Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs | CyberScoop<\/title> <meta name=\"description\" content=\"Censys researchers warned that thousands of devices are exposed to the Iranian government\u2019s campaign targeting energy, water, and U.S. government services and facilities.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/iran-attackers-industrial-ot-government-energy-water-censys\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs\"> <meta property=\"og:description\" content=\"Censys researchers warned that thousands of devices are exposed to the Iranian government\u2019s campaign targeting energy, water, and U.S. government services and facilities.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/iran-attackers-industrial-ot-government-energy-water-censys\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-04-09T21:29:16+00:00\"> <meta property=\"article:modified_time\" content=\"2026-04-09T21:29:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg\"> <meta property=\"og:image:width\" content=\"1743\"> <meta property=\"og:image:height\" content=\"1720\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1774626878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1775074092g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88552\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88552\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-attackers-industrial-ot-government-energy-water-censys%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-attackers-industrial-ot-government-energy-water-censys%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88552 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/iran-attackers-industrial-ot-government-energy-water-censys\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.951986754967\">\n<div class=\"single-article__header-content\" readability=\"32.926829268293\">\n<p> Censys researchers warned that thousands of devices are exposed to the Iranian government\u2019s campaign targeting energy, water, and U.S. government services and facilities. <\/p>\n<p>   <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"632\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs.jpg?resize=640%2C632&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg 1743w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=300,296 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=768,758 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=1024,1010 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=1536,1516 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=600,592 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=170,168 170w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=342,337 342w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=684,675 684w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-2.jpg?resize=854,843 854w\" sizes=\"(max-width: 684px) 100vw, 684px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"32.677925211098\"><body readability=\"68.252532561505\"><\/p>\n<p>The fallout and potential exposure from Iran\u2019s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a <a href=\"https:\/\/censys.com\/blog\/iranian-affiliated-apt-targeting-rockwell-allen-bradley-plcs\/\">threat intelligence brief<\/a> Wednesday. <\/p>\n<p> Of the programmable logic controllers manufactured by Rockwell Automation\/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States. <\/p>\n<p>The cybersecurity firm identified the devices based on details multiple federal agencies shared in a <a href=\"https:\/\/cyberscoop.com\/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning\/\">joint alert<\/a> Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.<\/p>\n<p>Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and <a href=\"https:\/\/cyberscoop.com\/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning\/\">disrupted multiple sectors<\/a> during the past month. Some victims also experienced financial losses as a result of the attacks, officials said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The operational technology devices are deployed across the energy sector, water and wastewater systems, and U.S. government services and facilities. <\/p>\n<p>Censys scans spotted 5,219 internet-exposed Rockwell Automation\/Allen-Bradley PLC hosts shortly after the joint alert was issued by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and U.S. Cyber Command. <\/p>\n<p>Researchers at Censys determined most of the exposed devices are connected via cellular systems, posing a significant risk to remote field deployments. Nearly half of the devices globally are connected to Verizon\u2019s wireless network and 13% are connected to AT&T\u2019s infrastructure.<\/p>\n<p>\u201cThese devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path,\u201d Censys researchers wrote in the report. <\/p>\n<p>The potential attack surface is also amplified by additional services exposed in other ports on these devices, a discovery that Censys warned could allow attackers to gain direct paths to operations beyond PLC exploitation. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Researchers fingerprinted MicroLogix and CompactLogix models exposed to the latest threat campaign and published a list of the 15 most-exposed products. Many of the most prominent devices are running end-of-life software, a compounding risk that could allow attackers to prioritize unpatched devices upon scanning, according to Censys.<\/p>\n<p>The attacks date back to at least March, following the U.S. and Israel\u2019s war against Iran, and were underway as other Iranian government-backed attackers claimed other victims, including <a href=\"https:\/\/cyberscoop.com\/medtech-giant-stryker-says-its-back-up-after-iranian-cyberattack\/\">Stryker<\/a> and local governments.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.2667876588022\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/iran-attackers-industrial-ot-government-energy-water-censys\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iranian attacks on US critical infrastructure puts 3,900 devices in<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[750,999,78,579,302,117,578,513,874,6373,256,6374,288,1066],"tags":[755,1002,86,581,306,119,580,517,876,6375,262,6376,294,1067],"class_list":["post-8516","post","type-post","status-publish","format-standard","hentry","category-automation","category-censys","category-cybersecurity","category-energy","category-geopolitics","category-government","category-industrial-control-systems-ics","category-iran","category-operational-technology","category-programmable-logic-controllers","category-research","category-rockwell-automation","category-threats","category-water-sector","tag-automation","tag-censys","tag-cybersecurity","tag-energy","tag-geopolitics","tag-government","tag-industrial-control-systems-ics","tag-iran","tag-operational-technology","tag-programmable-logic-controllers","tag-research","tag-rockwell-automation","tag-threats","tag-water-sector"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/automation\/\" rel=\"category tag\">automation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/censys\/\" rel=\"category tag\">Censys<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/energy\/\" rel=\"category tag\">energy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/industrial-control-systems-ics\/\" rel=\"category tag\">industrial control systems (ICS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/iran\/\" rel=\"category tag\">Iran<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/operational-technology\/\" rel=\"category tag\">operational technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/programmable-logic-controllers\/\" rel=\"category tag\">programmable logic controllers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rockwell-automation\/\" rel=\"category tag\">Rockwell Automation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/water-sector\/\" rel=\"category tag\">water sector<\/a>","tag_info":"water sector","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8516"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8516\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8516,"date":"2026-04-09T16:29:16","date_gmt":"2026-04-09T21:29:16","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88552"},"modified":"2026-04-09T16:29:16","modified_gmt":"2026-04-09T21:29:16","slug":"iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/04\/09\/iranian-attacks-on-us-critical-infrastructure-puts-3900-devices-in-crosshairs\/","title":{"rendered":"Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs"},"content":{"rendered":"