Introduction
A recent wave of nation-state cyberattacks has set its sights on US critical infrastructure, with Iranian hackers targeting Internet-exposed Rockwell/Allen-Bradley programmable logic controllers (PLCs) and launching a password-spraying effort against Microsoft 365 environments in Israel and the U.A.E. According to reports by BleepingComputer, these attacks highlight the vulnerabilities in our digital defenses and the evolving nature of cybersecurity threats.
The implications of such attacks are far-reaching, with potential consequences including disruption of essential services, compromise of sensitive data, and even physical harm to infrastructure and individuals. As noted by The Hacker News, the ongoing conflict in the Middle East adds a layer of complexity to these cyberattacks, making it imperative for organizations to be vigilant and proactive in their security measures.
The critical infrastructure targeted by Iranian hackers includes systems that are fundamental to the operation of modern society, such as power generation and distribution, water treatment facilities, and transportation systems. These systems often rely on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, which can be vulnerable to cyberattacks due to their complexity and the need for remote access.
Iranian Cyberattacks on Critical Infrastructure
The Iranian hackers' targeting of Internet-exposed Rockwell/Allen-Bradley PLCs on US critical infrastructure networks is a cause for significant concern. PLCs are crucial components in ICS, responsible for controlling and monitoring industrial processes. They are essentially small computers that can be programmed to perform specific tasks, such as controlling the flow of water or electricity. Compromise of these devices could lead to severe disruptions or even physical damage to the targeted infrastructure.
A password-spraying campaign, suspected to be linked to an Iran-nexus threat actor, was carried out in three distinct attack waves on March 3, March 13, and March 23, 2026. This campaign primarily targeted Microsoft 365 environments in Israel and the U.A.E., with over 300 organizations affected, as reported by Check Point. The use of password spraying, a technique where attackers attempt to log in to many accounts using a small set of commonly used passwords, highlights the importance of robust password policies and multi-factor authentication (MFA) in preventing such attacks.
The Iranian threat actor's tactics, techniques, and procedures (TTPs) in these campaigns demonstrate a sophisticated understanding of their targets' vulnerabilities. By exploiting weaknesses in Internet-exposed PLCs and leveraging password-spraying attacks against Microsoft 365 environments, these actors aim to achieve significant disruptive effects with relatively minimal effort.
Furthermore, the fact that these attacks were carried out against organizations in Israel and the U.A.E. suggests a geopolitical motivation behind the campaigns. The Iranian threat actor may be seeking to disrupt the operations of critical infrastructure in these countries, potentially as a form of retaliation or to gain a strategic advantage.
Technical Details and Affected Systems
The Rockwell/Allen-Bradley PLCs targeted by the Iranian hackers are widely used in industrial control systems across various sectors, including energy, water, and transportation. These devices are typically connected to the internet for remote monitoring and control, which can create vulnerabilities if not properly secured.
In addition to the PLCs, the password-spraying campaign against Microsoft 365 environments also poses a significant threat. Microsoft 365 is a cloud-based productivity suite that includes popular applications such as Office, Outlook, and SharePoint. The fact that over 300 organizations in Israel and the U.A.E. were affected by this campaign highlights the importance of robust security measures for cloud-based services.
The technical details of the password-spraying campaign are also noteworthy. According to reports, the attackers used a combination of commonly used passwords and brute-force techniques to attempt to log in to Microsoft 365 accounts. This highlights the importance of using strong, unique passwords and enabling MFA to prevent such attacks.
Mitigation Guidance
Given the severity and sophistication of these cyberattacks, it is crucial for organizations to take immediate and proactive measures to secure their critical infrastructure. Key recommendations include:
- Securing Internet-exposed PLCs: Ensure that all Rockwell/Allen-Bradley PLCs exposed to the internet are properly secured and monitored by:
  - Implementing robust firewall rules to restrict incoming traffic
  - Keeping firmware up-to-date with the latest security patches
  - Regularly conducting vulnerability assessments to identify potential weaknesses
  - Using secure communication protocols, such as HTTPS or SFTP, for remote access
- Enhancing Microsoft 365 Security: Organizations in Israel and the U.A.E., particularly those using Microsoft 365, should be on high alert for password-spraying campaigns. Recommendations include:
  - Enabling MFA for all users to prevent unauthorized access
  - Implementing strong password policies, including password length and complexity requirements
  - Monitoring for unusual login attempts and suspicious activity
  - Regularly reviewing and updating user permissions to ensure least privilege access
- Nation-state Attack Vigilance: The threat of nation-state cyberattacks on critical infrastructure is ongoing and evolving. Security practitioners must remain vigilant, staying informed about the latest TTPs used by threat actors and continually assessing and improving their organization's defenses.
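The "monitoring for unusual login attempts" recommendation above is easier to act on with a concrete rule. Password spraying looks different from a classic brute-force attempt in sign-in telemetry: one source address fails against many distinct accounts with only a few attempts each, rather than hammering a single account. The script below is an added example written for this article, not code from any of the reports cited; the sign-in log format, the thresholds (5 accounts, at most 3 failures per account, a 30-minute window) and the sample events are all constructed assumptions. Real Microsoft 365 / Entra ID sign-in logs carry the equivalent fields (user principal name, source IP, timestamp and a status/error code), so the same logic applies once those fields are mapped.

```python
"""Detect a password-spray pattern in sign-in events and report any
success from a source that was spraying.

Added example for this article; not part of the original page or of any
vendor tooling. Log format, thresholds and sample data are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 timestamp> <user> <source IP> <result>".
# 203.0.113.10 fails once against six different accounts (spray pattern),
# then later signs in successfully as frank.  198.51.100.7 hammers a single
# account (brute force, not a spray).  192.0.2.5 is a user with one typo.
SAMPLE_EVENTS = """\
2026-03-13T08:00:01Z alice@example.test 203.0.113.10 FAILURE
2026-03-13T08:00:04Z bob@example.test 203.0.113.10 FAILURE
2026-03-13T08:00:07Z carol@example.test 203.0.113.10 FAILURE
2026-03-13T08:00:10Z dave@example.test 203.0.113.10 FAILURE
2026-03-13T08:00:13Z erin@example.test 203.0.113.10 FAILURE
2026-03-13T08:00:16Z frank@example.test 203.0.113.10 FAILURE
2026-03-13T08:02:00Z bob@example.test 198.51.100.7 FAILURE
2026-03-13T08:02:05Z bob@example.test 198.51.100.7 FAILURE
2026-03-13T08:02:10Z bob@example.test 198.51.100.7 FAILURE
2026-03-13T08:02:15Z bob@example.test 198.51.100.7 FAILURE
2026-03-13T08:02:20Z bob@example.test 198.51.100.7 FAILURE
2026-03-13T08:05:00Z grace@example.test 192.0.2.5 FAILURE
2026-03-13T08:05:20Z grace@example.test 192.0.2.5 SUCCESS
2026-03-13T09:10:00Z frank@example.test 203.0.113.10 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {ip: (first_failure_time, targeted_accounts)} for every source IP
    that, inside any `window`, failed against at least `min_accounts` distinct
    accounts with no more than `max_per_account` failures on each of them."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        counts = Counter()  # failures per account inside the current window
        right = 0
        for left, (start_ts, _) in enumerate(fails):
            # Slide the right edge forward to cover everything within `window`.
            while right < len(fails) and fails[right][0] - start_ts <= window:
                counts[fails[right][1]] += 1
                right += 1
            low_touch = [u for u, c in counts.items() if c <= max_per_account]
            if len(low_touch) >= min_accounts:
                first_ts, users = flagged.get(ip, (start_ts, set()))
                flagged[ip] = (min(first_ts, start_ts), users | set(low_touch))
            # Drop the left edge before moving on.
            counts[fails[left][1]] -= 1
            if counts[fails[left][1]] == 0:
                del counts[fails[left][1]]
    return flagged


def spray_successes(events, flagged):
    """Highest-priority alert: a successful sign-in from a spraying source at or
    after the time its spray was first observed."""
    hits = []
    for ts, user, ip, result in sorted(events):
        if result == "SUCCESS" and ip in flagged and ts >= flagged[ip][0]:
            hits.append((user, ip))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sprayers = detect_spray(evs)
    for ip, (first, users) in sprayers.items():
        print(f"spray from {ip} starting {first.isoformat()} against {len(users)} accounts")
    for user, ip in spray_successes(evs, sprayers):
        print(f"ALERT: successful sign-in for {user} from spraying source {ip}")
```

The brute-force source is deliberately not flagged by this rule: it is caught by ordinary per-account lockout, whereas a spray stays under that threshold by design, which is why distinct-account counting per source is the signal worth alerting on. In production the source IP should be joined with geolocation or proxy-reputation data, since a spray is often spread across many addresses to evade exactly this check.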
In addition to these technical measures, organizations should also consider implementing incident response plans and conducting regular security awareness training for employees. This can help ensure that all personnel are aware of the potential threats and know how to respond in the event of a cyberattack.
Recommendations and Takeaways
The recent Iranian hacker campaigns targeting US critical infrastructure and Microsoft 365 environments in Israel and the U.A.E. serve as a stark reminder of the persistent threats faced by our digital ecosystems. By understanding these threats and taking proactive, informed measures to mitigate them, organizations can significantly reduce their risk exposure and contribute to a more secure cyber environment for all.
As emphasized by cybersecurity experts, the importance of robust security measures cannot be overstated, and ongoing vigilance is crucial in the face of evolving nation-state cyber threats. By prioritizing cybersecurity and implementing effective mitigation strategies, organizations can protect themselves against these sophisticated attacks and ensure the continuity of their operations.
Key takeaways from this article include:
- The Iranian threat actor is a sophisticated and persistent adversary that poses a significant threat to critical infrastructure and cloud-based services
- Internet-exposed Rockwell/Allen-Bradley PLCs are vulnerable to cyberattacks and require robust security measures to prevent compromise
- Password-spraying campaigns against Microsoft 365 environments can be highly effective, highlighting the importance of strong password policies and MFA
- Organizations must remain vigilant and proactive in their cybersecurity efforts, staying informed about the latest TTPs used by threat actors and continually assessing and improving their defenses.
To prioritize cybersecurity effectively, organizations should:
- Allocate dedicated resources for continuous security monitoring and incident response planning
- Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses
- Implement a culture of cybersecurity awareness among all employees, ensuring they understand the risks and their roles in mitigating them
- Stay updated with the latest threat intelligence and adapt security strategies accordingly
By following these recommendations and prioritizing cybersecurity, organizations can reduce their risk exposure and contribute to a more secure cyber environment for all.