The Malware Knows Your Protocols.
Now You Can Too.
ShiftSix maps your externally exposed industrial protocols to active malware families and known attack campaigns — delivering adversary-perspective intelligence on every reachable OT service.
Two paths to OT disruption. Both start at your perimeter.
Ransomware groups hit 3,300 industrial organizations in 2025 — reaching OT environments through exposed VPNs, RDP endpoints, and edge devices. Nation-state actors go further: deploying ICS-specific malware that speaks your protocols directly. FrostyGoop took down a Ukrainian district heating grid using only Modbus TCP. INCONTROLLER/PIPEDREAM targeted Schneider and Omron PLCs across four protocols. ShiftSix monitors both paths: the perimeter access points ransomware exploits and the protocol-level exposures ICS malware targets.
From Exposed Protocol to Active Attack Campaign
Every exposed industrial protocol is a potential adversary entry point — whether the attacker is a ransomware group pivoting from an exposed VPN or a nation-state deploying protocol-native malware. ShiftSix enumerates what’s reachable from the internet and correlates it to the threats known to exploit it.
| Protocol | Known Malware / Threat Tool | Real-World Campaign | Year |
|---|---|---|---|
| Modbus TCP | FrostyGoop | Ukraine district heating system — ~600 apartment buildings lost heat for nearly two days. Circumstantial indicators point to Russian state-nexus activity; no formal attribution published. | 2024 |
| Modbus / OPC-UA / CODESYS | INCONTROLLER / PIPEDREAM | Modular ICS attack framework targeting Schneider Electric + Omron PLCs; CISA advisory AA22-103A | 2022 |
| IEC 60870-5-104 | INDUSTROYER / CrashOverride | Ukraine power grid — Kyiv Pivnichna substation blackout; one-fifth of the city’s power consumption disrupted for ~1 hour. Attributed to Sandworm. | 2016 |
| IEC 60870-5-104 | INDUSTROYER2 | Ukraine Ukrenergo high-voltage substation attack via IEC-104. Deployed alongside CaddyWiper. Attributed to Sandworm (APT44). | 2022 |
| IEC 61850 / OPC DA | INDUSTROYER | Ukraine power grid; IEC 61850 and OPC DA protocol modules for substation relay manipulation | 2016 |
| CODESYS V2/V3 | INCONTROLLER / PIPEDREAM | PLC logic manipulation via legitimate CODESYS protocol functionality on Schneider controllers | 2022 |
| Triconex TriStation | TRITON / TRISIS | Safety instrumented system sabotage — Saudi Arabian petrochemical plant | 2017 |
| EtherNet/IP (CIP) | INCONTROLLER | CIP protocol scanning and interaction capabilities for Rockwell/Allen-Bradley controllers | 2022 |
Malware That Runs on Your Protocols
These aren't hypothetical threats. They're documented ICS attack campaigns built around the same industrial protocols running in your environment.
2025 — Ongoing
Ransomware → OT Lateral Movement
The most common path to OT disruption doesn’t start with custom malware — it starts with an exposed VPN or edge device. In 2025, Akira exploited SonicWall SSLVPN flaws (CVE-2024-40766), Qilin targeted Fortinet and Citrix appliances, and Play leveraged Citrix and SonicWall vulnerabilities to gain initial access — then moved laterally into OT networks. Of Dragos’ industrial ransomware incident responses, 75% caused partial OT shutdown; 25% caused complete OT shutdown.
2024 — Active Threat
FrostyGoop
The first ICS malware confirmed to cause physical impact using only Modbus TCP. Deployed against a Ukrainian district heating utility — over 600 apartment buildings lost heating for nearly two days in sub-zero temperatures. Required zero OT-specific exploits; Modbus TCP had no authentication.
2022 — CISA Advisory AA22-103A
INCONTROLLER / PIPEDREAM
Among the most capable ICS attack frameworks ever discovered — a modular toolkit with discrete modules for each target protocol. Designed to interact directly with PLCs using native industrial protocols without requiring vendor engineering software. Mandiant assessed it as “exceptionally rare and dangerous.”
2022 — Ukraine Grid Attack
INDUSTROYER2
Targeted successor to the malware behind Ukraine’s 2016 blackout. Compiled specifically for Ukrenergo high-voltage substation relays using IEC 60870-5-104. Deployed alongside CaddyWiper for data destruction. Attributed to Sandworm (APT44).
Discover. Attribute. Prioritize.
ShiftSix operationalizes protocol intelligence from passive discovery through adversary-correlated attribution to compliance-mapped remediation — purpose-built for OT and industrial protocol exposures.
Discover
Enumerate Every Reachable Protocol Service
ShiftSix passively identifies all externally reachable OT protocol services — Modbus, DNP3, IEC 60870, IEC 61850, OPC-UA, EtherNet/IP, CODESYS, BACnet, and more — across your entire internet-facing footprint. No agents. No scan windows. No OT network interaction.
Attribute
Map Exposures to Active Threat Vectors
Each discovered protocol exposure is automatically correlated against two threat categories: ICS-specific malware families (FrostyGoop, INCONTROLLER, INDUSTROYER2, TRITON) targeting these protocols directly, and ransomware initial access vectors (exposed VPNs, edge devices, RDP) that provide lateral movement paths to your OT network.
Prioritize
Rank by Exploitability and Authentication State
Exposures are ranked by real-world adversary targeting: protocol authentication state, known exploitation in the wild, CISA KEV status, and compliance impact — mapped to NERC CIP, IEC 62443, and NIST CSF 2.0 controls for remediation guidance.
What ShiftSix Looks For
Protocol exposure alone doesn't tell the full story. ShiftSix layers four intelligence signals to deliver adversary-grade context on every OT protocol exposure it discovers.
ShiftSix Differentiator
External-Only — No Internal Deployment Required
Protocol Banners & Device Fingerprints
Identifies vendor, firmware version, and device type from OT protocol responses — Modbus function codes, DNP3 object headers, BACnet device properties, EtherNet/IP identity responses. The same data attackers use to select the right malware module for the right PLC.
ShiftSix Differentiator
What Network Monitoring Tools Cannot See
Unauthenticated Access Paths
Flags OT protocols reachable without authentication from the internet — the exact access condition FrostyGoop and INCONTROLLER required to execute payloads without a single credential. Unlike internal monitoring, ShiftSix identifies these from the adversary’s perspective.
Intelligence Enrichment
CISA KEV & ICS Advisory Correlation
Matches discovered devices and firmware to ICS-specific entries in CISA’s Known Exploited Vulnerabilities catalog and active ICS-CERT advisories — adding exploitation context to every protocol finding.
Intelligence Enrichment
MITRE ATT&CK for ICS Mapping
Every exposure is tagged with relevant ATT&CK for ICS techniques — remote system discovery, unauthorized command messages, manipulation of control — giving defenders adversary-aligned context for prioritization.
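As an added illustration of the Attribute and Prioritize steps and of the protocol-banner signal above (example code written for this page, not ShiftSix's own implementation), the block below parses a Modbus TCP Read Device Identification response (function 0x2B, MEI type 0x0E) into vendor/product/revision fields, correlates the protocol against the malware families listed in this page's table, and ranks the exposure by authentication state and CISA KEV status. The protocol key names, the scoring weights and the sample response bytes are assumptions constructed for the example.

```python
import struct
from typing import Optional
# Protocol -> ICS malware families, distilled from this page's table (key names are assumed).
PROTOCOL_THREATS = {
    "modbus": ["FrostyGoop", "INCONTROLLER/PIPEDREAM"],
    "iec104": ["INDUSTROYER", "INDUSTROYER2"],
    "codesys": ["INCONTROLLER/PIPEDREAM"],
    "tristation": ["TRITON/TRISIS"],
    "enip": ["INCONTROLLER"],
}
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}  # basic objects

def parse_modbus_device_id(frame: bytes) -> dict:
    # Parse a Modbus TCP Read Device Identification response into its named objects.
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] & 0x80:  # exception response, e.g. 0xAB followed by an exception code
        raise ValueError(f"Modbus exception code {pdu[1]:#x}")
    if pdu[:2] != b"\x2b\x0e":
        raise ValueError("not a Read Device Identification response")
    # pdu[2..5]: read device id code, conformity level, more-follows flag, next object id
    n_objects, pos, fields = pdu[6], 7, {}
    for _ in range(n_objects):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated identification object")
        fields[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return fields

def triage_exposure(protocol: str, banner: Optional[bytes], authenticated: bool, in_kev: bool) -> dict:
    # Correlate one reachable service to known malware and rank it by the page's signals.
    threats = PROTOCOL_THREATS.get(protocol, [])
    score = 40 * bool(threats) + 30 * (not authenticated) + 30 * in_kev  # assumed weights
    fingerprint = parse_modbus_device_id(banner) if protocol == "modbus" and banner else {}
    return {"protocol": protocol, "threats": threats, "fingerprint": fingerprint, "score": score}

# Constructed sample: unit 1 answering a basic identification read with three objects.
SAMPLE_RESPONSE = (
    struct.pack(">HHHB", 1, 0, 31, 1)                    # length 31 = unit id + 30-byte PDU
    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])  # basic read, conformity 1, 3 objects
    + bytes([0x00, 7]) + b"Example"
    + bytes([0x01, 6]) + b"PLC-42"
    + bytes([0x02, 4]) + b"v1.0"
)
```

An unauthenticated Modbus service with this banner scores 70 here and maps to FrostyGoop and INCONTROLLER/PIPEDREAM, which is the same correlation the table above makes by hand.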
See Which Protocols in Your Environment
Are Reachable from the Internet.
ShiftSix performs passive, outside-in enumeration of your OT attack surface — no agents, no scan windows, no OT network interaction — and delivers a protocol exposure report correlated to active ICS malware families, ransomware initial access vectors, and CISA KEV advisories.
See how ShiftSix discovers your full external OT attack surface and prioritizes findings by active threat campaigns.