Iranian Cyber Activity Targets Critical Infrastructure Through Remote Access Pathways
Ethan Schmertzler, Co-CEO, Dispel
Apr 9, 2026
Article

Recent joint guidance from CISA and U.S. government partners warns that Iranian state-sponsored actors are actively targeting critical infrastructure organizations, including sectors with direct operational impact. The activity described is not theoretical—it reflects real-world access into operational environments, including the ability to interact with industrial control systems.
According to the advisory (AA26-097A), these actors have gained access by exploiting internet-exposed services and weak authentication practices, including default credentials, enabling them to enter environments through legitimate access pathways rather than relying on sophisticated exploits.
This is a critical distinction.
The threat is not defined by zero-days or novel malware. It is defined by how attackers are using existing remote access mechanisms to reach operational systems.
Remote Access Is Not the Vulnerability—It Is the Path
What makes this activity particularly concerning is not simply that access was gained, but how it was gained.
The advisory highlights that attackers are targeting systems that are accessible from the public internet, including OT-related assets, and then leveraging weak identity controls to establish access. In some reported cases, this has enabled interaction with programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other operational components.
This aligns with a broader and well-documented pattern of activity.
While the advisory does not attribute the current campaign to a specific group, the tactics closely resemble those used by CyberAv3ngers (Shahid Kaveh Group), an Iran-linked threat group associated with the IRGC. As reported by Dragos and others, this group previously compromised more than 100 Unitronics PLC/HMI devices, many deployed in water and wastewater environments. In those incidents, attackers not only defaced systems, renaming devices and altering displays, but also modified underlying control logic, creating real operational disruption.
These are the same access pathways industrial organizations rely on every day:
Vendors maintaining equipment remotely
Engineers troubleshooting systems across sites
Operators managing distributed infrastructure
Subsequent campaigns extended beyond disruption. According to Dragos reporting, the group deployed IOControl malware designed to persist across industrial control and IoT devices, indicating a shift toward maintaining long-term access within critical infrastructure environments rather than conducting one-off attacks.
This progression, from opportunistic disruption to persistent access, is significant. It reflects an evolution in both capability and intent, and reinforces that the activity described in the advisory is not isolated.
Remote access is not an edge case. It is a requirement for modern operations.
But as connectivity has expanded, many environments have accumulated access pathways that are exposed, inconsistently governed, or insufficiently monitored.
The advisory makes clear that these conditions are now being actively exploited.
When “Valid Access” Becomes the Attack Vector
One of the most important implications of this activity is how it changes the nature of detection.
When attackers exploit vulnerabilities, there are often recognizable indicators—malicious payloads, anomalous traffic, known signatures.
When attackers use valid credentials and legitimate services, those signals largely disappear.
From a system perspective:
Authentication succeeds
Connections appear normal
Tools and protocols are expected
The activity blends into routine operations.
CISA’s mitigation guidance reflects this shift, emphasizing the need to:
Remove or secure internet-exposed services
Eliminate default credentials
Enforce strong authentication
Monitor and log access to OT environments
These are necessary controls. But they primarily address the conditions before access is granted.
They do not fully resolve what happens after authentication succeeds.
The Gap Between Access and Trust
In many industrial environments, remote access still operates on a straightforward model: if credentials are valid, access is allowed.
That model assumes that credentials reliably represent identity and intent.
The advisory highlights why that assumption is increasingly fragile.
Default or weak credentials can be discovered or reused
Vendor and contractor access may rely on shared accounts
Remote access endpoints may be exposed beyond intended boundaries
In these conditions, a successful login does not necessarily mean:
the user is who they claim to be
the access is occurring under expected conditions
the activity within the session is appropriate
This creates a critical visibility gap between “a valid login occurred” and “this was legitimate, expected activity.”
Remote Access Mitigation Is Necessary—but Not Sufficient
The steps outlined in the advisory (reducing exposure, strengthening authentication, and improving logging) are essential and should be treated as baseline controls.
However, they do not eliminate risk in environments where:
Remote access is routine and operationally necessary
Third-party vendors regularly connect to critical systems
Access spans multiple sites, assets, and user types
Operational urgency prioritizes speed and availability
In these environments, risk does not end at authentication. It begins there.
Extending Control Beyond Authentication
The activity described in the advisory points to a necessary evolution in how remote access is secured.
It is no longer sufficient to determine: Can this user log in?
Organizations must also be able to answer: Should this session be trusted?
This requires visibility into the session itself—who is connecting, under what conditions, to which systems, and what occurs during that access.

Bringing Context to Every Remote Access Session
Dispel’s approach is built around addressing this gap by introducing session-level intelligence into remote access workflows.
Rather than treating access as a binary decision, each session is evaluated in real time across identity, behavior, and asset context.
Connection Risk Scoring: Understanding Who Is Actually Logging In
In environments spanning manufacturing plants, OT networks, vendors, and contractors, valid credentials alone cannot prove identity.
Dispel’s Connection Risk Scoring continuously evaluates every session, building a behavioral profile for each user and comparing new sessions against expected patterns.
This allows teams to identify:
access from unfamiliar locations or devices
unusual timing or behavioral deviations
indicators of credential theft or misuse
The result is immediate visibility into whether a login and behavior align with how that user typically operates—without requiring manual analysis.
Vendor and Contractor Risk: Detecting Shared and Misused Credentials
The advisory’s emphasis on weak and default credentials is especially relevant in environments with large third-party ecosystems.
In practice, many organizations face:
shared vendor credentials
multiple users accessing systems under a single account
limited visibility into how those accounts are used
Dispel addresses this through concurrent session detection, which flags when a single account is used simultaneously from different locations.
This is a direct indicator of credential sharing or compromise—conditions that traditional authentication controls cannot detect.
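As an added illustration (not Dispel's code and not part of the advisory), the following Python sketches the two session-level checks described under Connection Risk Scoring and concurrent session detection: a per-user baseline that scores a new session on unfamiliar location, device or start hour, and an overlap check that flags one account active from two locations at the same time. The session record layout, the scoring weights and the sample data are assumptions.

```python
"""Session-level checks: per-user baseline scoring and concurrent-session detection.
Illustration only; the record format, weights and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"
# Constructed session records (user, source location, device id, start, end, asset).
SESSIONS = [
    ("vendor-acme", "Denver-US", "lt-01", "2026-04-01T14:00", "2026-04-01T15:00", "PLC-7"),
    ("vendor-acme", "Denver-US", "lt-01", "2026-04-02T13:30", "2026-04-02T14:10", "HMI-2"),
    ("vendor-acme", "Denver-US", "lt-01", "2026-04-03T14:20", "2026-04-03T15:05", "PLC-7"),
    ("vendor-acme", "Denver-US", "lt-01", "2026-04-06T09:00", "2026-04-06T10:30", "PLC-7"),
    ("vendor-acme", "Denver-US", "lt-01", "2026-04-06T09:40", "2026-04-06T09:55", "HMI-2"),
    ("vendor-acme", "Unknown-XX", "lt-99", "2026-04-06T09:45", "2026-04-06T10:15", "PLC-7"),
    ("ops-jlee", "Plant-A", "ws-12", "2026-04-06T02:10", "2026-04-06T02:40", "HMI-2"),
]

def parse(rec):
    user, loc, dev, start, end, asset = rec
    return {"user": user, "loc": loc, "dev": dev, "asset": asset,
            "start": datetime.strptime(start, FMT), "end": datetime.strptime(end, FMT)}

def build_baseline(history):
    """Per-user profile: locations, devices and start hours seen so far."""
    prof = defaultdict(lambda: {"locs": set(), "devs": set(), "hours": set()})
    for s in history:
        p = prof[s["user"]]
        p["locs"].add(s["loc"]); p["devs"].add(s["dev"]); p["hours"].add(s["start"].hour)
    return prof

def score_session(s, prof, weights=(40, 30, 20)):
    """0-100 deviation from the user's baseline; weights (assumed) cover
    unfamiliar location, unfamiliar device and unusual start hour."""
    p = prof.get(s["user"])
    if p is None:
        return 100, ["no baseline for this account"]
    checks = [(s["loc"] not in p["locs"], "unfamiliar location"),
              (s["dev"] not in p["devs"], "unfamiliar device"),
              (s["start"].hour not in p["hours"], "unusual hour")]
    reasons = [why for hit, why in checks if hit]
    score = sum(w for (hit, _), w in zip(checks, weights) if hit)
    return score, reasons

def concurrent_sessions(sessions):
    """Same account active at the same time from two different locations:
    the shared-or-compromised-credential signal described in the text."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    hits = set()
    for user, lst in by_user.items():
        lst.sort(key=lambda x: x["start"])
        for i, a in enumerate(lst):
            for b in lst[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start, so no later session overlaps a
                if a["loc"] != b["loc"]:
                    hits.add((user, a["loc"], b["loc"], b["start"].isoformat()))
    return hits

def evaluate(records, cutoff):
    """Score sessions starting at/after cutoff against the earlier history."""
    sessions = [parse(r) for r in records]
    limit = datetime.strptime(cutoff, FMT)
    prof = build_baseline([s for s in sessions if s["start"] < limit])
    scored = {(s["user"], s["start"].isoformat()): score_session(s, prof)
              for s in sessions if s["start"] >= limit}
    return scored, concurrent_sessions(sessions)
```

Running `evaluate(SESSIONS, "2026-04-06T00:00")` scores the vendor's same-location morning sessions low, the session from an unknown location and device high, and reports the overlap between the two as a concurrent-session hit.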
Protecting Operational Systems: Context at the Moment of Access
The advisory notes that threat actors have interacted directly with operational systems, including interfaces used to monitor and control processes.
Access to these systems carries physical and operational consequences.
Dispel incorporates device risk intelligence into access decisions, providing visibility into the security posture and criticality of the asset being accessed at the moment of connection.
This allows organizations to evaluate:
whether the system is vulnerable or high-risk
whether access aligns with operational need
whether additional controls should be applied before granting access
This ensures that access decisions are informed not just by the user, but by the risk of the system itself.
Session Forensics: From Logging to Security Intelligence
CISA emphasizes the importance of logging and monitoring access. However, traditional logs often require reconstruction after an incident.
Dispel provides session-level forensics, capturing a complete, time-sequenced record of remote access activity.
This enables organizations to:
see exactly what actions were taken during a session
investigate anomalies without ambiguity
produce audit-ready records aligned with compliance frameworks
Instead of relying on fragmented logs, teams gain a clear, attributable record of activity tied to each session.
A Shift in How Remote Access Must Be Secured
The activity outlined in the advisory reflects a broader shift in the threat landscape.
Attackers are not always bypassing controls. They can be operating within them.
They are using:
exposed access pathways
weak or shared credentials
legitimate tools and protocols
This places pressure on a model of security that ends at authentication.
Reducing Risk Through Secure Remote Access
Strengthening remote access is not just a defensive measure—it is a measurable way to reduce operational risk.
According to SANS and the Dragos 2025 OT Cybersecurity Financial Risk Report, organizations can achieve up to a 30% reduction in OT cyber risk through a combination of secure remote access and defensible architecture—12% from securing remote access pathways alone, and an additional 17% from broader architectural improvements.
This reflects a broader shift: when remote access is structured, monitored, and aligned with operational reality, it does more than prevent incidents. It reduces exposure at scale.
In environments where access is constant and distributed, improving how that access is controlled, verified, and observed becomes one of the most direct ways to lower risk while enabling operations to move faster and with greater confidence.