
Federal agencies sound the alarm as Iran-linked hackers hit water, energy, and beyond
The warning could not be more urgent. A coalition of the government’s most powerful cybersecurity and intelligence agencies released a joint advisory on Tuesday, confirming what security researchers had long feared — Iranian-affiliated hackers have moved well beyond reconnaissance and are now actively disrupting critical infrastructure systems on domestic soil.
The FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the Environmental Protection Agency, the Department of Energy, and the military’s Cyber National Mission Force collectively issued the alert, identifying a pattern of escalating intrusions targeting the industrial control systems that keep water flowing, power on, and local governments running.
How the Hackers Got In
The attackers, believed to be skilled hackers, have been zeroing in on programmable logic controllers and supervisory control and data acquisition systems — industrial hardware used to operate and manage physical infrastructure like water treatment facilities, electrical grids, and energy plants. These are not obscure back-end systems. They are the mechanical nerve centers of everyday life.
The intrusions have already caused measurable harm. The advisory confirmed the following impacts across affected organizations:
- Manipulation of data displayed on human-machine interfaces (HMIs) and SCADA screens
- Unauthorized access to and extraction of critical device project files
- Disruption of programmable logic controller functions across multiple infrastructure sectors
- Operational shutdowns resulting in financial losses at victim organizations
- Confirmed breaches across water and wastewater utilities, energy, and local government facilities
Agencies specifically flagged Rockwell Automation and Allen-Bradley manufactured controllers as primary targets, urging organizations running those systems to immediately review the manufacturer’s security guidance and disconnect internet-facing devices where possible. These hackers continue to refine their methods, making vigilance against potential hacks essential.
Handala — The Hacker Group Behind the Chaos
At the center of the most destructive attacks is a group known as Handala — formally identified by federal prosecutors as a front for Iran’s Ministry of Intelligence and Security. The group presents itself publicly as a pro-Palestinian hacktivist collective, but Western cybersecurity researchers widely regard it as a state-operated cyber weapon dressed in activist clothing.
Handala’s most devastating confirmed strike to date was against Stryker, the Michigan-based medical technology giant. On March 11, the group claimed responsibility for wiping tens of thousands of employee devices using the company’s own security management tools — a particularly chilling method that turned an organization’s defenses against itself. Stryker later confirmed the breach was contained, but the attack marked the first confirmed destructive wiper operation against a Fortune 500 company in the current conflict.
The FBI subsequently seized several of Handala’s domains — a move the group publicly mocked before relaunching on new ones. Days later, Handala escalated further, breaching the personal Gmail account of FBI Director Kash Patel and publishing over 300 emails and personal photographs online. The FBI confirmed the breach, describing the leaked material as historical in nature and containing no government information. A $10 million reward has been offered for information leading to members of the group.
A War Being Fought on Two Fronts
The cyber escalation runs parallel to a geopolitical crisis that has been intensifying since late February, when a series of air strikes — carried out jointly by the United States and Israel — killed Iran’s head of state. What followed was an aggressive Iranian response across both physical and digital theaters.
Iran has since launched missile strikes against data centers across the Middle East operated by Western entities, triggering instability in cloud infrastructure across the region. On the diplomatic front, President Donald Trump issued a stark ultimatum via social media on Tuesday, warning that catastrophic consequences would follow if Iran did not reach a deal to reopen the Strait of Hormuz.
Cybersecurity analysts warn that the Handala attacks and the broader infrastructure intrusions are not isolated incidents. This hacker activity represents a deliberate, coordinated strategy to inflict economic damage, erode public confidence, and embarrass high-profile targets.
What Organizations Must Do Right Now
Federal agencies are pressing organizations across all sectors to immediately implement defensive measures. The advisory outlines the following priority actions:
- Disconnect all internet-facing operational technology devices that do not require remote access
- Enforce phishing-resistant multi-factor authentication across all systems, especially Microsoft environments
- Apply the principle of least privilege — restrict administrative access to only those who need it
- Enable multi-admin approval in platforms like Microsoft Intune for any sensitive configuration changes
- Immediately patch or isolate Rockwell Automation and Allen-Bradley PLC systems
- Report any suspicious activity to CISA’s 24/7 Operations Center or the FBI’s Internet Crime Complaint Center
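As an added illustration (not code from the advisory or any of the agencies named), the script below turns the priority actions above into a triage over a constructed OT asset inventory: it flags internet-facing devices that have no remote-access need, singles out Rockwell Automation and Allen-Bradley PLCs for patching or isolation, and ranks the results so the most exposed controllers come first. Asset names, vendors other than the two named, and the inventory fields are assumptions.

```python
# Added example, not from the advisory or any named vendor: triage a
# constructed OT asset inventory against the priority actions listed above.
from dataclasses import dataclass

PRIORITY_VENDORS = {"rockwell automation", "allen-bradley"}  # named in the advisory

@dataclass
class OtAsset:
    name: str
    vendor: str
    kind: str                     # "plc", "hmi", "historian" ...
    internet_facing: bool
    remote_access_required: bool  # does a documented process need remote access?
    patched: bool                 # vendor security fixes applied?

def is_priority_plc(asset: OtAsset) -> bool:
    return asset.kind == "plc" and asset.vendor.lower() in PRIORITY_VENDORS

def triage(asset: OtAsset) -> list[str]:
    """Map one asset to the advisory's recommended actions, in order."""
    actions = []
    if asset.internet_facing and not asset.remote_access_required:
        actions.append("disconnect from the internet")
    elif asset.internet_facing:
        actions.append("front remote access with phishing-resistant MFA")
    if is_priority_plc(asset):
        actions.append("review vendor security guidance")
        if not asset.patched:
            actions.append("patch now, or isolate from the network until patched")
    return actions

def severity(asset: OtAsset) -> int:
    """Higher is more urgent: exposed, unpatched, priority-vendor PLCs first."""
    return (2 * asset.internet_facing) + (2 * is_priority_plc(asset)) + (not asset.patched)

def ranked_plan(assets: list[OtAsset]) -> list[tuple[str, int, list[str]]]:
    """Only assets needing action, most urgent first (sort is stable on ties)."""
    plan = [(a.name, severity(a), triage(a)) for a in assets if triage(a)]
    return sorted(plan, key=lambda row: row[1], reverse=True)

# Constructed sample inventory (hypothetical asset names and states).
SAMPLE = [
    OtAsset("wtp-plc-01", "Allen-Bradley", "plc", True, False, False),
    OtAsset("scada-hmi-02", "OtherVendor", "hmi", True, True, True),
    OtAsset("sub-plc-03", "Rockwell Automation", "plc", False, False, True),
    OtAsset("hist-04", "OtherVendor", "historian", False, False, True),
]

if __name__ == "__main__":
    for name, score, actions in ranked_plan(SAMPLE):
        print(f"[{score}] {name}: " + "; ".join(actions))
```

Running it lists the exposed, unpatched Allen-Bradley controller first with all three actions, and drops the historian that needs nothing.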
Infrastructure Has Never Been More Vulnerable
What makes this moment distinct is not just the sophistication of the attacks — it is the audacity. Handala’s willingness to target a sitting FBI director’s personal accounts, wipe a Fortune 500 company’s data, and simultaneously probe water treatment plants and energy systems signals a threat actor operating with very little restraint.
For communities that depend on these systems — hospitals drawing on municipal water, families relying on local power grids, cities running on interconnected government networks — the stakes of a successful infrastructure hack are not abstract. They are immediate and potentially life-threatening.
The joint advisory makes clear that this is no longer a matter of preparation. The intrusions have already happened. The disruptions have already been felt. The only question now is how far it goes — and how fast organizations move to close the door before it swings open any wider.