
New Cyberattack on Industrial Production Systems Linked to Iranian Conflict

New Attacks Target Production Systems Directly

Geopolitical tensions in the Middle East escalated into the cyber-physical domain in early 2026, with multiple confirmed attacks on operational technology (OT) networks in energy, water treatment, and manufacturing facilities. According to the Dragos Year in Review 2025 report, published in February 2026, threat actors are no longer content with IT-side reconnaissance -- they are now reaching directly into Level 1 and Level 2 of the Purdue model, targeting PLCs, RTUs, and safety instrumented systems.

The most significant incident involved a confirmed compromise of Unitronics Vision PLCs at a water treatment facility, where attackers manipulated chemical dosing setpoints before operators detected the anomaly. Separately, energy infrastructure in the Gulf region experienced coordinated scanning campaigns against Schneider Electric Modicon and Siemens S7 controllers, with traffic patterns suggesting automated exploitation frameworks rather than manual intrusion.

Evolving Attack Techniques: Living Off the Land

The Dragos report highlights a critical evolution in attacker methodology. Rather than deploying custom malware that triggers endpoint detection, threat groups are increasingly using living-off-the-land (LOTL) techniques -- leveraging legitimate engineering tools already present on OT networks. Standard utilities like PLC programming software, SCADA configuration tools, and remote desktop protocols are being weaponized for lateral movement and payload delivery.

This approach is particularly dangerous because it generates minimal forensic artifacts. Traditional signature-based detection fails to distinguish between a legitimate engineer uploading a program change and an attacker using the same tool to modify controller logic. Dragos identified at least four distinct threat groups employing LOTL techniques against industrial targets in the past 12 months.

The Alarming Numbers: 26 Active Threat Groups

The scale of the threat landscape is sobering. Dragos now tracks 26 active threat groups with demonstrated capability or intent to target industrial control systems, up from 21 in the previous year. Of these, 9 groups have confirmed Stage 2 ICS capability, meaning they can develop and deploy tools that interact directly with industrial protocols such as Modbus, EtherNet/IP, OPC UA, and S7comm.

The report notes an 87% increase in OT-targeted reconnaissance activity year-over-year, with the energy sector accounting for 39% of all tracked incidents, followed by manufacturing at 27% and water/wastewater at 15%. Geographically, the Middle East and Eastern Europe remain the most heavily targeted regions, though North American utilities have seen a sharp uptick in probing activity.

What This Means for Engineers

The days of assuming air-gapped OT networks are safe are definitively over. Engineers responsible for industrial control systems must adopt an assume-breach posture: network monitoring at the industrial protocol level, baseline behavioral analysis of controller communications, and regular validation of PLC program integrity against known-good backups. Practically, this means deploying OT-specific network detection tools like Dragos Platform, Claroty, or Nozomi Networks rather than relying on IT-centric security stacks. Equally important is restricting and auditing access to engineering workstations -- the primary vector for LOTL attacks. If your facility does not have a documented OT incident response plan that has been tested in the past 12 months, that is the first gap to close.
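A minimal form of the protocol-level baselining described above, written as an added example for this article (it is not Dragos or any vendor's code): it parses Modbus/TCP frames, ignores polling reads, and raises an alert when a write function code comes from a host, or lands on a register range, that is not in the baseline learned from normal operation. The hosts, the register range and the captured frames are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state; reads (1-4) are deliberately absent
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register"}

@dataclass
class Baseline:
    allowed_writers: set      # hosts permitted to write, e.g. the HMI or engineering workstation
    allowed_registers: list   # (low, high) register ranges that legitimately change in normal operation

def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP frame into (unit_id, function_code, start_address); address is None for reads."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    func = frame[7]
    start = struct.unpack(">H", frame[8:10])[0] if func in WRITE_FUNCTIONS else None
    return unit, func, start

def check_frame(src_ip: str, frame: bytes, baseline: Baseline) -> list:
    """Return alert strings for a write that departs from the baseline; [] if the frame is benign."""
    unit, func, start = parse_modbus_tcp(frame)
    if func not in WRITE_FUNCTIONS:
        return []                     # reads are ordinary polling traffic
    alerts = []
    if src_ip not in baseline.allowed_writers:
        alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[func]} to unit {unit} from an unbaselined host")
    if not any(lo <= start <= hi for lo, hi in baseline.allowed_registers):
        alerts.append(f"{src_ip}: write to register {start} on unit {unit}, outside baselined ranges")
    return alerts

def audit(captured, baseline: Baseline) -> list:
    """Run every (src_ip, frame) pair through check_frame and collect all alerts."""
    return [a for src, frame in captured for a in check_frame(src, frame, baseline)]

# Constructed sample capture: the HMI polls and adjusts a setpoint at register 100, then an
# unknown host writes the same register and a register outside the baseline (unit id 1 throughout).
SAMPLE = [
    ("10.10.1.5",  bytes.fromhex("000100000006010300640002")),   # read 2 registers from 100
    ("10.10.1.5",  bytes.fromhex("0002000000060106006401f4")),   # write 500 to register 100
    ("10.10.9.77", bytes.fromhex("0003000000060106006403e8")),   # write 1000 to register 100
    ("10.10.9.77", bytes.fromhex("00040000000601060bb80000")),   # write 0 to register 3000
]
BASELINE = Baseline(allowed_writers={"10.10.1.5"}, allowed_registers=[(100, 120)])
```

Running `audit(SAMPLE, BASELINE)` yields three alerts: one for the unknown host's write to register 100 and two for its write to register 3000; the HMI's read and write produce none.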
