SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

OT cyber threats shift from spying to disruption in 2025

Wed, 18th Feb 2026

Dragos has published its annual analysis of cyber threats to operational technology (OT) and industrial control systems (ICS), warning that attackers are moving beyond reconnaissance and increasingly attempting to disrupt critical infrastructure.

The 2026 OT/ICS Cybersecurity Report and Year in Review describes what Dragos calls a maturing threat landscape in 2025. Adversaries are increasingly operating in coordinated groups and focusing on how control systems function, rather than targeting isolated devices.

New groups

Dragos identified three new OT threat groups in 2025: AZURITE, PYROXENE, and SYLVANITE. It now tracks 26 OT threat groups globally, 11 of which were active in 2025.

SYLVANITE is described as an initial access broker that exploits vulnerabilities and then hands access to another group, VOLTZITE, for deeper intrusions into OT environments. Dragos observed SYLVANITE during incident response work at US electric and water utilities, where it exploited Ivanti vulnerabilities and extracted Active Directory credentials.

Dragos said AZURITE focuses on long-term access and OT data theft, targeting engineering workstations and exfiltrating operational data such as network diagrams, alarm data, and process information.

PYROXENE is described as using supply-chain compromise and social engineering. Dragos said it often uses initial access provided by PARISITE before attempting to move from IT networks into OT networks. Dragos also reported overlap between PYROXENE activity and operations the US government assesses as aligned with the Islamic Revolutionary Guard Corps Cyber Electronic Command.

Operational impact

The report describes a shift from information gathering to actions that could affect physical processes. Dragos said ELECTRUM conducted multiple destructive operations in 2025, including an attack on eight Ukrainian internet service providers and the deployment of new wiper malware variants.

Dragos also reported that ELECTRUM later targeted combined heat and power facilities and renewable energy management systems in Poland, with deliberate attempts to affect operational assets. It described this as an expansion beyond transmission infrastructure into parts of the decentralised grid.

The report also links enabling activity to KAMACITE. Dragos said KAMACITE expanded from Ukraine-focused operations into a European supply-chain campaign, then carried out sustained reconnaissance of US industrial devices between March and July 2025. Dragos said the group scanned "entire control loops" and targeted human-machine interfaces, variable frequency drives, metering modules, and cellular gateways.

Dragos said it elevated VOLTZITE to Stage 2 of the ICS Cyber Kill Chain, the stage at which an adversary develops and executes capabilities against the control system itself rather than merely establishing a foothold. The company said VOLTZITE manipulated engineering workstation software, extracted configuration files and alarm data, and investigated operational conditions that could trigger process shutdowns.

In another example, Dragos said VOLTZITE compromised Sierra Wireless AirLink cellular gateways connected to US midstream pipeline operations and then pivoted to engineering workstations.

Hacktivist activity

Dragos said hacktivist groups continued to evolve from symbolic attacks into campaigns with operational intent. It reported that BAUXITE deployed two custom wiper malware variants against Israeli targets during the Iran-Israel conflict in June 2025.

The report also describes a trend of ideological messaging mixed with state-aligned operations. Dragos said targets included internet-exposed human-machine interfaces and misconfigured engineering workstations, and cited open field protocols such as Modbus/TCP and DNP3, which in their basic forms carry no authentication, as part of the attack surface.
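The control-loop reconnaissance attributed to KAMACITE under Operational impact and the Modbus/TCP attack surface noted here both hinge on the same property: Modbus/TCP carries a function code in the clear with no authentication, so the network itself is the only place to tell a legitimate engineering write from an unexpected one. The following is an added example, not code from Dragos or from the report, of the detection logic a defender can run over Modbus/TCP frames taken from a tap or pcap: it parses the MBAP header, flags state-changing function codes from hosts outside an engineering-workstation allowlist, and flags device-fingerprinting requests. The sample frames, IP addresses and the allowlist are constructed for the example; DNP3 is not handled.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (writes), and codes typically
# seen while fingerprinting devices in a control loop.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
RECON_FUNCTIONS = {
    0x11: "Report Server ID",
    0x2B: "Read Device Identification",
}


@dataclass
class ModbusRequest:
    src: str            # source IP from the transport layer
    dst: str            # destination IP (the controller)
    transaction_id: int
    unit_id: int
    function: int
    data: bytes         # PDU bytes after the function code


def parse_modbus_tcp(src, dst, payload):
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(payload)}")
    return ModbusRequest(src, dst, transaction_id, unit_id, payload[7], payload[8:])


def write_target(req):
    """Return (start_address, count) for a write request so the finding says what was touched."""
    if req.function in (0x05, 0x06, 0x16):
        return struct.unpack(">H", req.data[:2])[0], 1
    if req.function in (0x0F, 0x10):
        return struct.unpack(">HH", req.data[:4])
    if req.function == 0x17:
        # Read/Write Multiple Registers: read start, read qty, then write start, write qty.
        return struct.unpack(">HH", req.data[4:8])
    return None


def assess(req, engineering_hosts):
    """'alert' for writes from outside the allowlist, 'notice' for fingerprinting, else 'ok'."""
    if req.function in WRITE_FUNCTIONS:
        start, count = write_target(req)
        desc = f"{WRITE_FUNCTIONS[req.function]} at {start} (x{count}) on unit {req.unit_id}"
        if req.src not in engineering_hosts:
            return "alert", f"{req.src} -> {req.dst}: {desc} from non-engineering host"
        return "ok", f"{req.src} -> {req.dst}: {desc}"
    if req.function in RECON_FUNCTIONS:
        return "notice", f"{req.src} -> {req.dst}: {RECON_FUNCTIONS[req.function]} (device fingerprinting)"
    return "ok", f"{req.src} -> {req.dst}: function 0x{req.function:02x}"


def triage(frames, engineering_hosts):
    """Run assess() over (src, dst, payload) tuples; malformed frames are reported, not dropped."""
    findings = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except (ValueError, struct.error) as exc:
            findings.append(("malformed", f"{src} -> {dst}: {exc}"))
            continue
        findings.append(assess(req, engineering_hosts))
    return findings


# Constructed sample traffic (assumption: 10.10.1.20 is the only engineering workstation).
ENGINEERING_HOSTS = {"10.10.1.20"}
SAMPLE_FRAMES = [
    # Engineering workstation reads 10 holding registers: routine.
    ("10.10.1.20", "10.10.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # External host writes register 16: the case to alert on.
    ("203.0.113.7", "10.10.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 0000")),
    # External host issues Read Device Identification: fingerprinting.
    ("198.51.100.9", "10.10.2.5", bytes.fromhex("0003 0000 0005 01 2b 0e 01 00")),
    # Engineering workstation writes 8 coils: allowed.
    ("10.10.1.20", "10.10.2.5", bytes.fromhex("0004 0000 0008 01 0f 0000 0008 01 ff")),
    # MBAP length claims 9 bytes but only 2 follow: malformed.
    ("203.0.113.7", "10.10.2.5", bytes.fromhex("0005 0000 0009 01 03")),
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(f"[{severity}] {message}")
```

An allowlist of engineering hosts is deliberately the only policy here: in most plants the set of hosts that should ever issue Modbus writes is small and static, which makes the writes-from-elsewhere rule high signal even before any device-specific tuning.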

Ransomware

Ransomware remained the most disruptive threat category for industrial organisations, according to the report. Dragos said ransomware groups targeting industrial organisations increased 64% year on year. It tracked 119 groups in 2025, up from 80 in 2024, and said attacks affected 3,300 organisations.

Manufacturing accounted for more than two-thirds of victims, Dragos said. It also reported an average dwell time of 42 days for ransomware in OT environments.

Dragos attributed slow response partly to how organisations classify devices. OT assets such as engineering workstations and human-machine interfaces are sometimes classified as IT systems because they run Windows, so incidents involving them are treated as "IT only" and OT-specific response is never triggered.

Robert M. Lee, Dragos chief executive and co-founder, said adversaries are taking a systems-level view of industrial environments.

"The threat landscape in 2025 reached a new level of maturity," Lee said.

"Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced. We're seeing the ecosystem evolve with specialized threat groups systematically building access pathways for more capable adversaries to reach OT environments. Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it's 'just IT.'"

Vulnerability quality

Dragos also criticised the quality of vulnerability scoring and ICS advisories. It said it found incorrect CVSS scores in 25% of ICS-CERT and National Vulnerability Database entries in 2025, and that 26% of advisories contained no patch or vendor-provided mitigation.

Dragos said only 2% of ICS-relevant vulnerabilities qualified as an immediate "Now" priority under its "Now, Next, Never" model. It also highlighted research into battery energy storage systems that found authentication bypass and command injection vulnerabilities. Dragos reported identifying more than 100 internet-exposed devices, including 1 MW-class power inverters designed to supply grid power to electric utilities.

Lee said organisations with stronger monitoring and detection responded faster to OT ransomware incidents. "There were meaningful defensive gains in 2025 too," he said.