Claroty: CPS Attack Trends: Dark Web Research & Critical Infrastructure

Claroty
07/01/2026
Transcript


Hey. Good to see you. Good to see you, Mike. So let's talk a little bit about the recently published Team 82 Threat Report. A lot of great data in there, and we're talking about actual attacks against cyber-physical systems, whether it's OT or healthcare devices. Just curious to you, what stood out? I mean, there's a lot of different angles we can tackle here, but... Well, look, at first, I think it's important to talk about the genesis of the report, that there's a lot of threat reports out there from a lot of different cyber vendors over the years. What we really wanted to do was have one that oriented... There's a question sometimes about what attacks are actually occurring against cyber-physical systems. And so we have a team of threat researchers that infiltrated the dark web, and we're looking for evidence of actual, real evidence of attacks against CPS assets, OT assets, medical devices. And so over the course of 2025, they were able to find over 200 documented examples of attacks against these assets. So we looked at the source country of the attack, we looked at what country was being attacked, we looked at what, if we could figure it out, what threat group was associated with it. So it really turned into a harvest of super interesting information. And so that's the genesis of it. Now, I want to get back to your question in terms of some of the interesting points. So I guess a little bit not surprisingly, we found that 71% of the attacks that originated from Iran in 2025 were targeting asset owners, infrastructure within the US and Israel. More surprising for me is that we found that attacks originating from Russia, 81% of the time were targeting countries within the European Union, I guess, because of the Ukraine war, but I was expecting actually to see more attacks against the US as well. So I thought, I thought that was interesting. So that's kind of one. Sure. Yeah, it definitely stands out. 
It also kind of the geopolitical leanings of some of these hacktivist groups. They're not necessarily super skilled, but they do align either politically or socially with what's happening geopolitically. And I thought that that actually showing that linkage in a lot of areas was really interesting Yeah, like one of the, I thought, really interesting things, attribution. So many... CISA recently published a report about a lot of opportunistic attacks by adversary affiliated hacking groups against critical infrastructure, which is borne out by our research. We saw a lot of Russian affiliated hacking groups, we saw Iranian affiliated hacking groups, and they were kind enough to us to put their logos on video recordings of their attacks. Lots of logos. They were able to see it. Now, the one thing that I thought was also super interesting is we found, I'll call it a getting start, a getting a quick start guide that hackers had published to teach other hackers around, step by step around how to find and attack OT assets using like Shodan and other tools. Yeah. And I mean, that's kind of what the dark web is all about is there's a lot of this information sharing between these groups and to see it against OT is kind of concerning. I mean, it's new, at least. Yeah. Look, I feel like there's always another red line that an attacker, some attacker will cross. Right. And I think that we need to recalibrate that it's like an elevation of our thinking about cyber physical system based attacks that it is just another tool that adversaries and cyber criminals have to achieve their strategic or financially motivated objectives. And so if you look at, you know, right now, you know, our team told me earlier this morning that they're seeing a lot of Iranian attacks against wastewater, retail and manufacturing. 
There was actually an Israeli retailer, again, targeting PLCs, these environments, an Israeli retailer whose refrigeration systems were taken offline, causing from Iran, causing a lot of spoilage. And so the intent is not just it's to cause malfeasance, but it's also to try to impact the supply chain. Right. So good place for the next question. Three of the industries that we really saw attackers targeting on focusing in manufacturing, water and wastewater and power generation, probably no surprise, you create a lot of social chaos there, get a lot of attention for your whatever your cause is just your reaction. Yeah. So if it's like 19 percent against manufacturing, like 15 percent, something like that against water, against water and 11 percent against power generation. Look, I think that it's the least for power generation and utilities. The goal is to domestically cause harm to U.S. based infrastructure or to implant themselves in U.S. based infrastructure as a means in case of a kinetic conflict to be able to cause disruption. Right. So I think, you know, again, we can talk about specific companies that we found, but a lot of the manufacturing is how can you influence supply chain? Like we saw like Colonial Pipeline attack influenced supply chain. And so there are so many, if we think about critical infrastructure, not as individual entities, but which ones need to be operating, the essential ones that could impact upstream or downstream capabilities. That's where I think the lens needs to be in manufacturing. I mean, the big point is that too many of these assets are exposed online. They're easily enumerated using scanning services and, you know, they give up a lot of information and that's really gold for an attack. Well, look, it's not very difficult to find cyber physical systems to attack there. 
When a couple of months ago, our team 82 looked at this on Shodan, we found over 4,000 building automation systems either using KNX or BACnet in the insecure manner. So with this insecure protocol, an attacker can directly connect to it and drive commands without the need for any password and any credentials. So it's kind of like bonkers to me that there's so much vulnerable infrastructure out there. So let's wrap up with a couple of minutes on the national cyber strategy that was released 10 days ago or whatever. Just curious on your thoughts on a few of the pillars, obviously most relevant to us would be protecting critical infrastructure and, you know, prioritizing that within the strategy. What was just kind of your initial reaction on that? Yeah, look, it's important that the administration put out the national cyber strategy. Just candidly, it was shy on details and shy on kind of implementation operations. But I was, you know, I think it was really important that as cybers, as critical infrastructure is the next cyber battleground, I think it was important that the administration called on, I think it's pillar four, around securing critical infrastructure. They specifically called out operational technology and impact potentially on supply chain. So I think, you know, it's good directionally. The question was like, so what is the implementation plan? There's also one of the pillars around, I think it's around smart regulation or pragmatic regulation. And so, again, it's good. I think it's important and good that there is some regulation because a lot of organizations won't implement cyber protection unless they have a requirement to do so and with penalties associated with it. So I think that's a good thing. The question is, what will that yield? Like, what is the result? I think the whole pillar on regulation was to be three or four sentences. So I'm eager to read the next chapter. Just final question. 
Just curious on your take, I think it was pillar one, just more of a leaning towards being more offensive in cyber and it's a slippery slope, let's be honest. Yeah, I read through it and I know the administration had talked about this. Just two sides of this. On one side, I get the fact that the administration is looking for leverage. I just worry about organizations putting a target on their own backs or maybe an organization getting it wrong. That's the bad one. Exactly. Now, on the other side of this, there are organizations out there, Microsoft and others, that have done a really nice job in terms of helping work with intelligence agencies, Department of Justice, FBI, to help secure infrastructure and take down finance. So there is some stark precedence for takedown of critical infrastructure. I think we just need to be really crisp and purposeful about where it should be focused and also a lot of introspection in terms of what the consequences are to be associated. All right, Grant. Good to catch up. Thanks.

TL;DR

  • Claroty's Team 82 documented over 200 real-world attacks against cyber-physical systems in 2025 by analyzing dark web evidence, revealing that 71% of Iranian attacks targeted US and Israeli infrastructure while 81% of Russian attacks focused on EU countries.
  • Manufacturing, water/wastewater, and power generation emerged as the top three targeted sectors, with adversaries seeking to disrupt supply chains and establish footholds in critical infrastructure for potential future conflicts.
  • Over 4,000 building automation systems were found exposed online using insecure protocols that allow attackers to execute commands without authentication, demonstrating how easily enumerable CPS assets have become.
  • The research uncovered dark web tutorials teaching hackers how to find and attack OT assets using scanning tools, lowering the sophistication barrier and enabling hacktivist groups to cause operational disruption with relatively basic techniques.

Dark Web Research Methodology and Key Findings

Claroty's Team 82 threat research team conducted an extensive investigation into actual attacks against cyber-physical systems (CPS) by infiltrating dark web forums and documenting real-world incidents throughout 2025. The research identified over 200 documented attacks against OT assets, medical devices, and other CPS infrastructure, analyzing source countries, target nations, and associated threat groups. The methodology focused on verifiable evidence rather than theoretical vulnerabilities, providing concrete data on how adversaries are actively targeting critical infrastructure. Key findings revealed that 71% of Iranian-originated attacks targeted US and Israeli infrastructure, while 81% of Russian-originated attacks focused on European Union countries, likely related to the Ukraine conflict. The research also uncovered step-by-step hacking guides published on the dark web specifically teaching attackers how to find and compromise OT assets using tools like Shodan.

Industry Targeting and Asset Exposure

The research identified manufacturing (19%), water and wastewater systems (15%), and power generation (11%) as the most frequently targeted critical infrastructure sectors. These industries represent high-value targets for adversaries seeking to cause social disruption, influence supply chains, or establish persistent access for potential future kinetic conflicts. A particularly concerning finding revealed over 4,000 building automation systems using insecure protocols like KNX and BACnet that allow direct command execution without authentication. The ease of discovering vulnerable CPS assets through internet scanning services has lowered the barrier to entry for attacks, with hacktivist groups demonstrating surprisingly low sophistication levels while still achieving operational impact. Iranian-affiliated groups have been observed targeting Israeli retailers' refrigeration systems to cause supply chain disruption through food spoilage, illustrating how CPS attacks extend beyond traditional IT security concerns into physical operational consequences.

Chapters

0:00 - Introduction and Report Overview
0:23 - Research Methodology and Dark Web Investigation
1:27 - Geopolitical Attack Patterns
2:18 - Attribution and Hacker Tutorials
4:20 - Industry Targeting and Impact
5:32 - Asset Exposure and Vulnerability
6:21 - National Cyber Strategy Discussion

Key Quotes

0:49 "Over the course of 2025, they were able to find over 200 documented examples of attacks against these assets."
1:35 "We found that 71% of the attacks that originated from Iran in 2025 were targeting asset owners, infrastructure within the US and Israel."
1:49 "Attacks originating from Russia, 81% of the time were targeting countries within the European Union, I guess, because of the Ukraine war."
2:54 "We found, I'll call it a getting start, a getting a quick start guide that hackers had published to teach other hackers around, step by step around how to find and attack OT assets using like Shodan and other tools."
5:51 "Our team 82 looked at this on Shodan, we found over 4,000 building automation systems either using KNX or BACnet in the insecure manner."
6:07 "An attacker can directly connect to it and drive commands without the need for any password and any credentials."

FAQ

What makes cyber-physical system attacks different from traditional IT security incidents?

CPS attacks target operational technology and physical systems like manufacturing equipment, building automation, and critical infrastructure, causing real-world physical consequences beyond data breaches. These attacks can disrupt supply chains, damage equipment, cause safety incidents, and impact essential services like power and water delivery.

How are attackers finding vulnerable OT and CPS assets to target?

Attackers use internet scanning services like Shodan to enumerate exposed cyber-physical systems, many of which use insecure protocols that reveal detailed information about the devices and allow direct command execution without authentication. The research found step-by-step guides on the dark web teaching hackers how to discover and exploit these assets.
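Both the asset-exposure summary above and this answer come down to one operational question for a defender: is any BACnet/IP or KNXnet/IP traffic reaching the building automation from outside the site, and is it only discovery (Who-Is, SEARCH_REQUEST) or does it carry writes? The script below is an added example, not Claroty's or Team 82's code. It decodes the BVLC, NPDU and APDU layers of BACnet/IP and the KNXnet/IP header far enough to name the service, drops anything sourced from the site's own prefixes, and rates state-changing requests (WriteProperty, ReinitializeDevice, KNX tunnelling) higher than reads. The records, the internal prefix 10.20.0.0/16 and the source addresses are constructed; the port numbers and service codes are the published protocol values.

```python
"""Flag BACnet/IP and KNXnet/IP messages that reach building-automation devices from
outside the site, ranked by whether the message can change device state.
Added example, not Claroty/Team 82 code; sample records are constructed. Protocol
constants come from the public BACnet (ASHRAE 135) and KNXnet/IP specifications."""
import ipaddress
from dataclasses import dataclass

BACNET_PORT, KNX_PORT = 47808, 3671  # registered UDP ports
# BACnet APDU service choices; unconfirmed services carry no invoke ID
BACNET_UNCONFIRMED = {0: "I-Am", 7: "Who-Has", 8: "Who-Is"}
BACNET_CONFIRMED = {12: "ReadProperty", 14: "ReadPropertyMultiple", 15: "WriteProperty",
                    16: "WritePropertyMultiple", 17: "DeviceCommunicationControl",
                    20: "ReinitializeDevice"}
BACNET_STATE_CHANGING = {15, 16, 17, 20}
KNX_SERVICES = {0x0201: "SEARCH_REQUEST", 0x0203: "DESCRIPTION_REQUEST",
                0x0205: "CONNECT_REQUEST", 0x0420: "TUNNELLING_REQUEST"}
KNX_STATE_CHANGING = {0x0420}  # tunnelling requests carry cEMI telegrams onto the bus

@dataclass
class Finding:
    src: str
    dst: str
    protocol: str
    service: str
    severity: str  # "high" when the message can change device state, else "medium"

def parse_bacnet(payload: bytes):
    """Return (service name, state_changing) or None if this is not a BACnet/IP request APDU."""
    if len(payload) < 8 or payload[0] != 0x81:  # BVLC type byte for BACnet/IP
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):  # BVLC length must match
        return None
    npdu = payload[4:]
    if npdu[0] != 0x01 or npdu[1] & 0x80:  # NPDU version 1; bit 7 = network-layer message
        return None
    control, i = npdu[1], 2
    if control & 0x20:  # DNET, DLEN, DADR present
        i += 3 + npdu[i + 2]
    if control & 0x08:  # SNET, SLEN, SADR present
        i += 3 + npdu[i + 2]
    if control & 0x20:  # hop count follows the addresses when DNET is present
        i += 1
    apdu = npdu[i:]
    if len(apdu) < 2:
        return None
    pdu_type = apdu[0] >> 4
    if pdu_type == 1:  # Unconfirmed-Request: type byte, then service choice
        return BACNET_UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}"), False
    if pdu_type == 0:  # Confirmed-Request: flags, max-APDU, invoke ID, [seq, window,] choice
        idx = 5 if apdu[0] & 0x08 else 3  # segmented requests add two header bytes
        if len(apdu) <= idx:
            return None
        choice = apdu[idx]
        return BACNET_CONFIRMED.get(choice, f"confirmed-{choice}"), choice in BACNET_STATE_CHANGING
    return None  # acks, errors, rejects and aborts are responses, not requests

def parse_knx(payload: bytes):
    """Return (service name, state_changing) or None if this is not a KNXnet/IP frame."""
    if len(payload) < 6 or payload[:2] != b"\x06\x10":  # header length 6, protocol version 1.0
        return None
    service = int.from_bytes(payload[2:4], "big")
    if int.from_bytes(payload[4:6], "big") != len(payload):  # total length must match
        return None
    return KNX_SERVICES.get(service, f"service-0x{service:04x}"), service in KNX_STATE_CHANGING

PARSERS = {BACNET_PORT: ("BACnet/IP", parse_bacnet), KNX_PORT: ("KNXnet/IP", parse_knx)}

def find_exposed(records, internal_prefixes):
    """Keep only BAS-protocol requests whose source lies outside the site's own address space."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    findings = []
    for rec in records:
        if any(ipaddress.ip_address(rec["src"]) in net for net in nets):
            continue  # internal-to-internal BAS traffic is expected
        if rec["dport"] not in PARSERS:
            continue
        protocol, parser = PARSERS[rec["dport"]]
        try:
            parsed = parser(bytes.fromhex(rec["payload"]))
        except (IndexError, ValueError):  # truncated frame or bad hex in the export
            parsed = None
        if parsed is None:
            continue
        service, changes_state = parsed
        findings.append(Finding(rec["src"], rec["dst"], protocol, service,
                                "high" if changes_state else "medium"))
    return findings

# Constructed sample: an assumed site prefix and five UDP records with hex payloads.
INTERNAL_PREFIXES = ["10.20.0.0/16"]
SAMPLE_RECORDS = [
    {"src": "10.20.1.15", "dst": "10.20.255.255", "dport": 47808,  # internal Who-Is broadcast
     "payload": "810b000c0120ffff00ff1008"},
    {"src": "198.51.100.23", "dst": "10.20.1.40", "dport": 47808,  # external ReadProperty
     "payload": "810a001101040005010c0c02000001194c"},
    {"src": "198.51.100.23", "dst": "10.20.1.40", "dport": 47808,  # external WriteProperty
     "payload": "810a001a01040005020f0c0040000119553e4442c800003f4908"},
    {"src": "192.0.2.77", "dst": "10.20.2.9", "dport": 3671,  # external KNX SEARCH_REQUEST
     "payload": "06100201000e0801c0a801640e57"},
    {"src": "192.0.2.77", "dst": "10.20.2.9", "dport": 3671,  # external KNX TUNNELLING_REQUEST
     "payload": "061004200015040100001100bce000000801010080"},
]

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_RECORDS, INTERNAL_PREFIXES):
        print(f"{f.severity:6} {f.protocol:10} {f.service:20} {f.src} -> {f.dst}")
```

Run it against a flow or packet export that retains UDP payloads. Any finding at all means a building-automation protocol is reachable from the internet, which is the condition the research counted over 4,000 times on Shodan; a "high" finding means someone outside is already issuing writes. Classic BACnet/IP and KNXnet/IP have no authentication to switch on, so the durable fix is keeping UDP 47808 and 3671 off the perimeter and putting a VPN or the secured profiles (BACnet/SC, KNX IP Secure) in front of any gateway that must be reached remotely.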
