For years, a group calling itself “Cyber Av3ngers” projected the image of a scrappy, ideologically motivated collective — digital vigilantes striking at Western infrastructure in protest of Israeli military operations. They claimed no master. They answered, ostensibly, to no government. But according to the U.S. Department of Justice, that was always a fiction.
The United States has formally accused Iran’s government of operating the hacktivist group responsible for hacking into systems linked to Stryker, the major American medical technology company, as well as a series of attacks on U.S. water utilities and other critical infrastructure, as first reported by TechCrunch. The accusation, unsealed in a federal indictment this week, names several individuals allegedly employed by Iran’s Islamic Revolutionary Guard Corps (IRGC) and directly ties the Cyber Av3ngers’ operations to a unit within the IRGC’s Cyber-Electronic Command.
This isn’t the first time Washington has pointed the finger at Tehran over cyber operations. But the specificity of this indictment — naming individuals, tracing command structures, mapping attack infrastructure — represents a notable escalation in the U.S. government’s willingness to publicly attribute state-sponsored cyber campaigns to Iranian military organs.
The implications are broad, touching the defense industrial base, healthcare systems, municipal water infrastructure, and the increasingly fragile trust underpinning industrial control systems worldwide.
Start with Stryker. The Kalamazoo, Michigan-based company manufactures surgical equipment, implants, and medical devices used in hospitals across the globe. It reported $20.5 billion in revenue in 2025. It’s not a household name to most Americans, but within operating rooms and orthopedic clinics, its products are ubiquitous. The company confirmed in a statement that it had experienced a cybersecurity incident but declined to detail the scope, saying it had cooperated fully with federal authorities. What the indictment reveals is that Cyber Av3ngers gained access to networked systems within Stryker’s supply chain — not through some zero-day exploit or sophisticated malware, but through the exploitation of default passwords on programmable logic controllers (PLCs) manufactured by Unitronics, an Israeli company whose products are embedded in thousands of industrial operations worldwide.
That detail matters enormously.
Unitronics PLCs — small, relatively inexpensive devices that automate everything from water treatment processes to manufacturing line operations — became the group’s primary attack vector starting in late 2023. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in November 2023 warning that Cyber Av3ngers had been actively targeting Unitronics Vision Series PLCs, particularly those accessible via the internet with factory-default credentials. The advisory was blunt: change your passwords, get these devices off the public internet, implement multi-factor authentication. Many operators didn’t.
And so the attacks continued.
The municipal water authority in Aliquippa, Pennsylvania, was among the first publicly known victims. In that case, the hackers compromised a PLC controlling a booster station and left behind a digital calling card: “You have been hacked. Down with Israel. Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target.” The Aliquippa hack drew national attention not because of the damage done — operators quickly switched to manual control — but because of what it represented. Foreign actors, ostensibly motivated by geopolitics, had reached into a small American town’s water system.
At the time, some analysts debated whether Cyber Av3ngers was genuinely a grassroots hacktivist operation or something more organized. That debate is now settled, at least in the eyes of U.S. prosecutors.
According to the indictment detailed by TechCrunch, the individuals charged operated under the direction and control of IRGC officers. Their targeting decisions were not made autonomously. Their operational infrastructure — servers, domains, cryptocurrency wallets — was procured through IRGC channels. The hacktivist branding, with its anti-Israel slogans and anonymous aesthetic, was a deliberate front designed to provide plausible deniability and to obscure Tehran’s fingerprints.
This tactic has a name in intelligence circles: false flag operations under the cover of hacktivism. And Iran is hardly alone in employing it. Russia’s GRU military intelligence has used similar approaches, most famously with the “Guccifer 2.0” persona during the 2016 U.S. election interference campaign. China has been accused of similar obfuscation. But what distinguishes the Iranian approach, according to cybersecurity researchers, is its willingness to target industrial control systems in ways that could cause physical consequences — not just data theft or espionage, but disruption of machinery, water treatment processes, and potentially medical devices.
The Stryker breach underscores that risk. While the indictment does not allege that patient safety was directly compromised, the fact that attackers linked to a foreign military penetrated systems within a major medical device manufacturer’s supply chain raises questions that executives across the healthcare sector should be asking right now. How many of their vendors rely on Unitronics or similar PLCs? How many of those devices sit on networks reachable from the internet? How many still run default credentials?
The answer, according to multiple cybersecurity professionals who spoke on background, is: more than anyone is comfortable admitting.
CISA Director Jen Easterly has been vocal about the systemic risk posed by insecure-by-default industrial devices. In congressional testimony earlier this year, she argued that the burden of security should shift from end users — often small utilities and mid-size manufacturers with limited IT staff — to the device manufacturers themselves. “We cannot expect a water utility serving 15,000 people to have the same cybersecurity posture as a Fortune 500 company,” Easterly said. “The products they buy need to be secure out of the box.”
Unitronics, for its part, issued a firmware update in early 2024 that addressed some of the default-credential vulnerabilities. But firmware updates in the operational technology world don’t propagate the way software patches do on consumer devices. There’s no automatic update mechanism. Someone has to physically or remotely access each PLC and apply the update. In many cases, that someone doesn’t exist — the device was installed by a contractor years ago, and no one on staff knows it’s there, let alone how to patch it.
This is the hard reality of critical infrastructure cybersecurity in 2026. The attack surface is enormous, the defenders are under-resourced, and the adversaries are state-backed.
The Treasury Department had previously sanctioned several individuals associated with Cyber Av3ngers in early 2024, and the State Department’s Rewards for Justice program offered up to $10 million for information leading to the identification of the group’s members. The new indictment goes further, providing a legal framework that could enable asset seizures, extradition requests (however unlikely with Iran), and additional sanctions on entities that provide material support to the group.
But indictments of foreign intelligence operatives have a mixed track record as deterrents. The U.S. has indicted Russian GRU hackers, Chinese PLA officers, North Korean operatives, and Iranian nationals before. None have stood trial. The value, officials argue, is not in the expectation of prosecution but in the strategic communication: we know who you are, we know what you did, and we have the evidence to prove it in court.
Whether that message resonates in Tehran is another matter entirely.
Iran’s cyber capabilities have grown significantly over the past decade. What began as relatively unsophisticated website defacements and DDoS attacks has evolved into a program capable of targeting industrial control systems, conducting espionage against defense contractors, and running influence operations across social media platforms. The IRGC’s Cyber-Electronic Command, established formally in 2020, centralizes much of this activity under military command. Researchers at Microsoft, Mandiant, and CrowdStrike have all published extensive analyses of Iranian threat groups — tracked under names like Sandworm (sometimes confused with Russia’s group of the same name), MuddyWater, Charming Kitten, and now Cyber Av3ngers — that show increasing technical proficiency and strategic ambition.
So what happens next?
For companies in the crosshairs — medical device manufacturers, water utilities, energy providers, anyone running Israeli-made industrial components — the indictment should serve as a catalyst for immediate action. Audit your supply chain for Unitronics and similar PLCs. Segment your operational technology networks from your IT networks. Assume that any internet-facing industrial device is a target. These aren’t new recommendations. But the indictment makes the threat concrete in a way that advisories alone often fail to do.
For policymakers, the case strengthens the argument for mandatory cybersecurity standards for critical infrastructure operators and for secure-by-design requirements for industrial device manufacturers. The Biden administration’s National Cybersecurity Strategy, released in 2023, laid out this vision. The current administration has continued many of those initiatives, though implementation has been uneven. The Stryker hack — and the broader Cyber Av3ngers campaign — may provide the political impetus to accelerate regulatory action.
And for the intelligence community, the case is a reminder that the line between hacktivism and state-sponsored cyber warfare is often a fiction. When a group waves a political banner and claims to act on ideological conviction, the instinct is to treat it as a lesser threat than a named state actor. That instinct can be dangerous. The Cyber Av3ngers weren’t rogue activists. They were soldiers, operating under military orders, using hacktivist branding as camouflage.
The mask is off now. The question is whether the infrastructure they targeted is any better defended than it was when the attacks began.
History suggests the answer won’t be reassuring.


WebProNews is an iEntry Publication