<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[(catonetworks.com) Global Modbus/TCP Campaign Targets Internet-Exposed PLCs Across 70 Countries with China-Geolocated Infrastructure Observed]]></title><description><![CDATA[<p>(catonetworks.com) Global Modbus/TCP Campaign Targets Internet-Exposed PLCs Across 70 Countries with China-Geolocated Infrastructure Observed</p><p>Global campaign targets internet-exposed Modbus/TCP PLCs across 70 countries, with China-geolocated infrastructure observed executing high-risk write operations and DoS-like bulk reads.</p><p>In brief - Cato Networks identified a large-scale campaign probing 14,426 Modbus/TCP PLCs globally, with manufacturing (18%) as the top sector. Reconnaissance included automated fingerprinting and 3,240 Write Multiple Registers (0x10) attempts, while bulk reads suggest disruption intent. A subset of China-linked IPs used rare expanded device identification.</p><p>Technically - The campaign employed Modbus/TCP function codes 0x03 (Read Holding Registers, ~235.5K requests) and 0x10 (Write Multiple Registers, 3,240 requests) with consistent parameters (e.g., starting at 0x0BB8). Scripted sequences paired 0x2B/0x0E (payload 0100/0200) for device ID with fixed 0x03 reads. Six China-geolocated IPs used payload 0200, a rare expanded identification method. Bulk reads near the 125-register limit (~158.1K against one target) align with resource exhaustion tactics.
MITRE ATT&amp;CK for ICS PoC (Wildcat Dam) demonstrated physical impact via register manipulation.</p><p>Source: <a href="https://www.catonetworks.com/blog/global-campaign-discovered-with-modbus-plcs-targeted/" rel="nofollow noopener"><span>https://www.</span><span>catonetworks.com/blog/global-c</span><span>ampaign-discovered-with-modbus-plcs-targeted/</span></a></p><p><a href="https://swecyb.com/tags/Cybersecurity" rel="tag">#<span>Cybersecurity</span></a> <a href="https://swecyb.com/tags/ThreatIntel" rel="tag">#<span>ThreatIntel</span></a></p>]]></description><link>https://board.circlewithadot.net/topic/70ce98ca-a00c-4ffb-9e50-6882867cb34e/catonetworks.com-global-modbus-tcp-campaign-targets-internet-exposed-plcs-across-70-countries-with-china-geolocated-infrastructure-observed</link><generator>RSS for Node</generator><lastBuildDate>Fri, 15 May 2026 08:37:45 GMT</lastBuildDate><atom:link href="https://board.circlewithadot.net/topic/70ce98ca-a00c-4ffb-9e50-6882867cb34e.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 23 Apr 2026 07:39:35 GMT</pubDate><ttl>60</ttl></channel></rss>