Listen to this Post
Introduction: A New Phase of Cyber Risk for Critical Systems
Cybersecurity threats in 2025 reached a new level of intensity, especially for environments once considered niche or isolated. Operational Technology (OT), long shielded by obscurity and physical separation, is now firmly in attackers’ crosshairs. New research from Forescout reveals a threat landscape that is not only more aggressive, but also faster-moving, more distributed, and deeply intertwined with cloud services, AI platforms, and globally fragmented infrastructure. The findings point to a decisive shift: cyber adversaries are no longer experimenting with OT systems—they are actively scaling attacks against the digital backbone of critical infrastructure.
Summary of the Original Report: What the Data Reveals
Forescout’s 2025 Threat Roundup Report, produced by its Vedere Labs research team, analyzed over 900 million cyberattacks recorded worldwide between January and December 2025. The sheer volume of data highlights how rapidly the global attack surface is expanding and how efficiently threat actors are adapting to defensive pressure.
A standout finding from the report is the 84% year-on-year increase in attacks using OT-specific protocols. Modbus, Ethernet/IP, and BACnet led this surge, underscoring the growing focus on industrial control systems, building management platforms, and manufacturing environments. These protocols underpin essential services, making them high-impact targets for both financially motivated cybercriminals and state-aligned groups.
The research also shows a marked geographic dispersion of attacks. Malicious activity was traced to 214 countries and territories, reflecting attackers’ increasing reliance on cloud-hosted and rapidly reconfigurable infrastructure. While China, Russia, and Iran remained prominent sources, the top ten originating countries accounted for only 61% of malicious traffic, a significant drop from the previous year. This dispersion complicates attribution and weakens traditional geopolitical assumptions about attack origins.
The United States emerged as the most targeted nation in 2025, followed by India and Germany. Although the number of active cybercriminal and state-sponsored groups remained broadly similar, cybercriminal operations generated nearly six times more incidents, emphasizing how dominant financially driven attacks have become.
Cloud abuse continued to rise sharply. Amazon and Google infrastructure together accounted for more than 15% of observed attacks, up from 11% in 2024. Attackers also rotated through Autonomous Systems at high speed, often abandoning previously abused providers in response to law enforcement actions and shifting to lesser-known networks.
Web applications remained the primary attack target, responsible for 61% of observed activity, followed by remote management protocols. At the same time, attacks on IoT devices increased from 16% to 19%, with IP cameras and network video recorders remaining consistent weak points. Exploitation of network infrastructure devices—such as routers, firewalls, and edge systems—accounted for 19% of all exploitation attempts.
Vulnerability exploitation accelerated significantly. In 2025, 242 vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, representing a 30% annual increase. Vedere Labs recorded an even sharper 213% rise in exploited vulnerabilities within its own dataset. Notably, 71% of exploited vulnerabilities were not listed in CISA’s KEV catalogue, signaling a strategic move by attackers toward less-publicized weaknesses.
The report also raises early red flags around AI security. Langflow, a low-code, open-source AI development platform, ranked among the most exploited new vulnerabilities. This suggests attackers are already targeting the infrastructure that supports AI adoption, not just the models themselves.
Finally, attacker behavior has shifted toward extensive reconnaissance. Discovery activity accounted for 91% of post-exploitation actions in 2025, up dramatically from 25% in 2023. Rather than rushing toward destructive outcomes, attackers are spending more time mapping environments, identifying valuable assets, and positioning themselves for maximum impact.
What Undercode Say: Why This Report Matters More Than It Looks
OT Is No Longer a Side Target
The sharp rise in OT protocol abuse confirms that industrial environments are now mainstream attack targets. This is not opportunistic noise but deliberate, repeatable exploitation.
Convergence Is the Real Risk Multiplier
IT, IoT, OT, and cloud systems are increasingly interconnected. Each connection expands the blast radius of a single compromise.
Protocol Familiarity Is Being Weaponized
Attackers are demonstrating deep knowledge of industrial protocols. This suggests a maturation of tooling and expertise, not random scanning.
Geographic Dispersion Signals Professionalization
The spread across 214 countries reflects infrastructure-as-a-service abuse, making attackers harder to track and faster to recover from takedowns.
Attribution Is Becoming Less Reliable
With infrastructure constantly rotating, origin-based blocking and geopolitical assumptions are losing defensive value.
Cybercrime Is Outscaling Nation-State Activity
Six times more incidents from cybercriminals than state actors highlights where defenders should prioritize resources.
Cloud Trust Is Being Exploited
Major cloud providers are now critical attack enablers, not because they are insecure, but because they are trusted and ubiquitous.
Autonomous System Churn Is Strategic
Rapid shifts between network providers show attackers actively responding to enforcement and adapting in near real time.
External Exposure Remains the Weakest Link
The dominance of web application attacks confirms that exposed services continue to be the easiest entry point.
IoT Still Lacks Security Maturity
The steady rise in IoT exploitation reflects slow progress in device hardening and lifecycle management.
Network Infrastructure Is a Silent Casualty
Routers and firewalls are not just defensive tools—they are high-value targets that enable broad access when compromised.
Vulnerability Management Is Falling Behind Reality
The majority of exploited flaws are not in official KEV lists, exposing a dangerous lag in organizational patch priorities.
Attackers Are Playing the Long Game
Extended reconnaissance phases indicate patience and planning, not smash-and-grab operations.
Discovery Activity Is an Early Warning Signal
Lateral movement and environment mapping should now be treated as high-confidence indicators of compromise.
AI Tooling Is the Next Soft Target
Platforms like Langflow show that AI ecosystems are being attacked at the infrastructure level first.
Security Teams Are Watching the Wrong Layers
Too much focus remains on models and endpoints, while pipelines and orchestration tools remain exposed.
Perimeter Security Is No Longer Enough
Distributed infrastructure makes perimeter-only defense strategies fundamentally obsolete.
Visibility Is the New Control Plane
Organizations cannot defend what they cannot see across IT, OT, and IoT boundaries.
East–West Traffic Deserves More Attention
Lateral movement inside networks is where attackers now spend most of their time.
Segmentation Is Becoming Non-Negotiable
Flat networks dramatically amplify the impact of any single breach.
Detection Speed Matters More Than Prevention Alone
Early detection during reconnaissance can stop attacks before damage occurs.
Threat Intelligence Must Be Broader
Relying only on well-known vulnerability lists leaves defenders blind to emerging exploitation trends.
Cloud Security Needs Shared Accountability
Security teams must rethink trust assumptions around third-party cloud infrastructure.
Critical Infrastructure Faces Systemic Risk
Energy, manufacturing, and building systems are no longer indirectly exposed—they are directly targeted.
Attack Surface Management Is Now Continuous
Periodic audits cannot keep up with attackers who retool infrastructure weekly.
Defender Fatigue Is a Strategic Advantage for Attackers
The volume and speed of attacks increase the likelihood of missed signals.
OT Security Skills Are in Short Supply
Many organizations still lack teams capable of interpreting industrial protocol abuse.
AI Will Accelerate Both Sides
Attackers and defenders will increasingly use AI, raising the speed and complexity of future campaigns.
2025 Marks a Transition Year
This report signals a shift from experimental OT attacks to sustained, scalable operations.
The Window for Preparation Is Shrinking
Organizations that delay integrated security strategies will face higher-impact incidents.
Security Architecture Must Be Rebuilt, Not Patched
Incremental fixes cannot address structural weaknesses in converged environments.
Early Detection Is the Only Real Advantage Left
Stopping attackers during reconnaissance may be the last reliable defensive edge.
Fact Checker Results
✅ Forescout’s data confirms a documented 84% increase in OT protocol-based attacks.
✅ The reported rise in cloud and Autonomous System abuse aligns with observed enforcement-driven infrastructure churn.
❌ Attribution certainty remains limited due to the intentional geographic dispersion of attacker infrastructure.
Prediction
🔮 OT environments will see automated exploitation frameworks emerge by late 2026.
🔮 AI development platforms will become a top-five attack vector as adoption accelerates.
🔮 Organizations without unified IT–OT visibility will experience longer dwell times and higher recovery costs.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.itsecurityguru.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




