Industrial Cybersecurity Risks from Internet-Exposed ICS Devices

Introduction

Team Cymru works with defenders at critical national infrastructure (CNI) organizations around the world to discover and protect internet-exposed industrial control systems (ICS) devices, such as PLCs, RTUs, and SCADA systems, before they are exploited and shut down by adversaries.

In our previous blog, Protecting Critical National Infrastructure (CNI) through extended global visibility, we raised awareness about the range of capabilities Team Cymru has that are specifically tailored to protect ICS and Operational Technology (OT).

In this blog, we will walk through three case studies to highlight the number of exposed ICS/OT devices that are known targets of attacks by hostile nation-state actors. The fact that these devices are exposed is a significant concern. Team Cymru's aim in this research is to raise awareness once more that CNI systems are exposed, and that our data can help mitigate these issues and prevent pre-positioning operations and potential destructive cyberattacks.

Case Studies: Nation-State Attacks Targeting ICS Devices

The following three case studies highlight present risks in industrial cybersecurity, as well as observed attacks against ICS and OT devices.

Case Study 1: Hitachi Devices and the "Hard Brick" Attack

The Hitachi RTU560 (formerly ABB) is a product that supports modern electrical grid stability, serving as a high-end, modular Remote Terminal Unit (RTU) for large-scale substation automation and transmission. However, its sophisticated support for protocols like IEC 61850 hasn't shielded it from targeted sabotage.

The Computer Emergency Response Team of Poland (CERT-PL) recently reported on a disturbing campaign attributed to Dragonfly (aka Berserk Bear) to target the Polish power grid. Dragonfly is a threat group linked to the Russian FSB by the US Justice Department. On 29 December 2025, the Dragonfly operators reportedly exploited the default account credentials left unrotated on internet-exposed web interfaces, marking a glaring security gap in ICS/OT environments.

CERT-PL explained that once logged in, the Dragonfly operators performed a "Hard Brick" attack. By uploading corrupted ELF firmware files, they forced the processor to execute invalid instructions. This triggered an infinite boot loop that effectively destroyed the unit's functionality, often necessitating the physical replacement of the hardware in the field.

Thankfully, however, the damage to the RTU controllers was limited to the loss of communication between the facility and the distribution system operators (DSO) and did not affect the ongoing electricity generation. The nature of the attack, though, was destructive and is assessed to have been intended to cause an outage.

Identifying Exposed Units with Scout

To visualize the current exposure of these devices, we can utilize the following Scout query:

  • tag = "hitachi"

Figure 1: Analysis of top five countries with Hitachi RTU560 device internet exposure via Team Cymru Scout.

Case Study 2: Moxa Devices and the Denial-of-Service Lockout

The Moxa NPort device serves as a critical bridge in industrial environments, functioning as a secure serial-to-ethernet device server that allows legacy serial hardware, such as sensors, programmable logic controllers (PLCs), and meters to communicate over modern IP networks. Despite its support for encrypted protocols like TLS and SSH, its security is often undermined by the retention of factory-default credentials.

In the same campaign linked to Dragonfly (aka Berserk Bear) by CERT-PL, the attackers also exploited these default logins to gain administrative access to the devices' web interfaces. Rather than "bricking" the hardware, the Dragonfly operators executed a coordinated lockout: they restored the devices to factory settings, updated the administrative passwords to unknown values, and reconfigured the IP addresses to a non-routable loopback address (127.0.0.1).

This effectively made the devices vanish from the network, causing immediate loss of visibility and control over the connected field equipment while maximizing the time required for technicians to manually reset and recover each unit.
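The lockout sequence CERT-PL describes (factory reset, then an administrative password change, then an IP change to the loopback address, all from one source in a short window) is a pattern a defender can look for in device audit logs. The detector below is an added example, not code from Team Cymru or from the original post; the syslog-style line format, device names and addresses are constructed for illustration and are not Moxa's real log format.

```python
# Added example: flag the reset -> password change -> loopback IP lockout pattern
# in constructed device audit-log lines. The line format is hypothetical.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a hostile sequence on nport-07 from one external source,
# and a benign, isolated password rotation on nport-03 from an admin workstation.
SAMPLE_LOG = """\
2025-12-29T03:14:02Z nport-07 web: login ok user=admin src=198.51.100.23
2025-12-29T03:14:10Z nport-07 web: factory_reset src=198.51.100.23
2025-12-29T03:14:31Z nport-07 web: password_change user=admin src=198.51.100.23
2025-12-29T03:14:45Z nport-07 web: ip_change old=10.20.0.17 new=127.0.0.1 src=198.51.100.23
2025-12-29T09:00:00Z nport-03 web: login ok user=admin src=10.20.0.5
2025-12-29T09:02:10Z nport-03 web: password_change user=admin src=10.20.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) web: (?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
LOCKOUT_EVENTS = {"factory_reset", "password_change", "ip_change"}

def parse(text):
    """Yield (timestamp, device, event, key=value fields) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["dev"], m["event"], dict(KV_RE.findall(m["rest"]))

def find_lockouts(text, window_seconds=600):
    """Return {device: source} for every device where a single source performed
    a factory reset, a password change and an IP change to 127.x within the window."""
    by_key = defaultdict(list)
    for ts, dev, event, fields in parse(text):
        if event in LOCKOUT_EVENTS:
            by_key[(dev, fields.get("src"))].append((ts, event, fields))
    hits = {}
    for (dev, src), evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):
            # events from this anchor onward that fall inside the window; an
            # ip_change only counts when the new address is loopback
            seen = {e for t, e, f in evs[i:]
                    if (t - t0).total_seconds() <= window_seconds
                    and (e != "ip_change" or f.get("new", "").startswith("127."))}
            if LOCKOUT_EVENTS <= seen:
                hits[dev] = src
                break
    return hits
```

Running it over the sample flags nport-07 with its source address and leaves the single password change on nport-03 alone.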

Identifying Exposed Units with Scout

To visualize the current exposure of these devices, we can utilize the following Scout query:

  • tag = "moxa"

Figure 2: Analysis of top five countries with Moxa device internet exposure via Team Cymru Scout.

Case Study 3: Rockwell Automation and the "TRISIS-Class" Threat

In July 2023, Rockwell Automation and CISA issued an urgent disclosure regarding critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) found within the 1756-EN2, EN3, and EN4 communication modules. These modules are the translators of the Allen-Bradley ControlLogix platform, handling high-speed EtherNet/IP traffic across the backplane to other industrial components.

What made this discovery unique was that it was not triggered by a breach, but by the discovery of a novel exploit capability developed by an unnamed nation-state actor. The exploit would have allowed attackers to send malformed Common Industrial Protocol (CIP) messages to the module to trigger an out-of-bounds write. This would have granted them the ability to perform remote code execution (RCE) and manipulate the module’s firmware directly.

Security experts from Dragos compared the threat to the infamous TRISIS/TRITON malware, noting that by gaining a foothold in the communication module, a hostile actor could falsify I/O traffic, stay persistent across reboots, and even hide their presence from incident responders by intercepting forensic data. This could have potentially led to a catastrophic process failure without the operator ever seeing a fault on their screen.

Identifying Exposed Units with Scout

To visualize the current exposure of these devices, we can utilize the following Scout query:

  • tag = "rockwell"

Figure 3: Analysis of top five countries with Rockwell device internet exposure via Team Cymru Scout.

Monitoring ICS and OT Devices with Team Cymru

The chart shown in Figure 4 below displays data we pulled from Scout, tracking the number of unique IP addresses of targeted ICS devices over a single month (January 2026).

We found that Rockwell Automation accounts for a massive 68.1% of the exposed devices (6,653 unique IPs). Rockwell is one of the world's largest industrial automation companies, heavily utilized in North America and globally. Because these devices are used to control physical industrial processes, this high level of targeting is a significant security concern.

Moxa represents the second-largest slice at 15.7% (1,532 unique IPs). Unlike the other companies listed, which primarily make industrial controllers, Moxa specializes in industrial networking equipment (like cellular routers, switches, and serial-to-ethernet converters). By targeting the networking gear, attackers can potentially pivot deep into a secure OT network.

Siemens (7.3%), Schneider Electric (4.5%), Hitachi Energy (4.2%), and Mitsubishi Electric (0.1%) make up the remainder of the chart. While their percentages are smaller relative to Rockwell and Moxa, hundreds of unique IPs for companies like Siemens and Schneider are still highly significant. These companies represent the backbone of European and Asian industrial markets and would be priority targets for hostile nation-state threats looking to trigger destructive attacks.

Figure 4. Number of exposed ICS devices per manufacturer detected in January 2026.

While the first chart showed what technology adversaries are looking for, the chart shown below in Figure 5 highlights where the devices they are looking for are primarily located. The United States accounts for nearly half of all targeted devices at 45.4% (1,269 unique IPs), a particular concern for the US given that state-aligned threat actors frequently engage in pre-positioning within critical infrastructure.

Hostile nation-state threat groups, such as Dragonfly and Volt Typhoon, are known to conduct reconnaissance on US water systems and compromise routers at electric utilities to establish access in preparation for potential future conflicts. Additionally, the sheer size of the US industrial base means there is a massive volume of internet-exposed devices to scan.

Figure 5. Number of exposed ICS devices per country detected in January 2026.

Russia (4.3%), Ukraine (3.0%), and Taiwan (2.6%) all appear in the top 10. Seeing these specific nations on the list is a direct reflection of real-world physical and political conflicts. Russia and Ukraine have a well-documented history of cyber warfare involving attacks on power grids and industrial systems. Similarly, Taiwan's presence highlights ongoing strategic tensions in the Asia-Pacific region. Targeting ICS in these areas often points toward espionage or preparations for sabotage during a military conflict rather than simple financial extortion by a cybercriminal group.

Outlook

The underlying, and perhaps most alarming, significance of these findings is that these devices are reachable and targeted over the internet at all. Best practices in industrial cybersecurity dictate that ICS devices should never be directly exposed to the public internet. The fact that thousands of unique IPs are being detected as targeted means that many organizations are still struggling with IT/OT convergence, leaving critical infrastructure dangerously exposed to remote cyberattacks, ransomware, or state-sponsored disruption.

How Team Cymru Can Help

Tools like Scout and the Insights Feed enable defenders to:

  • Help Close Visibility Gaps: Monitor sensitive OT environments non-disruptively using NetFlow data.
  • Harden the Boundary: Discover and pinpoint internet-exposed ICS devices before adversaries do.
  • Enrich Detection: Enhance intrusion detection systems (IDS) with global intelligence for higher-fidelity alert triage.