
You Don’t Have to Be Interesting to Get Hit: Opportunistic CPS Attacks Against Critical Infrastructure


Opportunistic hacktivist crews aligned with their geopolitical interests are now a standing threat to critical infrastructure operators throughout the US and EU, and a convergence of recent government advisories and new cyber-physical systems threat research makes it clear that most of the risks are self-inflicted.

Since 2022, CISA, the FBI, the NSA, and partner agencies in Canada and the UK have warned that pro‑Russia hacktivists are targeting and compromising small‑scale operational technology (OT) and industrial control system (ICS) environments within water and wastewater, dams, energy, and the food and agriculture sectors. In a May 1, 2024, joint fact sheet, the agencies describe these actors targeting modular, internet‑exposed ICS components such as human-machine interfaces (HMIs) by exploiting virtual network computing (VNC) remote-access software and default or weak passwords, rather than deploying bespoke implants or zero‑days in PLCs. 


The same alert warned that pro‑Russia hacktivists have gained remote access by abusing publicly exposed connections and outdated VNC software, then using HMI factory default or weak passwords without multifactor authentication to manipulate setpoints, disable alarms, and change administrative credentials, creating nuisance‑level physical effects in insecure, misconfigured OT environments with techniques that are inexpensive to execute and easy to replicate. 

Claroty’s Team82 has now put a quantitative shape around what CISA has been warning about. Analyzing more than 200 verified CPS attacks, Team82 found that 82% involved insecure protocols, such as VNC, used to remotely access exposed internet-facing assets, and 66% involved the compromise of HMIs or supervisory control and data acquisition (SCADA) systems that directly control industrial processes. Those are not fringe cases. They represent the dominant pattern of how CPS environments are being reached and manipulated by threat actors who frequently do not fully understand the systems they are attacking.

The frontline is everywhere

Geopolitical alignment largely determines targeting. Team82's data shows that 81% of incidents attributed to Iran-affiliated groups hit US and Israeli targets, while 71% of Russia-affiliated incidents focused primarily on EU countries. CISA's advisory is consistent with that pattern, specifically calling out pro-Russia hacktivist groups' coordinated efforts against US and allied critical infrastructure and noting that the groups amplify each other's claimed intrusions on social media to manufacture an impression of greater impact than they often achieve. That social amplification is itself part of the attack — the operational disruption and the propaganda are one and the same.


The broader breach data puts this CPS-specific activity in context. Verizon's 2025 Data Breach Investigations Report found that critical infrastructure organizations reported thousands of incidents in the covered period, and year-over-year data shows a roughly 180% increase in the exploitation of vulnerabilities as an initial access path, concentrated heavily on edge devices and remote access infrastructure. 

That shift stems from perimeter services, remote access consoles, and exposed management interfaces, which are the weak links in the attack surface and where security controls lag. VNC is a particularly clear example: it was never architected for secure exposure to the public Internet, typically lacks strong encryption, and has historically shipped or been configured with weak defaults. Placing it in front of operational control systems is an architectural decision that hacktivists did not have to stretch too far to exploit.

Mitigating risk to cyber-physical systems

CISA’s December advisory highlighted the gap between what these groups intend and what they can reliably execute. Their "apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate the actual impact." That is not reassuring. The advisory also notes that while attacks have not yet caused injury, they have caused loss of view in control systems — forcing manual intervention — along with unauthorized setpoint changes, disabled alarms, parameter modifications, and device restarts. Those outcomes have real costs: OT downtime, PLC programmer fees to restore configurations, and network remediation. And they represent the lower end of what this level of access could enable if a more capable actor inherited the same exposed infrastructure.


The structural problem, visible across Team82's data and CISA's advisory alike, is that critical infrastructure operators have left CPS assets reachable from the public internet in configurations that make exploitation trivially easy for anyone motivated enough to run Nmap and a password sprayer. When CISA says to assume compromise if you find exposed systems with weak or default credentials, it acknowledges how widely this condition exists across operational environments. Team82's finding that 66% of incidents reached the HMI and SCADA layer suggests the assumption of compromise is warranted for a large share of affected organizations.

For CISOs and OT security leads, the mitigations are not complex — they are, however, organizationally challenging. Reducing internet exposure of CPS assets, replacing insecure remote access protocols with brokered and authenticated alternatives, implementing MFA on any account that can affect physical processes, and establishing monitoring for unexpected OT traffic patterns: these are the control actions that CISA and Team82 both point toward. None of them requires an overhaul. Most do require prioritization, budget, and in some cases the difficult internal argument that retiring a legacy remote access configuration is an operational safety decision, not just a security preference.
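As an added illustration of the last two controls above (brokered remote access and monitoring for unexpected OT traffic), the following script is not from the article or from Claroty or CISA. It scans constructed flow-log lines for VNC sessions reaching an HMI/SCADA segment and flags any that arrive from outside the site's address ranges or from an internal host other than the approved jump host; the subnet, broker address and internal ranges are assumptions for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample flow records (not from the article). Fields:
# timestamp, source IP, destination IP, destination port, protocol.
SAMPLE_FLOWS = [
    "2024-05-01T10:02:11Z 203.0.113.45 10.20.5.10 5900 tcp",  # internet -> HMI VNC
    "2024-05-01T10:02:19Z 10.20.1.50 10.20.5.10 5900 tcp",    # jump host -> HMI VNC
    "2024-05-01T10:03:02Z 198.51.100.7 10.20.5.11 5901 tcp",  # internet -> HMI VNC display :1
    "2024-05-01T10:03:40Z 10.20.1.77 10.20.5.10 502 tcp",     # Modbus/TCP, not VNC
    "2024-05-01T10:04:05Z 10.20.3.9 10.20.5.12 5900 tcp",     # workstation, not via broker
]

# Assumed site layout: the HMI/SCADA segment, the only approved (authenticated,
# MFA-protected) remote-access broker, and the site's internal address ranges.
HMI_SUBNET = ipaddress.ip_network("10.20.5.0/24")
BROKER_HOSTS = {ipaddress.ip_address("10.20.1.50")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VNC_PORTS = range(5900, 6000)  # VNC displays :0 through :99

def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """True if the address belongs to one of the site's internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def classify_flow(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src, dst, reason) when the flow is VNC into the HMI segment that
    did not come through the broker; return None for benign or malformed lines."""
    try:
        _ts, src_s, dst_s, port_s, _proto = line.split()
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        port = int(port_s)
    except ValueError:
        return None  # malformed record: skip rather than crash the scan
    if port not in VNC_PORTS or dst not in HMI_SUBNET:
        return None
    if not is_internal(src):
        return (src_s, dst_s, "internet-sourced VNC to HMI")
    if src not in BROKER_HOSTS:
        return (src_s, dst_s, "internal VNC to HMI bypassing broker")
    return None

def find_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over every flow line and collect the alerts in order."""
    return [a for a in (classify_flow(l) for l in lines) if a is not None]

if __name__ == "__main__":
    for src, dst, reason in find_alerts(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The same check can be run against exported firewall or NetFlow records to verify that a "retired" direct VNC path is actually gone, not just undocumented.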

The take-away? The adversary today is opportunistic. These attacks are no longer targeted in any meaningful sense. They are sweeping up entire classes of exposed CPS assets across geographies, sectors, and levels of operator sophistication. An organization does not need to be interesting to be compromised; it needs only to be reachable and vulnerable. That changes the calculus on deferring remediation work.

Every exposed VNC port on a live control network is, at this point, a welcome mat — and a growing list of hacktivist groups has made clear they are willing to walk on in until more organizations adequately lock the door.
