Iranian CyberAv3ngers Escalate Attacks on U.S. Water Utilities, Exploit PLC Vulnerabilities

Iranian CyberAv3ngers Intensify Attacks on U.S. Water Utilities and Industrial Control Systems

The Iranian-backed cyber threat group known as CyberAv3ngers has escalated its operations, targeting critical infrastructure across the United States, with a particular focus on water utilities and industrial control systems. This group, formally linked to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has been active since at least 2020, progressively enhancing its capabilities and posing a significant threat to national security.

On April 7, 2026, six U.S. agencies issued a joint advisory: the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy, and U.S. Cyber Command. This advisory, designated AA26-097A, confirmed that Iranian-affiliated actors are actively exploiting internet-facing programmable logic controllers (PLCs) within water and wastewater systems, energy infrastructure, and government facilities. The advisory documented instances of operational disruption and financial losses at multiple U.S. organizations, directly attributing these activities to CyberAv3ngers.

CyberAv3ngers, also tracked as Storm-0784 by Microsoft, Bauxite by Dragos, and UNC5691 by Mandiant, has demonstrated a methodical approach to building its cyber capabilities. In late 2023, the group compromised at least 75 Unitronics Vision Series PLCs across the U.S., United Kingdom, and Ireland by exploiting factory-default passwords on internet-exposed devices. Notably, the Municipal Water Authority of Aliquippa, Pennsylvania, was among the victims, with its PLC accessible from the open internet without any authentication safeguards. In Ireland, a separate attack left residents without running water for several days.

By mid-2024, CyberAv3ngers introduced IOCONTROL, a custom-built malware platform designed for Linux-based Internet of Things (IoT) and operational technology environments. This malware is modular and capable of running on a wide range of Linux-based devices, including routers, human-machine interfaces (HMIs), IP cameras, firewalls, and fuel management systems from various vendors. IOCONTROL’s command-and-control architecture utilizes the MQTT protocol over TLS on port 8883 and DNS-over-HTTPS for domain resolution, enabling the malware to blend seamlessly into legitimate IoT network traffic, thereby evading detection.
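The C2 pattern described above (MQTT over TLS on tcp/8883 plus DNS-over-HTTPS for resolution) is something a defender can hunt for in flow logs from the OT segment. The following is an added detection example, not code from the advisory or from any vendor: the network ranges, approved broker, resolver list and flow records are all constructed for illustration, and the rule simply correlates, per OT host, outbound MQTT-TLS to a non-approved external broker with HTTPS to a public DoH resolver.

```python
"""Heuristic hunt for IOCONTROL-style beaconing in OT flow logs (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.50.0.0/16")                       # assumed OT/IoT segment
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]              # RFC 1918 ranges
APPROVED_BROKERS = {"10.50.250.5"}                          # assumed in-house MQTT broker
DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}           # short example list of public DoH endpoints

# Constructed flow records: (src_ip, dst_ip, dst_port, proto). Comments say what each simulates.
SAMPLE_FLOWS = [
    ("10.50.3.21", "10.50.250.5", 8883, "tcp"),    # HMI -> in-house broker: benign
    ("10.50.3.21", "10.50.250.10", 502, "tcp"),    # Modbus/TCP to a PLC: benign
    ("10.50.7.44", "203.0.113.9", 8883, "tcp"),    # fuel controller -> unknown external broker
    ("10.50.7.44", "1.1.1.1", 443, "tcp"),         # same host -> public DoH resolver
    ("10.50.7.44", "1.1.1.1", 443, "tcp"),
    ("10.50.9.2", "198.51.100.7", 8883, "tcp"),    # IP camera -> external broker, no DoH seen
    ("192.168.1.10", "203.0.113.9", 8883, "tcp"),  # IT host: outside the OT range, not scored here
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspects(flows):
    """Return {ot_host: {"mqtt_dst", "doh_dst", "severity"}} for OT hosts beaconing outward.

    An OT device opening MQTT-over-TLS to a broker that is neither internal nor approved is
    flagged 'medium'; if the same device also queries a public DoH resolver over 443, the two
    observations together match the described C2 shape and the finding is raised to 'high'."""
    per_host = defaultdict(lambda: {"mqtt_dst": set(), "doh_dst": set()})
    for src, dst, port, proto in flows:
        if proto != "tcp" or ip_address(src) not in OT_NET:
            continue
        if port == 8883 and not is_internal(dst) and dst not in APPROVED_BROKERS:
            per_host[src]["mqtt_dst"].add(dst)
        elif port == 443 and dst in DOH_RESOLVERS:
            per_host[src]["doh_dst"].add(dst)
    findings = {}
    for host, obs in per_host.items():
        if not obs["mqtt_dst"]:
            continue  # DoH alone is worth a separate, lower-confidence rule
        findings[host] = {**obs, "severity": "high" if obs["doh_dst"] else "medium"}
    return findings

if __name__ == "__main__":
    for host, f in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(f"{host}: {f['severity']} mqtt={sorted(f['mqtt_dst'])} doh={sorted(f['doh_dst'])}")
```

On the constructed flows, the fuel controller scores high and the camera medium, while the HMI talking to the approved broker and the IT host are not flagged.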

In early 2026, CyberAv3ngers shifted its focus to Rockwell Automation Logix controllers, exploiting CVE-2021-22681—a critical authentication bypass vulnerability with a CVSS score of 9.8. This flaw allows an attacker who intercepts a single cryptographic key to connect to affected PLCs without valid credentials. Rockwell Automation has confirmed that no software patch exists for this vulnerability, and affected controller families include CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix.

The U.S. Treasury sanctioned six IRGC-CEC officials tied to CyberAv3ngers in February 2024, and the State Department is offering up to ten million dollars for information on the group. Despite these measures, CyberAv3ngers continues to operate, with a new channel called Cyber4vengers surfacing in January 2026 after a prior one was removed. The group’s industrial control system (ICS) exploitation techniques have since spread to approximately 60 affiliated hacktivist groups, creating a decentralized threat that is challenging to neutralize.