Sources: CISA Advisory · Utility Dive · NERC · April 8, 2026
CISA issued an advisory on April 8 warning that hackers affiliated with Iran are actively targeting programmable logic controllers (PLCs) used in the energy sector, water and wastewater systems, and government facilities. NERC confirmed it is “actively monitoring the grid” in response. The advisory was issued during the sixth week of the US-Israeli war against Iran, indicating that Iranian cyber operations against U.S. critical infrastructure are escalating in direct response to the kinetic conflict. PLCs are the fundamental building blocks of industrial automation — they control pumps, valves, circuit breakers, and other physical systems. Compromising a PLC gives an attacker the ability to cause physical effects: opening valves, tripping breakers, disrupting water treatment processes. CSIS analysis published this week confirmed that Iran’s approach to cyber conflict has shifted from episodic to sustained, treating cyberspace as an extension of state power against critical infrastructure.
Action Required: Audit all internet-exposed PLCs immediately. Ensure no PLCs are directly accessible from the internet without VPN and MFA. Implement network monitoring for anomalous PLC communications. Review CISA advisory for specific Iran-linked indicators of compromise. Coordinate with your regional NERC entity on grid monitoring status. Brief control room operators on the elevated Iranian threat to PLC infrastructure.
Sources: Dragos 2026 OT/ICS Cybersecurity Year in Review · April 2026
Dragos’s 2026 report reveals that KAMACITE — the access development team that directly enables ELECTRUM (Sandworm/Russia) — spent four months systematically scanning internet-exposed industrial devices across the United States. KAMACITE targeted HMIs, variable frequency drives, meters, and cellular gateways in deliberate sequence to map entire control loops across energy and critical infrastructure sectors. Separately, Dragos observed SYLVANITE, a Stage 1 access group, operating inside a U.S. electric utility network and handing footholds directly to ICS-capable adversaries including VOLTZITE (Volt Typhoon). Dragos now tracks over twenty ICS threat groups — up from five in 2018. The report states that “electric environments are not being breached loudly at a point in time; they are being inhabited silently over time.” The adversaries are not just maintaining access — they are building the operational intelligence required to cause physical disruption when ordered to act.
Action Required: Conduct an immediate audit of all internet-exposed industrial devices — HMIs, VFDs, meters, cellular gateways. Implement the Dragos/SANS ICS Five Critical Controls. Deploy OT-specific network monitoring capable of inspecting ICS protocols. Hunt for SYLVANITE and KAMACITE indicators in your OT environment. If you are a U.S. electric utility, request a proactive assessment from Dragos or CISA.
Sources: Dragos · CyberScoop · CISA · January–February 2026
ELECTRUM (tracked by others as Sandworm) conducted the first-ever cyberattack targeting distributed energy resources (DERs) — smaller wind, solar, and CHP facilities being added to grids worldwide. The attack targeted a Polish power system, deploying wiper malware through vulnerable internet-facing edge devices. The malware destroyed remote terminal units (RTUs), corrupted HMI data, and caused loss of view and control between facilities and distribution system operators. While the renewable energy systems continued producing power, the operators could not control or monitor them — a loss of situational awareness that is the prerequisite for grid instability. CISA issued a follow-up alert urging U.S. operators to review the Polish report and strengthen edge device security. The Polish CERT compared the attack to “deliberate arson.” This attack is significant because DERs are being deployed rapidly across the U.S. and globally, often faster than they are secured. The grid is becoming more capable but also more exposed.
Action Required: Operators of distributed energy resources (solar, wind, battery storage, CHP) must audit all edge devices and remote access pathways. Implement firmware integrity monitoring on RTUs. Ensure DER management systems are segmented from business IT networks. Review CISA’s guidance on the Poland attack. Coordinate with DER equipment vendors on patch status for internet-facing devices. Recognize that DER environments are now confirmed targets for nation-state destructive attacks.
Sources: Anthropic · The Hacker News · Help Net Security · April 8, 2026
Anthropic’s unreleased Mythos Preview AI model autonomously found and exploited zero-day vulnerabilities in every major operating system and browser. Energy infrastructure is uniquely exposed to this capability shift: SCADA systems run on operating systems with 20-30 year lifecycles. ICS devices often run legacy firmware that has never been audited by modern tools. Physical assets cannot be rebooted for patching without safety incidents. Edge devices connecting DER systems to the grid were not designed with cybersecurity in mind. When AI models can autonomously find zero-days in modern, well-maintained software, they will find orders of magnitude more exploitable vulnerabilities in the legacy systems that the energy grid depends on. Palo Alto Networks warned similar capabilities are “weeks or months from proliferation.” Energy sector defenders must prepare now for a world where adversaries can discover vulnerabilities in their infrastructure faster than vendors can produce patches.
Action Required: Prioritize reducing attack surface on all OT systems — every internet-exposed device is a target. Implement compensating controls for systems that cannot be patched: network isolation, protocol-aware monitoring, access restrictions. Begin evaluating AI-augmented vulnerability scanning for OT environments. Accept that patching alone is no longer sufficient — defense-in-depth with monitoring and segmentation is mandatory.
Sources: Adobe · CISA KEV · April 11–13, 2026
Adobe patched a critical Acrobat Reader zero-day (CVE-2026-34621, CVSS 8.6) that had been actively exploited since December 2025 via malicious PDFs. Energy utilities exchange PDF documents constantly with regulators (NERC, FERC, state PUCs), vendors, contractors, and government agencies, so phishing emails delivering malicious PDFs are readily disguised as compliance filings, inspection reports, and vendor communications. CISA added the CVE to its KEV catalog with an April 27 remediation deadline.
Action Required: Patch Adobe Acrobat Reader immediately. Instruct staff not to open PDF attachments from unverified senders. Block “Adobe Synchronizer” User Agent traffic.
Sources: Kaspersky · The Hacker News · April 9–13, 2026
CPUID’s website was compromised for 19 hours (April 9–10), serving trojanized CPU-Z and HWMonitor installers that deployed STX RAT. These hardware monitoring tools are used by utility IT staff, OT engineers, and data center administrators — the people with privileged access to SCADA systems and control networks. STX RAT harvests credentials, session cookies, VPN credentials, and password manager data. A single infected workstation used by an OT engineer provides a bridge from IT to OT networks.
Action Required: Check all IT and OT workstations for CPU-Z or HWMonitor installers downloaded from CPUID on April 9–10. Isolate and investigate any host where one is found. Block the C2 address 95.216.51[.]236 at the perimeter and in proxy/DNS logs. Implement application allowlisting on OT-adjacent workstations.
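One way to run the workstation check above at scale, added here as an example and not part of the Kaspersky report or this brief: walk each user's download locations for installers whose names match the two affected tools and whose modification time falls in the compromise window, and record a SHA-256 for each hit so it can be compared against vendor-published hashes. The filename patterns, the widened UTC window, and the demo directory tree are assumptions; on a real host the roots should be every profile's Downloads, Desktop and temp directories.

```python
"""Hunt for CPU-Z / HWMonitor installers fetched during the CPUID compromise window.

Added example, not from Kaspersky's write-up or the source brief. It assumes the
installers kept their default download names and that the local mtime reflects
the download time; the window and directory list are assumptions to adjust.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List

# Default installer names for the two affected tools (assumed patterns).
SUSPECT_NAME = re.compile(r"^(cpu-?z|hwmonitor)[\w.\-]*\.(exe|zip|msi)$", re.IGNORECASE)

# Compromise window from the brief (April 9-10), widened to whole UTC days to
# absorb clock skew and time-zone differences.
WINDOW_START = datetime(2026, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 11, tzinfo=timezone.utc)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_downloads(roots: Iterable[Path], start: datetime, end: datetime) -> List[Dict[str, str]]:
    """Walk each root and return matching installers modified inside [start, end]."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                if not SUSPECT_NAME.match(name):
                    continue
                path = Path(dirpath) / name
                modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                if start <= modified <= end:
                    hits.append({
                        "path": str(path),
                        "modified": modified.isoformat(),
                        "sha256": sha256_of(path),
                    })
    return hits


def build_demo_tree(base: Path) -> None:
    """Plant constructed files (not real installers) so the hunt runs offline."""
    def plant(relpath: str, when: datetime) -> None:
        p = base / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ demo " + relpath.encode())
        os.utime(p, (when.timestamp(), when.timestamp()))

    plant("Downloads/cpu-z_2.16-en.exe", datetime(2026, 4, 9, 15, 30, tzinfo=timezone.utc))  # inside window
    plant("Downloads/hwmonitor_1.60.exe", datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc))   # predates compromise
    plant("Downloads/notepad++.exe", datetime(2026, 4, 10, 8, 0, tzinfo=timezone.utc))       # unrelated tool


def run_demo() -> List[Dict[str, str]]:
    """Build the constructed tree in a temp dir and hunt it; returns the hits."""
    base = Path(tempfile.mkdtemp(prefix="cpuid-hunt-"))
    build_demo_tree(base)
    return find_suspect_downloads([base], WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

A hit is a lead, not a verdict: the trojanized installers were served for only part of the window and a legitimate copy may have been fetched in the same period, so the hash should be checked against CPUID's known-good release hashes and the C2 address searched for in proxy and DNS logs before a host is declared clean.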
Sources: CSIS · Industrial Cyber · April 2026
CSIS published analysis this week identifying that Iran’s approach to cyber conflict is no longer episodic or symbolic. It is a sustained, strategic posture that treats cyberspace as an extension of state power, particularly against critical infrastructure. Iranian actors, including state-linked and proxy hacktivist groups, are positioned to target energy, water, and transportation sectors, exploiting legacy ICS and weak segmentation. These operations are not just about immediate disruption — they are about pre-positioning access for future escalation, creating latent risk inside networks that may only surface during moments of geopolitical crisis. The blend of capability and intent makes the current threat environment more volatile than previous Iranian cyber campaigns. For energy utilities, this means the threat is not a single attack — it is a persistent presence that may activate at a time chosen by the adversary, not the defender.
Action Required: Energy utilities should assume Iranian actors are probing or present in their environments. Conduct threat hunts specifically targeting Iranian TTPs: default credentials on PLCs, internet-exposed HMIs, and Modbus/DNP3 anomalies. Coordinate with sector ISACs on Iran-specific threat intelligence. Brief executive leadership on the CSIS assessment framing Iran as a sustained strategic threat, not an episodic one.
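The network-monitoring action in the CISA item above and the Modbus/DNP3 hunt here come down to the same check: parse the ICS protocol and flag state-changing or fingerprinting requests from hosts that have no business sending them. The following is an added example, not code from CISA, CSIS or this brief. It parses Modbus/TCP frames (MBAP header plus PDU), alerts on write function codes from any host outside an engineering-workstation allowlist, on device-identification and diagnostic function codes typical of recon, and on malformed frames. The allowlist, the recon function set, the addresses and the five constructed frames are assumptions; DNP3 would need its own parser and is not covered.

```python
"""Flag suspicious Modbus/TCP requests in a constructed traffic sample.

Added example (not from the CISA advisory or the source brief). It assumes the
operator can export per-packet Modbus/TCP payloads from a span port or PCAP;
here a handful of frames are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Function codes that change PLC state. Any of these from an unexpected host
# is the "anomalous PLC communication" the advisory tells operators to watch for.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# Function codes used for device fingerprinting rather than routine polling
# (assumed recon set; tune to what your HMIs actually send).
RECON_FUNCTIONS = {8: "Diagnostics", 17: "Report Server ID", 43: "Read Device Identification"}
# Functions whose PDU begins with a 16-bit starting address.
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the leading PDU fields of one frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame size")
    function = payload[7] & 0x7F  # strip the exception bit carried by error responses
    address = None
    if function in ADDRESSED_FUNCTIONS and len(payload) >= 10:
        address = struct.unpack("!H", payload[8:10])[0]
    return ModbusRequest(tid, unit, function, address)


def detect(records: List[Tuple[str, str, bytes]],
           authorized_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every frame worth an analyst's attention."""
    alerts = []
    for src, dst, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, dst, f"malformed Modbus/TCP: {err}"))
            continue
        if req.function in WRITE_FUNCTIONS and src not in authorized_writers:
            alerts.append((src, dst, f"unauthorized {WRITE_FUNCTIONS[req.function]} "
                                     f"to unit {req.unit_id} address {req.address}"))
        elif req.function in RECON_FUNCTIONS:
            alerts.append((src, dst, f"recon function {req.function} "
                                     f"({RECON_FUNCTIONS[req.function]})"))
    return alerts


def build_frame(transaction_id: int, unit_id: int, pdu: bytes, protocol_id: int = 0) -> bytes:
    """Assemble MBAP header + PDU (used only to construct the sample below)."""
    return struct.pack("!HHHB", transaction_id, protocol_id, len(pdu) + 1, unit_id) + pdu


# Constructed sample: hosts, unit ids, addresses and values are illustrative.
PLC = "10.10.2.10"
AUTHORIZED_WRITERS = {"10.10.1.20"}  # the engineering workstation (assumption)
SAMPLE_TRAFFIC = [
    # HMI polling 10 holding registers from address 0: normal.
    ("10.10.1.5", PLC, build_frame(1, 1, bytes([3]) + struct.pack("!HH", 0, 10))),
    # Engineering workstation writing a setpoint: permitted.
    ("10.10.1.20", PLC, build_frame(2, 1, bytes([6]) + struct.pack("!HH", 0x0100, 0x1234))),
    # Unknown external host forcing coil 19 ON: the alert that matters.
    ("203.0.113.77", PLC, build_frame(3, 1, bytes([5]) + struct.pack("!HH", 0x0013, 0xFF00))),
    # Same host fingerprinting the device (MEI type 0x0E, basic identification).
    ("203.0.113.77", PLC, build_frame(4, 1, bytes([43, 0x0E, 0x01, 0x00]))),
    # Garbage on port 502: wrong protocol identifier.
    ("203.0.113.77", PLC, build_frame(5, 1, bytes([3, 0, 0, 0, 1]), protocol_id=1)),
]

if __name__ == "__main__":
    for src, dst, reason in detect(SAMPLE_TRAFFIC, AUTHORIZED_WRITERS):
        print(f"{src} -> {dst}: {reason}")
```

The allowlist is the control that does the work: a PLC that accepts writes from any address is the default-credential problem restated at the protocol layer, and the monitoring only helps if the set of hosts allowed to write is small and known. Reads are left unflagged here deliberately, since HMIs poll continuously and alerting on them drowns the signal.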
Sources: Dragos · CISA · Mandiant · 2026
This week’s intelligence creates a composite picture that is more concerning than any individual threat item. Volt Typhoon (China) remains embedded in utility control loops. KAMACITE (Russia) spent four months mapping U.S. industrial control loops. SYLVANITE (multi-national) is operating inside a U.S. electric utility and handing access to ICS-capable adversaries. Iran is actively targeting PLCs in U.S. power grid operations. ELECTRUM (Russia) demonstrated destructive DER capability in Poland. Dragos now tracks over 20 ICS threat groups. The grid is not being attacked — it is being prepared for attack. Multiple nation-states are building the access, intelligence, and capability to disrupt U.S. energy infrastructure at a time of their choosing. This is the full-spectrum pre-positioning that this brief’s 80/10/10 framework is designed to correlate.
Action Required: Energy executives should present this composite threat picture to boards and regulators. The threat is not hypothetical — it is documented and active. Investment in OT visibility, ICS-specific incident response, and grid resilience should be treated as operational imperatives, not discretionary spending.
KAMACITE spent four months in 2025 systematically scanning internet-exposed U.S. industrial devices to map entire control loops. ELECTRUM conducted the first-ever DER cyberattack in Poland, deploying wiper malware that destroyed RTUs and corrupted HMI data. These two entities work as a team: KAMACITE develops access, ELECTRUM executes destructive operations. They have caused real power outages in Ukraine (2015, 2016) and are now actively building the intelligence and access required to do the same in the United States and NATO allies. Dragos describes their current posture as “deliberate, active preparation for operational impact.”
Primary TTPs
ICS Scanning, Edge Device Exploitation, Wiper Malware, RTU Destruction, DER Targeting
Target Sectors
Electric Grid, DER/Renewables, Natural Gas, Water
Activity Level
Critical · 4-month U.S. scanning campaign · Poland DER attack
VOLTZITE (Volt Typhoon) remains embedded inside U.S. critical infrastructure. Dragos confirmed SYLVANITE operating inside a U.S. electric utility and handing footholds directly to VOLTZITE. This confirms the multi-actor handoff model: one group develops access, another prepares for disruption. Volt Typhoon’s mission remains pre-positioning for disruption during a potential Taiwan scenario. The combination of SYLVANITE access delivery, VOLTZITE operational capability, and AI-enabled zero-day discovery represents a compound threat with no historical precedent.
Primary TTPs
LOLBins, SOHO Router C2, NTDS.dit Theft, Receiving SYLVANITE Handoffs
Target Sectors
Energy, Water, Telecom, Transportation, Defense
Activity Level
Active · Embedded · SYLVANITE handoff confirmed
CISA warned on April 8 that Iran-affiliated hackers are targeting PLCs in U.S. energy, water, and government facilities during the sixth week of the US-Israeli-Iran conflict. CSIS analysis confirms this is not episodic — Iran now treats cyberspace as a sustained extension of state power against critical infrastructure. Iranian actors are pre-positioning access for future escalation, exploiting legacy ICS and weak segmentation. The combination of Iranian PLC targeting, Handala’s destructive operations against other sectors, and the sustained wartime context creates the highest Iranian cyber threat to U.S. energy infrastructure since the conflict began.
Primary TTPs
PLC Targeting, Default Credentials, Internet-Exposed ICS, Pre-Positioning
Target Sectors
Energy, Water, Wastewater, Government Facilities
Activity Level
Critical · Active PLC targeting · NERC monitoring grid