Cyber Advisory: What Businesses and Nonprofits Need to Know About Recent Iranian-Backed Cyberattacks

April 13, 2026

On April 10, several U.S. agencies issued a joint advisory warning that Iranian-affiliated threat actors are exploiting internet-exposed industrial/control devices used by utilities and municipal services. Even if your organization does not run industrial systems, you can still be impacted through service disruptions (power, water, facilities) or third-party/vendor compromise (managed IT, building management, security systems).

Bottom line: reduce exposure from internet-facing systems and vendor remote access, ensure you can recover quickly (tested backups), and confirm your continuity plan works during real outages.

What’s happening—and why it matters to you

  • Attack pattern: attackers are looking for poorly secured, internet-reachable control/facilities systems and remote access pathways (including vendor access). Once in, they use legitimate tools to change configurations or disrupt operations.
  • Likely business/nonprofit impacts: outages or degraded services from utilities/municipal providers; downtime or safety issues at facilities; and vendor-related compromises that spill into IT (credentials, ransomware, data exposure).
  • Who should pay extra attention: organizations with building automation, generators, specialized equipment, or vendors that remotely manage facility/operational systems.

What you should do now

Good cybersecurity hygiene is particularly important now as attack levels are increasing. Steps to mitigate your risk include:

  • Find and fix internet exposure: inventory external-facing systems and portals (VPN, remote admin, vendor tools, cloud consoles) and remove or restrict anything that doesn’t need to be public.
  • Harden remote access: require MFA everywhere, disable unused accounts, and avoid direct remote access to servers or facilities systems.
  • Control vendor access: ensure vendors use named accounts, MFA, least privilege, logging, and clear breach-notification obligations. Promptly offboard access when contracts or staff change.
  • Be ready to detect and respond: centralize key logs (identity, remote access, endpoints, cloud) and confirm you can quickly isolate affected devices or accounts.
  • Create backups you can trust: maintain offline/immutable backups and regularly test restoration of at least one critical system.
  • Limit exposure: separate admin from everyday accounts and segment facilities/building systems from staff networks where practical.
  • Plan continuity for outages: validate plans for power/water/internet disruptions (alternate site, manual workarounds, backup communications).

If you operate Operational Technology (OT), Industrial Control Systems (ICS) or building/facility controls

  • Remove direct internet access: do not expose control devices/networks to the public internet; use a VPN with MFA and a jump host for any remote administration.
  • Segment and monitor: separate OT/facilities networks from business IT; tightly control any connections and monitor for remote access and configuration changes.
  • Back up configurations: keep offline backups of control logic/configs and test restore procedures.

Further Resources

  • Vendor security advisories for any facility/OT/building management systems you operate.

This threat environment is active and evolving. It’s a good time to be vigilant and report suspected incidents to CISA or the FBI’s Internet Crime Complaint Center (IC3).

This alert is for informational purposes and is based on publicly available government advisories as of April 10, 2026. Organizations should consult the full official guidance and their own cybersecurity experts, or the GRF Cybersecurity Team.