Forescout’s latest threat briefing highlights a shift in the OT threat landscape, with both hacktivists and nation-state actors increasingly targeting critical infrastructure. In the first half of 2025, the distinction between cyber activism and state-sponsored campaigns blurred—groups like APT IRAN, GhostSec, Arabian Ghosts, Sector16, and Z‑Pentest used hacktivist personas to amplify disruptive messaging while carrying out attacks on PLCs and industrial control systems across utilities, oil & gas, telecom, and manufacturing. At the same time, ransomware incidents rose sharply—accounting for over 3,600 documented breaches, roughly 20 per day—often exploiting devices like IP cameras and BSD servers to gain stealthy lateral access across IT, OT, and IoT environments.

The report also notes significant increases in zero-day exploit usage (46 %) and persistent scanning of OT protocols like Modbus (now 57 % of honeypot interactions), BACnet, and EtherNet/IP. These findings signal a rise in opportunistic scanning campaigns and emphasize the urgent need for organizations to strengthen visibility, segment networks, enforce multi-factor authentication, maintain proactive patching, and deploy integrated threat detection across all device types to reduce exposure in increasingly hostile OT environments.

‍

Source: https://industrialcyber.co/reports/forescout-reports-ot-threat-landscape-shift-as-hacktivists-nation-state-actors-target-critical-infrastructure/