Iran's Two Cyber Wings Are Running ICS Campaigns at the Same Time. CISA Just Confirmed It.
- Patrick Duggan
We have 60-plus published posts on the Handala Hack Team and the broader Iran-aligned cyber lineage. We have an indicator-of-compromise database that includes Handala command-and-control infrastructure, the Handala Intune Wiper signature, and the GitHub repository hosting Handala wiper-emulation code. We also have an existing IOC in our database tagged Rockwell-Allen-Bradley-PLC-Iran from a prior FBI / CISA / NSA joint advisory.
Today CISA published advisory AA26-097A. It names a different Iranian crew — Cyber Av3ngers, affiliated with the IRGC's Cyber Electronic Command — and it says they are now hitting Rockwell Automation Allen-Bradley programmable logic controllers across U.S. critical infrastructure.
Here is the part that matters more than the headline: Iran's two state-aligned cyber wings — the IRGC-CEC and the MOIS — are running parallel campaigns against U.S. critical infrastructure right now. Different branches, different malware families, same outcome.
If you read our March 13 post Handala Hit Medical Devices, Then Government, Then Defense, this is the ICS sequel.
What CISA Said Today
The advisory is direct. Iran-affiliated APT actors are exploiting internet-facing operational technology — PLCs manufactured by Rockwell Automation Allen-Bradley — across multiple U.S. critical infrastructure sectors. The disruptions hit Water and Wastewater Systems, Government Services, and Energy. The attack pattern is malicious project-file interaction plus manipulation of HMI and SCADA displays. The financial loss is not theoretical. The operational disruption is not theoretical.
The threat actor named is Cyber Av3ngers, also tracked as Soldiers of Solomon and the Shahid Kaveh Group. CISA places them inside the IRGC Cyber Electronic Command. The crew already had 75 confirmed Unitronics PLC compromises in a prior wave that hit U.S.-based water utilities — that earlier campaign was the subject of a separate IRGC-CEC advisory from late 2023. The new advisory escalates the target class from Unitronics to Rockwell Allen-Bradley and broadens the sector list.
The CVE in play is CVE-2021-22681 — an authentication-bypass vulnerability in Logix Controllers that Rockwell first disclosed five years ago. Five years. The bulletin is PN1550. The mitigation is to remove the device from direct internet exposure. That mitigation has been the same since 2021.
Why This Reads Differently if You Track Iran
The lazy framing on a story like this is that some new Iranian crew is doing something new. Neither half of that is true.
Cyber Av3ngers and the Shahid Kaveh Group are IRGC-CEC. The IRGC's Cyber Electronic Command is one of two state-aligned cyber arms in Iran. The other is the Ministry of Intelligence and Security — MOIS. MOIS contracts work to a constellation of front companies and crews, and the most active brand-name in the MOIS orbit for the past two months has been Handala.
Handala hit Stryker on March 6, 2026 and wiped roughly 200,000 medical devices in 79 countries. We covered it the same day. By March 17 our Handala-attributed indicator-of-compromise count had grown into the triple digits. Handala then claimed a hit on Lockheed Martin in late March, hit the Dubai government with a wiper on April 12, and went on to a string of smaller medical-device and ISP targets.
The reason this matters today: Iran is running two ICS campaigns simultaneously through two different organizations. IRGC-CEC is hitting PLCs at water plants and electric utilities. MOIS-aligned Handala is hitting medical devices, defense contractors, and foreign government infrastructure. Both campaigns are alive in May 2026. Both are state-directed. Both are hitting U.S. and allied targets. The bureaucratic separation between the two does not show up at the victim end of the wire.
If a vendor's threat report only covers one wing, the vendor is missing half the campaign.
The IOC Overlap
We checked our index this morning before writing this. Three things are already there.
We have an existing entry tagged Rockwell-Allen-Bradley-PLC-Iran in the iocs index, sourced from the prior FBI / CISA / NSA joint advisory on IRGC-CEC PLC activity. Today's advisory is the expansion of that earlier campaign — the same lineage of intrusion activity, retargeted from Unitronics to Rockwell hardware. The earlier advisory documented 75 Unitronics PLC compromises across water utilities. The new advisory does not name a victim count yet, but the pattern is the same: internet-exposed devices, default or weak credentials, malicious project-file injection, HMI manipulation.
We have a long tail of Handala IOCs — handala.to as a command-and-control node, handala-hack.ps as a secondary domain, the GitHub repository MrDomainAdmin/handalas-wiper-emulation as a malware-source flag, the Handala Intune Wiper signature, plus a stack of additional infrastructure indicators built up across two months of tracking.
We have five active blog posts that establish the through-line. Handala Hit Medical Devices, Then Government, Then Defense is the macro post. We Started With 85 Handala IOCs. We Ended With 145. Here's How. shows the IOC accumulation pattern. Today Is CISA Deadline Day for the Exact Vulnerability Class That Hit Stryker is the patch-cycle post that matters most for defenders. We Checked GitHub for Exploit Code Targeting the IRGC's Hit List. Nobody Else Is Looking. is the supply-chain angle. The Cisco FMC POC on GitHub Has a Webshell in It is the lateral example.
The IRGC-CEC PLC activity is in the same threat-intel orbit. Different malware family, same defender problem.
What Defenders Should Do Right Now
The CISA advisory's mitigation list is the same list every PLC advisory has had since 2021. None of it is novel. All of it is unimplemented at scale, which is the actual story.
Take Rockwell Automation Allen-Bradley PLCs off direct internet exposure. The Shodan history on these devices is bleak — there are still thousands of Logix Controllers responding on default ports with no firewall in front of them. The first action is enumeration of your own perimeter for any PLC that responds to a public IP. If it does, that is the issue.
Patch CVE-2021-22681. Five years is a long time. Rockwell's PSIRT is responsive, and its contact address is listed in the advisory contact section. Do not ask CISA for help while the device is still exposed.
Pull AA26-097A's STIX bundle and ingest it. CISA publishes the IOCs as both STIX XML and STIX JSON downloads on the advisory page. Anyone running an ICS environment with internet-exposed OT should already have a STIX consumer wired to CISA. If you do not, that is a same-day fix, not a quarter-end project.
Cross-reference against the IRGC's Hit List. We've been maintaining the public list of named Iranian-targeting infrastructure since March. If you operate in WWS, Energy, or Government Services and you do not see your asset on a watchlist somewhere, you are in scope by inference. Iran does not telegraph specific targets, but the sector pattern is now public.
Check your own logs for the Handala signatures too. The MOIS wing is hitting different verticals but using overlapping infrastructure. We've seen handala.to TLS fingerprints turn up in beacon logs at organizations that do not believe they are in Iran's target set. The cross-pollination is real.
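As an added example (not code from DugganUSA or from CISA), the following shows the two log-side actions above in one piece: a minimal STIX 2.1 consumer that turns an advisory bundle into a lookup table, then cross-checks proxy/DNS log lines against it. The bundle, the indicator ids and the log lines are constructed for the demonstration; only the domain and repository values come from this page.

```python
import json
import re

# Constructed STIX 2.1 bundle in the shape of CISA's STIX JSON downloads (not the
# real AA26-097A file); the values are the Handala indicators this page names.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'handala.to']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'handala-hack.ps' OR "
         "url:value = 'https://github.com/MrDomainAdmin/handalas-wiper-emulation']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "Handala Intune Wiper"},
    ]})

# One equality comparison inside a STIX pattern, e.g.  domain-name:value = 'handala.to'
_COMPARISON = re.compile(r"([\w-]+:[\w.]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

def indicators_from_bundle(bundle_json):
    """Map (object_path, lowercased value) -> indicator id for every equality comparison in indicator objects."""
    lookup = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # malware, relationship, etc. carry no pattern to match on
        for path, value in _COMPARISON.findall(obj["pattern"]):
            lookup[(path, value.lower())] = obj["id"]
    return lookup

# Constructed proxy/DNS log lines: timestamp, source host, protocol, action, destination.
SAMPLE_LOG = """2026-05-09T01:12:07Z hmi-ws-04 dns query update.example.internal
2026-05-09T01:12:09Z hmi-ws-04 tls connect HANDALA.TO:443
2026-05-09T01:13:30Z eng-laptop-2 http get https://github.com/MrDomainAdmin/handalas-wiper-emulation
2026-05-09T01:14:02Z plc-gw-1 dns query handala-hack.ps"""

def match_log(log_text, lookup):
    """Return (source_host, matched_value, indicator_id) for each log line hitting a url or domain indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:  # malformed or truncated line: skip rather than crash
            continue
        dest = fields[4].lower()
        host = dest.split("://")[-1].split("/")[0].split(":")[0]  # strip scheme, path, port
        for key in (("url:value", dest), ("domain-name:value", host)):
            if key in lookup:
                hits.append((fields[1], key[1], lookup[key]))
                break
    return hits
```

Matching is exact and case-insensitive on the host or URL, so a real deployment would add the other object paths the bundle uses (ipv4-addr, file hashes) and feed the hits to the SIEM with the indicator id attached.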
The Bigger Pattern
The thing to take away from today's CISA advisory is not "Iran is doing PLCs now." Iran has been doing PLCs since 2023. The thing to take away is that two different Iranian state-aligned cyber organizations are running parallel ICS campaigns against U.S. critical infrastructure in May 2026. IRGC-CEC's Cyber Av3ngers wing has the PLC beat. MOIS-aligned Handala has the medical-device-and-defense beat. The April 7 advisory was the prologue. May 9 is the renewed-attention moment. June will be a second advisory.
The defender-relevant takeaway is harder. The five-year-old Logix CVE is still working because a non-trivial number of utilities run their water plants on PLCs that have a public IP and a default login. That is a procurement problem, an engineering-culture problem, and a budget-allocation problem. It is not a threat-intel problem. The threat is the same threat it was in 2021. The attackers have not had to evolve, because the defender side did not.
Our bet at DugganUSA has been that the threat intel is the easy half. Identifying who is running which campaign on which day is a known, solvable problem. We do it every day. The hard half is whether the operator on the receiving end of the advisory takes the device off the internet before the next quarterly report.
The PLCs that go offline this week because of CISA AA26-097A will be the ones operated by people who already had the headcount to do it. The ones that get hit are the ones run by utilities with no SOC, no asset inventory, and no budget line for ICS hardening. The next victim list is not random. It correlates with org chart, not threat capability.
What We're Doing Next
We are adding the AA26-097A STIX bundle to our ingest pipeline tonight. The IOCs from CISA will land in our public STIX feed by tomorrow morning. The Rockwell Automation Allen-Bradley PLC pattern is being added to our public adversaries graph. Anyone consuming our feed — and there are 275 organizations in 46 countries currently doing so, with Microsoft and AT&T as top consumers — will see the IRGC-CEC PLC indicators alongside the existing Handala MOIS signatures by Saturday morning.
If you operate critical infrastructure and are not on the feed, the URL is at the bottom of our STIX-feed onboarding page. There is no per-seat pricing. We do not gatekeep threat intelligence. The point is to make the public-defender side of this fight easier, not harder.
If you want the macro picture, start at the March 13 Handala-Stryker post. If you want the ICS-specific picture, start at this advisory and walk back. Either path arrives at the same conclusion.
Iran is running two cyber campaigns at once. CISA confirmed half of it today. We've been writing the other half for two months. The receipts are public, indexed, and free.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
