Exposed ICS/OT Devices Under Nation-State Threat: Key Findings from Team Cymru’s Research
Team Cymru’s latest research shows how many industrial control system (ICS) and operational technology (OT) devices remain directly reachable from the internet, and how those exposed devices remain prime targets for hostile nation-state actors. The report examines three case studies that demonstrate the persistent risk to critical infrastructure, driven by poor security practices (above all, factory-default credentials on internet-facing management interfaces) and by active exploitation campaigns.
Case Study 1: Destructive Attack on Polish Power Grid
In December 2025, the Russian-linked Dragonfly group targeted Poland’s power grid through Hitachi Energy RTU560 remote terminal units, substation devices that relay measurements and control commands and are critical to grid stability. No software vulnerability was needed: the attackers logged into internet-exposed web interfaces with factory-default credentials, a common but entirely preventable weakness. Once authenticated, they carried out a "hard brick" attack, uploading corrupted firmware that left the units in an endless reboot loop and therefore inoperable. The immediate impact was limited to loss of communication with the affected units, but the case shows how the most basic access vector can escalate into broader degradation of grid infrastructure.
Case Study 2: Moxa NPort Devices Compromised via Default Credentials
The same Dragonfly campaign also targeted Moxa NPort serial device servers, which bridge legacy serial equipment to IP networks. Although the NPort line supports encrypted management over TLS and SSH, many units were still running with unrotated factory-default logins. With administrative access, the attackers reset the devices to factory settings and then set their IP addresses to 127.0.0.1. Because the loopback address is never reachable from another host, each device dropped off the network and could no longer be managed remotely, so recovery required hands-on intervention at every unit and caused prolonged operational downtime.
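Both case studies come down to two checks a defender can run against a configuration backup or inventory export: are factory-default logins still valid, and has the management address drifted to something that signals a reset or an exposure? The Python script below is an added example and is not Team Cymru’s, Hitachi Energy’s or Moxa’s tooling; the snapshot format, the default-credential table, the factory address 192.168.127.254, the site’s 10.20.0.0/16 OT address plan and the three sample devices are all assumptions made for illustration, so substitute the values from your own vendor manuals and asset inventory.

```python
"""Audit OT device configuration snapshots for the weaknesses behind case studies 1 and 2.

Added example; not Team Cymru's, Hitachi Energy's or Moxa's tooling. The snapshot
format, the factory-default table, the site address plan and the sample devices
are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Factory-default logins per product family. Assumed values for the example;
# take the real ones from the vendor manual for your firmware line.
FACTORY_CREDENTIALS = {
    "NPort": {("admin", "moxa")},
    "RTU560": {("admin", "admin")},
}
FACTORY_IPS = {"NPort": "192.168.127.254"}          # assumed factory address, same caveat
OT_RANGES = [ipaddress.ip_network("10.20.0.0/16")]  # assumed: the site's OT address plan
CLEARTEXT = {"telnet": "ssh", "http": "https"}      # cleartext service -> encrypted replacement


@dataclass
class Snapshot:
    """One device from the asset inventory together with its current config export."""
    name: str
    family: str
    ip: str              # management address in the current export
    baseline_ip: str     # address recorded at commissioning
    credentials: set     # (user, password) pairs found in the export (constructed)
    services: dict       # management service -> enabled?


def audit(s: Snapshot) -> list:
    """Return the findings for one device; an empty list means it passed."""
    findings = []
    addr = ipaddress.ip_address(s.ip)
    if s.credentials & FACTORY_CREDENTIALS.get(s.family, set()):
        findings.append("factory-default credentials still valid")
    if addr.is_loopback:
        findings.append("management IP is loopback: device unreachable, matches the 127.0.0.1 reset pattern")
    elif s.ip == FACTORY_IPS.get(s.family):
        findings.append("management IP is the factory default: possible factory reset")
    elif s.ip != s.baseline_ip:
        findings.append(f"management IP drifted from baseline {s.baseline_ip}")
    if not addr.is_loopback and not any(addr in net for net in OT_RANGES):
        findings.append(f"address {s.ip} is outside the OT address plan: check for direct internet exposure")
    for clear, secure in CLEARTEXT.items():
        if s.services.get(clear):
            findings.append(f"cleartext {clear} enabled: disable it and use {secure}")
    return findings


def audit_all(snapshots) -> dict:
    return {s.name: audit(s) for s in snapshots}


SAMPLE = [  # constructed inventory
    Snapshot("nport-01", "NPort", "203.0.113.10", "203.0.113.10", {("admin", "moxa")},
             {"http": True, "https": False, "telnet": True, "ssh": False}),
    Snapshot("nport-02", "NPort", "127.0.0.1", "10.20.30.5", {("admin", "S3cure!")},
             {"https": True, "ssh": True}),
    Snapshot("rtu-07", "RTU560", "10.20.31.9", "10.20.31.9", {("admin", "S3cure!")},
             {"https": True}),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or ["no findings"])
```

Run it against a real export by building Snapshot objects from it. A loopback or factory-default address on a device whose baseline was a routable OT address is the drift pattern from case study 2; an address outside the OT plan, combined with a cleartext management service and default credentials, is the exposure pattern from case study 1.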
Case Study 3: Rockwell Automation Vulnerabilities Enable Remote Exploitation
In July 2023, Rockwell Automation and CISA disclosed two critical vulnerabilities in Allen-Bradley ControlLogix communication modules: CVE-2023-3595, which allows remote code execution on 1756-EN2* and 1756-EN3* modules through maliciously crafted Common Industrial Protocol (CIP) messages, and CVE-2023-3596, a denial-of-service flaw in 1756-EN4* modules triggered the same way. The flaws themselves were not attributed to anyone; rather, Rockwell reported that it had analyzed an exploit capability attributed to a nation-state actor, and no exploitation in the wild had been observed at the time of disclosure. Security firm Dragos compared the threat to TRISIS/TRITON-level attacks, noting that a compromised communication module sits between the controller and the plant network and could manipulate process data, maintain persistence, and evade detection, potentially leading to catastrophic failures without operator awareness.
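The recommendations at the end of this page ask for monitoring of anomalous CIP traffic. The Python below is an added example of what such a sensor does with raw EtherNet/IP frames (it is not Team Cymru’s, Rockwell’s or Dragos’ code): it parses the 24-byte encapsulation header, walks the Common Packet Format to find the CIP service byte, and applies three constructed rules, an encapsulation-length sanity check, a source allowlist for session and messaging commands, and an alert on every write or control service. The engineering host 10.20.1.5, the sample frames and the rules are assumptions; the length check is a generic malformed-frame rule and not a signature for CVE-2023-3595, whose trigger the page does not describe.

```python
"""EtherNet/IP frame triage for an OT monitoring tap. Added example, not Team Cymru's,
Rockwell's or Dragos' code: frame layouts follow the public EtherNet/IP and CIP specs,
while the allowlist, the rule set and every sample frame are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

ENCAP = struct.Struct("<HHIIQI")   # command, length, session handle, status, sender context, options
CMD = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0065: "RegisterSession",
       0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData"}
SERVICE = {0x01: "Get_Attributes_All", 0x05: "Reset", 0x0E: "Get_Attribute_Single",
           0x10: "Set_Attribute_Single", 0x4C: "Read_Tag", 0x4D: "Write_Tag",
           0x52: "Unconnected_Send", 0x54: "Forward_Open"}
WRITE_SERVICES = {0x05, 0x10, 0x4D, 0x54}   # services that change device state or open a connection
ENGINEERING_HOSTS = {"10.20.1.5"}           # assumed: the only hosts expected to originate CIP


@dataclass
class Frame:
    src: str
    command: int
    length: int              # length field from the header, not the real payload size
    payload: bytes           # everything after the 24-byte encapsulation header
    service: Optional[int]   # CIP service byte when the frame carries a request


def cip_service(command: int, payload: bytes) -> Optional[int]:
    """Walk the Common Packet Format of SendRRData/SendUnitData and return the CIP service byte."""
    if command not in (0x6F, 0x70) or len(payload) < 8:
        return None
    item_count = struct.unpack_from("<H", payload, 6)[0]   # after interface handle (4) + timeout (2)
    off = 8
    for _ in range(item_count):
        if off + 4 > len(payload):
            return None
        type_id, item_len = struct.unpack_from("<HH", payload, off)
        off += 4
        if type_id in (0x00B1, 0x00B2):               # connected / unconnected data item
            skip = 2 if type_id == 0x00B1 else 0      # connected items start with a sequence count
            data = payload[off + skip:off + item_len]
            return data[0] if data else None
        off += item_len
    return None


def parse(src: str, raw: bytes) -> Frame:
    if len(raw) < ENCAP.size:
        raise ValueError("truncated encapsulation header")
    command, length = ENCAP.unpack_from(raw)[:2]
    payload = raw[ENCAP.size:]
    return Frame(src, command, length, payload, cip_service(command, payload))


def inspect(f: Frame) -> list:
    """Constructed rule set; the length check is a generic sanity rule, not a CVE signature."""
    alerts = []
    if f.length != len(f.payload):
        alerts.append(f"encapsulation length {f.length} does not match payload size {len(f.payload)}")
    if f.command not in CMD:
        alerts.append(f"unknown encapsulation command 0x{f.command:04x}")
    elif f.command in (0x65, 0x6F, 0x70) and f.src not in ENGINEERING_HOSTS:
        alerts.append(f"{CMD[f.command]} from non-engineering host {f.src}")
    if f.service is not None and not f.service & 0x80 and f.service in WRITE_SERVICES:
        alerts.append(f"write/control service {SERVICE[f.service]} from {f.src}: verify against a change ticket")
    return alerts


def scan(samples) -> list:
    return [inspect(parse(src, raw)) for src, raw in samples]


def request(service: int, path: bytes, data: bytes = b"") -> bytes:
    """CIP request: service code, path size in 16-bit words, EPATH, service data."""
    return bytes([service, len(path) // 2]) + path + data


def build(command: int, type_id: int, cip: bytes) -> bytes:
    """Constructed SendRRData (0x6F, item 0xB2) or SendUnitData (0x70, item 0xB1) frame."""
    if type_id == 0x00B1:
        addr = struct.pack("<HHI", 0x00A1, 4, 0xBEEF)   # connected address item carrying a connection ID
        cip = struct.pack("<H", 1) + cip                 # sequence count precedes the request
    else:
        addr = struct.pack("<HH", 0x0000, 0)             # null address item for unconnected messaging
    payload = struct.pack("<IHH", 0, 0, 2) + addr + struct.pack("<HH", type_id, len(cip)) + cip
    return ENCAP.pack(command, len(payload), 0x1234, 0, 0, 0) + payload


IDENTITY_PATH = b"\x20\x01\x24\x01"            # class 1 (Identity object), instance 1
TCPIP_CFG_PATH = b"\x20\xf5\x24\x01\x30\x05"   # class 0xF5 (TCP/IP Interface), instance 1, attribute 5
SAMPLES = [  # (source IP, frame) pairs, constructed
    ("10.20.1.5", build(0x6F, 0x00B2, request(0x01, IDENTITY_PATH))),               # expected host, read
    ("10.20.9.77", build(0x6F, 0x00B2, request(0x01, IDENTITY_PATH))),              # unexpected host, read
    ("10.20.1.5", build(0x6F, 0x00B2, request(0x10, TCPIP_CFG_PATH, b"\x01"))),     # expected host, write
    ("10.20.9.77", ENCAP.pack(0x6F, 0x4000, 0x1234, 0, 0, 0) + b"\x00" * 8),        # length field lies
]

if __name__ == "__main__":
    for (src, _), alerts in zip(SAMPLES, scan(SAMPLES)):
        print(src, alerts or ["ok"])
```

Feed it frames from a span port or a pcap (explicit messaging runs over TCP 44818; ListIdentity discovery is broadcast over UDP 44818). SendUnitData frames with connected data items (0xB1) are handled as well, which is what the sequence-count skip in cip_service is for. In production the allowlist should come from the asset inventory, and write-service alerts should be matched against a maintenance calendar rather than raised unconditionally.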
Exposure Landscape: Key Statistics
Team Cymru’s data reveals a troubling concentration of exposed devices:
- Rockwell Automation dominates with 68.1% (6,653 unique IPs) of detected targets, reflecting its widespread use in North American and global industrial automation.
- Moxa accounts for 15.7% (1,532 IPs), with attackers leveraging its networking equipment to pivot deeper into OT networks.
- Other major vendors include Siemens (7.3%), Schneider Electric (4.5%), Hitachi Energy (4.2%), and Mitsubishi Electric (0.1%), all critical to European and Asian infrastructure.
Geographically, the U.S. leads with 45.4% of exposed devices (1,269 IPs), a concern given Dragonfly and Volt Typhoon’s history of pre-positioning in critical sectors. Russia (4.3%), Ukraine (3.0%), and Taiwan (2.6%) also rank high, reflecting ongoing cyber warfare and geopolitical tensions.
Broader Implications
The research underscores a critical gap in ICS/OT security: thousands of devices remain directly reachable from the internet even though best-practice guidance and vendor hardening guides advise against any direct public access. The persistence of default credentials, unpatched vulnerabilities, and nation-state reconnaissance signals an urgent need to secure the IT/OT boundary that convergence has opened, and to mitigate threats proactively rather than after a device has been bricked. Without intervention, these exposures risk enabling disruptive or destructive attacks on essential services.
Siemens Energy cybersecurity rating report: https://www.rankiteo.com/company/siemens-energy
Moxa cybersecurity rating report: https://www.rankiteo.com/company/moxa
Mitsubishi Electric Iconics Digital Solutions cybersecurity rating report: https://www.rankiteo.com/company/mitsubishi-electric-iconics-digital-solutions
Hitachi cybersecurity rating report: https://www.rankiteo.com/company/hitachi
"id": "SIEMOXMITHIT1774866497",
"linkid": "siemens-energy, moxa, mitsubishi-electric-iconics-digital-solutions, hitachi",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Energy',
'location': 'Poland',
'name': 'Polish Power Grid',
'type': 'Critical Infrastructure'},
{'industry': ['Manufacturing', 'Energy', 'Utilities'],
'location': ['United States',
'Russia',
'Ukraine',
'Taiwan'],
'name': 'Unspecified Organizations',
'type': 'Industrial'}],
'attack_vector': ['Default Credentials',
'Exploited Vulnerabilities',
'Internet-Exposed Devices'],
'description': 'Team Cymru’s latest research reveals alarming vulnerabilities '
'in industrial control systems (ICS) and operational '
'technology (OT) environments, highlighting how exposed '
'devices remain prime targets for hostile nation-state actors. '
'The report examines three case studies demonstrating '
'persistent risks to critical infrastructure due to poor '
'security practices and active exploitation campaigns.',
'impact': {'downtime': 'Prolonged operational downtime due to manual recovery',
'operational_impact': ['Communication disruptions',
'Infinite reboot loops',
'Network isolation',
'Process data manipulation'],
'systems_affected': ['Hitachi RTU560',
'Moxa NPort',
'Allen-Bradley ControlLogix']},
 'lessons_learned': 'The research underscores a critical gap in ICS/OT '
                    'security: thousands of devices remain internet-exposed '
                    'despite best practices advising against direct public '
                    'access. The persistence of default credentials, unpatched '
                    'vulnerabilities, and nation-state reconnaissance efforts '
                    'signals an urgent need to secure the IT/OT boundary and to '
                    'mitigate threats proactively.',
'motivation': ['Disruption of Critical Infrastructure',
'Cyber Warfare',
'Geopolitical Tensions'],
'post_incident_analysis': {'corrective_actions': ['Immediate firmware updates',
'Credential rotation',
'Network segmentation',
'Enhanced monitoring'],
'root_causes': ['Internet-exposed ICS/OT devices',
'Unrotated default credentials',
'Unpatched vulnerabilities',
'Lack of network segmentation']},
'recommendations': ['Rotate default credentials on all ICS/OT devices',
'Implement network segmentation to limit exposure',
'Apply patches for known vulnerabilities (e.g., '
'CVE-2023-3595, CVE-2023-3596)',
'Enhance monitoring for anomalous CIP traffic',
'Restrict internet access to critical OT devices'],
'references': [{'source': 'Team Cymru Research'},
{'source': 'CISA Advisory'},
{'source': 'Dragos Analysis'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA Disclosure '
'(CVE-2023-3595, '
'CVE-2023-3596)']},
'response': {'remediation_measures': ['Manual intervention for recovery',
'Firmware updates']},
'threat_actor': ['Dragonfly', 'Nation-State Actor (Suspected Russian)'],
'title': 'Exposed ICS/OT Devices Under Nation-State Threat: Key Findings from '
'Team Cymru’s Research',
'type': ['Cyber Espionage', 'Sabotage', 'Remote Code Execution'],
'vulnerability_exploited': ['CVE-2023-3595',
'CVE-2023-3596',
'Unrotated Factory-Default Logins']}