Iranian APTs target PLCs and SCADA systems in US critical infrastructure.

Summary

By the N2K CyberWire staff

Iranian APTs target PLCs and SCADA systems in US critical infrastructure.

US intelligence and law enforcement agencies have warned that several Iran-linked APTs are targeting programmable logic controllers (PLCs) and SCADA systems across US critical infrastructure sectors, including municipal government services and facilities, water and wastewater systems, and energy utilities. The joint advisory from the FBI, CISA, NSA, EPA, DOE, and US Cyber Command states, "This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss."

The agencies say the threat actors are actively exploiting vulnerable PLCs manufactured by Rockwell Automation/Allen-Bradley, and are also probing products from other vendors, including the Siemens S7 PLC. The advisory notes, "The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. Targeted devices include CompactLogix and Micro850 PLC devices."

Secure and govern AI usage, applications, and agents across the enterprise

AI adoption is expanding across employee tools, copilots, embedded AI features, and homegrown applications. That pace is creating governance gaps, inconsistent policy enforcement, and new exposure risk. Security teams must now govern the AI employees use, and the AI applications and agents development teams build. This webinar shows how organizations can discover Shadow AI, apply prompt and response guardrails, and protect AI applications and agents at runtime through Cato AI Security.

US Justice Department disrupts APT28 router network.

The US Justice Department and the FBI announced a court-authorized disruption of a network of small office/home office (SOHO) routers controlled by APT28 (also known as "Fancy Bear"), a unit within Russia's GRU, Reuters reports. The DOJ says the threat actor used the compromised routers to conduct DNS hijacking attacks.

The Justice Department stated, "Since at least 2024, GRU actors have exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide. The actors then accessed many of these compromised routers without authorization and manipulated their settings to redirect DNS requests to GRU-controlled servers - i.e., malicious DNS resolvers. GRU actors were indiscriminate in their initial targeting and manipulation of routers. The actors then implemented an automated filtering process to determine which DNS requests were of interest and warranted interception."

Business news: Fortra acquires Zero-Point Security.

Minneapolis-based cybersecurity software provider Fortra has acquired UK-headquartered cybersecurity training firm Zero-Point Security. Fortra stated, "This will expand Fortra’s offensive security education capabilities, bringing additional expertise in red team operations, adversary emulation, and penetration testing training. Zero‑Point Security is widely recognized for its trusted red team operations training and has built a strong reputation delivering its high-demand, self-paced courses to individuals and businesses seeking advanced offensive operations skills."

Notes.

Today's issue includes events affecting , and .

Attacks, Threats, and Vulnerabilities

Frostarmada forest blizzard dns hijacking (Lumen) A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique ...

Massachusetts hospital turning ambulances away after cyberattack (The Record) Signature Healthcare and Signature Healthcare Brockton Hospital said on Monday that the cyber incident is impacting many of their information systems.

CVE-2026-34197 ActiveMQ RCE via Jolokia API (Horizon3.ai) CVE-2026-34197 is an ActiveMQ RCE flaw exploiting Jolokia to execute remote commands. Learn how it works, affected versions, and detection steps.

Minnesota governor orders emergency support for cyberattack disrupting county's 'critical systems' (StateScoop) “Swift coordination between state and local experts matters in these moments," Tim Walz, Minnesota's governor, said after a disruptive cyberattack in Winona County.

Legislation, Policy, and Regulation

Japan relaxes privacy laws to make AI development easy (The Register) Opting out of personal data use won't be an option because Minister says that's a 'very big obstacle' to AI adoption

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

SO-CON 2026 (Arlington, Virginia, USA, Apr 13 - 14, 2026) SO-CON is the only conference dedicated to identity-based security and attack path management. The week begins with a two-day main conference packed with talks, research, and community exchange, followed by four days of deep-dive, hands-on trainings led by adversary-experienced practitioners. Training to follow on April 15-18, 2026.

Space Symposium 2026 (Colorado Springs, Colorado, USA, Apr 13 - 16, 2026) Space Symposium is the premier event uniting global space professionals from all sectors, providing a unique platform to explore critical space issues, foster dialogue, and drive innovation across the space industry.

Adapt 2026: Signal Over Noise (New York, New York, USA, Apr 15, 2026) Adapt26 isn't your typical corporate conference. Built for security, IT, and risk leaders, this is where you learn to cut operational drag and move from overwhelming findings to focused remediation. When 56% of teams struggle to prioritize effectively, visibility alone isn't enough. You need durable context - a verifiable foundation that turns disconnected data into decision-grade security. Join the teams building a more resilient cyber future to learn how to secure your entire distributed footprint across IT, Cloud, and IoT/OT.

Philadelphia Cybersecurity Summit (Philadelphia, PA, Apr 15, 2026) Maximize your networking opportunities by meeting with fellow industry executives and leading security experts at the upcoming 9th Annual Philadelphia Official Cybersecurity Summit on Wednesday, April 15, 2026. Secure your admission now! Use Code CSS26-CRA before February 18 for Free Admission.*

CyberArk IMPACT 2026 (Austin, Texas, USA, May 11 - 13, 2026) At CyberArk IMPACT, cybersecurity practitioners and leaders will come together to explore today’s #1 attack vector – identity. Attendees will acquire a deep understanding of the latest developments in identity-based cyberattacks, including sophisticated attacker techniques that leverage AI and other methods. And most importantly, they will learn how to shut out attackers and prevent unauthorized access by securing every identity across the organization with the right level of privilege controls.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 04.08.26

Top stories.

Iranian APTs target PLCs and SCADA systems in US critical infrastructure.

US Justice Department disrupts APT28 router network.

Business news: Fortra acquires Zero-Point Security.

Notes.

Attacks, Threats, and Vulnerabilities

Legislation, Policy, and Regulation

Events