U.S. Agencies Say Iran-Linked Hackers Are Striking At Utilities And Local Systems
- Andrej Botka
- Apr 8
- 2 min read

A joint alert from four federal cyber offices warns that operators tied to Iran have expanded efforts to penetrate and interfere with American utility and municipal control systems.
The Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Department of Energy issued the advisory Tuesday, saying actors backed by Iran are exploiting devices and services that are reachable from the public internet. Officials said the intrusions have targeted systems that support water treatment, electricity providers and local government operations, and have produced service interruptions and monetary harm for some organizations.
Investigators say the attackers have focused on the control equipment and supervisory platforms that run industrial gear and store vital configuration data. By breaching those externally exposed assets, adversaries were able to tamper with what operators saw on consoles and to alter or damage configuration and project files that keep equipment running. The bulletin describes a pattern of direct interaction with the operational technology that governs facilities, rather than only siphoning information.
U.S. officials characterized the campaign as an escalation, tying the surge in activity to recent hostilities between the United States, Israel and Iran that began Feb. 28 after air strikes that killed Iran’s top leader. The advisory arrived on the same day President Donald Trump posted a social-media warning demanding Iran reopen the Strait of Hormuz by a deadline, saying harsh consequences would follow if Tehran failed to comply.
The bulletin also points to a shadowy hacking cell known as Handala, which U.S. authorities say has been responsible for several disruptive intrusions since the conflict began. Handala has been linked to an incident at a major medical-device maker in which thousands of employee endpoints were remotely wiped using management tools, and to the leak of portions of the personal email account of FBI Director Kash Patel. In addition to cyber operations, Iranian forces have reportedly struck some U.S.-linked data centers in the region with missiles and air attacks, contributing to instability in cloud services there.
Cybersecurity specialists say the new advisory should be a wake-up call for local utilities and municipal IT teams. "Operators need to treat every externally reachable control interface as compromised until proven otherwise," said a former utility cyber manager who reviewed the bulletin. Agencies urge immediate steps such as inventorying internet-exposed devices, applying vendor patches, isolating operational networks from business networks and increasing logging and monitoring to detect suspicious activity. They warned that further intrusions remain possible and urged constant vigilance.