Full Report
Cato Networks researchers have uncovered a coordinated global campaign targeting internet-exposed PLCs (programmable logic controllers) using the Modbus/TCP... The post Cato traces large-scale Modbus/TCP activity targeting PLCs, exposing persistent gaps in OT security appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Global Modbus/TCP Reconnaissance & Exploitation Campaign
## Executive Summary
Between September and November 2025, Cato Networks identified a coordinated global campaign targeting internet-exposed Programmable Logic Controllers (PLCs) via the Modbus/TCP protocol. The campaign involved over 14,000 unique IP addresses performing systematic probing, bulk data reads, and unauthorized register writes, indicating a large-scale effort to map and potentially disrupt critical industrial infrastructure.
## Incident Details
- **Discovery Date:** April 2026 (date of public report); data analyzed from late 2025.
- **Incident Date:** September – November 2025
- **Affected Organization:** Multiple (Internet-exposed PLC owners)
- **Sector:** Critical Infrastructure / Industrial Control Systems (ICS)
- **Geography:** Global (70 countries), with 36% of activity targeting the United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing September 2025.
- **Vector:** Direct connection to internet-exposed Modbus/TCP port 502.
- **Details:** Attackers targeted devices exposed to the public internet without secondary authentication or VPN gateways, leveraging the lack of security inherent in the Modbus protocol.
### Lateral Movement
- **Details:** While the report focuses on external probing, the use of Modbus allows for direct interaction with control logic; successful compromise of a PLC often serves as a pivot point into the broader OT network.
### Data Exfiltration/Impact
- **Details:** Massive reconnaissance through "Read Holding Registers" (0x03) and "Read Device Identification" (0x2B/0x0E). High-risk "Write Multiple Registers" (0x10) requests (3,240 observed from a single source) attempted to manipulate device states.
### Detection & Response
- **How it was discovered:** Cato Networks researchers analyzed inbound telemetry, focusing on function code frequency, PDU argument consistency, and IPS triggers.
- **Response actions taken:** Intelligence gathering, behavior correlation with AbuseIPDB/VirusTotal, and public disclosure to raise awareness of OT exposure.
## Attack Methodology
- **Initial Access:** Exploitation of internet-exposed OT protocols (Modbus/TCP).
- **Persistence:** Use of rotating and "fresh" scanning hosts (low reputation scores) to maintain a continuous scanning presence.
- **Privilege Escalation:** N/A (Modbus/TCP lacks inherent authentication/authorization).
- **Defense Evasion:** Use of diverse infrastructure across 70 countries; rotating source IPs.
- **Credential Access:** N/A (Protocol-level exploitation).
- **Discovery:** Automated scanning; Read Device Identification (0x2B/0x0E) for granular hardware/firmware mapping.
- **Lateral Movement:** Protocol-based commands to interact with interconnected PLCs.
- **Collection:** Bulk-read requests near protocol limits to harvest register data.
- **Exfiltration:** Transfer of industrial register maps and device metadata to actor-controlled infrastructure.
- **Impact:** Potential Denial of Service (DoS) through bulk reads; physical process manipulation via "Write" commands.
## Impact Assessment
- **Financial:** Undisclosed, but potential for significant loss if physical processes were halted.
- **Data Breach:** Exposure of industrial configurations, register values, and device metadata.
- **Operational:** Risk of "degrading availability or manipulating device state altogether."
- **Reputational:** High-profile targeting of critical infrastructure sectors.
## Indicators of Compromise
- **Network Indicators:**
  - Traffic on port 502 (Modbus/TCP).
  - Specific function codes: 0x03 (Read Holding Registers), 0x10 (Write Multiple Registers), 0x2B/0x0E (Read Device Identification).
  - High-volume requests from IPs with no historical reputation.
- **Behavioral Indicators:**
  - Read Device Identification followed immediately by fixed register reads.
  - Bulk-read lengths nearing the maximum protocol PDU limits.
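The behavioral indicators above are straightforward to turn into detection logic once Modbus/TCP frames are parsed. The following is an added example (not code from Cato Networks or the Industrial Cyber article): it parses the MBAP header and PDU of each request, and flags write function codes, reads whose register count approaches the 125-register ceiling of function 0x03, and a Read Device Identification query (0x2B with MEI type 0x0E) followed by a register read from the same source. The sample frames and source addresses are constructed for the example, the `bulk_threshold` of 120 registers is an assumed tuning value, and the function names (`parse_request`, `classify`, `run_sample`) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP frame = 7-byte MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU (1-byte function code + data). Protocol id is 0.
MBAP = struct.Struct(">HHHB")

READ_HOLDING_REGISTERS = 0x03
ENCAPSULATED_INTERFACE = 0x2B   # MEI transport; MEI type 0x0E = Read Device Identification
MEI_READ_DEVICE_ID = 0x0E
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x17}  # coil/register writes, incl. read/write multiple
MAX_READ_QUANTITY = 125          # spec ceiling for registers in one 0x03 request


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame, rejecting malformed headers."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id and the PDU, so a frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[MBAP.size:]
    return ModbusRequest(src, tid, unit, pdu[0], pdu[1:])


def read_quantity(req: ModbusRequest) -> Optional[int]:
    """Register count requested by a 0x03 read (data = start address, quantity)."""
    if req.function == READ_HOLDING_REGISTERS and len(req.data) >= 4:
        return struct.unpack(">HH", req.data[:4])[1]
    return None


def is_device_id_query(req: ModbusRequest) -> bool:
    return req.function == ENCAPSULATED_INTERFACE and req.data[:1] == bytes([MEI_READ_DEVICE_ID])


def classify(requests, bulk_threshold: int = 120):
    """Emit (src, indicator, detail) tuples for the three behaviours, in input order."""
    alerts = []
    last_was_device_id = {}   # per source: did the previous request fingerprint the device?
    for req in requests:
        if req.function in WRITE_FUNCTIONS:
            alerts.append((req.src, "write_attempt", f"fc=0x{req.function:02X}"))
        qty = read_quantity(req)
        if qty is not None and qty >= bulk_threshold:
            alerts.append((req.src, "bulk_read", f"quantity={qty}/{MAX_READ_QUANTITY}"))
        if last_was_device_id.get(req.src) and req.function == READ_HOLDING_REGISTERS:
            alerts.append((req.src, "device_id_then_read", f"tid={req.transaction_id}"))
        last_was_device_id[req.src] = is_device_id_query(req)
    return alerts


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a request frame (used here only to construct the sample traffic)."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def run_sample():
    """Constructed traffic using documentation IP ranges, not captured data."""
    scanner, operator = "203.0.113.10", "198.51.100.7"
    frames = [
        # scanner: Read Device Identification (MEI 0x0E, basic identification, object 0)
        (scanner, build_frame(1, 1, ENCAPSULATED_INTERFACE, bytes([MEI_READ_DEVICE_ID, 0x01, 0x00]))),
        # scanner: bulk read of 125 holding registers starting at address 0
        (scanner, build_frame(2, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 125))),
        # scanner: Write Multiple Registers, one register at address 0, value 1
        (scanner, build_frame(3, 1, 0x10, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
        # operator: routine read of 10 registers, which should raise no alert
        (operator, build_frame(7, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 100, 10))),
    ]
    return classify(parse_request(src, f) for src, f in frames)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields three alerts, all attributed to the scanner address: the bulk read, the identification-then-read sequence, and the write attempt; the operator's 10-register read produces nothing. In production the same checks would sit behind a DPI or IPS hook on port 502, with the write-function check scoped to an allowlist of engineering-workstation sources rather than alerting on every write.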
## Response Actions
- **Containment:** Recommended removal of PLCs from the public internet.
- **Eradication:** Implementation of IPS signatures to block high-frequency or unauthorized Modbus function codes.
- **Recovery:** Not applicable (campaign was ongoing reconnaissance and probing).
## Lessons Learned
- **Visibility Gaps:** Many organizations remain unaware that their PLCs are directly reachable via the public internet.
- **Protocol Vulnerability:** Modbus/TCP remains a high-risk vector due to its lack of native security features (plaintext, no auth).
- **Automation:** The scale (14,000+ IPs) indicates threat actors are using sophisticated automation for OT reconnaissance.
## Recommendations
- **Immediate Disconnection:** Ensure no PLCs or industrial controllers are directly accessible via the public internet.
- **Secure Remote Access:** Utilize "Secure-by-Design" principles, such as requiring encrypted VPNs or Zero Trust Network Access (ZTNA) for OT maintenance.
- **Protocol Filtering:** Deploy Deep Packet Inspection (DPI) to monitor and restrict Modbus function codes (e.g., blocking "Write" commands from unauthorized sources).
- **Asset Inventory:** Conduct regular scans to identify "shadow" OT assets exposed to the internet.