NEWS: A PLC on the Internet is a gift for a hacker. Researchers have found thousands of industrial systems that are one click away from failure

pinkman
It seems that we have greatly overestimated the reliability of important objects.
The researchers found a large-scale campaign against industrial controllers that their owners had left reachable from the Internet. Behind what looked like ordinary Modbus/TCP traffic was not only mass scanning but also attempts to work out what each device controls, to overload it, or to change the values in its registers.

According to Cato Networks experts Guy Weisel and Yakub Osmani, from September to November 2025 suspicious activity affected 14,426 IP addresses in 70 countries. Most of the targets were in the United States, followed by France and Japan. The ten most affected countries accounted for 86% of all addresses, and the top three for 61%.

Modbus was created for closed industrial networks, not for public access. If a PLC is visible from the Internet, an attacker can quickly move from search to action: determine the manufacturer and model, read the data in its registers, and, where writes are permitted, change parameters that affect the physical process.

The most widespread activity was register reads through function code 0x03 (Read Holding Registers). In three months, Cato Networks recorded about 235,500 such requests from 233 IP addresses. Almost half of the sources overlapped with other detections from protective systems, indicating broader suspicious activity.

Part of the behavior looked more purposeful. The sources first requested the device identification and then read a fixed range of registers. Such a bundle resembles an automated script: first work out which PLC has been found, then pull out the data that matters for that particular model.

Separately, the experts described activity resembling an attempt to cause a failure. One source sent about 158,100 rapid queries to a single target, each time trying to read almost the maximum number of registers. The report's authors did not test the effect on the controller itself, but such a flow can interfere with the normal processing of commands.

The most dangerous part was 3,240 register requests that came from a single IP address. The commands each time started at address 0x0BB8 and covered 27 to 122 registers. Cato Networks considers such a pattern a sign of automated checking or attempts at manipulation.

Manufacturing companies turned out to be the most prominent group of targets, accounting for 18%. The sample also included medicine, construction, technology, transport, finance and municipal structures. The report's authors advise not to leave Modbus reachable from the Internet, to isolate OT networks, and to allow access only from trusted sources.
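As an added defender-side illustration (not code from the Cato report or the post above), the following Python parses Modbus/TCP request frames and flags the patterns described above: a device-identification request followed by a register read, near-maximum function 0x03 reads, any write function, and a read flood per source. The sample frames, the source IP and the two thresholds are constructed assumptions.

```python
import struct

READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE, ENCAP_IF = 0x03, 0x06, 0x10, 0x2B
MEI_DEVICE_ID = 0x0E          # Read Device Identification sub-function of 0x2B
NEAR_MAX_REGS = 120           # assumption: close to the 125-register limit of 0x03
READ_BURST = 1000             # assumption: reads per source before calling it a flood

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    rec = {"tid": tid, "unit": uid, "fc": frame[7]}
    if rec["fc"] in (READ_HOLDING, WRITE_MULTIPLE):
        rec["start"], rec["count"] = struct.unpack(">HH", frame[8:12])
    elif rec["fc"] == WRITE_SINGLE:
        rec["start"], rec["value"] = struct.unpack(">HH", frame[8:12])
    elif rec["fc"] == ENCAP_IF:
        rec["mei"] = frame[8]
    return rec

def classify(src: str, frames: list) -> list:
    """Return alert strings for the request stream seen from one source IP."""
    alerts, ident_seen, reads = [], False, 0
    for frame in frames:
        r = parse_modbus_tcp(frame)
        if r["fc"] == ENCAP_IF and r.get("mei") == MEI_DEVICE_ID:
            ident_seen = True                       # fingerprinting step
        elif r["fc"] == READ_HOLDING:
            reads += 1
            if r["count"] >= NEAR_MAX_REGS:
                alerts.append(f"{src}: near-max read of {r['count']} regs at 0x{r['start']:04X}")
            if ident_seen:                          # identify-then-read bundle
                alerts.append(f"{src}: device identification followed by register read")
                ident_seen = False
        elif r["fc"] in (WRITE_SINGLE, WRITE_MULTIPLE):
            alerts.append(f"{src}: write (fc 0x{r['fc']:02X}) at 0x{r['start']:04X}")
    if reads >= READ_BURST:
        alerts.append(f"{src}: {reads} register reads, possible flood")
    return alerts

# Constructed sample frames (not captured traffic): identify, read 125 regs from 0x0BB8, write one reg
SAMPLE = [
    bytes.fromhex("0001 0000 0005 01 2B 0E 01 00"),
    bytes.fromhex("0002 0000 0006 01 03 0BB8 007D"),
    bytes.fromhex("0003 0000 0006 01 06 0BB8 0000"),
]
```

Running `classify("198.51.100.7", SAMPLE)` yields three alerts, one for each flagged behaviour; a single small read with no preceding identification yields none.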