Press Release
Claroty’s Team82 Investigated Hundreds of Politically, Socially Motivated Attacks on Exposed Internet-Facing Devices Including HMI and SCADA Assets
NEW YORK—March 18, 2026—Claroty, the cyber-physical systems (CPS) protection company, today announced new research on CPS becoming a preferred target of opportunistic threat actors, who are often inspired politically and socially by geopolitical events. The new report from Claroty’s Team82, “Analyzing CPS Attack Trends,” analyzes more than 200 attacks carried out by more than 20 threat-actor groups against CPS in numerous industries over a 12-month period.
The research shows that 82% of attacks against CPS involve using virtual network computing (VNC) protocol clients to remotely access exposed, internet-facing assets, with 66% of incidents including the compromise of human machine interfaces (HMI) or supervisory control and data acquisition (SCADA) systems that control industrial processes. Both device classes oversee industrial processes in real time, and any illicit access or manipulation could have extremely serious consequences for organizations and the populations they serve, including, but not limited to, service disruption, physical damage to assets, or danger to the personal safety of workers or the general public. Many of these attacks are also decidedly low-tech and do not require vulnerabilities or extensive knowledge of the devices or protocols being leveraged.
The data revealed that attacks from these groups targeting CPS were largely driven by political or social goals that align with known nation-state attacker motivations. Given the long-running geopolitical tensions in the Middle East and the four-year-old war between Russia and Ukraine, Team82 attributed many of the incidents to Russia- and Iran-affiliated threat actors. Key findings include:
81% of incidents carried out by Iran-affiliated groups targeted organizations in the U.S. and Israel
71% of incidents carried out by Russia-affiliated groups targeted organizations in European Union (EU) countries
The top Russian-targeted EU countries were Italy (18%), France (11%), and Spain (9%)
“Our research reveals a major escalation in how malicious actors are infiltrating the operational systems that underpin society’s daily operations,” said Amir Preminger, CTO and head of Team82 at Claroty. “Attackers are using relatively low-tech means to target critical sectors—from manufacturing, to water and waste, to power generation, to healthcare—industries whose disruption would lead to dire, if not dangerous consequences. Based on what’s uncovered in the research there’s a clear need to bolster security efforts for CPS, and organizations can no longer tolerate lax cybersecurity practices around these devices.”
Organizations responsible for CPS environments can take a number of steps to strengthen their defenses:
Secure internet-facing devices: Check the configurations of operational technology (OT), connected smart devices, and internet of medical things (IoMT) devices, and ensure that proper precautions are taken to prevent enumeration of these devices, as they are increasingly connected to the internet.
Remedy insecure by design/default: Defenders must be vigilant about default, or known, weak credentials, and proactively change them as devices are deployed online. They should evaluate and understand other insecure configurations, and any security issues must be addressed before devices are connected online.
Upgrade insecure protocols: Since many of the attacks researched by Team82 featured the use of insecure-by-design protocols such as VNC and Modbus that lack basic security capabilities such as authentication and encryption, defenders should inventory their most sensitive connected assets and move to more secure communication protocols.
Know the adversary: It is important to understand the motivations and tactics of hacker groups—particularly hacktivists in the case of this research—in order to determine likely next targets within a given industry, or whether particular CPS assets are exposed in the same way as those of other organizations that have been compromised.
To access Team82’s complete set of findings, in-depth analysis, and recommended security measures, download the “Analyzing CPS Attack Trends” report.
Methodology
To provide a comprehensive view of the evolving threat landscape regarding drive-by attacks in the CPS domain, Team82 employed a multi-layered research methodology. Unlike highly targeted, bespoke campaigns, these drive-by incidents are characterized by opportunistic actors scanning the internet for exposed assets to amplify their political message or social cause. This research process was designed to filter out the “noise” of general cybercrime and focus specifically on verified incidents targeting CPS.
The research was conducted over a 12-month period—January to December 2025—and followed a four-stage pipeline: Source Mapping, Continuous Monitoring, Verification, and Attack Analysis. For more details on methodology and research limitations, view the report.
About Claroty
Claroty has redefined cyber-physical systems (CPS) protection with an unrivaled industry-centric platform built to secure mission-critical infrastructure. The Claroty Platform provides the deepest asset visibility and the broadest, built-for-CPS solution set in the market comprising exposure management, network protection, secure access, and threat detection – whether in the cloud with Claroty xDome or on-premise with Claroty Continuous Threat Detection (CTD). Backed by award-winning threat research and a breadth of technology alliances, The Claroty Platform enables organizations to effectively reduce CPS risk, with the fastest time-to-value and lower total cost of ownership. Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America. To learn more, visit claroty.com.