Two major state-sponsored cyber campaigns came into sharp focus this week. Iranian government hackers are actively disrupting U.S. critical infrastructure by targeting internet-exposed programmable logic controllers (PLCs), while Russia's APT28 has been running a global DNS hijacking operation through compromised home routers. Both campaigns exploit neglected edge devices - and both have triggered coordinated government responses.
Iran: PLCs as a Weapon Against U.S. Energy and Water Systems
A joint advisory from six U.S. agencies - FBI, NSA, CISA, EPA, Department of Energy, and Cyber Command - warned that an Iran-affiliated APT group has disrupted PLCs across multiple U.S. critical infrastructure sectors, including energy, water and wastewater systems, and government facilities. [1] The attacks have caused operational disruption and financial losses.
The campaign specifically targets Rockwell Automation and Allen-Bradley PLCs, including CompactLogix and Micro850 models. Attackers used leased third-party infrastructure running Rockwell's Studio 5000 Logix Designer software to establish accepted connections to victim PLCs, then manipulated project files and tampered with data displayed on human-machine interface (HMI) and SCADA screens. [2] For remote persistence, the attackers deployed Dropbear, a lightweight SSH tool, on victim endpoints via port 22. [2]
The exposure is substantial. Censys identified over 5,200 internet-exposed Rockwell Automation PLC hosts globally, of which approximately 3,900 - roughly 75% - are located in the United States. [3] Many of these are field-deployed in pump stations, substations, and municipal facilities, connected solely through cellular modems on Verizon and AT&T networks. Researchers noted that many of the most prominent devices are running end-of-life software, compounding the risk. [3]
This is not a novel playbook. Iranian actors, notably the Cyber Av3ngers group, compromised Unitronics PLCs at a Pennsylvania water facility in late 2023 - an earlier campaign that affected at least 75 devices. [1] But as Check Point Research's Sergey Shykevich observed, "organizations shouldn't treat this as a new threat, but as an accelerating one." [2]
The timing is significant. According to Unit 42, the escalation follows Operation Epic Fury, a joint U.S.-Israeli military offensive launched on February 28, 2026. Iran has experienced over 27 consecutive days of near-complete internet blackout since the strikes began, which Unit 42 assesses has degraded the ability of state-aligned actors inside Iran to coordinate. [4] However, geographically dispersed operatives and proxy groups continue to act with tactical autonomy. Unit 42 identified 7,381 conflict-themed phishing URLs spanning 1,881 unique hostnames, alongside a surge in hacktivist DDoS attacks, wiper threats, and financial fraud campaigns targeting Middle Eastern and Western entities. [4]
A separate investigation by JUMPSEC revealed that MuddyWater, another MOIS-linked group, is now using CastleRAT - a remote access trojan from the Russian criminal ecosystem - alongside a previously undocumented JavaScript malware called ChainShell that retrieves command-and-control addresses from an Ethereum smart contract. [2] This crossover between Iranian state actors and Russian criminal tooling complicates attribution and raises the bar for defenders.
Russia: APT28 Turns Home Routers Into a Surveillance Dragnet
In a parallel but distinct operation, Russia's GRU Unit 26165 - tracked as APT28, Forest Blizzard, or Fancy Bear - compromised thousands of small office and home office (SOHO) routers to build a global DNS hijacking network. Lumen's Black Lotus Labs codenamed the campaign FrostArmada. [5]
The technique was strikingly simple. Rather than deploying malware, APT28 exploited known vulnerabilities in TP-Link and MikroTik routers - including CVE-2023-50224, an authentication bypass in TP-Link WR841N devices - to modify DNS settings. [5] Compromised routers were reconfigured to use attacker-controlled DNS resolvers, silently redirecting users to adversary-in-the-middle (AitM) nodes when they accessed email login pages, particularly Microsoft Outlook on the web.
Because this interception occurred after users had already completed multi-factor authentication, the attackers harvested OAuth tokens directly - gaining account access without needing passwords or one-time codes. [6]
The scale was massive. At its peak in December 2025, more than 18,000 unique IP addresses across 120 countries communicated with APT28 infrastructure, and Microsoft identified over 200 organizations and 5,000 consumer devices as impacted. [5][6] Targets included government ministries, law enforcement agencies, and third-party email providers across North Africa, Central America, Southeast Asia, and Europe.
The U.S. Department of Justice disrupted the American portion of the network through a court-authorized operation dubbed Operation Masquerade. [5] But as Black Lotus Labs engineer Danny Adamitis noted, APT28 rapidly adapts: after a previous NCSC report in August 2025 exposed an earlier, more targeted approach, the group immediately pivoted to the mass DNS hijacking technique. [6]
The Common Thread: Neglected Edge Devices
Despite targeting different device types and using different techniques, both campaigns share a fundamental lesson: internet-exposed edge devices remain the most exploitable entry point into critical networks. Iranian actors compromised PLCs that should never have been publicly accessible. Russian actors turned routers that were end-of-life or years behind on patches into silent surveillance tools.
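As an added example (not code from any of the cited reports or vendors), the following Python sketch turns the two patterns above into detection logic over constructed flow records: engineering-protocol sessions to PLCs from outside the engineering subnet and SSH to OT hosts (the Iranian PLC campaign), and DNS queries to resolvers outside the sanctioned set (the FrostArmada router DNS hijack). The addresses, subnets and the assumption that the PLCs are reached over EtherNet/IP (TCP 44818) are hypothetical and labelled in the comments.

```python
import ipaddress

# Assumed site policy for this example (all values hypothetical / constructed).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # only DNS servers clients should use
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/24")     # where Studio 5000 workstations live
OT_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.20"}     # two PLCs and one HMI (constructed)
ENIP_PORT = 44818   # EtherNet/IP, the well-known port used to reach Logix-family PLCs (assumed here)
SSH_PORT = 22       # the advisory reports Dropbear on port 22 for persistence
DNS_PORT = 53

# Constructed flow records (src dst proto dport), as a firewall or NetFlow export might produce.
SAMPLE_FLOWS = """\
10.20.0.5     192.0.2.10      tcp 44818
198.51.100.7  192.0.2.10      tcp 44818
203.0.113.9   192.0.2.11      tcp 22
10.30.0.8     10.0.0.53       udp 53
10.30.0.8     198.51.100.200  udp 53
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def find_alerts(flows):
    """Apply three allowlist rules drawn from the two campaigns; returns (rule, src, dst) tuples."""
    alerts = []
    for src, dst, proto, dport in flows:
        if dst in OT_HOSTS and dport == SSH_PORT:
            # SSH to a PLC/HMI is never expected in this (assumed) environment.
            alerts.append(("ssh_to_ot_host", src, dst))
        elif dst in OT_HOSTS and dport == ENIP_PORT and ipaddress.ip_address(src) not in ENGINEERING_NET:
            # Engineering-protocol session from outside the engineering subnet, e.g. a leased third-party host.
            alerts.append(("enip_from_outside_engineering", src, dst))
        elif proto == "udp" and dport == DNS_PORT and dst not in SANCTIONED_RESOLVERS:
            # A client resolving through an unsanctioned server is the signature of a rewritten DNS setting.
            alerts.append(("unsanctioned_resolver", src, dst))
    return alerts


if __name__ == "__main__":
    for rule, src, dst in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"{rule}: {src} -> {dst}")
```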
The FCC's March 2026 decision to stop certifying foreign-made consumer routers reflects growing awareness of the problem, though experts have noted that few domestically produced alternatives currently exist. [6]
Looking Ahead
The convergence of these campaigns suggests that state-sponsored cyber operations are trending toward exploiting the structural weaknesses of under-managed infrastructure rather than developing novel zero-day exploits. For Iran, the degradation of domestic internet connectivity may push more operations toward decentralized proxy networks and criminal tool adoption. For Russia, the disruption of FrostArmada will likely prompt yet another tactical pivot - APT28 has shown repeatedly that takedowns slow but do not stop it.
For defenders, the message is clear: visibility into edge devices, OT networks, and DNS configurations is no longer optional. The next campaign will target whatever remains exposed.
Sources
[1] Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn
[2] Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs
[3] Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs
[4] Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran
[5] Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
[6] Russia Hacked Routers to Steal Microsoft Office Tokens

Image: towel.studio / Unsplash