Full Report
As Trump threatens Iranian infrastructure, the US government warns that Iran has carried out its own digital attacks against US critical infrastructure.
Analysis Summary
# Threat Actor: CyberAv3ngers (Shahid Kaveh Group)
## Attribution & Identity
* **Affiliation:** Iranian Government, specifically linked to the Islamic Revolutionary Guard Corps (IRGC).
* **Known Aliases:** Shahid Kaveh Group.
* **Associations:** Believed to be operating in service of the IRGC to conduct retaliatory and disruptive cyber operations against adversaries.
## Activity Summary
According to a joint advisory from the CISA, FBI, NSA, and DOE (April 2026), this actor is conducting a digital sabotage campaign hitting United States critical infrastructure. The group has successfully compromised Industrial Control Systems (ICS) to cause operational disruptions and financial losses. These activities are framed as reciprocation for escalating geopolitical tensions and kinetic threats against Iranian infrastructure.
## Tactics, Techniques & Procedures
* **Exploitation of Operational Technology (OT):** Direct targeting of Programmable Logic Controllers (PLCs) to gain digital control over physical machinery.
* **HMI Manipulation:** Unauthorized access to and modification of information on industrial control system displays (Human-Machine Interfaces).
* **Service Disruption:** Engaging in activities designed to cause system downtime, physical damage, or dangerous operational conditions.
* **Supply Chain/Vendor Targeting:** Seeking out vulnerabilities in hardware sold by particular industrial technology vendors to gain a foothold in broader networks.
* **MITRE ATT&CK IDs (Inferred from text):**
  * T0813 (Modifying Parameter)
  * T0831 (Manipulation of Control Relays)
  * T0849 (External Business Services)
## Targeting
* **Sectors:** Energy, Water and Wastewater Utilities, and unspecified Government Facilities.
* **Geography:** Primarily Israel (historically) and the United States (current focus).
* **Victims:**
  * Users of **Rockwell Automation** PLCs.
  * Users of **Unitronics** devices (historically over 100 devices).
  * US critical infrastructure facilities in the energy and water sectors.
## Tools & Infrastructure
* **Malware/Exploits:** Targeting of Rockwell Automation PLCs and Unitronics industrial control technology.
* **Infrastructure:** No IP addresses are listed in the article, but the advisory points to vendor security advisories published at:
  * hxxps[://]www[.]rockwellautomation[.]com/en-us/trust-center/security-advisories/advisory[.]SD1771[.]html
  * hxxps[://]www[.]rockwellautomation[.]com/en-fi/trust-center/security-advisories/advisory[.]PN1550[.]html
## Implications
The transition from information theft to active sabotage of critical infrastructure indicates a high-risk strategic shift. By targeting sectors like water and energy, the actor demonstrates the capability to cause real-world physical consequences, financial damage, and potential threats to public safety. This suggests that Iran views cyber sabotage as a viable and proportionate response to kinetic or political pressure.
## Mitigations
* **Secure PLC Configurations:** Follow vendor-specific hardening guides, particularly for Rockwell Automation and Unitronics devices.
* **Network Segmentation:** Isolate Industrial Control Systems and PLCs from the public-facing internet.
* **Access Control:** Implement strong authentication and change default credentials on all OT devices.
* **Monitoring:** Use specialized ICS monitoring tools to detect unauthorized changes to logic or HMI displays.
* **Advisory Compliance:** Review and implement recommendations from the AA26-097A joint advisory issued by CISA and the FBI.
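As an added example that is not part of this report or of the joint advisory, the Python script below shows what the Network Segmentation, Access Control and Monitoring mitigations look like as concrete checks: every event that changes PLC logic, parameters or HMI displays must originate from an approved engineering workstation on the isolated engineering subnet, and exports of controller logic and HMI screens are hashed against an approved baseline so that unauthorized modifications surface as drift. The engineering subnet, the workstation allowlist, the key=value log format and the PLC/HMI exports are all constructed for the example and are not values from the advisory.

```python
import hashlib
import ipaddress

# Constructed policy (assumption, not from the advisory): only these engineering
# workstations, on the isolated engineering subnet, may change PLC logic or HMI screens.
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_ENGINEERING_HOSTS = {"10.20.30.15", "10.20.30.16"}

# Event types that alter controller logic, parameters or operator displays.
CHANGE_EVENTS = {"program_download", "param_write", "display_change"}

# Constructed sample log lines in a simple key=value format (not real device output).
SAMPLE_EVENTS = """\
ts=2026-04-07T02:14:05Z device=pump-plc-01 event=program_download src=10.20.30.15 user=eng_alice
ts=2026-04-07T02:31:40Z device=pump-plc-01 event=program_download src=203.0.113.44 user=admin
ts=2026-04-07T03:02:11Z device=water-hmi-02 event=display_change src=10.20.30.99 user=operator
ts=2026-04-07T03:05:00Z device=chlorine-plc-03 event=param_write src=10.20.30.16 user=eng_bob
ts=2026-04-07T03:09:27Z device=chlorine-plc-03 event=status_poll src=10.20.31.7 user=scada
"""


def parse_event(line):
    """Parse one 'key=value key=value ...' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_event(ev):
    """Return a reason string if the event violates the change policy, else None."""
    if ev.get("event") not in CHANGE_EVENTS:
        return None  # reads and status polls are not change events
    src = ipaddress.ip_address(ev["src"])
    if src not in ENGINEERING_SUBNET:
        return "change from outside the engineering subnet"
    if ev["src"] not in ALLOWED_ENGINEERING_HOSTS:
        return "change from a host not on the engineering allowlist"
    return None


def find_policy_violations(log_text):
    """Return [(timestamp, device, event, src, reason)] for every violating line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = check_event(ev)
        if reason:
            findings.append((ev["ts"], ev["device"], ev["event"], ev["src"], reason))
    return findings


def baseline_hashes(exports):
    """Map export name -> SHA-256 of its bytes; record this after each approved change."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in exports.items()}


def detect_drift(baseline, current):
    """Return names whose content differs from the baseline, or that were added/removed."""
    changed = set()
    for name in set(baseline) | set(current):
        if name not in baseline or name not in current:
            changed.add(name)
        elif hashlib.sha256(current[name]).hexdigest() != baseline[name]:
            changed.add(name)
    return sorted(changed)


# Constructed PLC/HMI exports: the approved baseline and a later snapshot in which
# the HMI high-level alarm threshold has been altered without an approved change.
APPROVED_EXPORTS = {
    "pump-plc-01.ladder": b"RUNG 1: XIC Start XIO Stop OTE Pump\n",
    "water-hmi-02.screen": b"TANK_LEVEL gauge min=0 max=100 alarm_high=90\n",
}
CURRENT_EXPORTS = {
    "pump-plc-01.ladder": b"RUNG 1: XIC Start XIO Stop OTE Pump\n",
    "water-hmi-02.screen": b"TANK_LEVEL gauge min=0 max=100 alarm_high=200\n",
}

if __name__ == "__main__":
    for finding in find_policy_violations(SAMPLE_EVENTS):
        print("ALERT", *finding)
    print("drifted exports:", detect_drift(baseline_hashes(APPROVED_EXPORTS), CURRENT_EXPORTS))
```

Run against the constructed log, the script flags the logic download from a public address outside the engineering subnet and the HMI display change from an in-subnet host that is not an approved workstation, and reports the HMI screen export as drifted. The two checks are deliberately independent: the event check catches changes that reach the device over the network, while the hash comparison catches changes made by any path, including a local engineering port, as long as exports are collected on a schedule.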