A joint advisory (AA26-097A) issued by six U.S. federal agencies confirms that the Iran-linked Shahid Kaveh Group is actively targeting internet-exposed industrial control systems (ICS) across critical infrastructure sectors. The campaign has already resulted in confirmed operational disruption and financial loss.
The group, associated with Iran’s IRGC Cyber Electronic Command, specializes in operational technology (OT) attacks, including manipulation of PLC logic, SCADA/HMI tampering, and configuration destruction. UAE and GCC energy, water, and utility sectors are at immediate risk, particularly environments with internet-exposed OT devices and weak authentication controls.
The Shahid Kaveh Group gains initial access by scanning for internet-facing OT devices such as PLCs and HMIs and directly connecting using legitimate vendor engineering tools. No zero-day vulnerabilities are required, as attackers exploit devices with default credentials or no authentication.
Targets include Rockwell Automation PLCs accessed via Studio 5000 Logix Designer, Unitronics Vision Series devices, and potentially Siemens PLCs. Once access is established, attackers interact directly with PLC project files, modifying or replacing logic that controls physical processes.
HMI and SCADA displays are manipulated to present false operational data, masking malicious activity or triggering misleading alerts. In some cases, attackers wipe device configurations entirely, rendering systems inoperable.
For persistence and control, the group uses standard OT protocol ports and deploys SSH tools such as Dropbear. The IOCONTROL malware framework is also associated with this campaign, providing persistent access within embedded OT environments. The details and technicalities of the attack campaign are discussed further below.
Delivery and Infection Chain:
The attack chain relies on direct exploitation of exposed OT infrastructure rather than traditional malware delivery. Its simplicity makes it highly scalable and difficult to detect.
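As an added example (not code from the advisory or the agencies that issued it), the following Python checker turns the access pattern above into a detection rule over constructed flow-log lines: it flags any connection to a PLC/HMI engineering port or to SSH on an OT subnet that does not originate from an allowlisted engineering workstation. The subnet, allowlist, log format and port-to-protocol mapping are assumptions; the port numbers are the protocols' well-known defaults, not values taken from the advisory.

```python
import ipaddress
from collections import namedtuple

# Well-known default ports for the device families named in the advisory
# (protocol defaults, not values from the advisory); SSH covers a Dropbear drop.
OT_PORTS = {44818: "EtherNet/IP (Rockwell Logix / Studio 5000)", 20256: "PCOM (Unitronics Vision)",
            102: "S7comm (Siemens)", 502: "Modbus/TCP", 22: "SSH (e.g. Dropbear)"}
# Assumed site layout: OT devices in one subnet; only two engineering workstations may reach them.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_ENGINEERING_HOSTS = {"10.20.1.15", "10.20.1.16"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "ts src dst dport")

def parse_flow(line):
    """Parse a constructed flow-log line of the form '<ts> <src> -> <dst>:<dport>'."""
    ts, src, _arrow, dst_port = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(dport))

def classify(flow):
    """Return (severity, reason) for a suspicious flow, or None if it is expected."""
    if flow.dport not in OT_PORTS or ipaddress.ip_address(flow.dst) not in OT_SUBNET:
        return None
    src = ipaddress.ip_address(flow.src)
    label = OT_PORTS[flow.dport]
    if not any(src in net for net in INTERNAL_NETS):
        # The advisory's access pattern: an internet source connecting straight to a PLC/HMI.
        return ("critical", f"{flow.ts} external {flow.src} -> {flow.dst} on {label}")
    if flow.src not in ALLOWED_ENGINEERING_HOSTS:
        return ("high", f"{flow.ts} non-allowlisted {flow.src} -> {flow.dst} on {label}")
    return None

def scan(lines):
    """Classify every line and return the alerts in log order."""
    return [hit for hit in map(classify, map(parse_flow, lines)) if hit]

# Constructed sample log; 203.0.113.0/24 is a documentation range standing in for the internet.
SAMPLE_LOG = [
    "2026-04-07T10:01:02Z 203.0.113.5 -> 10.20.5.10:44818",  # internet -> Rockwell PLC
    "2026-04-07T10:01:09Z 10.20.1.15 -> 10.20.5.10:44818",   # allowlisted engineering host
    "2026-04-07T10:02:30Z 10.30.7.8 -> 10.20.5.12:20256",    # stray internal host -> Unitronics
    "2026-04-07T10:03:11Z 203.0.113.5 -> 10.20.5.12:22",     # internet SSH to an OT device
    "2026-04-07T10:04:00Z 10.20.1.16 -> 10.20.9.1:443",      # HTTPS, not an OT port
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(severity.upper(), reason)
```

In production the same rule belongs on the OT boundary firewall or SIEM, where a single "critical" hit means a device is reachable from outside and should be pulled off the internet before anything else is investigated.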
Technical Capabilities:
The Shahid Kaveh Group demonstrates advanced OT-specific capabilities, particularly in manipulating ladder logic within PLCs, which directly control industrial equipment such as pumps, valves, and power systems. This requires deep domain expertise in industrial processes, distinguishing the group from typical IT-focused threat actors.
The deployment of the IOCONTROL malware framework highlights the group’s investment in specialized tooling for embedded systems. Their ability to combine process manipulation with display falsification allows them to disrupt operations while avoiding immediate detection.
The campaign also reflects strategic targeting of regions with mixed OT security maturity, where internet-exposed devices and weak authentication practices create exploitable entry points.
Attribution and Evolution:
The group is formally attributed to the Islamic Revolutionary Guard Corps Cyber Electronic Command and operates under multiple aliases. Its evolution reflects a transition from earlier disruptive campaigns to highly targeted cyber-physical operations.
The escalation of activity in 2026 aligns with geopolitical developments, indicating that cyber operations are being used as a strategic extension of regional conflict.
Active Campaign and Geographic Spread:
While initial advisories focus on US infrastructure, multiple intelligence reports confirm active targeting across the UAE and GCC. Sectors affected include energy, water, utilities, and industrial systems, all of which rely heavily on OT environments.
The campaign leverages globally distributed infrastructure and focuses on opportunistic exploitation of exposed systems, making it adaptable and difficult to contain geographically.
Conclusion:
This campaign represents one of the most significant cyber-physical threats currently facing critical infrastructure in the GCC. The absence of complex exploits, combined with direct access to exposed systems, makes it both highly effective and scalable.
Organizations must treat this as an active threat requiring immediate action. Strengthening OT security posture, enforcing strict access controls, and implementing continuous monitoring are essential to prevent disruption and ensure operational resilience.
The impact includes operational disruption, financial loss, and manipulation of industrial processes. False data displayed on HMI/SCADA systems can lead to incorrect operational decisions, increasing the risk of physical damage or safety incidents.
In severe cases, configuration wiping renders devices inoperable, requiring manual recovery. For UAE organizations, this also introduces regulatory implications, including mandatory reporting and compliance requirements under national critical infrastructure protection frameworks.