Rishi Sec

ICS Leak OSINT: Hunting Exposed Industrial Systems Before Hacktivists Do

Hacktivists just walked into Canadian water treatment plants and manipulated pressure valves. Not through zero days. Not through sophisticated malware. They found internet-exposed ICS systems and logged in. The Canadian Centre for Cyber Security dropped Alert AL25-016 in October 2025 after confirming breaches at water facilities, oil and gas companies, and agricultural operations. This is what happens when open source intelligence (OSINT) works for the bad guys and your ICS leak OSINT capability is nonexistent.

CISA added two OpenPLC ScadaBR vulnerabilities to their Known Exploited Vulnerabilities catalog in December 2025 because attackers are actively using them. The Russian hacktivist group TwoNet got caught in a honeypot thinking they had compromised a real plant. The scary part? They were using the same discovery techniques available to anyone with a Shodan subscription.

How Attackers Find Exposed ICS Systems Using OSINT

The methodology is embarrassingly simple. Threat actors use internet scanning services to locate human machine interfaces, PLCs, and SCADA systems sitting naked on the public internet. They are not exploiting complex vulnerabilities. They are finding systems that should never be reachable in the first place.

Here is what they search for:

  • Modbus TCP on port 502 with no authentication
  • DNP3 services broadcasting on port 20000
  • BACnet building automation on UDP 47808
  • EtherNet/IP on port 44818
  • Siemens S7 on port 102

Shodan and Censys index these protocols continuously. A basic query returns thousands of exposed devices with vendor names, firmware versions, and sometimes facility locations embedded in the banner data. If you are doing infrastructure reconnaissance, understanding these techniques for identifying criminal infrastructure helps you flip the script on attackers.
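The vendor names, product codes and firmware revisions that show up in banner data for Modbus devices come from the protocol's own Read Device Identification service (function 0x2B, MEI type 0x0E), which many PLCs answer without any authentication. The decoder below is an added example written for this post, not code from the original article or from Kindi; it only parses responses it is given (the sample frames, vendor and product strings are constructed) and sends nothing on the wire. It is useful on the defender's side for checking what your own devices would disclose to an indexer, and it handles the two things a scanner's parser also has to cope with: Modbus exception responses and truncated frames.

```python
"""Decode a Modbus/TCP "Read Device Identification" response (function 0x2B, MEI type 0x0E).

This is the exchange behind the vendor/product/revision strings that scan indexes
show for Modbus devices. Only response parsing is implemented; nothing is sent.
"""
import struct
from typing import Dict

# Object ids from the Modbus Application Protocol specification (basic and regular categories).
DEVICE_ID_OBJECTS = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}
MODBUS_EXCEPTIONS = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
}
FC_READ_DEVICE_ID = 0x2B
MEI_READ_DEVICE_ID = 0x0E


def decode_device_id_response(frame: bytes) -> Dict[str, object]:
    """Describe a frame: status 'ok' with decoded objects, 'exception' with the
    Modbus exception name, or 'malformed' with the reason it could not be parsed."""
    if len(frame) < 8:
        return {"status": "malformed", "reason": "shorter than MBAP header + function code"}
    _txn, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        return {"status": "malformed", "reason": "MBAP protocol id is not 0 (Modbus)"}
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        return {"status": "malformed", "reason": "MBAP length does not match frame size"}
    pdu = frame[7:]
    function = pdu[0]
    if function == FC_READ_DEVICE_ID | 0x80:  # exception responses set the high bit
        code = pdu[1] if len(pdu) > 1 else 0
        return {"status": "exception", "unit_id": unit_id,
                "exception": MODBUS_EXCEPTIONS.get(code, f"UNKNOWN {code:#04x}")}
    if function != FC_READ_DEVICE_ID or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        return {"status": "malformed", "reason": "not a Read Device Identification response"}
    # PDU bytes 2..6: read-device-id code, conformity level, more-follows, next object id, count.
    _read_code, conformity, more_follows, _next_obj, count = pdu[2:7]
    objects: Dict[str, str] = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            return {"status": "malformed", "reason": "truncated object header"}
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        pos += 2
        value = pdu[pos:pos + obj_len]
        if len(value) != obj_len:
            return {"status": "malformed", "reason": "truncated object value"}
        pos += obj_len
        name = DEVICE_ID_OBJECTS.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
    return {"status": "ok", "unit_id": unit_id, "conformity_level": conformity,
            "more_follows": more_follows == 0xFF, "objects": objects}


def _mbap(pdu: bytes, unit_id: int = 1, transaction_id: int = 1) -> bytes:
    """Prepend a Modbus/TCP MBAP header to a PDU (used only to build the constructed samples)."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample frames; the vendor/product strings are invented, not from any real device.
SAMPLE_OK = _mbap(
    bytes([FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03])
    + b"\x00\x0bExampleCorp"  # object 0x00 VendorName, 11 bytes
    + b"\x01\x05PLC-1"        # object 0x01 ProductCode, 5 bytes
    + b"\x02\x04v2.3"         # object 0x02 MajorMinorRevision, 4 bytes
)
SAMPLE_EXCEPTION = _mbap(bytes([FC_READ_DEVICE_ID | 0x80, 0x01]))
SAMPLE_TRUNCATED = SAMPLE_OK[:-2]  # MBAP length field no longer matches the frame

if __name__ == "__main__":
    for label, frame in [("ok", SAMPLE_OK), ("exception", SAMPLE_EXCEPTION),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(label, decode_device_id_response(frame))
```

Running the block prints the decoded vendor, product code and revision for the good frame, the exception name for the second, and a length-mismatch reason for the truncated one. If a device on your own network answers the real request with a populated object list, that is the text an indexer will publish alongside its IP.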

ICS Leak OSINT Workflow That Actually Works

Stop treating ICS discovery like IT asset management. Industrial systems leak information in ways that enterprise systems do not. Here is a practical workflow:

Step 1: Protocol-Based Discovery

Start with protocol-specific searches. Modbus devices often return device identification codes. DNP3 outstations broadcast station addresses. This metadata tells you exactly what you are looking at before you touch anything.

Step 2: Geographic Correlation

Cross-reference discovered IPs with geolocation data and business registrations. That exposed HMI in rural Alberta might belong to a specific pipeline operator. Now you have attribution.

Step 3: Historical Analysis

Check when these systems first appeared on the internet. Recent exposure suggests misconfiguration. Long-term exposure suggests nobody is watching. Both are bad, but they indicate different operational security failures.

For teams managing multiple investigations simultaneously, Kindi enables collaborative link analysis that connects exposed ICS assets to organizational data, threat actor infrastructure, and historical scan results without drowning in spreadsheets.

What the Canadian Breaches Teach Us About ICS Leak OSINT

The October 2025 incidents were not sophisticated. Attackers tampered with pressure valves at a water facility, manipulated automated tank gauges at an oil and gas company, and accessed agricultural systems. According to BleepingComputer’s coverage, these hacktivists believed they were causing real operational damage.

The common thread? Every compromised system was directly accessible from the internet. No VPN. No jump host. No segmentation. Basic OSINT techniques would have found these systems months before the attackers did.

| Attack Vector       | OSINT Detection Method             | Prevention           |
|---------------------|------------------------------------|----------------------|
| Exposed HMI         | HTTP banner analysis on ICS ports  | Network segmentation |
| Default credentials | Vendor documentation review        | Credential rotation  |
| Unpatched ScadaBR   | Version fingerprinting             | Patch management     |
| Open Modbus         | Protocol-specific Shodan queries   | Firewall rules       |

Common Mistakes in ICS Leak OSINT Investigations

I have watched analysts make the same errors repeatedly. Here are the big ones:

  • Only checking port 502: ICS protocols run on dozens of ports. Expand your scope.
  • Ignoring historical data: An asset that disappeared might have moved, not been secured.
  • Skipping passive DNS: Old DNS records reveal previous infrastructure configurations.
  • Not validating findings: Banner data can be spoofed. Correlate multiple sources.

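The three workflow steps above (protocol-based discovery, geographic correlation, historical analysis) and the four mistakes in this list come together once you have scan output in hand. The triage below is an added example written for this post, not code from the original article or from Kindi. It assumes a simplified record schema (not the real export format of Shodan, Censys or any other service), an invented netblock-to-owner registry that stands in for WHOIS and business-registration lookups, a 30-day threshold separating "recent" from "long-term" exposure, and a heuristic that a single host answering on four or more ICS protocols deserves a decoy flag; all records use RFC 5737 documentation addresses and invented product strings. It also extends the post's port list with a few other widely documented ICS ports.

```python
"""Triage internet-scan records of ICS protocols: widen scope past port 502,
attribute IPs to owners, classify exposure age, and corroborate across sources."""
import ipaddress
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional

# Well-known ICS/OT service ports: the post's list plus a few other widely documented ones.
ICS_PORTS = {
    102: "Siemens S7",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}
RECENT_DAYS = 30     # assumption: exposure younger than this is treated as a fresh misconfiguration
MANY_PROTOCOLS = 4   # assumption: this many ICS protocols on one host is a decoy indicator
TODAY = date(2025, 11, 3)  # constructed "as of" date for the sample data

# Constructed netblock registry standing in for WHOIS / business-registration lookups.
# Ranges are RFC 5737 documentation addresses; owner names are invented.
NETBLOCKS = {
    "203.0.113.0/26": "Example Pipeline Operator (Alberta)",
    "198.51.100.0/24": "Example Municipal Water Utility",
}


def rec(source, ip, port, product, first_seen, last_seen) -> dict:
    """Build one constructed scan record in the simplified schema used here."""
    return {"source": source, "ip": ip, "port": port, "product": product,
            "first_seen": first_seen, "last_seen": last_seen}


# Constructed records from two hypothetical scan sources (not any real service's data).
SCAN_RECORDS = [
    rec("scanner_a", "203.0.113.10", 502, "ExampleCorp PLC-1", "2025-10-20", "2025-11-01"),
    rec("scanner_b", "203.0.113.10", 502, "ExampleCorp PLC-1", "2025-10-22", "2025-11-02"),
    rec("scanner_a", "198.51.100.7", 20000, "DNP3 outstation", "2023-02-01", "2025-11-01"),
    rec("scanner_a", "198.51.100.7", 47808, "BACnet controller", "2023-02-01", "2025-11-01"),
    # One host answering on five ICS protocols, with the two sources disagreeing about it.
    rec("scanner_a", "192.0.2.55", 102, "S7 PLC", "2025-10-30", "2025-11-02"),
    rec("scanner_b", "192.0.2.55", 102, "Generic ICS emulator", "2025-10-30", "2025-11-02"),
    rec("scanner_a", "192.0.2.55", 502, "Modbus device", "2025-10-30", "2025-11-02"),
    rec("scanner_a", "192.0.2.55", 20000, "DNP3 outstation", "2025-10-30", "2025-11-02"),
    rec("scanner_a", "192.0.2.55", 44818, "EtherNet/IP adapter", "2025-10-30", "2025-11-02"),
    rec("scanner_a", "192.0.2.55", 47808, "BACnet controller", "2025-10-30", "2025-11-02"),
    # Ordinary web service: outside the ICS port scope, dropped by the triage.
    rec("scanner_a", "203.0.113.99", 8080, "nginx", "2025-01-01", "2025-11-02"),
]


def owner_for(ip: str) -> Optional[str]:
    """Step 2: map an address to a known owner through the netblock registry."""
    addr = ipaddress.ip_address(ip)
    for block, owner in NETBLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return owner
    return None


def exposure_age_class(first_seen: str, today: date) -> str:
    """Step 3: recent exposure points at a misconfiguration, long-term at nobody watching."""
    age_days = (today - date.fromisoformat(first_seen)).days
    return "recent" if age_days <= RECENT_DAYS else "long-term"


def triage(records: List[dict], today: date) -> List[dict]:
    """Step 1 plus validation: one finding per (ip, ICS port), with owner, age and confidence."""
    ics = [r for r in records if r["port"] in ICS_PORTS]  # every ICS port, not only 502
    by_key: Dict[tuple, List[dict]] = defaultdict(list)
    for r in ics:
        by_key[(r["ip"], r["port"])].append(r)
    ports_per_ip: Dict[str, set] = defaultdict(set)
    for ip, port in by_key:
        ports_per_ip[ip].add(port)

    findings = []
    for (ip, port), recs in sorted(by_key.items()):
        products = {r["product"] for r in recs}
        sources = {r["source"] for r in recs}
        if len(products) > 1:
            confidence = "conflicting"    # sources disagree: possible spoofed banner or decoy
        elif len(sources) > 1:
            confidence = "corroborated"
        else:
            confidence = "single-source"
        flags = []
        if len(ports_per_ip[ip]) >= MANY_PROTOCOLS:
            flags.append("many-ics-protocols-on-one-host")
        findings.append({
            "ip": ip, "port": port, "protocol": ICS_PORTS[port], "owner": owner_for(ip),
            "exposure": exposure_age_class(min(r["first_seen"] for r in recs), today),
            "confidence": confidence, "sources": sorted(sources), "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SCAN_RECORDS, TODAY):
        print(f"{f['ip']}:{f['port']:<6} {f['protocol']:<17} owner={f['owner']!s:<37} "
              f"{f['exposure']:<10} {f['confidence']:<14} {' '.join(f['flags'])}")
```

The output puts the corroborated, recently exposed PLC inside the pipeline operator's netblock at the top of the queue, marks the water utility's DNP3 and BACnet services as long-term exposure that nobody has been watching, and downgrades the five-protocol host with conflicting product strings to something to verify before anyone spends time on it. Swap the constructed registry and records for real WHOIS data and real scan exports and the same logic applies.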
Understanding how to track threat actor infrastructure applies directly to ICS investigations. The same reconnaissance tradecraft works whether you are hunting phishing kits or exposed PLCs.

FAQ

What tools are essential for ICS leak OSINT?

Shodan, Censys, and GreyNoise form the core stack. Add Maltego for link analysis and passive DNS tools for historical correlation. Protocol-specific scanners like plcscan help validate findings.

How often should organizations scan for exposed ICS assets?

Weekly minimum. After any network changes, scan immediately. Misconfigurations during maintenance windows are the leading cause of ICS exposure.

Can attackers spoof ICS banners to mislead OSINT analysts?

Yes. Honeypots and deception systems exist. Always correlate findings across multiple data sources and look for behavioral inconsistencies that indicate decoys.

What legal considerations apply to ICS OSINT research?

Passive reconnaissance using public data is generally legal. Active scanning without authorization crosses legal lines. Stick to indexed data from Shodan and Censys for external research.

How do I report exposed ICS systems I discover?

Contact the asset owner directly if identifiable. Report to CISA through their vulnerability disclosure program. For critical infrastructure, ICS-CERT provides coordinated disclosure support.

To build stronger OSINT skills, begin with our free hands-on OSINT courses. For teams that need faster investigations and better collaboration, Kindi delivers AI-powered OSINT automation and link analysis.
