Claroty’s Team82 disclosed that cybercriminals are increasingly targeting global critical infrastructure by directly accessing exposed cyber‑physical systems, highlighting a fast‑escalating threat to industrial control environments. Analysis of over 200 incidents over the past year revealed that 82% of attacks leveraged remote access protocols to reach internet‑facing assets, and 66% involved the compromise of HMIs (Human Machine Interfaces) and SCADA systems that control essential processes across sectors such as energy, water, manufacturing and healthcare.
The research found that politically and socially motivated threat actors, particularly those linked to Russia and Iran, are exploiting low‑tech but widely exposed systems, underscoring growing risks to public safety and service continuity.
In its report titled ‘Analyzing CPS Attack Trends,’ Claroty reported that attackers are also shifting strategically, moving away from targeted attacks against specific entities and instead routinely selecting classes of internet-facing CPS devices to compromise at scale. A large number of these cyberattacks involve neither expensive-to-develop exploits nor intimate knowledge of the inner workings of OT (operational technology). Instead, attackers are finding success against CPS assets by using decidedly low-tech means of accessing devices that are often guarded by weak or default credentials, or by an insecure connection to the internet.
Claroty data revealed that attacks on cyber-physical systems by these groups were largely driven by political or social objectives, consistent with known nation-state motivations. Given the long-running geopolitical tensions in the Middle East and the ongoing war between Russia and Ukraine, Team82 attributed many of the incidents to threat actors affiliated with Russia and Iran.
Hackers are also exploiting weaknesses in longstanding OT and Internet of Things (IoT) protocols that lack authentication, encryption, and other basic security capabilities. The barrier to entry is low for these groups, which are accessing and controlling CPS at scale.
The most targeted sectors observed are manufacturing, water and wastewater, and power generation: critical infrastructure sectors that, if disrupted or damaged, could instill the most chaos and fear in societies. These three account for over 45% of the attacks observed across the 20 sectors in which incidents involving CPS assets were recorded and verified.
The research found that 81% of incidents carried out by Iran-affiliated groups targeted organizations in the U.S. and Israel, while 71% of incidents conducted by Russia-affiliated groups focused on organizations in European Union countries. Among the EU targets, the countries most affected by Russian-linked activity were Italy, accounting for 18%, followed by France at 11%, and Spain at 9%.
“Our research reveals a major escalation in how malicious actors are infiltrating the operational systems that underpin society’s daily operations,” said Amir Preminger, CTO and head of Team82 at Claroty. “Attackers are using relatively low-tech means to target critical sectors—from manufacturing, to water and waste, to power generation, to healthcare—industries whose disruption would lead to dire, if not dangerous consequences. Based on what’s uncovered in the research, there’s a clear need to bolster security efforts for CPS, and organizations can no longer tolerate lax cybersecurity practices around these devices.”
The modern geopolitical landscape shows a ‘trickle-down’ effect, where high-level state tensions empower low-skilled hacktivist collectives to strike at the heart of daily life, targeting power, water, and manufacturing. An analysis of more than 200 verified attacks reveals a clear divide between two primary ideological blocs: Soviet/Russian-aligned groups and Arab/Iranian-aligned groups, each following a distinct strategic roadmap.
While threat actors often use deceptive names or self-identify with certain regions, forensic and intelligence mapping indicate that most attacks originate from specific geopolitical hubs. Within the Soviet/Russian bloc, dominant groups include NoName057(16), Z-Pentest (Z-ALLIANCE), and SECTOR16. Although some early reports suggested Serbian origins, these groups are confirmed Russian entities, often operating as volunteer arms of state-aligned campaigns against NATO. Z-Pentest was notably formed by administrators from the Cyber Army of Russia Reborn and NoName057(16) specifically to target Western infrastructure.
In the Arab/Iranian bloc, groups concentrate on operations such as OpIsrael and other attacks against Western interests. Shadow Alarm is a recognized Iranian actor, while Arabian Ghosts and Anonymous Syria are primarily Syrian or Syrian-aligned, motivated by regional conflicts in the Middle East.
An emerging trend shows cross-regional alignment where groups outside the primary conflict zones adopt Russian geopolitical interests. Nullsec Philippines exemplifies this ‘double agenda,’ maintaining anti-China operations while formally integrating into the pro-Russian, anti-Western bloc. The group participates in coordinated strikes against the U.S. and serves as a regional force multiplier for Russian interests, often leveraging shared toolkits.
Claroty detailed that targeting trends follow a mirroring effect, where cyber-physical operations directly reflect real-world diplomatic alliances and military support. Russia-aligned groups have extensively pivoted toward Western Europe, focusing on nations that provide military and diplomatic aid to Ukraine, making European infrastructure a secondary front in the ongoing conflict. Italy emerges as the most frequent European target, accounting for 18% of attacks, followed by France at 11% and Spain at 9% of activity originating from the Soviet-aligned bloc. Direct attacks on Ukraine represent 8% of documented activity within this group, concentrating on critical infrastructure such as wood production and heating systems.
Groups such as SECTOR16 and Z-ALLIANCE (Z-Pentest) have specifically targeted power generation and water treatment facilities across France, Poland, and Italy. Notable examples include the breach of a small hydroelectric power plant in France in March 2025 and a hydroelectric station in Gdańsk, Poland, in May 2025, highlighting the vulnerability of European life-support systems.
The research noted that the conflict in the Middle East has catalyzed a unification of fronts, where Arab- and Iranian-aligned groups target Western interests as a surrogate for their support of Israel.
The U.S. is the most targeted country for the Iran bloc, suffering 42% of its attacks. Groups like Arabian Ghosts and Shadow Alarm frame these as direct responses to American foreign policy. Israel remains a primary regional target for Iranian-aligned groups, accounting for 39% of attacks from these sources. Overall, Israel represents 24% of the entire dataset’s victim distribution. Other countries appearing in this segment of the dataset include France, Greece, the United Arab Emirates, Ukraine, Yemen, and Venezuela, each accounting for 3% of attacks.
Understanding how to defend against CPS attacks begins with understanding how they are executed. This led to an examination of the attack ‘kill chain,’ mapping the stages identified through the research. By isolating common patterns across incidents and analyzing artifacts released by attackers, the attack lifecycle can be distilled into a series of core steps.
The process begins with target selection, where attackers identify the type of device they intend to compromise. This may involve a specific programmable logic controller, HMI, or SCADA system, as seen in the 2023 Iranian campaign targeting Unitronics devices, but more often involves insecure legacy protocols. Attackers typically search for device classes exposing vulnerable services such as VNC or Modbus. Once a target profile is defined, the focus shifts to locating exposed systems.
The next stage is victim selection, which involves identifying internet-facing devices that match the chosen criteria. Attackers rely on internet scanning platforms such as Shodan and Censys, which continuously map exposed services across the IPv4 space. While these tools serve legitimate research purposes, they also enable malicious use. Victim identification becomes straightforward, often involving a search for devices running insecure-by-design protocols like Modbus, which lacks authentication and encryption, or VNC instances operating without proper access controls.
The final stage is target enumeration, where attackers interact directly with the exposed device to extract information or gain control. The techniques used depend on the attack vector. For Modbus-exposed systems, attackers may use open source clients to enumerate registers and coils and retrieve their values. If VNC is the entry point, attackers typically attempt to access systems using default credentials or brute-force weak authentication mechanisms.
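A defender-side counterpart to the enumeration stage described above, added here as an example and not taken from Claroty's report: a small Modbus/TCP request parser with an allow-list policy that flags reads arriving from outside the plant network and writes (coils or registers) from any host other than an engineering subnet. The network ranges, the source addresses and the sample frames are constructed for the example; the function codes and MBAP header layout are the public Modbus/TCP definitions.

```python
import struct
from ipaddress import ip_address, ip_network

# Public Modbus function codes; 5, 6, 15 and 16 change coils or registers.
MODBUS_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                    3: "Read Holding Registers", 4: "Read Input Registers",
                    5: "Write Single Coil", 6: "Write Single Register",
                    15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Assumed site policy (constructed): plant LAN may read, only engineering writes.
ALLOWED_READERS = [ip_network("10.10.0.0/16")]
ALLOWED_WRITERS = [ip_network("10.10.5.0/24")]


def parse_modbus_tcp(frame: bytes):
    # MBAP header: transaction id, protocol id (0), length, unit id; then PDU.
    if len(frame) < 10:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        return None
    # Every listed function code begins its data with a 2-byte address.
    return {"tid": tid, "unit": unit, "function": frame[7],
            "address": struct.unpack(">H", frame[8:10])[0]}


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'ok' or an alert string for one request coming from src_ip."""
    req = parse_modbus_tcp(frame)
    if req is None:
        return "ALERT malformed-frame"
    src, fc = ip_address(src_ip), req["function"]
    name = MODBUS_FUNCTIONS.get(fc, f"fc={fc}")
    if not any(src in net for net in ALLOWED_READERS):
        return f"ALERT external-source {name} addr={req['address']}"
    if fc in WRITE_FUNCTIONS and not any(src in net for net in ALLOWED_WRITERS):
        return f"ALERT unauthorized-write {name} addr={req['address']}"
    return "ok"


def triage(records):
    """Keep only the alerting (src_ip, verdict) pairs from (src_ip, frame) records."""
    return [(ip, v) for ip, v in ((ip, classify(ip, f)) for ip, f in records) if v != "ok"]


# Constructed sample requests, as a capture tool would hand them over.
SAMPLE = [
    ("10.10.1.20", bytes.fromhex("000100000006010300000004")),  # HMI read
    ("203.0.113.7", bytes.fromhex("000200000006010300000064")),  # outside read
    ("10.10.1.20", bytes.fromhex("00030000000601050001ff00")),  # HMI write coil
    ("10.10.5.3", bytes.fromhex("000400000006010600100001")),  # engineer write
    ("203.0.113.7", bytes.fromhex("0005000000040103000000")),  # bad length
]
```

Running `triage(SAMPLE)` yields three alerts: the outside read, the HMI write and the malformed frame; the same logic can be fed from a span-port capture to spot the register and coil sweeps the report describes.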
Team82 infers that attackers are shifting away from what are considered more traditional attacks. “Instead of calculated attacks against specific targets, where attackers are trying to avoid detection, improve their stronghold over the victim’s networks, maximize damage, and wait for the right time to attack, we are seeing a 180-degree shift in threat actor tactics. In the attacks we researched—we call them “drive-by attacks”—they are not targeted; instead, threat actors access assets that are exposed in countries or regions that meet their politically or socially motivated goals, attacking almost aimlessly at assets rather than organizations.”
Another big difference between drive-by and traditional attacks is the methodology attackers employ.
“When we think of attacks on CPS networks, we believe attackers launch sophisticated attacks, involving exploitation of unpatched 1-day or even undiscovered 0-day vulnerabilities,” Claroty Team82 explained. “However, our research shows the opposite. Instead of vulnerability exploitation, drive-by attacks simply rely on attacking assets that are insecure by design or default, largely leveraging insecure protocols or default credentials. By targeting devices that expose protocols that were not built with security in mind or have weak, default, or no credentials, attackers can connect to the device and then control, disrupt or otherwise damage it.”
Additionally, research found that devices that expose remote access protocols, such as VNC and telnet, are favored by threat actors among the incidents researched. The reason is simple, as organizations often leave these protocols not only exposed online, but also in their default configuration and protected by default or known weak credentials. This enables remote control and takeover of CPS assets; an attacker can then remotely change an asset’s configurations and parameters to suit their mission goals.
Team82’s research shows that hackers are increasingly targeting CPS for geopolitical, political, and social gain, making lax cybersecurity practices around OT, medical, and IoT devices untenable. Internet-facing CPS are particularly vulnerable due to easily enumerable devices, weak credentials, and poorly configured legacy protocols. Defenders should prioritize securing these devices, as unauthorized access can disrupt services, damage assets, endanger workers, and provide an entry point for ransomware or other attacks.
Many CPS assets rely on insecure-by-design protocols such as Modbus or VNC, which lack authentication and encryption. Addressing these vulnerabilities requires careful auditing, updating firmware, changing default credentials, and correcting insecure configurations before devices are exposed online. Vendor cooperation is often needed, and remediation may take time, highlighting the need for proactive defense.
Understanding adversaries is equally critical. Team82 analyzed over 200 incidents and 20 threat actor groups, many of them low-tech hacktivists motivated by geopolitical sympathies. These actors exploit exposed HMIs, SCADA systems, and other internet-facing assets, often publicizing their exploits to gain credibility. While not all attacks rely on sophisticated exploits, their tactics underscore the risks posed by poorly secured CPS.
Organizations must lock down authentication, enforce basic security hygiene, and consider modern communication protocols to reduce exposure. The research stresses the urgency of acting now to protect CPS assets and prevent disruption, physical damage, or societal impact.