CPS Attacks Surge: Claroty Report Reveals Geopolitical Influence & Easy Exploits

Cyberattacks targeting critical infrastructure are increasingly originating through cyber-physical systems (CPS), with a significant majority exploiting readily available tools and vulnerabilities, according to a new report released March 19, 2026, by cybersecurity firm Claroty. The report, “Analyzing CPS Attack Trends,” details an analysis of over 200 attacks carried out by more than 20 hacker groups between January and December 2025.

The analysis revealed that 82 percent of attacks on CPS environments utilized Virtual Network Computing (VNC) protocol clients to gain remote access to exposed, internet-connected resources. Two-thirds (66%) of incidents compromised Human Machine Interfaces (HMIs) or Supervisory Control and Data Acquisition (SCADA) systems – components vital for real-time monitoring and control of industrial processes. Compromise of these systems can lead to operational disruptions, physical damage to facilities, and potential risks to personnel and the environment.

Many of these attacks are described as opportunistic and require minimal technical sophistication, often not relying on zero-day vulnerabilities but rather exploiting existing weaknesses in system configurations and protocols. Claroty’s research indicates a shift towards less targeted, more readily executable attacks against foundational infrastructure.

The report also highlights a strong geopolitical dimension to these attacks. A substantial portion were motivated by political or societal objectives, aligning with the patterns observed in state-sponsored threat activity. Specifically, Claroty researchers linked a significant number of attacks to actors associated with Russia and Iran.

According to the report, 81 percent of attacks attributed to Iranian-linked groups targeted entities in the United States and Israel. Meanwhile, 71 percent of attacks linked to Russian groups focused on organizations within the European Union (EU). Within the EU, Italy (18%), France (11%), and Spain (9%) were the most frequently targeted countries.

“Our research shows a significant increase in attacks on the fundamental systems that keep our society running – from manufacturing and water and waste treatment to power generation and healthcare,” said Thorsten Eckert, Regional Vice President Sales Central at Claroty. “We are seeing more and more opportunistic drive-by attacks in this area, which has historically been characterized by targeted attacks. Attackers are using relatively simple technical means to attack critical sectors, the disruption of which can have serious and sometimes dangerous consequences. The report clearly shows a need to strengthen security measures for CPS. Lax security practices and poor cyber hygiene are no longer acceptable given the geopolitical situation, which has worsened compared to last year.”

Claroty recommends organizations take several steps to bolster the security of their cyber-physical systems. These include securing internet-connected devices by reviewing configurations of Operational Technology (OT), smart devices, and connected medical devices (IoMT), and preventing enumeration of these devices. The firm also advises addressing insecure default configurations, identifying and changing weak or standard credentials, and upgrading to secure communication protocols, replacing vulnerable options like VNC and Modbus which lack fundamental security features like authentication and encryption. Finally, Claroty stresses the importance of understanding the motivations and tactics of threat actors to anticipate future attacks and prioritize countermeasures.

The full “Analyzing CPS Attack Trends” report is available for download on the Claroty website.