Industrial routers and other OT perimeter devices are absorbing the majority of cyberattacks targeting operational technology environments, according to new Forescout Vedere Labs research.
Analysing 90 days of real-world honeypot data, researchers found that 67% of malicious activity was directed at OT perimeter devices, such as industrial routers and firewalls, compared with 33% aimed at directly exposed OT assets like PLCs and HMIs.
The findings highlight the growing risk facing edge devices that sit between IT and OT networks.
Automated attacks dominate the OT perimeter
The research shows that OT environments are under constant, automated attack, with more than 60 million requests logged across 11 devices in just three months. Once high-volume SNMP fingerprinting traffic was removed, the remaining 3.5 million events revealed that industrial firewalls and routers were the most heavily targeted assets.
Attackers overwhelmingly relied on SSH and Telnet brute-force attempts, which accounted for 72% of perimeter attacks. Many of the credentials used were drawn from well-known default IoT password lists that have circulated for almost a decade, underlining the persistent risk posed by weak or unchanged credentials.
HTTP and HTTPS traffic made up a further 24% of attacks, including thousands of automated exploit attempts designed to force devices to download malware from external servers.
Emerging botnets raise concerns
Researchers identified several malware families actively targeting OT perimeter devices, including RondoDox, Redtail, and ShadowV2. Of these, RondoDox stood out as the most prevalent, responsible for 59% of observed malicious HTTP activity.
RondoDox is a relatively new botnet that has rapidly expanded its exploit arsenal to include more than 50 known vulnerabilities, many without assigned CVEs. While most current exploits focus on IT and IoT devices, researchers warn that the addition of industrial router vulnerabilities could quickly increase the risk to critical infrastructure operators.
ShadowV2, first observed only months ago, has already become the third most common botnet in the dataset, demonstrating how quickly new automated threats are emerging.
Chaya_005: a long-running reconnaissance campaign
One of the most significant findings was the discovery of a previously undocumented activity cluster, dubbed Chaya_005. Active for at least two years, Chaya_005 appears to focus on fingerprinting and capability testing of industrial edge devices, rather than immediate mass exploitation.
The campaign initially included a successful exploit against a legacy Sierra Wireless router, before evolving into a broader set of malformed exploit attempts against multiple vendors’ devices. Researchers believe the activity may be designed to identify which devices are vulnerable to specific command-execution techniques, potentially for future exploitation or monetisation.
Unlike typical botnets, Chaya_005 showed no evidence of indiscriminate scanning or follow-on attacks, suggesting a more deliberate and targeted reconnaissance effort.
Hacktivists and OT expand the threat surface
The research also highlights the growing interest of hacktivist groups in OT targets. In one incident, the pro-Russian group TwoNet compromised and defaced a water treatment HMI in Forescout’s adversary engagement environment.
While such attacks often rely on manual exploitation, the data shows that routers, PLCs, HMIs and even IP cameras are routinely targeted by automated scanners and botnets, blurring the traditional distinction between IT and OT threats.
Security teams urged to rethink IT/OT boundaries
Forescout warns that treating attacks as “IT-only” or “OT-only” is increasingly dangerous. Automated malware does not distinguish between environments, and compromised IT devices at the OT perimeter can serve as a stepping stone into critical systems.
To reduce risk, researchers recommend that organisations harden OT devices, eliminate weak credentials, avoid exposing industrial equipment directly to the internet, and implement OT-aware monitoring capable of detecting malicious behaviour specific to industrial protocols.
