Iranian state hackers targeting OT: why offline golden copies decide the recovery
A new Congressional Research Service report names Iran alongside China, Russia and North Korea as a leading cyber adversary, with operations now reaching deep into industrial control systems. The recovery problem is no longer about backups. It is about whether your golden copies are reachable by the attacker.

Mark Fermor
Director & Co-Founder, Firevault

I came across this story in Industrial Cyber, written by Anna Ribeiro, reporting on an updated Congressional Research Service review of nation-state cyber operations against US networks. What stopped me was not another headline about ransomware. It was the explicit OT and ICS targeting: Iranian operators going after programmable logic controllers in water and wastewater facilities. When a state-backed actor reaches the control layer, the conversation changes from prevention to recovery.
Key takeaways
- Iran now sits alongside China, Russia and North Korea as a top-tier state-backed cyber adversary, with explicit OT and ICS targeting confirmed by the Congressional Research Service.
- The IRGC-affiliated CyberAveng3rs campaign hit programmable logic controllers in water and wastewater facilities, the same class of device used across UK and European utilities.
- Online backups reachable from the compromised network are not recovery copies. They are a second target.
- Physically disconnected golden copies of PLC configurations, HMI projects and incident response runbooks are the layer that decides recovery time.
The Congressional Research Service has updated its multi-year review of nation-state cyber operations against US networks, and the headline is uncomfortable for anyone responsible for operational technology. Iran sits alongside China, Russia and North Korea as one of the four leading state-backed cyber adversaries tracked by US intelligence, and the report is explicit that Iranian operations now reach the control systems that run water, wastewater and energy.
The campaign attributed to the Islamic Revolutionary Guard Corps-affiliated CyberAveng3rs group is the clearest signal. Those operators went after programmable logic controllers in water and wastewater facilities, the same class of device that sits inside thousands of UK and European utilities. Separately, Iranian actors exploited known vulnerabilities in Microsoft Exchange and Fortinet products to establish footholds inside critical infrastructure organisations, then moved on to data theft, ransomware and extortion. A parallel operation used Log4Shell to drop cryptocurrency miners and harvest credentials from federal networks.
What the report is really saying
Strip away the country labels and a consistent pattern emerges. State-aligned actors are not relying on novel zero days. They are exploiting unpatched perimeter products, weak authentication and exposed internet-facing systems to gain quiet, persistent access. Volt Typhoon, the China-linked campaign also cited by CRS, is the textbook case: compromise critical infrastructure now, sit dormant, and retain the option to disrupt later. Iranian operators are running a similar play with a sharper appetite for OT.
For an OT security lead, that changes the question. The question is no longer whether the perimeter will hold. It is whether the systems that let you recover are themselves clean.
Why OT recovery is the harder problem
IT estates have a recovery muscle. OT estates often do not. Programmable logic controllers, human-machine interfaces, engineering workstations and historian databases cannot be patched on a monthly cadence without risking process integrity. The crown jewels are not the devices themselves. They are the configuration files, the HMI projects, the ladder logic, the engineering backups and the incident response runbooks that let an operator rebuild a process safely after compromise.
Lose those, or have them tampered with by an attacker who has been resident for months, and recovery stops being a technical exercise. It becomes a forensic reconstruction project measured in weeks.
The gap most operators do not see
Most CNI operators back up OT configuration data to network-attached storage that sits on the same routable network the attacker is already living on. Some replicate to a cloud bucket reached over the same federated identity that has just been phished. A handful keep tapes, but rotate them through the same domain credentials.
If the recovery copies are reachable from the compromised network, they are not recovery copies. They are a second target.
The Firevault viewpoint
Physical disconnection is the only control that survives a determined, well-resourced adversary with months of dwell time. An air gap by policy is not an air gap. An air gap by wire is.
Firevault Offline Secure Storage exists for exactly this class of asset: a physically disconnected vault for the configuration files, engineering backups, HMI projects and incident response material that decide how quickly a CNI operator can restore safe operation. It cannot be reached from the IT network. It cannot be reached from the OT network. It cannot be reached from the internet. Restore is a deliberate, witnessed act, not an API call.
This is not a replacement for network segmentation, patching discipline or OT monitoring. It is the layer underneath them. When those controls are bypassed, and the CRS report makes clear they will be, the offline copy is what stands between an incident and an outage.
Three actions for OT security leads this quarter
- Inventory the recovery data that matters: PLC configurations, HMI projects, engineering workstation images, historian exports, IR runbooks and safety system parameters. If you cannot list them, you cannot protect them.
- Sever the path between IT and OT recovery copies. Recovery data for OT must not live on storage reachable by a compromised IT identity, and vice versa.
- Test restore from offline media every quarter. A golden copy you have never restored is a hypothesis, not a control.
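The first and third actions above have a concrete shape in practice: record exactly which recovery artefacts are in the golden copy, and on every restore test check that what came back off the media is the same set, byte for byte. The following is an added example written for this article, not Firevault's own tooling; it builds a SHA-256 manifest of a recovery set at the time the golden copy is taken, then compares a restored tree against that manifest and reports files that were modified, missing or unexpected. The file names, contents and directory layout are constructed for illustration.

```python
"""Golden-copy manifest and restore verification (added example, not Firevault code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

HASH = "sha256"


def file_digest(path: Path) -> str:
    """Stream a file through the hash so large engineering images do not have to fit in memory."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk the recovery set and record a digest per file, keyed by path relative to the set root.

    The manifest is written at the moment the golden copy is taken and travels with the offline
    media, so a later restore is checked against what was actually vaulted, not against an
    online copy the attacker may have reached during dwell time.
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_digest(p)
    return {"algorithm": HASH, "files": files}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest and classify every file."""
    expected = manifest["files"]
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif file_digest(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(present - expected.keys())
    # A restore test passes only if every vaulted artefact came back unchanged.
    result["passed"] = not (result["modified"] or result["missing"])
    return result


def demo_restore_check() -> dict:
    """Constructed scenario: vault three artefacts, then restore a set with one tampered and one missing."""
    work = Path(tempfile.mkdtemp(prefix="golden-"))
    golden = work / "golden"
    # Constructed sample recovery artefacts; names and contents are illustrative only.
    samples = {
        "plc/pump_station_1.l5x": b"<RSLogix5000Content>ladder logic v12</RSLogix5000Content>",
        "hmi/pump_station_1.project": b"hmi project bundle",
        "runbooks/water_ics_incident.md": b"# IR runbook\n1. Isolate OT from IT\n",
    }
    for rel, data in samples.items():
        target = golden / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    manifest = build_manifest(golden)
    manifest_path = work / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))

    # Simulate a restore from media, then introduce the two failure modes a quarterly test must catch.
    restored = work / "restored"
    shutil.copytree(golden, restored)
    (restored / "plc/pump_station_1.l5x").write_bytes(
        b"<RSLogix5000Content>ladder logic v12 [altered]</RSLogix5000Content>"
    )
    (restored / "runbooks/water_ics_incident.md").unlink()
    (restored / "hmi/stray_export.tmp").write_bytes(b"left behind by tooling")

    loaded = json.loads(manifest_path.read_text())
    result = verify_restore(loaded, restored)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo_restore_check(), indent=2))
```

The manifest belongs on the offline media next to the artefacts it describes; kept only on the online estate, it is subject to the same tampering as the copies it is meant to check. In a production version the manifest would also be signed with a key held outside the IT and OT domains, so that an attacker who alters both a configuration file and its recorded digest is still detected.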
The CRS report is a useful prompt, but the underlying message is older than this week. State-aligned operators are patient, they are inside critical infrastructure already, and the network controls that were meant to stop them have known limits. The recovery layer is where the next decade of CNI resilience is going to be decided. Make sure yours is somewhere the attacker cannot reach.
Further reading: Firevault for OT and ICS, NIS2 alignment for Offline Secure Storage, NCSC ransomware-resistant backup guidance.
Mark Fermor, Co-Founder, Firevault