Sector distribution of observed targets associated with suspicious Modbus probing | Image: Cato
Between September and November 2025, a large wave of suspicious activity targeted industrial control systems worldwide, showing that the backbone of our physical infrastructure is being systematically probed by digital adversaries. A new threat report from Cato Networks describes a sustained campaign of Modbus/TCP activity against internet-exposed Programmable Logic Controllers (PLCs), spanning 70 countries and over 14,000 distinct targets.
Industrial protocols designed for trusted, isolated networks are being weaponized on the public internet.
Attackers aren’t just knocking on doors; they are meticulously mapping the hallways. The report identifies a progression of risk, starting with automated reconnaissance and escalating to potentially catastrophic “write” commands.
The researchers highlight a specific, scripted two-step sequence used by threat actors:
- Fingerprinting: Using function code 0x2B with MEI type 0x0E (Read Device Identification) to identify the vendor, product, and version of the PLC.
- Targeted Data Pull: Executing a fixed register read to retrieve meaningful data specific to that model.
As the report warns, “When a Modbus-enabled PLC is exposed externally, a remote threat actor can move quickly from discovery to action: fingerprint the device, read controller data, and if writes are reachable, change register values that influence physical processes.”
To illustrate the danger, Cato researchers used a proof-of-concept simulation based on MITRE’s Wildcat Dam. By manipulating water-level thresholds via Modbus, they demonstrated how an attacker could force water levels to rise to 255% and override dam door states, defeating the expectations of human operators.
The telemetry data paints a picture of an opportunistic but increasingly aggressive adversary:
- The Scale: 233 source IPs generated roughly 235,500 inbound requests, primarily reads of holding registers (function code 0x03).
- Targeted Sectors: While the activity was broad, the Manufacturing sector (18%) was the most frequent target, followed by healthcare, construction, and government municipalities.
- Systematic Manipulation: In one of the most alarming observations, a single IP address was responsible for 3,240 write requests, a “Critical” risk behavior that can directly change device behavior.
- Geographic Focus: The United States bore the brunt of the activity, accounting for 36% of the targeted IPs, followed by France and Japan.
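The two-step fingerprint-then-read sequence and the read/write telemetry described above are both visible in the Modbus/TCP function code of each request, which makes them straightforward to surface from captured frames. The following is an added example written for this page, not code from the Cato report: it parses the MBAP header and PDU of request frames (framing per the public Modbus/TCP specification), classifies each request as device-identification, read or write, and summarises per-source behaviour, flagging any source that sends a Read Device Identification request followed by a holding-register read to the same target, and rating any source that issues writes as "Critical" (the other risk labels and the sample frames and IP addresses are constructed for illustration).

```python
"""Classify Modbus/TCP request frames by risk and summarise per-source behaviour (added example)."""
import struct
from collections import Counter, defaultdict

# Public Modbus function codes
READ_CODES = {0x01: "read_coils", 0x02: "read_discrete_inputs",
              0x03: "read_holding_registers", 0x04: "read_input_registers"}
WRITE_CODES = {0x05: "write_single_coil", 0x06: "write_single_register",
               0x0F: "write_multiple_coils", 0x10: "write_multiple_registers"}
ENCAP_INTERFACE = 0x2B      # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E   # MEI type: Read Device Identification


def parse_mbap(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Raises ValueError on malformed input (short frame, wrong protocol id, bad length)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length covers unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def classify(pdu: dict) -> str:
    """Map a parsed request to a coarse behaviour class."""
    fc = pdu["fc"]
    if fc == ENCAP_INTERFACE and pdu["data"][:1] == bytes([MEI_READ_DEVICE_ID]):
        return "fingerprint"
    if fc in WRITE_CODES:
        return "write"
    if fc in READ_CODES:
        return "read"
    return "other"


def summarise(events) -> dict:
    """events: iterable of (src_ip, dst_ip, raw_frame). Returns per-source counts,
    whether the scripted fingerprint->read sequence was seen, and a risk label."""
    per_src = defaultdict(lambda: {"counts": Counter(), "last": {},
                                   "scripted_sequence": False, "risk": "Low"})
    for src, dst, frame in events:
        rec = per_src[src]
        try:
            pdu = parse_mbap(frame)
        except ValueError:
            rec["counts"]["malformed"] += 1
            continue
        cls = classify(pdu)
        rec["counts"][cls] += 1
        # Scripted two-step: device identification, then a holding-register read to the same target
        if cls == "read" and pdu["fc"] == 0x03 and rec["last"].get(dst) == "fingerprint":
            rec["scripted_sequence"] = True
        rec["last"][dst] = cls
    for rec in per_src.values():
        if rec["counts"]["write"]:
            rec["risk"] = "Critical"          # writes can change physical process state
        elif rec["scripted_sequence"]:
            rec["risk"] = "High"              # assumed label for targeted reconnaissance
        elif rec["counts"]["fingerprint"] or rec["counts"]["read"]:
            rec["risk"] = "Medium"            # assumed label for generic probing
        del rec["last"]
    return dict(per_src)


def build(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Helper to construct a well-formed Modbus/TCP request frame for the sample data."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (documentation IP ranges, not real observations)
SAMPLE_EVENTS = [
    ("198.51.100.7", "192.0.2.10", build(1, 1, 0x2B, b"\x0e\x01\x00")),        # Read Device Identification
    ("198.51.100.7", "192.0.2.10", build(2, 1, 0x03, b"\x00\x00\x00\x0a")),    # fixed holding-register read
    ("198.51.100.9", "192.0.2.11", build(1, 1, 0x03, b"\x00\x00\x00\x10")),    # plain read
    ("198.51.100.9", "192.0.2.11", b"\x00\x01\x00\x00\x00\x02\x01"),           # truncated frame
    ("203.0.113.5", "192.0.2.12", build(1, 1, 0x06, b"\x00\x10\x00\xff")),     # write single register
    ("203.0.113.5", "192.0.2.12", build(2, 1, 0x10, b"\x00\x10\x00\x01\x02\x00\xff")),  # write multiple
]

if __name__ == "__main__":
    for src, rec in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{src:15} risk={rec['risk']:8} scripted={rec['scripted_sequence']} {dict(rec['counts'])}")
```

The per-destination "last" state is what lets the summary distinguish a scripted fingerprint-then-read pair from a scanner that merely emits both request types across many targets; in production the same logic would be keyed on flow data from a sensor in front of the PLC segment rather than on an in-memory list.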
While the identities of these threat actors remain unknown, researchers noted that a subset of “higher-intent” reconnaissance came from sources geolocated to China. These actors used rare, expanded device identification techniques that suggest deeper intelligence gathering.
Much of the infrastructure used by scanners was “fresh” or rotating, allowing them to bypass traditional reputation-based security filters.
The takeaway for CISOs and junior admins alike is identical: do not expose Modbus to the public internet.
The report’s core recommendation emphasizes a layered defense: “Where exposure exists, enforce segmentation by isolating OT from IT and the public internet, strict access controls to limit Modbus reachability, and pair that with threat prevention to stop both early-stage probing and higher-impact actions.”