Querying vulnerable OT devices in the Adriatics
Most attacks against organizations with industrial control systems (ICS) or operational technology (OT) are still the usual ransomware sort targeting traditional IT functions (see here).
However, security omissions on OT devices leave them particularly vulnerable, and threat actor groups are expected to focus more on OT in the future.
As an illustration of the security gap, consider Unitronics PLC and HMI devices: these were widely targeted during December, after a hacker group found that many of them are simply placed on the public internet with the default password '1111' still set (see more here).
Are there any such devices in the Adriatic region? Although the Shodan search engine is not too reliable, scanning the regional internet does reveal a few Unitronics PLC devices (probably 50 or more) still lying around the public internet with their default protocol port exposed (as of January 2024). The affected organizations appear to be water supply facilities, hospitals and manufacturing companies.
Shodan query used:
Unitronics PCOM country:SI,HR,BA,RS,ME,MK,AL,XK
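As an added example (not from the original post), the following Python script rebuilds the same Shodan query, optionally narrowed to an organisation's own address space, and summarises the returned matches so a defender can check whether any of the exposed PLCs are theirs. The `shodan` PyPI package, the PCOM port 20256/tcp and the sample result records are assumptions; the sample records are constructed, not real devices.

```python
"""Added example, not from the original post: reproduce the post's Shodan
query scoped to your own prefixes and summarise matches offline.
Assumes the `shodan` package for the optional live call; 20256/tcp is the
Unitronics PCOM port (assumption, not stated in the post)."""
from collections import Counter
from ipaddress import ip_address, ip_network

ADRIATIC = ["SI", "HR", "BA", "RS", "ME", "MK", "AL", "XK"]  # from the post
PCOM_PORT = 20256


def build_query(countries=ADRIATIC, nets=()):
    """Build the post's query, optionally narrowed with Shodan's net: filter."""
    query = "Unitronics PCOM country:" + ",".join(countries)
    for net in nets:  # net: accepts CIDR prefixes, e.g. 203.0.113.0/24
        query += f" net:{net}"
    return query


def summarise(matches, own_nets=()):
    """Count PCOM endpoints per country and list those inside own_nets."""
    own = [ip_network(n) for n in own_nets]
    per_country = Counter()
    ours = []
    for m in matches:
        if m.get("port") != PCOM_PORT:  # ignore other services on the host
            continue
        cc = m.get("location", {}).get("country_code", "??")
        per_country[cc] += 1
        ip = ip_address(m["ip_str"])
        if any(ip in n for n in own):
            ours.append((m["ip_str"], m.get("org", "unknown")))
    return per_country, ours


def live_search(api_key, query):
    """Run the query against Shodan (needs network access and an API key)."""
    import shodan  # pip install shodan
    return shodan.Shodan(api_key).search(query)["matches"]


# Constructed sample records in Shodan's match layout; not real devices.
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 20256, "org": "Example Water", "location": {"country_code": "SI"}},
    {"ip_str": "198.51.100.7", "port": 20256, "org": "Example Plant", "location": {"country_code": "HR"}},
    {"ip_str": "203.0.113.11", "port": 502, "org": "Example Water", "location": {"country_code": "SI"}},
]

if __name__ == "__main__":
    print(build_query(nets=["203.0.113.0/24"]))
    print(summarise(SAMPLE, own_nets=["203.0.113.0/24"]))
```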
Generally, the affected PLCs are used in various industrial and manufacturing applications to control and automate processes, most commonly to monitor and regulate water pressure at water utilities worldwide.
That these devices are still exposed on the internet without any network segmentation or access controls, weeks after widely reported attacks, is just one indication of wider problems with the state of IT/OT security at such facilities. It is probably just the tip of the iceberg.