“Analyzing CPS Attack Trends” by Claroty Team82 shows opportunistic actors using low-tech methods to disrupt cyber-physical systems in countries and sectors tied to ongoing conflicts.

Geopolitical conflicts continue to shape cyber activity targeting operational systems. Research covering January to December 2025 examined more than 200 verified attacks on cyber-physical systems (CPS) carried out by hacktivist collectives. The incidents, drawn from open sources, social platforms and messaging channels, illustrate a pattern of opportunistic operations rather than complex intrusions.

Attackers aligned with Russian interests primarily directed efforts toward European Union countries and Ukraine. Italy accounted for 18 percent of such incidents, followed by France at 11 percent and Spain at 9 percent. Direct actions against Ukraine represented 8 percent, often affecting power and heating infrastructure. Groups associated with Iranian positions concentrated on targets in the United States (42 percent) and Israel (39 percent), with smaller shares in France, Greece and other listed nations.

The attacks reflect regional alignments. Russian-speaking entities focused on nations providing support in the Ukraine conflict. Iranian and Arab-aligned actors framed operations as responses to Middle East developments. A smaller set of groups outside core zones adopted Russian positions, extending reach through shared resources.

Manufacturing, water and wastewater, and power generation sectors formed the core targets, together exceeding 45 percent of cases. Manufacturing led at 19 percent, water and wastewater at 15 percent, and power at 12 percent. These sectors were selected for their visibility and potential to signal disruption in daily services.

Technical patterns stand out. In 82 percent of incidents, attackers reached internet-exposed assets through virtual network computing (VNC) clients; the devices frequently presented default or weak credentials, enabling full remote control of the operator screen. Supervisory control and data acquisition (SCADA) and human-machine interface (HMI) systems appeared in 66 percent of compromises. Direct Modbus protocol access, which carries no authentication of its own, occurred in a smaller subset, typically alongside VNC.

The operational sequence followed consistent stages. Actors first identified device classes exposing services such as VNC or Modbus. They then queried scanning platforms to locate internet-facing instances. Enumeration relied on open-source clients to read registers or test credentials. Access led to parameter changes that altered physical processes. Final steps included capturing evidence and publishing claims on public or closed channels to associate actions with political positions.
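As an added illustration (not code from the Claroty report or from this article), the following Python shows what the enumeration step above looks like on the wire for the two protocols named: it builds and parses a Modbus/TCP Read Holding Registers exchange, and parses the RFB (VNC) version banner and security-type offer to tell whether a display can be driven with no credentials at all. All sample frames are constructed inline and nothing is sent over a network; the function and sample names are this example's own, not taken from any tool or report.

```python
# Added example: offline handling of Modbus/TCP and RFB (VNC) messages.
# Every frame below is constructed for illustration, not captured traffic.
import struct

# Modbus/TCP ADU = MBAP header (transaction id, protocol id, length, unit id)
# + PDU (function code + data). Function 0x03 = Read Holding Registers.
# Modbus has no authentication, so any host that can reach TCP/502 can read
# and write registers.
MBAP = struct.Struct(">HHHB")

MODBUS_EXCEPTIONS = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}

# RFB 3.7/3.8 security types; 1 ("None") means no credentials are required,
# 2 is the classic challenge-response scheme with an 8-character password cap.
RFB_SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def build_read_holding_registers(unit_id, start_addr, count, transaction_id=1):
    """Return a complete Modbus/TCP request for Read Holding Registers (0x03)."""
    if not 1 <= count <= 125:  # upper bound from the Modbus application spec
        raise ValueError("count must be 1..125")
    pdu = struct.pack(">BHH", 0x03, start_addr, count)
    # The MBAP length field counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_holding_registers_response(frame):
    """Parse a 0x03 response into registers, or name the Modbus exception."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("not Modbus/TCP (protocol id %d)" % pid)
    pdu = frame[MBAP.size:MBAP.size + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    result = {"transaction_id": tid, "unit_id": unit}
    if fc & 0x80:  # exception: original function code with the high bit set
        code = pdu[1]
        result["exception"] = MODBUS_EXCEPTIONS.get(code, "UNKNOWN (0x%02x)" % code)
        return result
    if fc != 0x03:
        raise ValueError("unexpected function code 0x%02x" % fc)
    byte_count = pdu[1]
    if byte_count % 2 or len(pdu) < 2 + byte_count:
        raise ValueError("malformed register data")
    result["registers"] = list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count]))
    return result


def parse_rfb_banner(banner):
    """Return (major, minor) from the 12-byte 'RFB xxx.yyy\\n' ProtocolVersion."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(banner[4:7]), int(banner[8:11])


def parse_rfb_security_types(msg):
    """Parse the server's SecurityTypes message (RFB 3.7+) into a list of types."""
    if not msg:
        raise ValueError("empty message")
    n = msg[0]
    if n == 0:
        # Zero types means the server refused; a length-prefixed reason follows.
        reason_len = struct.unpack(">I", msg[1:5])[0]
        raise ValueError("server refused: " + msg[5:5 + reason_len].decode("latin-1", "replace"))
    if len(msg) < 1 + n:
        raise ValueError("truncated security types")
    return list(msg[1:1 + n])


def assess_rfb_exposure(banner, sec_types_msg):
    """Summarise how an exposed RFB endpoint can be reached from its handshake."""
    major, minor = parse_rfb_banner(banner)
    types = parse_rfb_security_types(sec_types_msg)
    return {
        "version": "%d.%d" % (major, minor),
        "security_types": [RFB_SECURITY_TYPES.get(t, "Other (%d)" % t) for t in types],
        "no_auth_offered": 1 in types,
    }


# Constructed sample traffic (not from any real device).
SAMPLE_MODBUS_RESPONSE = bytes.fromhex("000100000007" "01" "03" "04" "0064" "01f4")
SAMPLE_MODBUS_EXCEPTION = bytes.fromhex("000200000003" "01" "83" "02")
SAMPLE_RFB_BANNER = b"RFB 003.008\n"
SAMPLE_RFB_SECTYPES_OPEN = b"\x02\x01\x02"  # offers None and VNC Authentication
SAMPLE_RFB_SECTYPES_AUTH = b"\x01\x02"      # VNC Authentication only

if __name__ == "__main__":
    print(build_read_holding_registers(1, 0, 2).hex())
    print(parse_read_holding_registers_response(SAMPLE_MODBUS_RESPONSE))
    print(parse_read_holding_registers_response(SAMPLE_MODBUS_EXCEPTION))
    print(assess_rfb_exposure(SAMPLE_RFB_BANNER, SAMPLE_RFB_SECTYPES_OPEN))
    print(assess_rfb_exposure(SAMPLE_RFB_BANNER, SAMPLE_RFB_SECTYPES_AUTH))
```

The defensive reading is the point: because Modbus carries no authentication, even an exception response rather than a connection refusal already confirms a reachable controller, and an RFB security-type offer that includes type 1 means the HMI screen can be taken over without any password. Both conditions are what an organization should be checking for from the outside before an opportunistic actor does.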

The approach differs from conventional targeted campaigns. Instead of sustained presence or zero-day exploitation, groups selected exposed assets matching geographic or ideological criteria. Tools remained basic: free VNC viewers, command-line utilities and, in limited cases, vendor management software. Many targeted systems, including older programmable logic controllers and integrated HMI units, retained factory configurations.

Research methodology involved source mapping across web, forums and messaging platforms, followed by continuous collection, verification of actor claims through shared screenshots or videos, and structured analysis of context, sector and vector. Limitations include reliance on self-reported data, possible exaggeration for impact, and exclusion of unreported events. The dataset covers 2025 activity and predates certain later developments.

Findings indicate that internet-exposed remote-access protocols and missing authentication create entry points that require no exploitation at all. Organizations operating CPS assets face routine enumeration by actors seeking quick, visible effects to advance stated causes. The incidents underscore the role of basic configuration controls, such as removing VNC and Modbus from direct internet exposure and replacing default credentials, in limiting the reach of these operations.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
