  • Writer: Patrick Duggan

# Eight Posts on Iran's ICS War, Indexed. We Found You in Our Zero-Result Queue and This Is What You Were Looking For.


Someone hit our search endpoint this afternoon with the query "iranian apt plc critical infrastructure 2026" and got zero results.


We had to look. Because we have written about Iran's ICS campaigns eight times in the last two months. The reason the query missed is straightforward: the practitioner used "PLC" and "critical infrastructure"; our titles use "OT gateways," "ICS campaigns," and named operator handles. Different vocabulary, same story. The zero-result was a search-experience problem, not a coverage gap.


This post is the bridge. Eight posts, sixty-five days, one index. If you were the one searching this afternoon, this is what you came for.


## The eight, in chronological order



March 7, 2026 — "CISA Is Running on Fumes. Iran's Cyberwar Has Begun. Who's Watching Your Network?" The opening salvo. CISA furloughs against the backdrop of the Iran war's cyber phase escalating. We argued the federal coordinator was thinning out exactly when the operational tempo demanded it most.


March 9, 2026 — "Two Countries, Three Backdoors, One Weekend: Iran and China Got Busy." Weekend operational analysis showing simultaneous Iran and China implant activity. Three named backdoors with IOCs in our index. The shape was correlated tempo, not coincidence.


March 15, 2026 — "Iran Hit Stryker. We Called It." Stryker Corporation hit by an Iran-aligned operator on Pi Day weekend. We had indexed 1,014 Stryker subdomains and the Handala infrastructure cluster days before the breach landed in the news. Receipt-bearing call-out.


April 25, 2026 — "Iran Is Fighting Two Wars. We Have the IOCs for Both." The kinetic war against Israel and the cyber war against medical-device, government, and defense targets in the West are different theaters with shared infrastructure. We mapped both, with the IOCs to back it.


April 27, 2026 — "Handala Hit Medical Devices, Then Government, Then Defense. Here Are the Three Sectors Iran's MOIS Is Hunting." The Handala wiper crew's three-sector targeting pattern, sourced to Iran's Ministry of Intelligence and Security. Medical devices first, government second, defense third — a sequencing that recurred across multiple weeks. Pattern-recognition post.


May 1, 2026 — "CISA Republished ABB AWIN — Three Adjacent-Network Vulns in OT Gateways." CISA's republication of three vulnerabilities in ABB AWIN OT gateways. We covered the OT-gateway angle specifically because adjacent-network attacks against PLCs and process-control hardware run through gateways like AWIN — exactly the layer the practitioner was searching for under the "PLC" wording.


May 9, 2026 — "Iran's Two Cyber Wings Are Running ICS Campaigns at the Same Time. CISA Just Confirmed." Two distinct Iranian cyber wings — MOIS-aligned and IRGC-aligned — running ICS campaigns concurrently. CISA confirmation came after our prior coverage of both wings. The post mapped the operator separation and what it implied for defenders watching ICS networks.


May 11, 2026 — "Twenty-Eight Kittens: CISA Named Three Iranian Operators in AA26-097A. We've Been Indexing the Group for Months." Yesterday's post. CISA's advisory AA26-097A named three Iranian threat actors using the "Kitten" naming convention. We had been indexing the operator cluster for months under different conventional names. Side-by-side mapping of the CISA naming against our prior IOCs.


## Cross-cutting threads



Five threads run through these eight posts. They matter because if you are defending an ICS or OT network, the threads are how you turn the coverage into an operational hunt.


Named operators. Handala wiper crew (MOIS-aligned). MuddyWater (MOIS-aligned, runs Microsoft Teams credential-theft campaigns). Twenty-Eight Kittens family (per CISA AA26-097A — three named operators in the May 11 post). IRGC-aligned wings separately. Each operator has its own IOC cluster in our iocs index, source-tagged.


Sector sequence. The Handala writeup documented a three-sector targeting cadence: medical devices first, government second, defense third. The sequence recurred across weeks and adversaries, not just Handala. If you are in healthcare or medical device manufacturing, you are probably first on a list.


OT and PLC adjacency. The May 1 ABB AWIN republication is the most direct PLC-relevant post. AWIN gateways sit between IT and OT networks. Adjacent-network vulnerabilities mean an attacker who pivots laterally from IT can hit the PLC tier without ever touching the PLC's protocol stack directly. The CISA republication signaled this had moved past theoretical.


MOIS vs IRGC separation. Iran's cyber capability is not a single org. MOIS (Ministry of Intelligence and Security) and IRGC (Islamic Revolutionary Guard Corps) run separate wings with overlapping infrastructure. The May 9 post mapped which campaigns trace to which wing. For defenders, the implication is that disrupting one wing's infrastructure does not necessarily disrupt the other.


Iran-China tempo correlation. The March 9 weekend showed concurrent Iran-China implant activity that was unlikely to be coincidence. We have not published a definitive coordination claim but the tempo correlation is in the data and worth watching during geopolitical inflection points.


## What we keep covering vs. what is new



We keep covering Iran's ICS war because the war is ongoing — kinetic since February 28, cyber-active since well before that. The IOC count for Iran-aligned infrastructure in our index grows weekly. The STIX feed pushes those IOCs daily to 275+ consumers in 46 countries.


What is new this week: the May 11 CISA AA26-097A naming of three Iranian operators puts public agency confirmation on infrastructure clusters we had under different conventional names. That advisory is the kind of receipt our ledger thrives on — public confirmation that the call-out was right.


What is coming: Iran is fighting on multiple fronts. The cyber tempo correlates with kinetic events. When the next inflection point in the kinetic war happens, expect the ICS campaigns to ramp at the same hour. The defenders who have the IOCs already indexed will have the lead time.


## How to consume this



If you run an ICS or OT network and you came here from a search engine: subscribe to our STIX feed. It is free, it is unauthenticated, it returns indicators for everything covered above, and it updates daily. The URL is analytics.dugganusa.com/api/v1/stix-feed. If your SIEM or IDS speaks STIX/TAXII 2.1, the integration is fifteen minutes.


If you want the long-form context, every one of the eight posts above is on www.dugganusa.com and discoverable by title. The search endpoint that returned zero for "iranian apt plc critical infrastructure 2026" returns everything for "Handala" or "Iran ICS" or "MOIS" or "Twenty-Eight Kittens." We will adjust the search to bridge the vocabulary gap in a separate piece of work; this post is the bridge for the practitioner who needed it tonight.


If you came here from somewhere else: the eight posts are the operational primer on the Iran-aligned cyber threat to ICS and OT environments. Read them in order, pull the IOCs, run them against your network logs. The receipts are timestamped.
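The two steps above, consuming the STIX feed and running its indicators against your logs, look like this in practice. This is an added example and not code from dugganusa.com or its feed: the bundle and the log lines are constructed sample data using documentation-range addresses and a placeholder hash, the function names (`extract_indicators`, `match_logs`, `fetch_bundle`) are mine, and the only assumption about the real endpoint is that analytics.dugganusa.com/api/v1/stix-feed returns a standard STIX 2.1 bundle as JSON. It goes slightly beyond the post by handling two edge cases a hunt should respect: revoked indicators are dropped, and non-STIX pattern types are skipped rather than misparsed.

```python
"""Parse a STIX 2.1 bundle, pull the atomic indicators out of its patterns,
and match them against log lines.

Added example, not code from dugganusa.com or its feed. SAMPLE_BUNDLE and
SAMPLE_LOGS are constructed. FEED_URL is the URL the post gives; that it
returns a plain STIX 2.1 bundle is an assumption, and fetch_bundle() is the
only network call and is never run at import time.
"""
import json
import re
import urllib.request
from collections import defaultdict

FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"  # scheme assumed

# Constructed placeholder (64 hex chars), not a real IoC.
PLACEHOLDER_SHA256 = "a1" * 32

# Constructed STIX 2.1 bundle; every value is a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2026-05-11T00:00:00.000Z", "modified": "2026-05-11T00:00:00.000Z",
         "name": "constructed C2 domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2026-05-11T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2026-05-11T00:00:00.000Z", "modified": "2026-05-11T00:00:00.000Z",
         "name": "constructed C2 addresses", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45'] OR [ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-05-11T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2026-05-11T00:00:00.000Z", "modified": "2026-05-11T00:00:00.000Z",
         "name": "constructed wiper sample", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % PLACEHOLDER_SHA256,
         "valid_from": "2026-05-11T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",  # revoked: must not be hunted
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2026-03-01T00:00:00.000Z", "modified": "2026-05-01T00:00:00.000Z",
         "name": "constructed retired domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old.example.invalid']",
         "valid_from": "2026-03-01T00:00:00Z", "revoked": True},
        {"type": "malware", "spec_version": "2.1",  # not an indicator: ignored
         "id": "malware--00000000-0000-4000-8000-000000000006",
         "created": "2026-05-11T00:00:00.000Z", "modified": "2026-05-11T00:00:00.000Z",
         "name": "constructed wiper", "is_family": False},
    ],
})

# Constructed log lines: one DNS hit, one connection hit, one benign line, one file hit.
SAMPLE_LOGS = [
    "2026-05-12T01:02:03Z dns query host=c2.example.invalid src=10.0.5.21",
    "2026-05-12T01:02:09Z conn src=10.0.5.21 dst=203.0.113.45 dport=443",
    "2026-05-12T01:03:00Z conn src=10.0.5.22 dst=192.0.2.10 dport=502",
    "2026-05-12T01:04:00Z file-write sha256=" + PLACEHOLDER_SHA256 + " path=/tmp/x.bin",
]

# One comparison inside a STIX pattern: [object-type:path = 'value'].
# Compound patterns are split into their comparisons and treated as OR,
# which is the right reading for atomic IoC matching (AND/FOLLOWEDBY would
# need a proper pattern evaluator).
COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\s*\]")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_indicators(bundle_json):
    """Return {"<type>:<path>": set(values)} for live, STIX-pattern indicators."""
    found = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns need a different consumer
        for sdo_type, path, value in COMPARISON.findall(obj.get("pattern", "")):
            found[f"{sdo_type}:{path}"].add(value.lower())
    return found


def match_logs(indicators, log_lines):
    """Return [(line_no, kind, value)] for every indicator seen in the logs."""
    domains = indicators.get("domain-name:value", set())
    ips = indicators.get("ipv4-addr:value", set())
    hashes = indicators.get("file:hashes.'SHA-256'", set())
    hits = []
    for n, line in enumerate(log_lines, 1):
        hits += [(n, "ipv4-addr", ip) for ip in IPV4.findall(line) if ip in ips]
        hits += [(n, "domain-name", h.lower()) for h in HOSTNAME.findall(line) if h.lower() in domains]
        hits += [(n, "sha256", h.lower()) for h in SHA256.findall(line) if h.lower() in hashes]
    return hits


def fetch_bundle(url=FEED_URL, timeout=30):
    """GET the live feed (assumed to be a STIX 2.1 bundle). Not called at import."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE_BUNDLE)
    for n, kind, value in match_logs(inds, SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

To run it against the real feed, replace `SAMPLE_BUNDLE` with `fetch_bundle()` and `SAMPLE_LOGS` with your own exported log lines; the indicator keys follow the STIX object path, so a feed that also ships `url:value` or `email-addr:value` indicators will land in `extract_indicators` untouched and only needs a matching extractor in `match_logs`.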


— Patrick Duggan, May 12, 2026
