Blog
April 24, 2026
2 min read
Week 7 Threat Advisory on Iran–Israel–US Conflict: The APT Recovery Window — Why Cyber Risk for BFSI Has Re-entered Its Most Dangerous Phase

This advisory covers 14–19 April 2026 — Week 7 of the Iran–Israel–US conflict. The defining event of the week is Iran’s partial restoration of internet connectivity on 17 April after 47 consecutive days of near-total blackout — the precise escalation threshold every prior advisory in this series identified as the trigger for Iranian state-sponsored APT recovery.

Simultaneously, new Unit 42 intelligence confirms a qualitative escalation in Iranian-aligned OT/ICS attack capability, with CyberAv3ngers deploying legitimate Rockwell Automation industrial software from attacker-controlled cloud infrastructure. The convergence is the central security challenge for Week 7: suppressed capability is transitioning into operational execution.

Five Key Developments

1. Iran begins partial internet restoration; APT recovery window formally opens

On 17 April, Iran initiated limited internet restoration after 47 days at ~1% of pre-war connectivity. Palo Alto Cortex Xpanse confirms Iranian IP-space activity increased 15× (≈20,000 to ≈300,000 services). This is still an order of magnitude below pre-conflict levels (~early February) but represents a measurable step toward APT operational recovery. Pre-positioned MuddyWater access on US bank and other networks can be activated without full restoration.

2. CyberAv3ngers deploys FactoryTalk on attacker-controlled VPS; OT attack sophistication escalates

Unit 42 confirmed that CyberAv3ngers installed Rockwell Automation FactoryTalk on attacker-controlled cloud VPS infrastructure, enabling remote PLC exploitation without insider credentials or physical access. This marks a shift to vendor-native, purpose-built OT attack platforms operated entirely from cloud infrastructure, directly exposing BFSI-adjacent systems such as facilities management, power handling, HVAC, and data-centre OT environments beyond traditional IT security visibility.

3. Censys confirms 5,219 internet-exposed Rockwell PLCs; ~75% located in the US

Censys identified 5,219 internet-exposed Rockwell/Allen-Bradley PLCs globally, with approximately 3,900 located in the United States. These devices support power distribution, water treatment, building management, and industrial automation, including infrastructure dependencies common to US financial institutions. When combined with attacker-operated FactoryTalk platforms, this creates a fully assembled OT attack chain requiring no zero-days, no insider access, and no physical presence.

4. CVE-2021-22681 confirmed as core exploit; no patch exists

Tenable Research published a detailed analysis confirming that CyberAv3ngers is exploiting CVE-2021-22681, a critical authentication bypass vulnerability in Rockwell Automation’s Studio 5000 Logix Designer software. Rockwell Automation has explicitly confirmed there is no patch for CVE-2021-22681 — only defence-in-depth mitigations are available. CyberAv3ngers’ ICS exploitation techniques have proliferated to an estimated 60+ affiliated groups via the Electronic Operations Room. 

5. Blackout cost: $1.8 billion to the Iranian economy; 48 consecutive days – longest national shutdown on record

By 16 April the Iran internet blackout had entered its 48th consecutive day (1,128+ hours), confirmed as the longest nationwide internet disruption recorded in any country globally. Estimated economic cost to Iran: $1.8 billion. The blackout also revealed Iranian influence operations: Scottish-independence-themed X accounts went silent during both the January and April 2026 Iran shutdowns, confirming these accounts are Iranian information operation assets operating under false flag identities.

WEEK 7 Metrics

Metric | Description                                                                     | Source
-------|---------------------------------------------------------------------------------|-------------------------------------------
300K   | Services observed daily in Iranian IP space since April 8 — up from 20K         | Censys, 8 Apr
5,219  | Rockwell / Allen-Bradley devices internet-exposed globally; ~75% in the US      | Palo Alto Cortex Xpanse / Unit 42, 17 Apr
$1.8B  | Estimated economic cost of Iran internet blackout by Day 48                     | Wikipedia / NetBlocks, 16 Apr
60+    | Affiliated groups that have acquired CyberAv3ngers ICS exploitation techniques | Tenable / CISA AA26-097A, 9 Apr

The APT Recovery Window – Analysis

The 17 April connectivity restoration is the single most strategically consequential cyber event of Week 7 — not because it introduces new capability, but because it removes the final constraint on coordinated Iranian state APT operations.

What the APT recovery window ENABLES

  • Pre-positioned access can now receive C2: MuddyWater’s confirmed presence on a US bank network and other pre-planted footholds established before the blackout no longer require full public internet access. The NIN infrastructure can route C2 traffic through state-controlled channels.
  • Operational tempo begins recovering: The 15× increase in Iranian IP space services (20K to 300K daily) confirms state and private connectivity is being restored selectively. APT operators on the state whitelist will have access before the public.
  • Handala’s ceasefire US pause will shorten: The group stated it would resume US attacks ‘when the time is right.’ Partial connectivity restoration combined with the failing ceasefire creates exactly the conditions Handala described as its resumption trigger.
  • The 47-day grievance backlog is now actionable: APT groups that have been suppressed for 47 days have accumulated targeting intelligence, credential harvests, and operational plans. Expect a surge, not a gradual ramp-up.
  • OT/ICS attacks independent of Iranian connectivity: CyberAv3ngers’ FactoryTalk VPS technique operates entirely from non-Iranian infrastructure. Partial restoration of NIN access for coordination and C2 is sufficient to direct ongoing PLC exploitation campaigns.

What the APT recovery window does NOT change

  • It does not mean full APT operational tempo is restored: The NIN restoration is limited to mirrored domestic content. Unrestricted outbound connections to global internet targets from Iranian state infrastructure are not yet confirmed. Full operational tempo requires full connectivity.
  • It does not mean BFSI faces new attack capability that did not exist during the blackout: All the attack capabilities documented in Weeks 1–6 — Handala’s wiper tools, MuddyWater’s pre-positioned access, CyberAv3ngers’ ICS exploitation — existed and operated during the blackout via satellite and external proxy infrastructure. The restoration is a multiplier, not an enabler of new capability.
  • It does not mean the ceasefire provides protection during the restoration period: The ceasefire is kinetic and fragile. It has no cyber dimension. Handala explicitly stated cyber operations continue regardless of ceasefire status.
  • It does not mean 300K services puts Iranian APT fully online: 300K services is still an order of magnitude below pre-conflict February levels (~3M+). The restoration is partial and controlled. Monitor Cortex Xpanse / NetBlocks for continued ramp-up.
  • It does not make OT/ICS threats a higher priority than IT threats: The PLC campaign (confirmed since March 2026) and the identity weaponization campaign (Stryker, March 11) are both ongoing. Neither has replaced the other. BFSI must address both tracks in parallel.

Threat Outlook

The APT Recovery is the Defining Threat of Week 7 and Beyond

Iran’s 17 April partial internet restoration ends the 47-day suppression of state-sponsored APT activity. The threat landscape from this point forward is materially different from Weeks 1–6: proxy hacktivists and satellite-enabled MOIS cells continue their existing operations, AND domestic Iranian APT groups begin recovering operational tempo. The 15x increase in Iranian IP space services is a leading indicator — the operational impact will follow with a lag measured in days to weeks. BFSI organisations that have not completed MuddyWater threat hunts, OT isolation, and Intune security hardening are now in the highest-risk window since the conflict began.

The OT Campaign Has Evolved to an Unsolvable Attack Surface 

The combination of CVE-2021-22681 (unpatched, 5-year-old vulnerability), 3,900+ internet-exposed US Rockwell devices, CyberAv3ngers’ FactoryTalk VPS platform, and 60+ groups with the proliferated exploitation playbook creates an OT attack surface that cannot be addressed through patching or detection alone. The only effective mitigation is network isolation of internet-exposed PLCs. BFSI organisations have had 12 days since AA26-097A to begin this process. Any organisation that has not yet isolated its internet-exposed Rockwell PLCs is now operating with a known, confirmed, actively exploited vulnerability that no patch will address.

The Ceasefire Window Is Now an Attack Preparation Period 

The nominal two-week ceasefire (8–22 April) is in its final days. The Islamabad talks collapsed on 12 April. Trump’s naval blockade threat and Iran’s partial connectivity restoration both signal that the post-ceasefire period will involve either resumed kinetic operations or intensified cyber operations as Iran’s primary remaining strategic instrument. Based on the pattern documented across the prior six weeks, BFSI organisations should expect: (1) Handala to lift its temporary US pause imminently; (2) MuddyWater pre-positioned access to be activated once NIN infrastructure can support reliable C2; (3) a Stryker-class attack on a US financial sector target within the next 14 days, as Nozomi Networks predicted in Week 6.

The Information Operations Threat Is Now Attributable and Trackable 

The Scottish-flag account revelation provides a validated forensic methodology for identifying Iranian information operation assets: accounts that go silent during both January 2025 and April 2026 Iran internet shutdowns are with high confidence Iranian IO infrastructure. This methodology is directly applicable to BFSI-sector accounts that have amplified false breach claims, deepfake executive content, or fake insolvency narratives. The IO campaign targeting the BFSI sector — documented since Week 1 of this advisory series — now has a confirmable attribution technique that BFSI brand protection teams should apply retrospectively across their threat intelligence records.
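The blackout-correlation check described above, as an added Python example that is not part of the advisory: it flags accounts that were active in the weeks around each shutdown window but posted nothing inside it, and deliberately does not flag dormant accounts that have no baseline activity to compare against. The window dates and the sample posting histories are constructed assumptions, not data from the page.

```python
from datetime import datetime, timedelta

# Assumed shutdown windows (start inclusive, end exclusive). January dates are
# placeholders; the April window is the 47 days ending at the 17 April
# restoration. Neither is taken from the advisory's data.
BLACKOUT_WINDOWS = [
    (datetime(2026, 1, 8), datetime(2026, 1, 12)),
    (datetime(2026, 3, 1), datetime(2026, 4, 17)),
]

# Constructed sample posting histories keyed by account handle.
SAMPLE_POSTS = {
    # Active before and after both windows, silent inside both: flagged.
    "flagwaver_alba": [
        datetime(2025, 12, 20), datetime(2026, 1, 2), datetime(2026, 1, 5),
        datetime(2026, 1, 15), datetime(2026, 2, 10), datetime(2026, 2, 25),
        datetime(2026, 4, 20),
    ],
    # Posted during the January window: not blackout-correlated.
    "highland_news": [
        datetime(2026, 1, 3), datetime(2026, 1, 10), datetime(2026, 2, 1),
        datetime(2026, 3, 15), datetime(2026, 4, 20),
    ],
    # No baseline activity around either window: no evidence, not flagged.
    "dormant_since_2025": [datetime(2025, 11, 1), datetime(2025, 11, 15)],
}

def posts_in(posts, start, end):
    """Posts with start <= timestamp < end."""
    return [p for p in posts if start <= p < end]

def blackout_correlated(posts, windows, baseline_days=30):
    """True when the account posted nothing inside every window but was active
    in the baseline_days immediately before and after each one. The baseline
    requirement stops merely dormant accounts from matching."""
    for start, end in windows:
        if posts_in(posts, start, end):
            return False          # posted through the blackout
        before = posts_in(posts, start - timedelta(days=baseline_days), start)
        after = posts_in(posts, end, end + timedelta(days=baseline_days))
        if not before or not after:
            return False          # no baseline to compare against
    return True

def flag_accounts(accounts, windows, baseline_days=30):
    """Sorted handles whose silence lines up with every given window."""
    return sorted(h for h, p in accounts.items()
                  if blackout_correlated(p, windows, baseline_days))
```

A flagged handle is a lead for retrospective review of the breach claims and narratives that account amplified, not attribution on its own; tighten or loosen baseline_days to match how frequently the accounts under review normally post.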

Revised Defensive Priorities – Week 7 Additions

This section outlines new actions only. Actions from Weeks 1–6 remain valid.

  • Launch immediate threat hunting for MuddyWater/Seedworm pre-positioned access.
  • Re-baseline SIEM alerts to account for the 15× increase in Iranian IP-space activity.
  • Identify and isolate all internet-exposed Rockwell Automation PLCs in BFSI-operated or vendor-operated facilities.
  • Apply and document CVE-2021-22681 compensating controls to all Rockwell PLC deployments. 
  • Audit social-media narratives and breach claims using blackout-correlated false-flag indicators.
  • Establish a daily Xpanse/Shodan/Censys internet-exposure check for BFSI-adjacent OT devices.

Sources & References

1. Palo Alto Networks Unit 42 — Threat Brief: Escalation of Cyber Risk Related to Iran (Updated 17 April 2026)

2. Palo Alto Cortex Xpanse — Iranian IP-space connectivity telemetry and service enumeration (17 April 2026)

3. Censys — Internet-Exposed Rockwell / Allen-Bradley PLC Devices (8 April 2026)

4. Tenable Research — What to Know About CyberAv3ngers / CVE-2021-22681 exploitation analysis (9 April 2026)

5. Rockwell Automation — Studio 5000 Logix Designer security advisories (CVE-2021-22681 no-patch confirmation, referenced April 2026)

6. NetBlocks — Iran internet connectivity monitoring and restoration timeline (16–17 April 2026)

7. Wikipedia — 2026 Internet Blackout in Iran article (updated 16–17 April 2026)

8. Nozomi Networks — Assessment of exposed Rockwell PLCs and BFSI-adjacent OT risk (referenced via Censys coverage, April 2026)
