WatchGuard Technologies, a company specializing in unified cybersecurity for managed service providers, has published The WatchGuard Geopolitical Cyber Report, a new threat intelligence report analyzing the relationship between geopolitical instability and increasing cyber risks to critical infrastructure.
The document focuses on the activity of CyberAv3ngers, also tracked as Shahid Kaveh Group, Storm-0784, Hydro Kitten, UNC5691, or CL-STA-1128. According to the analysis, this Iran-linked group has run campaigns against programmable logic controllers (PLCs) and operational technology (OT) environments used in critical infrastructure across North America.
While the study primarily centers on this region, the identified techniques are relevant to organizations in other markets, especially those that operate industrial systems, OT devices, or exposed Internet-connected infrastructure.
The research was conducted by Paolo Omezzolli, a SOC analyst at WatchGuard Spain. His work focuses on security incident investigation, supporting the creation of alert reports for clients, and developing threat intelligence with an emphasis on the geopolitical impact of current cyber campaigns.
Cyberspace as an extension of geopolitical tension
The analysis is set against an international context marked by rising geopolitical tensions and the establishment of cyberspace as an additional front of confrontation. According to the report, after a period of escalated geopolitical activity, 1,245 cyberattacks were associated with 99 threat actors across 14 countries, reflecting how international crises are increasingly translating into the digital sphere.
One key conclusion is that attacks on OT environments should not be seen as conventional cyber incidents. WatchGuard warns that such campaigns no longer merely aim to steal data, encrypt information, or disrupt digital services; they can impact industrial systems that control physical processes. In the case of PLCs, compromise can disrupt pumps, valves, production lines, or supply systems, potentially affecting operational continuity and essential services.
The report also highlights the global exposure of these devices. According to the investigation, 5,219 hosts are reachable from the internet over EtherNet/IP, the CIP-based industrial protocol (TCP/UDP port 44818) that many PLCs speak. While most are in the United States, the report also notes a presence in Spain, with 110 devices, as well as in other countries such as Taiwan and Italy.
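An exposed EtherNet/IP endpoint advertises its identity to anyone who asks, which is how inventories like the one above are built and also what an attacker learns first. The following is an added example, not code from the WatchGuard report or from any vendor, showing how the unauthenticated ListIdentity exchange works: it builds the 24-byte encapsulation request and parses the reply into vendor, device type, product name, serial number and state. The reply it parses is constructed in `build_sample_reply()` rather than captured from a real device, and the field values, product name and address in it are assumptions; only run `probe()` against hosts you are authorised to test.

```python
"""EtherNet/IP ListIdentity: build the request, parse the reply (added example)."""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP explicit messaging port (TCP and UDP)
CMD_LIST_IDENTITY = 0x0063   # encapsulation command: ListIdentity
ITEM_LIST_IDENTITY = 0x000C  # CPF item type carrying the CIP identity
HEADER_FMT = "<HHIIQI"       # command, length, session, status, sender context, options


def build_list_identity() -> bytes:
    """24-byte encapsulation header with an empty body; no session is needed."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(data: bytes) -> list[dict]:
    """Decode every identity item in a ListIdentity reply."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = data[24:24 + length]
    (count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != ITEM_LIST_IDENTITY or len(item) < 34:
            continue
        # Item layout: encap version (LE), 16-byte sockaddr_in (big-endian, as on the
        # wire), then the CIP Identity attributes (little-endian), name, and state.
        (encap_ver,) = struct.unpack_from("<H", item, 0)
        _family, port, addr = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, prod_code, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        devices.append({
            "encap_version": encap_ver,
            "ip": socket.inet_ntoa(addr), "port": port,
            "vendor_id": vendor, "device_type": dev_type,   # 0x0E = programmable logic controller
            "product_code": prod_code, "revision": f"{rev_major}.{rev_minor}",
            "status": dev_status, "serial": f"0x{serial:08x}",
            "product_name": name, "state": state,           # 3 = operational
        })
    return devices


def build_sample_reply() -> bytes:
    """Constructed ListIdentity reply used for offline testing; not a real capture."""
    name = b"Constructed PLC"
    item = struct.pack("<H", 1)                                                # encap version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    item += struct.pack("<HHHBBHIB", 1, 0x0E, 0x5A, 20, 11, 0x0060, 0x00C0FFEE, len(name))
    item += name + bytes([3])                                                  # state: operational
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item        # 1 CPF item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


def probe(host: str, timeout: float = 2.0) -> list[dict]:
    """Send one ListIdentity over UDP and parse the answer. Authorised hosts only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity(), (host, ENIP_PORT))
        data, _ = s.recvfrom(4096)
    return parse_list_identity(data)


if __name__ == "__main__":
    for dev in parse_list_identity(build_sample_reply()):
        print(dev)
```

Because ListIdentity needs no session or credentials, any host that answers it on the public internet is already disclosing model, firmware revision and serial number; the same request broadcast to a subnet is how engineering tools discover controllers, which is why it should never be reachable from outside the OT segment.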
Affected sectors and main findings
Sectors impacted or targeted include water and wastewater systems, energy sector entities, government services and facilities, as well as indications of probes in other manufacturing and OT-dependent industries through specific port scanning.
Among the key findings, WatchGuard notes that CyberAv3ngers has compromised internet-exposed PLCs, and that their campaign has already caused operational outages, manipulation of HMI/SCADA screens, and financial losses for affected organizations. The report also emphasizes that attackers have used legitimate engineering tools to establish connections with victims’ systems, making detection based solely on malware signatures more difficult.
The investigation suggests that any organization with OT technology exposed to the internet should consider itself within the potential scope of this threat and prioritize evaluating its exposure, especially if it operates devices accessible from the public network or services listening on the industrial ports commonly used in these environments.
Mitigation recommendations
WatchGuard recommends that organizations identify all exposed OT devices, review their external attack surface, disconnect publicly accessible control systems or isolate them behind firewalls, strengthen authentication, search network and DNS logs for indicators of compromise, segment IT and OT environments, validate offline backups, and review incident response plans tailored to industrial scenarios.
The report concludes that the link between geopolitics and cybersecurity should be treated as a continuous risk factor, not just an isolated incident tied to a specific crisis. For WatchGuard, ongoing visibility, exposure reduction, segmentation, and rapid response capabilities will be crucial for safeguarding critical infrastructure against increasingly sophisticated campaigns with the potential to impact the physical world.

