Politically driven cyber-physical attacks surge globally
Claroty has published research linking a rise in attacks on cyber-physical systems (CPS) to politically and socially motivated activity, including incidents attributed to groups associated with Iran and Russia.
The report, titled Analysing CPS Attack Trends, reviewed more than 200 attacks by over 20 threat-actor groups across multiple industries during a 12-month period. Many incidents were described as opportunistic "drive-by" attacks, in which actors scan the internet for exposed assets rather than running bespoke intrusion campaigns.
Cyber-physical systems connect digital networks with physical equipment and processes and are widely used in industrial and critical infrastructure settings. Human machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems sit at the centre of many such environments, providing monitoring and control over operational processes.
Remote access routes
Claroty found that 82% of attacks in its dataset involved virtual network computing (VNC) clients; VNC provides remote desktop access to an asset, and when that service is reachable from the internet it becomes a direct entry point.
In 66% of incidents, attackers compromised HMIs or SCADA systems, which oversee industrial processes in real time. Interference can disrupt service continuity, damage physical equipment, and increase safety risks for workers and the public.
Many incidents were also characterised as "low-tech". Claroty noted that attackers often did not need vulnerabilities or deep knowledge of the devices or protocols they targeted. This shifts the focus to basic exposure management and access controls, not just patching and exploit prevention.
Political focus
The attacks were largely driven by political or social goals consistent with nation-state motivations, according to the report. Claroty linked the pattern to geopolitical tensions in the Middle East and the war between Russia and Ukraine.
It found that 81% of incidents attributed to Iran-affiliated groups targeted organisations in the US and Israel. For Russia-affiliated groups, 71% targeted organisations in European Union countries.
Italy accounted for 18% of the Russia-attributed EU incidents in the dataset, followed by France at 11% and Spain at 9%. The report did not provide the same level of detail for other countries.
Systems at risk
Claroty framed the findings as a warning for operators in sectors that rely on industrial control environments, including manufacturing, water and waste, power generation and healthcare.
Operational technology environments often include equipment designed for availability and longevity rather than internet exposure. Remote access technologies, legacy protocols and default configurations can create openings when assets become reachable from the public internet.
Claroty highlighted insecure-by-design and insecure-by-default issues as recurring themes. It also pointed to risks from protocols that lack built-in authentication or encryption, including VNC and Modbus, when deployed in exposed or poorly segmented environments.
Defensive steps
The report sets out actions for organisations responsible for CPS. Recommendations include securing internet-facing operational technology and connected device configurations, reducing the likelihood of asset enumeration, addressing default or weak credentials, and assessing insecure configurations before devices are exposed online.
It also recommends inventorying sensitive connected assets and moving to more secure communication protocols where possible. Another suggestion focuses on using threat intelligence to understand adversary motivations and tactics, particularly where hacktivist-style activity influences target selection.
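The recommendations above (inventory sensitive connected assets, assess insecure configurations before exposure, address default credentials, watch for exposed unauthenticated protocols such as VNC and Modbus) can be turned into a simple, repeatable check. The following is an added example written for this article, not code from Claroty or the report: it scores a constructed asset inventory against those recommendations and scans constructed firewall log lines for allowed inbound connections from outside the internal ranges to VNC or Modbus ports. The inventory fields, the log line format, the internal address ranges and the port assignments (5900 for VNC, 502 for Modbus) are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Protocols the report singles out as lacking built-in authentication or encryption.
NO_AUTH_PROTOCOLS = {"vnc", "modbus"}
# Standard listening ports for those services (assumption: the usual port assignments).
OT_PORTS = {5900: "vnc", 502: "modbus"}
# Address ranges treated as "inside" for the log check (assumption: RFC 1918 plus loopback
# and link-local). Anything else is treated as arriving from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Asset:
    """One row of a constructed connected-asset inventory (fields are assumptions)."""
    name: str
    ip: str
    protocol: str
    internet_facing: bool
    default_credentials: bool
    segmented: bool


def assess(asset):
    """Return the insecure-configuration findings for one asset, in a fixed order."""
    findings = []
    proto = asset.protocol.lower()
    if asset.internet_facing and proto in NO_AUTH_PROTOCOLS:
        findings.append("exposed-unauthenticated-protocol")
    if asset.default_credentials:
        findings.append("default-credentials")
    if asset.internet_facing and not asset.segmented:
        findings.append("exposed-unsegmented")
    return findings


def prioritise(inventory):
    """Rank assets by number of findings, worst first; clean assets are omitted."""
    scored = [(a.name, assess(a)) for a in inventory]
    scored = [(name, f) for name, f in scored if f]
    return sorted(scored, key=lambda nf: (-len(nf[1]), nf[0]))


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def inbound_ot_from_internet(log_lines):
    """Detect allowed inbound connections from non-internal sources to VNC/Modbus ports."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.groups()
        dport = int(dport)
        if action != "allow" or dport not in OT_PORTS:
            continue
        if not is_internal(src):
            hits.append((src, dst, OT_PORTS[dport]))
    return hits


# Constructed sample inventory (not data from the report).
SAMPLE_INVENTORY = [
    Asset("hmi-pump-01", "10.20.1.15", "VNC", True, True, False),
    Asset("plc-line-3", "10.20.2.40", "Modbus", True, False, True),
    Asset("historian", "10.20.3.5", "HTTPS", False, False, True),
]

# Constructed firewall log lines; documentation ranges stand in for public sources.
SAMPLE_LOG = [
    "2024-01-01T00:00:01 src=198.51.100.7 dst=10.20.1.15 dport=5900 action=allow",
    "2024-01-01T00:00:02 src=192.168.5.9 dst=10.20.2.40 dport=502 action=allow",
    "2024-01-01T00:00:03 src=203.0.113.9 dst=10.20.2.40 dport=502 action=deny",
    "2024-01-01T00:00:04 src=203.0.113.9 dst=10.20.3.5 dport=443 action=allow",
]

if __name__ == "__main__":
    for name, findings in prioritise(SAMPLE_INVENTORY):
        print(f"{name}: {', '.join(findings)}")
    for src, dst, service in inbound_ot_from_internet(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst} ({service}) reached from outside internal ranges")
```

Running it lists the exposed VNC HMI with three findings ahead of the exposed Modbus PLC with one, and raises a single alert for the allowed VNC connection from a non-internal source; the denied Modbus attempt and the HTTPS connection are ignored. In practice the inventory would come from an asset-discovery tool and the log lines from the perimeter firewall, but the decision logic stays the same.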
In accompanying comments, Claroty said the pattern reflects a change in how attackers approach operational systems.
"Our research reveals a major escalation in how malicious actors are infiltrating the operational systems that underpin society's daily operations," said Amir Preminger, CTO and Head of Team82 at Claroty.
"Based on what's uncovered in the research, there's a clear need to bolster security efforts for CPS, and organisations can no longer tolerate lax cybersecurity practices around these devices," Preminger added.