Industrial Cybersecurity Risks from Internet-Exposed ICS Devices

Team Cymru analyzed internet-exposed ICS/OT devices and presented three case studies showing nation-state actors targeting Hitachi RTU560, Moxa NPort, and Rockwell 1756 modules using default credentials, corrupted firmware uploads, device lockout, and protocol exploits. The research highlights thousands of exposed devices—particularly Rockwell and Moxa components—being scanned and targeted, and recommends using Scout and the Insights Feed to discover, monitor, and harden exposed OT assets. #Dragonfly #TRISIS #RockwellAutomation #HitachiRTU560 #MoxaNPort

Key points

  • Three case studies document nation-state targeting of internet-exposed ICS/OT devices: Hitachi RTU560, Moxa NPort, and Rockwell 1756 communication modules.
  • Attack techniques observed include exploitation of default/unrotated credentials, uploading corrupted ELF firmware to “hard brick” devices, forced factory resets and administrative lockout, and protocol-level exploits enabling remote code execution.
  • CERT-PL attributes a campaign against Polish power infrastructure to Dragonfly (aka Berserk Bear), demonstrating destructive and pre-positioning tactics against CNI.
  • Rockwell devices comprised 68.1% of exposed targeted devices in January 2026 (6,653 unique IPs), with Moxa at 15.7% (1,532 unique IPs); the United States accounted for 45.4% of targeted devices in that sample month.
  • Malicious actions ranged from loss of visibility/control (reconfigured IPs to 127.0.0.1 and changed admin passwords) to potential remote code execution through malformed CIP messages (CVE-2023-3595 and CVE-2023-3596).
  • Team Cymru recommends using Scout and the Insights Feed to discover internet-exposed ICS devices, close visibility gaps, harden network boundaries, and enrich IDS detection with global intelligence.

MITRE Techniques

  • [T1078] Valid Accounts – Attackers exploited default/unrotated credentials to gain administrative access to device web interfaces (‘…exploited the default account credentials left unrotated on internet-exposed web interfaces…’)
  • [T1499] Endpoint Denial of Service – Adversaries rendered devices inoperable or unreachable by uploading corrupted firmware to cause infinite boot loops and by restoring factory settings and reconfiguring IPs to loopback addresses (‘…uploading corrupted ELF firmware files…triggered an infinite boot loop…’ and ‘…restored the devices to factory settings, updated the administrative passwords to unknown values, and reconfigured the IP addresses to a non-routable loopback address (127.0.0.1).’)
  • [T1190] Exploit Public-Facing Application – A nation-state-developed exploit targeted communication modules by sending malformed CIP messages to trigger an out-of-bounds write and achieve remote code execution (‘…exploit would have allowed attackers to send malformed Common Industrial Protocol (CIP) messages to the module to trigger an out-of-bounds write.’)
  • [T1098] Account Manipulation – Operators changed administrative passwords and settings to lock out legitimate administrators and obscure device access (‘…updated the administrative passwords to unknown values…’)
  • [T1547] Boot or Logon Autostart Execution (Persistence) – Firmware-level manipulation that enables persistence across reboots and hides activity from responders (‘…stay persistent across reboots, and even hide their presence from incident responders by intercepting forensic data.’)
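The lockout and bricking behaviours quoted above (factory reset, administrative password change, management IP moved to 127.0.0.1, repeated corrupted firmware uploads) are exactly the kind of device audit events a defender can correlate. The following is an added example, not code from the Team Cymru post or from any vendor: it parses a constructed, hypothetical line-oriented audit log (`<time> <device> <actor-ip> <action> [key=value ...]`, not a real Hitachi, Moxa or Rockwell log format), then applies four detection rules that map to the T1499/T1098 behaviours described on this page. The management network range, device names and IP addresses are all constructed.

```python
"""Correlate ICS device audit events into loss-of-control findings.

Added example. The log format, device names, addresses and the
management network are constructed for illustration; they are not the
format or data of any real product or of the post this page summarises.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: one ICS device gets reset, locked out and pointed
# at loopback; one device sees two failed firmware uploads from an
# external address; one device receives a benign change from the
# management network.
SAMPLE_LOG = """\
2026-01-12T03:14:02Z rtu-07 198.51.100.23 login user=admin result=success
2026-01-12T03:14:40Z rtu-07 198.51.100.23 factory_reset
2026-01-12T03:15:05Z rtu-07 198.51.100.23 password_change user=admin
2026-01-12T03:15:30Z rtu-07 198.51.100.23 ip_change old=10.20.0.7 new=127.0.0.1
2026-01-12T09:00:00Z nport-03 10.20.0.50 login user=admin result=success
2026-01-12T09:02:00Z nport-03 10.20.0.50 ip_change old=10.20.0.31 new=10.20.0.32
2026-01-12T11:20:00Z rtu-09 203.0.113.9 firmware_upload file=update.bin result=failed
2026-01-12T11:20:30Z rtu-09 203.0.113.9 firmware_upload file=update.bin result=failed
"""

# Hypothetical trusted OT management network; anything else is "external".
TRUSTED_MGMT = [ip_network("10.20.0.0/16")]
PRIVILEGED = {"factory_reset", "password_change", "ip_change", "firmware_upload"}


@dataclass
class Event:
    time: datetime
    device: str
    actor: str
    action: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Finding:
    device: str
    severity: str
    reason: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed audit format; skips blank lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, device, actor, action = parts[:4]
        attrs = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        # Normalise the trailing 'Z' so fromisoformat works on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, device, actor, action, attrs))
    return events


def is_trusted(actor: str) -> bool:
    ip = ip_address(actor)
    return any(ip in net for net in TRUSTED_MGMT)


def detect(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    """Apply the lockout/bricking rules per device and return findings."""
    findings: list[Finding] = []
    by_device: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_device.setdefault(ev.device, []).append(ev)

    for device, evs in by_device.items():
        failed_fw = 0
        external_actors = set()
        for i, ev in enumerate(evs):
            # Rule 1: management IP set to a loopback/unspecified address makes
            # the device unreachable (loss of visibility/control).
            if ev.action == "ip_change":
                try:
                    new = ip_address(ev.attrs.get("new", ""))
                except ValueError:
                    new = None
                if new is not None and (new.is_loopback or new.is_unspecified):
                    findings.append(Finding(device, "critical",
                                            f"management IP set to non-routable {new} by {ev.actor}"))
            # Rule 2: factory reset followed by an admin password change from
            # the same actor inside the window (administrative lockout).
            if ev.action == "factory_reset":
                for later in evs[i + 1:]:
                    if later.time - ev.time > window:
                        break
                    if later.action == "password_change" and later.actor == ev.actor:
                        findings.append(Finding(device, "critical",
                                                f"factory reset then password change by {ev.actor}"))
                        break
            # Rule 3: repeated failed firmware uploads (possible corrupted image).
            if ev.action == "firmware_upload" and ev.attrs.get("result") == "failed":
                failed_fw += 1
            # Rule 4: privileged change originating outside the management network.
            if ev.action in PRIVILEGED and not is_trusted(ev.actor):
                external_actors.add(ev.actor)
        if failed_fw >= 2:
            findings.append(Finding(device, "high", f"{failed_fw} failed firmware uploads"))
        for actor in sorted(external_actors):
            findings.append(Finding(device, "high", f"privileged change from external address {actor}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f.severity:8s} {f.device:9s} {f.reason}")
```

Rule 4 is what turns the page's exposure statistics into a control: if a privileged change on an OT device arrives from an address outside the management network, the device is, by definition, reachable from somewhere it should not be, whichever vendor it comes from.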

Indicators of Compromise

  • [Device/Product] Targeted ICS/OT models – Hitachi RTU560, Moxa NPort, and Rockwell 1756-EN2/EN3/EN4 communication modules
  • [IP addresses] Examples of network indicators and exposure context – 127.0.0.1 (reconfigured loopback used in lockout), and large counts of exposed device IPs such as 6,653 unique Rockwell IPs detected in January 2026
  • [File types] Malicious or corrupted firmware context – corrupted ELF firmware files uploaded to Hitachi RTU560 (no hashes provided)
  • [Vulnerabilities] Exploited CVEs and protocol exploit context – CVE-2023-3595, CVE-2023-3596, and malformed Common Industrial Protocol (CIP) messages used to trigger out-of-bounds writes
  • [Credentials] Authentication indicators – factory-default/unrotated credentials and attacker-updated administrative passwords used to gain and deny access

Read more: https://www.team-cymru.com/post/industrial-cybersecurity-for-ics-and-ot-devices