Security researchers have uncovered a large-scale campaign aimed at fingerprinting internet-exposed industrial control systems, specifically Modbus-based programmable logic controllers (PLCs). The activity, which peaked between September and November last year, spanned 70 countries and targeted more than 14,000 unique IP addresses.
According to cybersecurity firm Cato Networks, the operation combined widespread automated scanning with more focused probing techniques that suggest attempts to identify, disrupt, and potentially manipulate vulnerable devices. The United States accounted for the largest share of observed activity.
Researchers noted that Modbus, a legacy protocol designed for trusted industrial environments, lacks built-in security for exposure to the public internet. When PLCs using Modbus are accessible externally, attackers can quickly progress from reconnaissance to action, identifying devices, reading operational data, and in some cases altering system behavior by writing new values to control registers.
Analysis of three months of telemetry showed an escalation in tactics, from broad reconnaissance to more targeted actions capable of degrading system availability or directly impacting device operations. Much of the infrastructure used in the campaign appeared to evade traditional detection methods, with many source IPs showing little or no prior malicious history.
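The progression described above (identify, read, write) can be tracked from the function code in each Modbus/TCP request. The following Python is an added example, not code from Cato Networks or the original article: it parses the MBAP header, labels each request by stage, and reports the most severe stage each source reached. The stage names, function names, IP addresses, and frames are constructed for illustration.

```python
import struct

# Severity order of the stages the article describes; higher = closer to control.
STAGES = {"other": 0, "identify": 1, "read": 2, "write": 3}
FC_STAGE = {0x11: "identify", 0x2B: "identify",  # Report Server ID, Read Device Identification
            0x01: "read", 0x02: "read", 0x03: "read", 0x04: "read",
            0x05: "write", 0x06: "write", 0x0F: "write", 0x10: "write"}

def classify_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request (MBAP header + PDU) and label its stage."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header and function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts the bytes after the length field.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc, data = frame[7], frame[8:]
    stage = FC_STAGE.get(fc, "other")
    if fc == 0x2B and data[:1] != b"\x0e":
        stage = "other"  # 0x2B only identifies the device with MEI type 0x0E
    info = {"unit": unit, "fc": fc, "stage": stage}
    if stage in ("read", "write") and len(data) >= 4:
        # Each read/write code above starts with a 2-byte address; the next
        # word is a quantity, or the value itself for 0x05 and 0x06.
        info["address"], info["word2"] = struct.unpack(">HH", data[:4])
    return info

def highest_stage_by_source(events):
    """Map each source IP to the most severe stage it reached; skip non-Modbus data."""
    worst = {}
    for src, frame in events:
        try:
            stage = classify_request(frame)["stage"]
        except ValueError:
            continue
        if STAGES[stage] > STAGES.get(worst.get(src), -1):
            worst[src] = stage
    return worst

# Constructed sample traffic: documentation-range IPs and hand-built frames.
SAMPLE_EVENTS = [
    ("192.0.2.10", bytes.fromhex("000100000005012b0e0100")),      # read device identification
    ("192.0.2.10", bytes.fromhex("00020000000601030000000a")),    # read 10 holding registers
    ("192.0.2.10", bytes.fromhex("0003000000060106001004d2")),    # write register 16 = 1234
    ("198.51.100.7", bytes.fromhex("000100000005012b0e0100")),    # identification only
    ("203.0.113.5", b"GET / HTTP/1.1\r\n"),                       # not Modbus, skipped
]

if __name__ == "__main__":
    print(highest_stage_by_source(SAMPLE_EVENTS))
```

A source that moves from "identify" to "write" against an internet-facing PLC is worth alerting on even when its IP has no prior reputation, since the classification depends only on the request content.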
The targeting was widespread across industries, with manufacturing accounting for 18% of observed activity, followed by sectors including healthcare, construction, technology, transportation, and finance.