Cato Networks researchers have uncovered a coordinated global campaign targeting internet-exposed PLCs (programmable logic controllers) that speak Modbus/TCP (the Modbus protocol carried over TCP, the transmission control protocol), highlighting a sharp rise in OT (operational technology) threats. The activity, observed between September and November 2025, spanned 70 countries and involved more than 14,000 unique IP addresses, with the U.S. accounting for the largest share of targeting. The campaign zeroed in on internet-exposed devices, laying bare a wide and often ignored attack surface across industrial environments, while also flagging a smaller cluster of higher-intent infrastructure, including sources traced to China.
The findings point to systematic probing and potentially pre-attack reconnaissance rather than isolated incidents, signaling a coordinated effort to map and assess vulnerable industrial systems at scale. By leveraging Modbus, a widely used but inherently insecure protocol in ICS (industrial control systems), attackers can interact directly with PLCs, increasing the risk of disruption or manipulation of physical processes. The scale and geographic spread of the activity underscore how exposed OT infrastructure continues to attract sustained and organized attention from threat actors.
Guy Waizel and Jakub Osmani, Cato executives, detailed in a Thursday blog post that they reviewed inbound Modbus/TCP telemetry observed over three months, focusing on function code frequency and sequencing; consistency versus variability of PDU (protocol data unit) arguments, where static patterns strongly indicate automation; bulk-read lengths near protocol limits and repeated high-rate request patterns; single-source, single-target behaviors; and enrichment using AbuseIPDB, VirusTotal, and internal correlation, such as multiple IPS triggers per source.
They added that across three months of inbound Modbus/TCP telemetry, the pattern was unmistakable, covering broad automated reconnaissance escalating into higher-risk behaviors capable of degrading availability or manipulating device state altogether.
Over the three-month observation period from September to November 2025, 233 source IPs generated approximately 235,500 inbound requests, the majority dominated by Read Holding Registers (0x03) activity. Many of those source IPs carried low or zero public reputation scores, consistent with fresh or rotating scanning hosts rather than established infrastructure. A recurring pattern emerged of Read Device Identification (0x2B/0x0E) followed by a fixed register read, with behavior consistent with scripted, deliberate targeting rather than opportunistic scanning.
The observation period also captured disruption attempts, including DoS-like bulk reads near maximum request size and 3,240 Write Multiple Registers (0x10) requests originating from a single source. Of particular interest, only six IPs used the rare expanded device identification technique (0200), pointing to a small subset of higher-intent actors. Geographically, the activity spanned 70 countries, with the United States accounting for the largest share at 36%.
Waizel and Osmani outlined a set of distinct behavioral patterns observed during the campaign, each pointing to a different stage or intent in attacker activity. First, researchers recorded high-volume register read activity using function code 0x03, with roughly 235,500 inbound requests over three months originating from 233 IP addresses. This function dominated overall traffic, indicating automated scanning of exposed PLCs aimed at extracting data from holding registers. The associated risk is assessed as medium to high.
A second pattern revealed a clear fingerprint-then-target approach. Attackers first queried devices for identifying details such as vendor, product, and version, then followed up with a fixed register read at address 0xB414, consistently pulling eight registers. This suggests scripted fingerprinting followed by model-specific data access targeting known register ranges, carrying a high risk.
The third behavior resembled denial-of-service conditions through bulk-read flooding. Attackers issued near-maximum register reads, often requesting 124 registers per query. In one case, a single source generated approximately 158,100 rapid read requests against a single target. This pattern aligns with resource exhaustion attempts aimed at overwhelming PLC processing capacity, queues, or connection handling, and is rated high risk.
Another, less frequent but more targeted behavior involved expanded device identification requests using code 0200. A total of 175 such requests came from six IP addresses, most of which were geolocated to China and associated with strong reputation signals. This indicates more deliberate reconnaissance using extended device metadata collection, also categorized as high risk.
Finally, the most severe activity involved the systematic use of the Write Multiple Registers function, 0x10. Researchers observed 3,240 write requests from a single IP address, all beginning at register 0x0BB8 and writing between 27 and 122 registers. This consistent pattern points to automated probing or manipulation attempts targeting writable register regions, representing a critical level of risk.
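The analysis method described earlier (function-code sequencing, bulk-read lengths near protocol limits, high-rate single-source behavior) and the five behavioral patterns just listed can be turned into detection logic run over raw Modbus/TCP requests. The following is an added example, not Cato's code or the blog post's own tooling: it decodes the MBAP header and the start of the PDU, then flags fingerprint-then-target sequences, bulk reads, Write Multiple Registers (0x10) activity, and per-source floods. The thresholds (120 registers for "near maximum", five requests per second for "high rate"), the reading of "0200" as the Read Device ID code byte 0x02 followed by object id 0x00, and all IP addresses and frames are assumptions constructed for the example.

```python
"""Detector for the Modbus/TCP request patterns described in the article.
Added example with constructed traffic; thresholds are assumptions."""
import struct
from collections import defaultdict

# Protocol limits from the Modbus application spec: FC 0x03 reads at most 125
# registers per request, FC 0x10 writes at most 123.
MAX_READ_QTY = 125
MAX_WRITE_QTY = 123
BULK_READ_THRESHOLD = 120   # assumption: "near maximum" means >= 120 registers
RATE_WINDOW_S = 1.0         # assumption: a flood is >= RATE_MIN requests per
RATE_MIN = 5                # source/target pair inside a one-second window


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (transaction id, protocol id 0, length, unit)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the request fields the detector needs.
    Raises ValueError on frames that do not fit the Modbus/TCP layout."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    fc, pdu = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (0x03, 0x04) and len(pdu) >= 4:               # read holding/input registers
        info["addr"], info["qty"] = struct.unpack(">HH", pdu[:4])
    elif fc == 0x10 and len(pdu) >= 5:                     # write multiple registers
        info["addr"], info["qty"], info["byte_count"] = struct.unpack(">HHB", pdu[:5])
    elif fc == 0x2B and len(pdu) >= 3 and pdu[0] == 0x0E:  # read device identification
        info["mei"], info["dev_id_code"], info["object_id"] = pdu[0], pdu[1], pdu[2]
    return info


def analyze(events):
    """events: iterable of (timestamp, src_ip, dst_ip, frame_bytes).
    Returns a list of (pattern, src, dst, detail) findings in time order."""
    findings = []
    fingerprinted = set()          # (src, dst) pairs that sent 0x2B/0x0E
    recent = defaultdict(list)     # (src, dst) -> request timestamps in window
    flooded = set()
    for ts, src, dst, frame in sorted(events, key=lambda e: e[0]):
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append(("malformed", src, dst, str(exc)))
            continue
        key, fc = (src, dst), req["fc"]
        if fc == 0x2B and req.get("mei") == 0x0E:
            fingerprinted.add(key)
            code = f"{req['dev_id_code']:02x}{req['object_id']:02x}"
            findings.append(("device_identification", src, dst, code))
        elif fc == 0x03:
            detail = f"addr=0x{req['addr']:04X} qty={req['qty']}"
            if key in fingerprinted:                      # fingerprint-then-target
                findings.append(("fingerprint_then_target", src, dst, detail))
                fingerprinted.discard(key)
            if req["qty"] >= BULK_READ_THRESHOLD:         # DoS-like bulk read
                findings.append(("bulk_read", src, dst, f"qty={req['qty']}/{MAX_READ_QTY}"))
        elif fc == 0x10:                                  # any write is worth a finding
            findings.append(("write_multiple_registers", src, dst,
                             f"addr=0x{req['addr']:04X} qty={req['qty']}"))
        window = recent[key]                              # sliding-window rate check
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_S:
            window.pop(0)
        if len(window) >= RATE_MIN and key not in flooded:
            flooded.add(key)
            findings.append(("high_rate", src, dst, f"{len(window)} requests in {RATE_WINDOW_S}s"))
    return findings


def sample_events():
    """Constructed traffic mirroring the article's patterns; not real telemetry."""
    ev = []
    # fingerprint (device id code 0x01, object 0x00) then read 8 registers at 0xB414
    ev.append((0.0, "198.51.100.10", "192.0.2.50", build_frame(1, 1, bytes([0x2B, 0x0E, 0x01, 0x00]))))
    ev.append((0.2, "198.51.100.10", "192.0.2.50", build_frame(2, 1, struct.pack(">BHH", 0x03, 0xB414, 8))))
    # rapid 124-register reads from one source against one target
    for i in range(6):
        ev.append((1.0 + i * 0.1, "198.51.100.20", "192.0.2.50",
                   build_frame(10 + i, 1, struct.pack(">BHH", 0x03, 0, 124))))
    # write 27 registers starting at 0x0BB8 (byte count 54, zero-filled values)
    ev.append((5.0, "198.51.100.30", "192.0.2.51",
               build_frame(20, 1, struct.pack(">BHHB", 0x10, 0x0BB8, 27, 54) + bytes(54))))
    # rarer device identification variant whose code bytes read "0200"
    ev.append((6.0, "198.51.100.40", "192.0.2.52", build_frame(30, 1, bytes([0x2B, 0x0E, 0x02, 0x00]))))
    return ev


if __name__ == "__main__":
    for finding in analyze(sample_events()):
        print(*finding)
```

In practice the events would come from a packet capture or an IDS log at the OT boundary rather than from `sample_events()`; the detector is deliberately stateful per source/target pair, because the fingerprint-then-target and flood patterns only show up when requests are viewed in sequence rather than one frame at a time.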
The regional distribution shows that the Americas accounted for the largest share of observed targeting at 48%, followed by Europe at 28% and Asia at 23%. Activity in Oceania was minimal at 1%, while Africa registered close to 0%, indicating a heavily concentrated focus on Western and industrialized regions.
Country-level data shows the U.S. as the primary target, accounting for 36% of activity, well ahead of France at 13% and Japan at 12%. Canada followed at 8%, while India, the Philippines, and Switzerland each accounted for 3%. Germany also accounted for 3%, with Italy and Peru each at 2%. The remaining 14% was grouped under other countries, reinforcing the global but uneven nature of the campaign.
At the sector level, manufacturing emerged as the most targeted industry at 18%. Consumer goods and medical or healthcare each accounted for 8%, while construction and technology followed at 7% apiece. Transportation, wholesale, and finance each represented 6% of observed targets, with automotive at 5% and consulting at 4%. A further 27% fell into an “other” category, suggesting a long tail of smaller or less-defined industry segments.
In conclusion, Waizel and Osmani said their findings show that internet-exposed Modbus devices face repeated hostile interest that ranges from broad discovery and device profiling to attempts at disruption and direct manipulation.
“While the threat actors are unknown, we know that this activity spans multiple industries, with manufacturing most represented, and is geographically widespread across dozens of countries,” they added. “The core recommendation remains the same: do not expose Modbus to the public internet. Where exposure exists, enforce segmentation by isolating OT from IT and the public internet, strict access controls to limit Modbus reachability, and pair that with threat prevention to stop both early-stage probing and higher-impact actions.”
Earlier this month, Comparitech data highlighted how exposed ICS continue to present a tangible risk to critical infrastructure, with 179 internet-facing ICS devices identified globally through scans of Modbus. These devices, which communicate over port 502, are embedded in sectors such as power grids, manufacturing, and transportation, and their exposure reflects a broader shift toward connectivity without corresponding security controls.