Iran attempting cyber attacks against U.S. critical infrastructure, officials say

WASHINGTON — U.S. intelligence agencies are “urgently warning” private sector companies across the country that Iranian actors are “conducting exploitative activities” that are causing “disruptions to many critical U.S. infrastructures,” according to a government memo reviewed by The Times.
Iran’s cyber activities come as President Trump threatens to target Iran’s critical infrastructure, particularly its bridges and power plants, in the coming hours.
Iran’s attack targeted products from Rockwell Automation’s Allen-Bradley, one of the most widely used industrial automation brands. According to the statement, cyber actors affiliated with Iran exploited “programmable logic controllers in US critical infrastructure.”
The statement warns that Tehran’s targeting campaigns against US entities have “increased recently, possibly in response to hostilities between Iran and the US and Israel.”
“Advanced persistent threat (APT) actors affiliated with Iran are conducting exploits targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the statement said.
“U.S. agencies should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or past activity in their networks,” it continues.
The advisory was jointly issued Tuesday by the FBI, Cybersecurity and Infrastructure Security Agency, National Security Agency, Environmental Protection Agency, Department of Energy and Cyber Command.
Senior executives at companies central to the country’s ability to operate — those that run America’s largest energy, water, transportation and communications companies — have already taken it upon themselves to be wary of potential attacks, worried that Trump’s willingness to inadvertently target Iran’s critical infrastructure could leave a mark on their backs.
Some fear Iran’s ability to conduct cyber operations that could disable transformers or power inverters, even if it does not have a large-scale power system. Others are concerned about threats to brick-and-mortar facilities from Tehran’s proxies: physical attacks on the industry’s most important facilities, such as nuclear power plants or energy management systems.
Larger and more capable actors, particularly Russia and China, can take advantage of the fog of war to launch attacks themselves.
“Concerns remain about Iran’s cyber capabilities and retaliation if the United States continues to threaten to attack Iran’s infrastructures,” said Ernest Moniz, a former U.S. Secretary of Energy under President Obama who helped negotiate the 2015 nuclear deal with Iran. “There may already be backdoors, Trojans, and malware lurking in our infrastructure.”
“I have to believe that the government’s cyber experts, or what’s left of them, are working closely and even overtime with energy companies and other infrastructure operators on cyber defense and intrusion detection and warning,” Moniz added.
Iran has previously demonstrated the ability to infiltrate networks connected to critical US infrastructure.
In 2015, Iranian-backed hackers attacked Calpine Corp., one of California’s largest energy producers. They obtained detailed engineering diagrams and identification information about power plant systems by accessing data on the Some are labeled “mission critical.” US officials feared at the time that the breach would allow Tehran to initiate a nationwide blackout.
Since then, companies at the center of the U.S. energy and telecommunications sectors have significantly improved their defenses. However, Iran’s offensive capabilities have also improved.
Pedro J. Pizarro, chairman and chief executive officer of Edison International, the parent company of Southern California Edison, one of the nation’s largest electric utilities, said major players in the energy industry are operating “with a watchful eye and a heightened stance right now.”
Companies like Edison have operated under constant threat for over a decade. In 2024, a pair of devastating cyberespionage attacks targeting US critical infrastructure attributed to Chinese hackers Volt Typhoon and Salt Typhoon were discovered after evading detection for at least three years.
Experts and insiders said that despite all efforts and technological advances, the threat of a similar stealth attack, where malware remains dormant on critical infrastructure systems and waits for a signal to activate, is a real concern in the industry.
“The threat of cyber and physical attacks targeting critical infrastructure is not new,” said Jennifer DeCesaro, senior vice president of industry operations at the Edison Electric Institute. “That’s why we’re partnering with the government through the Electric Subsector Coordinating Council to share actionable intelligence and prepare to respond to events that could impact our ability to deliver electricity safely and reliably.”
ESCC works closely with the National Security Council and its intelligence arms, particularly the intelligence agencies and CISA, to coordinate regular briefings on security standards, best practices, and intelligence leads.
The CIA declined to comment. A CISA spokesperson listed as off-duty due to ongoing federal funding cuts for the Department of Homeland Security could not be reached for comment.
Director of National Intelligence Tulsi Gabbard, who announced last summer that her office’s workforce would be reduced by 40%, eliminated the Cyber Threat Intelligence Integration Center, previously viewed by private sector partners as a critical information consolidation center.
White House press secretary Karoline Leavitt echoed the president’s threats as she was asked to respond to possible retaliatory attacks on US infrastructure.
“The Iranian regime has until 20:00 Eastern time to seize the right moment and make a deal with the United States,” she said. “Only the president knows where things stand and what to do.”
Trump has threatened to destroy all bridges and power plants in Tehran if an agreement is not reached to end its control of the Strait of Hormuz.
As a result, corporate executives shoulder much of the burden as the first line of defense for the country’s critical infrastructure, about 85% of which is in the hands of private sector companies.
Tom Fanning, former CEO of Southern Co. and now executive chairman of the Critical Infrastructure Alliance, said the threat from Iran is “credible.”
“I haven’t seen anything that I would describe as an existential threat to collapse a broad system of power,” Fanning said. “Can these be activated? Of course. Is the critical infrastructure of the United States ready for action? I think so.”
Last month, early in the battle, the Los Angeles Metro transit system was forced to shut down part of its network due to a hack. Authorities say it is still unclear who was behind the breach, but a source told The Times that Iran-backed hackers are being investigated as potential culprits.
The transportation agency said its security team “discovered unauthorized activity” and made sure its approximately 1,400 servers were secure before bringing them back online. The agency emphasized that the attack did not affect passengers’ commute time.
The FBI said it was aware of the attack. DHS is working with local partners “to address cyber threats to critical infrastructure,” an official said.
“The reality is that the threats are here and now,” Fanning added. “The truth is, the bad guys are already here.”
Times writers Kevin Rector, Richard Winton and Rebecca Ellis in Los Angeles contributed to this report.



