the primary domain of Chinese pre-positioning. VOLTZITE’s sustained campaign, the GIS exfiltration pattern, and the LELWD intrusion all point to a systematic effort to map and maintain access to the grid. The 300-day dwell time at a single small utility is representative of a broader campaign across many more targets, most unconfirmed.
Healthcare faces pressure from both clusters. Iranian actors compromised healthcare OT and ICS in the 2023–2024 Unitronics campaign. The sector carries compounded risk: critical physical safety implications if operational systems are disrupted, and high public impact that directly serves Iranian influence objectives.
Government facilities and municipal networks provide operational disruption value for Iranian actors and network access pathways for Chinese actors. Local municipalities often share infrastructure with utilities, emergency services, and other critical systems — making them a lateral movement bridge, not just an end target.
6. RECOMMENDED DEFENSIVE POSTURE
The following mitigations reflect combined guidance from CISA, NSA, FBI, and independent ICS security researchers, prioritized against documented attack vectors in active campaigns.
Conduct an immediate audit of all internet-facing OT assets. Any PLC, HMI, RTU, or SCADA component accessible from the public internet without explicit operational necessity should be disconnected or placed behind a firewall. The attack surface in active Iranian and Chinese campaigns is predominantly composed of devices that should not be directly internet-facing.
Eliminate default and factory-set credentials across all OT assets. Default passwords are not just a starting-point vulnerability — they are the primary exploitation mechanism in documented Iranian campaigns. Every device should be audited against vendor default credential databases.
Implement phishing-resistant multi-factor authentication for all remote access into OT networks. This is specifically recommended in the most recent CISA advisories and directly addresses the credential-based initial access observed across both threat clusters.
Patch internet-facing VPN appliances, firewalls, and edge devices on an emergency cycle. Sylvanite weaponizes newly disclosed vulnerabilities in these devices within 48 hours of public disclosure. Organizations operating on monthly or quarterly patch cycles are structurally exposed to this timeline.
Deploy OT-native network monitoring. IT-focused SIEM tools do not recognize OT-specific protocols or the lateral movement patterns documented in VOLTZITE intrusions. OT-aware monitoring is the difference between a 300-day dwell time and a 30-day dwell time.
Establish and exercise OT-specific incident response plans. The LELWD case demonstrated that FBI engagement and rapid forensic deployment can contain and attribute intrusions — but only when relationships, plans, and detection capabilities exist before the incident.
7. ANALYST ASSESSMENT
The threat to US critical infrastructure from Iranian and Chinese OT-focused actors is neither theoretical nor emerging — it is active, documented, and accelerating. The two clusters operate with different timelines, different noise tolerances, and different end objectives, but they are converging on the same target class: the exposed, under-defended OT environment that now forms the operational backbone of American utilities, water systems, and energy networks.
Iranian actors will continue to exploit geopolitical flashpoints as operational triggers. The escalation from Unitronics devices to mainstream Rockwell Automation PLCs in 2026 signals a deliberate broadening of scope, not a change in strategic intent.
The supply chain and cascading effects of utility disruption — hospitals, municipal services, public health infrastructure — are well understood by IRGC-affiliated planners, and that understanding is reflected in target selection.
Chinese state-sponsored groups are playing a longer, more dangerous game. VOLTZITE’s confirmed presence inside US electric grid assets — with some intrusions assessed by leading researchers as unrecoverable — represents a standing pre-positioned attack capability embedded within US national infrastructure.
The patient accumulation of GIS data, OT topology maps, and persistent access inside control systems is the preparation phase for a disruption campaign that has not yet been activated, but is being systematically built.
The structural condition enabling both threat clusters — mass exposure of OT devices never designed for internet-facing operation — is neither new nor unknown. What has changed is the operational tempo of exploitation and the escalating confirmation that theoretical risk has materialized into real-world compromise.
The organizations that address exposure, default credentials, and OT visibility now are the ones that will have options when the next advisory lands. Those that do not will be the next case study.
REFERENCES
- CISA (2026) AA26-097A: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure. Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a (Accessed: 21 May 2026).
- FBI/CISA/NSA/DC3 (2025) Iranian Cyber Actors May Target Vulnerable US Networks. IC3 Joint Cybersecurity Advisory. Available at: https://www.ic3.gov/CSA/2025/250630.pdf (Accessed: 21 May 2026).
- Office of the Director of National Intelligence (2026) Annual Threat Assessment of the US Intelligence Community. ODNI. Available at: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf (Accessed: 21 May 2026).
- NSA/CISA/FBI/DC3 et al. (2025) Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. Joint Cybersecurity Advisory. National Security Agency, 27 August. Available at: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/article/4287371/nsa-and-others-provide-guidance-to-counter-china-state-sponsored-actors-targeti/ (Accessed: 21 May 2026).
- SecurityWeek (2026) ‘3 threat groups started targeting ICS/OT in 2025: Dragos’. Available at: https://www.securityweek.com/3-threat-groups-started-targeting-ics-ot-in-2025-dragos/ (Accessed: 21 May 2026).