Severity: CRITICAL

The Threat

A joint advisory published by CISA on April 7, 2026 confirms that Iran-affiliated Advanced Persistent Threat (APT) actors are actively exploiting internet-facing Programmable Logic Controllers (PLCs) across critical infrastructure sectors worldwide. These are not opportunistic scans - this is a coordinated, targeted campaign by a nation-state actor with a documented history of destructive attacks against power grids, water treatment facilities, and industrial systems.

PLCs are the hardware backbone of Operational Technology (OT) environments - the physical control systems that manage electricity distribution, water pressure, fuel pipelines, and manufacturing processes. Many of these devices were never designed with cybersecurity in mind, and a significant number remain directly exposed to the internet with default or weak credentials.

CISA's advisory classifies this as an active exploitation campaign, meaning attackers are not just probing - they are gaining unauthorized access right now.

Impact Assessment for East African Organizations

East Africa's critical infrastructure sector faces a heightened and specific risk from this campaign for several reasons:

  • Rapid digitization without OT security maturity: Kenya's power sector (Kenya Power, KenGen), Ethiopia's hydroelectric grid (EEPCO/EEP), and Uganda's utility networks have undergone rapid SCADA and remote monitoring upgrades in recent years - often without corresponding OT security investment.
  • Internet-exposed industrial devices: Shodan and Censys scans consistently reveal hundreds of unprotected industrial control system (ICS) interfaces across East African IP ranges, many running outdated firmware.
  • Limited OT/IT security segmentation: Most regional utilities still operate flat networks where a breach of an IT system can pivot directly into OT environments - giving attackers the ability to manipulate physical processes.
  • Cascading downstream effects: A disruption to power infrastructure in Nairobi, Addis Ababa, or Mogadishu would immediately impact banking operations, hospital systems, telecom networks, and government services - multiplying the damage far beyond the initial target.

Water authorities, fuel depot operators, and port infrastructure managers across the Horn of Africa carry equivalent exposure. The Djibouti port corridor, a strategic chokepoint for regional trade, is a high-value target for any actor seeking geopolitical leverage.

Immediate Actions - Do These Now

  • Audit internet exposure of all PLCs and HMIs immediately. Use your asset inventory to identify every OT device with an external-facing IP or remote access interface, and look for paths that do not show up as a public address on the device itself: port-forwarding rules on perimeter firewalls and routers, cellular modems installed by integrators, and vendor remote-maintenance links. Confirm the result from the outside (Shodan, Censys, or a scan of your own public ranges for ICS ports such as 502/tcp Modbus, 102/tcp S7comm, 44818/tcp EtherNet/IP and 20000/tcp DNP3). If you do not have a complete OT asset inventory, that is your first problem to solve.
  • Disable all unnecessary remote access to ICS/SCADA systems. If a PLC does not need to be internet-accessible, take it offline from external networks today. No exceptions for convenience. Where remote access is genuinely required, route it through a VPN or jump host with multi-factor authentication, restrict it to named source addresses, and log every session.
  • Change all default credentials on industrial devices. Default usernames and passwords on PLCs (Siemens, Schneider Electric, Allen-Bradley, etc.) are publicly documented and are the first thing attackers try. Understand the limit of this control: it protects web, engineering and management interfaces only. Modbus/TCP and other legacy control protocols carry no authentication at all, so any host that can reach the port can read and write the controller. Credentials are necessary, but they are not a substitute for segmentation.
  • Implement network segmentation between IT and OT environments. A firewall or DMZ between your corporate network and your control system network is the single highest-impact control you can deploy. Follow IEC 62443 zone-and-conduit principles: no direct path from the corporate network (or the internet) to a PLC, control protocols permitted only between the zones that need them, and deny-by-default rules that are reviewed against the asset inventory.
  • Enable logging and alerting on all OT network traffic. You cannot defend what you cannot see. Passive OT monitoring tools (such as those used in DRONGO's managed OT security service) can detect anomalous PLC commands without disrupting operations. Feed them from network taps or switch SPAN ports, and do not point active vulnerability scanners at PLCs: many controllers crash or hang when probed. At minimum, alert on any write command (Modbus function codes 5, 6, 15 and 16) from a host that is not an authorized engineering workstation, and on any control-protocol traffic that crosses the IT/OT boundary.
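The detection described in the last two actions above, as an added worked example. This is illustrative code written for this bulletin; it is not from the CISA advisory and not DRONGO's monitoring product. It parses Modbus/TCP request frames the way a passive tap would see them (7-byte MBAP header followed by the PDU), then raises an alert when a state-changing function code (5, 6, 15, 16, 22, 23) comes from a host outside the allowlisted engineering subnet, and a separate alert when any Modbus traffic originates outside the OT zone, which indicates the IT/OT segmentation has been bypassed. The network layout (OT zone 10.20.0.0/16, engineering workstations 10.20.30.0/24, PLC at 10.20.1.10) and the sample frames are constructed assumptions, not a capture from any real utility.

```python
"""Passive Modbus/TCP write-command and segmentation detector.

Illustrative example only (not from the CISA advisory, not vendor code).
Assumed layout: OT zone 10.20.0.0/16, engineering hosts 10.20.30.0/24,
PLC at 10.20.1.10. Sample traffic below is constructed, not captured.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Function codes that change PLC state. Reads (1-4) are not alerted on.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")       # assumed OT zone
ENGINEERING = ipaddress.ip_network("10.20.30.0/24")  # assumed hosts allowed to write


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: MBAP header (tid, proto, length, unit) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return ModbusRequest(src, dst, tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target address and value for the common write requests."""
    if req.function_code == 5 and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"coil {addr} <- {'ON' if value == 0xFF00 else 'OFF'}"
    if req.function_code == 6 and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"register {addr} <- {value}"
    if req.function_code == 16 and len(req.data) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", req.data[:5])
        return f"{qty} registers from {addr} ({nbytes} bytes)"
    return "unparsed payload"


def assess(req: ModbusRequest) -> list[str]:
    """Return alert lines for one request; an empty list means nothing to report."""
    alerts = []
    src = ipaddress.ip_address(req.src)
    where = f"{req.src} -> {req.dst} unit {req.unit_id} tid {req.transaction_id}"
    if src not in OT_ZONE:
        # Any Modbus from outside the OT zone means IT/OT (or internet) segmentation failed.
        alerts.append(f"CRITICAL segmentation: Modbus FC {req.function_code} from outside OT zone, {where}")
    if req.function_code in WRITE_FUNCTION_CODES:
        name = WRITE_FUNCTION_CODES[req.function_code]
        detail = describe_write(req)
        if src in ENGINEERING:
            alerts.append(f"INFO write: {name} ({detail}) from engineering host, {where}")
        else:
            alerts.append(f"HIGH write: {name} ({detail}) from non-allowlisted host, {where}")
    return alerts


# Constructed sample traffic: (source, destination, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    # Engineering workstation reads 10 holding registers (FC 3): normal, no alert.
    ("10.20.30.5", "10.20.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation writes register 16 := 255 (FC 6): logged as INFO.
    ("10.20.30.5", "10.20.1.10", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),
    # Corporate IT host outside the OT zone writes two registers (FC 16): CRITICAL + HIGH.
    ("10.50.4.21", "10.20.1.10", bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0000 0000")),
    # Host inside the OT zone but not an engineering station forces coil 1 ON (FC 5): HIGH.
    ("10.20.7.99", "10.20.1.10", bytes.fromhex("0004 0000 0006 01 05 0001 FF00")),
]


def run(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Parse and assess every frame, returning all alerts in traffic order."""
    alerts = []
    for src, dst, frame in traffic:
        alerts.extend(assess(parse_modbus_tcp(src, dst, frame)))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

In production the frames would come from a SPAN port or tap rather than a list, and the allowlists would be generated from the asset inventory; the alert tiers map directly onto the two actions above: a write from an unexpected host is a command-integrity problem, while any Modbus seen from outside the OT zone is a segmentation failure that should be treated as a likely intrusion.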

Regulatory Context for East African Operators

Kenya's Energy Act 2019 and the Computer Misuse and Cybercrimes Act 2018 place explicit obligations on licensed energy operators to protect critical systems. Ethiopia's Cybercrime Proclamation No. 1038/2021 similarly establishes liability for critical infrastructure operators who fail to implement reasonable security controls. A successful PLC compromise that causes a service outage is not just an operational failure - it is a regulatory and legal exposure.

DRONGO Recommendation

DRONGO's OT Security practice conducts passive ICS network assessments that identify exposed PLCs, map IT/OT network paths, and benchmark your environment against IEC 62443 and NIST SP 800-82. We operate across Kenya, Ethiopia, Somalia, and Djibouti - and we understand the specific vendor landscape deployed in East African utilities.

Is your organization protected? Request a free security assessment.