Team Cymru warns exposed ICS and OT devices targeted by nation-state actors raise industrial, critical infrastructure risks


Following last month’s post highlighting its capabilities for protecting ICS (industrial control systems) and OT (operational technology) environments, Team Cymru published new research examining three case studies that reveal the extent of exposed ICS and OT devices known to be targeted by hostile nation-state actors. The findings underscore a critical concern: many of these systems remain directly exposed and vulnerable to exploitation. 

Through this research, Team Cymru aims to reinforce awareness that critical national infrastructure systems are still at risk, while demonstrating how its data can help organizations identify exposures, mitigate threats, and prevent adversary pre-positioning and potentially destructive cyberattacks.

Looking ahead, Team Cymru stresses that the most alarming takeaway is not just the attacks themselves, but the fact that these devices remain internet-exposed and actively targeted in the first place. “Best practices in industrial cybersecurity dictate that ICS devices should never be directly exposed to the public internet. The fact that thousands of unique IPs are being detected as targeted means that many organizations are still struggling with IT/OT convergence, leaving critical infrastructure dangerously exposed to remote cyberattacks, ransomware, or state-sponsored disruption.”

The first case study underscores real and present risks facing industrial environments, focusing on targeted nation-state activity against ICS devices. It examines the Hitachi RTU560, a high-end modular remote terminal unit widely used to support electrical grid stability and large-scale substation automation. Despite its advanced capabilities and support for modern protocols such as IEC 61850, the device was not immune to targeted sabotage.

According to Poland’s CERT-PL, a campaign attributed to the Russian-linked Dragonfly group targeted the Polish power grid. On 29 December 2025, attackers exploited default credentials that had not been rotated on internet-exposed web interfaces, exposing a persistent and well-known weakness in many ICS and OT deployments.

Team Cymru detailed that, once inside, the attackers executed a so-called ‘hard brick’ attack. They uploaded corrupted ELF firmware files that forced the device’s processor into executing invalid instructions, triggering an infinite reboot cycle that rendered the unit inoperable. In many cases, this type of attack requires physical replacement of the affected hardware.

While the immediate impact was limited to a loss of communication between the facility and distributed system operators, without disrupting electricity generation, the intent was clearly destructive. The incident highlights how relatively simple access vectors, when combined with targeted tradecraft, can be used to degrade critical infrastructure and potentially escalate into wider outages.

Team Cymru noted that the second case study focuses on Moxa NPort devices, which act as critical bridges in industrial environments by enabling legacy serial equipment such as sensors, PLCs, and meters to communicate over modern IP networks. Although these devices support secure protocols like TLS and SSH, their security is frequently undermined by the continued use of factory-default credentials.

In the same Dragonfly campaign identified by CERT-PL, attackers exploited these default logins to gain administrative access to device web interfaces. Instead of destroying the hardware, they executed a coordinated denial-of-service lockout. The attackers reset devices to factory settings, changed administrative credentials to unknown values, and reconfigured IP addresses to the non-routable loopback address 127.0.0.1.

This effectively removed the devices from the network, resulting in an immediate loss of visibility and control over connected field equipment. Recovery required manual intervention, significantly increasing downtime and operational disruption.
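A detection angle on the lockout sequence described above, as an added example that is not part of Team Cymru's or CERT-PL's material: a small Python correlator that flags any device whose management log shows a factory reset, an admin credential change, and an IP change to a non-routable address within one short window. The log format, device names, field names and addresses are all constructed for the example.

```python
"""Correlate device-management events into the lockout pattern described
for the Moxa NPort case: factory reset, admin credential change, and IP
reconfiguration to a non-routable address on one device in a short window.
The syslog-like format and device names below are constructed."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample management log (not a real Moxa log format).
SAMPLE_LOG = """\
2025-12-29T02:14:03Z nport-01 event=login user=admin src=203.0.113.7 result=ok
2025-12-29T02:14:41Z nport-01 event=factory_reset user=admin src=203.0.113.7
2025-12-29T02:15:10Z nport-01 event=password_change user=admin src=203.0.113.7
2025-12-29T02:15:32Z nport-01 event=ip_change new_ip=127.0.0.1 src=203.0.113.7
2025-12-29T03:10:00Z nport-02 event=ip_change new_ip=10.20.4.15 src=10.20.4.2
2025-12-29T03:12:00Z nport-02 event=login user=admin src=10.20.4.2 result=ok
"""

LOCKOUT_STEPS = {"factory_reset", "password_change", "ip_change"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_line(line):
    """Split 'timestamp device k=v k=v ...' into a dict with ts and device."""
    ts, device, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["device"] = device
    return ev

def is_unroutable(ip):
    """True if the new address takes the device off the operational network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def find_lockouts(log_text, window=WINDOW):
    """Return devices showing all three lockout steps within `window`,
    counting ip_change only when the new address is unroutable."""
    by_device = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        by_device.setdefault(ev["device"], []).append(ev)
    hits = []
    for device, events in by_device.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["event"] == "ip_change" and not is_unroutable(ev.get("new_ip", "")):
                    continue  # a routable re-addressing is ordinary maintenance
                if ev["event"] in LOCKOUT_STEPS:
                    seen.add(ev["event"])
            if seen == LOCKOUT_STEPS:
                hits.append(device)
                break  # one alert per device is enough
    return hits
```

Run against the sample, only nport-01 is flagged; nport-02's re-addressing to a routable address is treated as normal maintenance.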

Team Cymru said that in July 2023, Rockwell Automation and U.S. CISA (Cybersecurity and Infrastructure Security Agency) disclosed critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in the 1756-EN2, EN3, and EN4 communication modules used in the Allen-Bradley ControlLogix platform. These modules play a central role in industrial environments, managing high-speed EtherNet/IP traffic across the backplane and acting as a bridge between controllers and field devices.

What set this case apart was that the issue was not uncovered through an active breach, but through the identification of a novel exploit capability attributed to a nation-state actor. The exploit involved sending specially crafted Common Industrial Protocol messages to trigger an out-of-bounds memory write, potentially enabling remote code execution and direct manipulation of the module’s firmware.

Security researchers at Dragos likened the threat to the TRISIS or TRITON class of attacks. By compromising the communication module, an attacker could falsify input and output data, maintain persistence across reboots, and evade detection by intercepting forensic data. Such capabilities could allow a threat actor to induce a catastrophic process failure while leaving operators unaware of any visible fault.

“We found that Rockwell Automation accounts for a massive 68.1% of the exposed devices (6,653 unique IPs),” Team Cymru said in its post. “Rockwell is one of the world’s largest industrial automation companies, heavily utilized in North America and globally. Because these devices are used to control physical industrial processes, this high level of targeting is a significant security concern.”

It added that Moxa represents the second-largest slice at 15.7% (1,532 unique IPs). Unlike the other companies listed, which primarily make industrial controllers, Moxa specializes in industrial networking equipment such as cellular routers, switches, and serial-to-Ethernet converters. By targeting the networking gear, attackers can potentially pivot deep into a secure OT network.

“Siemens (7.3%), Schneider Electric (4.5%), Hitachi Energy (4.2%), and Mitsubishi Electric (0.1%) make up the remainder of the chart,” according to Team Cymru data. “While their percentages are smaller relative to Rockwell and Moxa, hundreds of unique IPs for companies like Siemens and Schneider are still highly significant. These companies represent the backbone of European and Asian industrial markets and would be priority targets for hostile nation-state threats looking to trigger destructive attacks.”

The post identified that the U.S. accounts for nearly half of all targeted devices at 45.4% (1,269 unique IPs), a particular concern because state-aligned threat actors frequently pre-position within U.S. critical infrastructure. “Hostile nation-state threat groups, such as Dragonfly and Volt Typhoon, are known to conduct reconnaissance on US water systems and compromise routers at electric utilities to establish access in preparation for potential future conflicts. Additionally, the sheer size of the US industrial base means there is a massive volume of internet-exposed devices to scan.”

Russia (4.3%), Ukraine (3.0%), and Taiwan (2.6%) all appear in the top 10. Seeing these specific nations on the list is a direct reflection of real-world physical and political conflicts. Russia and Ukraine have a well-documented history of cyber warfare involving attacks on power grids and industrial systems. Similarly, Taiwan’s presence highlights ongoing strategic tensions in the Asia-Pacific region. Targeting ICS in these areas often points toward espionage or preparations for sabotage during a military conflict rather than simple financial extortion by a cybercriminal group.