Daily OT Security News: April 24, 2026
Today’s briefing highlights critical developments in operational technology (OT) security, focusing on emerging threats from nation-state actors, large-scale campaigns targeting industrial control systems, and significant vulnerabilities impacting IoT and automotive devices. Additionally, we cover efforts to enhance OT asset visibility and debunk misleading malware narratives, underscoring the evolving complexity and urgency in defending critical infrastructure environments.
CISA and Allies Warn of China-Nexus Covert Networks Exploiting IoT Devices
A joint advisory from CISA and international cybersecurity agencies has flagged the systematic use of covert networks — built from compromised SOHO routers and IoT devices — by China-linked threat actors including Flax Typhoon and Volt Typhoon. These networks, which are used across every phase of the cyber kill chain from reconnaissance to data exfiltration, are designed to be rapidly reshaped, rendering traditional static IP blocklists ineffective. The advisory notes that the Raptor Train botnet, controlled by Chinese company Integrity Technology Group, infected more than 200,000 devices worldwide in 2024. Organizations are urged to map network edge assets, implement multifactor authentication, and adopt zero trust architectures to mitigate the threat.
Source: Industrial Cyber
Cato Networks Uncovers Global Modbus/TCP Campaign Targeting Internet-Exposed PLCs
Researchers at Cato Networks have documented a large-scale, coordinated campaign targeting internet-exposed programmable logic controllers (PLCs) via the Modbus/TCP protocol. Observed between September and November 2025, the activity spanned 70 countries and involved more than 14,000 unique IP addresses, with the United States accounting for the largest share of targeting at 36%. Behavioral patterns ranged from automated register scanning and device fingerprinting to bulk-read flooding and write operations — the latter carrying a critical risk rating. Manufacturing was the most targeted sector at 18%. Researchers recommend that organizations immediately cease exposing Modbus devices to the public internet and enforce strict OT/IT network segmentation.
Source: Industrial Cyber
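As an added example (not code from Cato Networks or the cited report), the following Python decodes Modbus/TCP request headers and flags the three behaviours named above from a defender's view: device fingerprinting, bulk-read flooding and write operations. The function-code groupings, the 50-request bulk-read threshold and the sample traffic are assumptions constructed for the example; source addresses are documentation ranges.

```python
import struct
from collections import Counter

# Function codes grouped by the behaviours the Cato report describes (assumed grouping).
READ_FC = {1: "Read Coils", 2: "Read Discrete Inputs",
           3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers",
            22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
FINGERPRINT_FC = {17: "Report Server ID", 43: "Read Device Identification"}

def parse_modbus_tcp(frame: bytes) -> dict:
    # Decode the 7-byte MBAP header (tid, protocol id, length, unit id) and the function code.
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}

def analyse(packets, bulk_read_threshold=50):
    """Return (kind, src_ip, detail) alerts for a list of (src_ip, frame) pairs."""
    reads, alerts = Counter(), []
    for src, frame in packets:
        fc = parse_modbus_tcp(frame)["fc"]
        if fc in WRITE_FC:                      # any write reaching a PLC is critical
            alerts.append(("WRITE", src, WRITE_FC[fc]))
        elif fc in FINGERPRINT_FC:              # device identification probing
            alerts.append(("FINGERPRINT", src, FINGERPRINT_FC[fc]))
        elif fc in READ_FC:
            reads[src] += 1
    for src, n in reads.items():                # bulk-read flooding per source
        if n >= bulk_read_threshold:
            alerts.append(("BULK_READ", src, f"{n} read requests"))
    return alerts

def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic (documentation IP ranges, not real observations).
SAMPLE_TRAFFIC = (
    [("203.0.113.7", build_frame(i, 1, struct.pack(">BHH", 3, 0, 125))) for i in range(60)]
    + [("203.0.113.7", build_frame(60, 1, bytes([43, 0x0E, 1, 0])))]        # Read Device Id
    + [("198.51.100.9", build_frame(1, 1, struct.pack(">BHH", 6, 1, 255)))]  # Write Single Register
)

def sample_alerts():
    return analyse(SAMPLE_TRAFFIC)
```

Feeding real captures into analyse() requires only a (src_ip, frame) list; Modbus/TCP request frames are the TCP payload on port 502.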
Dragos Dismisses ZionSiphon as Operationally Ineffective AI-Generated ICS Malware
Industrial cybersecurity firm Dragos has issued a direct rebuttal to alarm surrounding ZionSiphon, a piece of malware purportedly designed to sabotage Israeli water desalination facilities. Dragos analysts found the code to be riddled with logic errors, nonexistent file paths, and flawed ICS protocol implementations, concluding it was generated by a large language model with little genuine knowledge of dam desalination or ICS protocols. While the malware would fail to cause any significant negative consequence in an OT environment, Dragos warned that defenders have finite time and attention, and that focusing on ZionSiphon diverts resources from proven threat groups such as VOLTZITE, which have a demonstrated history of intrusions into critical infrastructure environments.
Source: Industrial Cyber
NIST NCCoE Launches New OT Asset Visibility Project for Critical Infrastructure
The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) is launching a new project focused on improving asset visibility in operational technology and industrial control system environments. NCCoE Director Cherilyn Pascoe announced the initiative after consultations with multiple critical infrastructure sectors identified asset management and visibility as the single greatest shared challenge. The project will demonstrate how to leverage existing standards and commercially available technologies — potentially including AI — to build OT visibility architectures. The announcement comes amid ongoing concerns about nation-state actors targeting OT environments and the widespread lack of OT asset inventories across critical infrastructure sectors including water utilities, energy, and transportation.
Source: Federal News Network
Kaspersky Discloses BootROM Vulnerability in Qualcomm Snapdragon Chips Affecting IoT and Automotive Devices
Kaspersky ICS CERT has disclosed a hardware-level vulnerability (CVE-2026-25262) in multiple Qualcomm Snapdragon chipsets, affecting a broad range of consumer and industrial devices including smartphones, tablets, IoT products, and vehicle components. The flaw resides in the BootROM — firmware embedded directly into hardware during manufacturing — and is exploitable via Qualcomm’s Sahara protocol during Emergency Download Mode. An attacker with brief physical access could bypass secure boot protections, install persistent backdoors, and gain access to passwords, files, location data, and camera or microphone feeds. Kaspersky warned that compromising a device may take only a few minutes and that standard reboots may not remove the infection. The flaw was privately reported to Qualcomm in March 2025 and formally acknowledged in April 2025.
Source: ITP.net / Kaspersky ICS CERT
Editorial Note: These developments collectively underscore the dynamic and multifaceted nature of OT and ICS security challenges. From sophisticated nation-state covert networks and large-scale protocol exploitation campaigns to critical hardware vulnerabilities and the need for improved asset visibility, defenders must prioritize adaptive strategies and cross-sector collaboration. Staying informed and proactive is essential for safeguarding the resilience and integrity of critical infrastructure in an increasingly hostile threat landscape.