OT teams are losing the time advantage against industrial threat actors
In many industrial environments, internet-facing gateways, remote access appliances, and boundary systems sit close enough to production networks that attackers can move from IT intrusion to operational disruption with limited resistance. Dragos’ 2026 OT/ICS Year in Review describes a threat landscape where adversaries are spending more time learning how physical processes work and less time treating OT access as a passive foothold.

A shift in 2025 involved multiple state-aligned groups moving into control-loop mapping. That includes identifying engineering workstations, pulling configuration and alarm files, and collecting enough operational context to interfere with physical outcomes. Control-loop mapping removes a key barrier between unauthorized access and physical impact, since attackers no longer need to guess how a process behaves.
“Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced,” said Robert M. Lee, CEO of Dragos. “We’re seeing the ecosystem evolve with specialized threat groups systematically building access pathways for more capable adversaries to reach OT environments. Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”
Dragos tracked 26 threat groups targeting OT environments, including three new groups identified in 2025: AZURITE, PYROXENE, and SYLVANITE. The activity across these groups shows more specialization and a growing division of labor, where one team focuses on gaining access and another focuses on OT operations.
Initial access groups are feeding OT-capable operators
SYLVANITE was tracked as a large-scale initial access group targeting industrial organizations through internet-facing systems. Its operations relied heavily on rapid exploitation of vulnerabilities in products from Ivanti, F5, SAP, and ConnectWise. The group also used tooling such as Cobalt Strike, Sliver, and multiple web shells, then handed access to other actors, including VOLTZITE.
A May 2025 incident involved exploitation of Ivanti Endpoint Manager Mobile (EPMM) at a U.S. utility through CVE-2025-4427 and CVE-2025-4428. Attackers extracted data from the backend MySQL database, including LDAP user details and Office 365 tokens, then replayed those credentials internally for lateral movement. The incident response effort was limited by a lack of telemetry in adjacent networks, leaving responders unable to confirm whether the attackers moved toward OT systems.
This type of access brokering compresses the time between vulnerability disclosure and operational risk. It also increases the number of industrial organizations exposed to follow-on OT attacks, even when the initial compromise appears limited to a DMZ or enterprise-adjacent system.
Control-loop reconnaissance is becoming routine
KAMACITE and ELECTRUM remained central examples of how access-building translates into disruptive operations. KAMACITE has historically operated as an access development group supporting ELECTRUM, the actor tied to Ukraine’s 2015 and 2016 power outages.
In late 2024 through early 2025, KAMACITE expanded beyond Ukraine and targeted the European OT supply chain. Activity included spear phishing aimed at engineering and vendor personnel and long-running conversations using industry-specific terms.
After that campaign, KAMACITE shifted into sustained reconnaissance against internet-exposed industrial devices in the United States between March and July 2025. The scanning focused on specific components including Schneider Electric Altivar variable frequency drives, Smart HMIs, Accuenergy AXM modules, and Sierra Wireless Airlink gateways. The sequencing suggested deliberate mapping of entire control loops, moving from operator interfaces to actuators, metering points, and remote gateways.
Dragos found no evidence of successful exploitation during the scanning activity. The reconnaissance still indicates that exposed edge devices are being treated as operational intelligence sources, with collected data that could support future disruption planning.
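The scanning pattern described above, one external source working its way across operator interfaces, actuators, metering points and remote gateways, is detectable from ordinary perimeter logs if the defender already knows which exposed addresses belong to which stage of a control loop. The script below is an added example, not tooling from Dragos or the report. It joins constructed firewall log lines against a constructed inventory (addresses, ports, hostnames and the device-class labels are assumptions) and flags any source that reaches three or more distinct device classes within a sliding window; the choice of window and threshold is an assumption to tune per site.

```python
"""Flag external sources that sweep across several classes of exposed OT devices.

Added example, not from the Dragos report. The inventory, the log lines and
the window/threshold values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of internet-exposed devices, keyed by address. The
# class labels follow the control-loop stages named in the text; anything
# not in this table (or tagged None) is treated as a non-OT destination.
ASSETS = {
    "198.51.100.10": "hmi",       # operator interface (Smart HMI)
    "198.51.100.11": "actuator",  # Schneider Electric Altivar VFD
    "198.51.100.12": "meter",     # Accuenergy AXM module
    "198.51.100.13": "gateway",   # Sierra Wireless AirLink gateway
    "198.51.100.20": None,        # corporate web server, not OT
}

# Constructed firewall log lines: "<ISO timestamp> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2025-04-02T10:00:01Z 203.0.113.5 -> 198.51.100.10:80 ALLOW
2025-04-02T10:00:09Z 203.0.113.5 -> 198.51.100.10:502 ALLOW
2025-04-02T10:03:40Z 203.0.113.5 -> 198.51.100.11:502 ALLOW
2025-04-02T10:07:12Z 203.0.113.5 -> 198.51.100.12:502 ALLOW
2025-04-02T10:11:55Z 203.0.113.5 -> 198.51.100.13:443 ALLOW
2025-04-02T11:20:00Z 203.0.113.77 -> 198.51.100.20:443 ALLOW
2025-04-02T11:21:00Z 203.0.113.77 -> 198.51.100.10:80 ALLOW
2025-04-03T09:00:00Z 203.0.113.5 -> 198.51.100.10:80 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, action)."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action


def loop_mapping_sources(log_text, window=timedelta(hours=1), min_classes=3):
    """Return {src: sorted device classes} for every source that touched at
    least `min_classes` distinct OT device classes inside one `window`.

    Only successful (ALLOW) connections to inventoried OT devices count; the
    sweep is judged on breadth across device classes, not on packet volume,
    because a few connections per device are enough to map a loop.
    """
    touches = defaultdict(list)  # src -> [(timestamp, device_class)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, action = parse_line(line)
        device_class = ASSETS.get(dst)
        if action == "ALLOW" and device_class is not None:
            touches[src].append((ts, device_class))

    hits = {}
    for src, events in touches.items():
        events.sort()
        # Slide a window starting at each event; stop at the first window
        # that covers enough distinct classes.
        for i, (start, _) in enumerate(events):
            classes = {cls for ts, cls in events[i:] if ts - start <= window}
            if len(classes) >= min_classes:
                hits[src] = sorted(classes)
                break
    return hits


if __name__ == "__main__":
    for src, classes in loop_mapping_sources(SAMPLE_LOG).items():
        print(f"{src}: swept {len(classes)} device classes {classes}")
```

On the constructed log, 203.0.113.5 is flagged for reaching all four classes inside twelve minutes, while 203.0.113.77 is not: it touched one HMI and a non-OT server. A real deployment would feed this from the perimeter firewall or a flow collector and keep the inventory in sync with whatever attack-surface scan the site runs against its own public ranges.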
Destructive malware development continues to mature
ELECTRUM activity in 2025 included destructive operations targeting Ukrainian infrastructure. In late May 2025, the group targeted eight Ukrainian ISPs, with responsibility claimed through the pro-Russian hacktivist persona Solntsepek. Dragos verified outages, including a four-hour disruption affecting Corbina’s autonomous system.
In parallel, researchers identified a destructive malware family called PathWiper, linked by Dragos to ELECTRUM with moderate confidence. PathWiper was identified in June 2025, with samples appearing in the wild beginning in March 2025. The malware overwrote filesystem structures, enumerated mounted volumes, and targeted all accessible storage media to cause irreversible data loss. Dragos also identified another destructive wiper variant in December 2025, reinforcing ongoing iteration in ELECTRUM’s malware pipeline.
Ransomware remains an OT outage driver
Ransomware groups continued to target industrial organizations at scale. Dragos tracked 119 ransomware groups impacting more than 3,300 industrial organizations in 2025, up from 80 groups in 2024. Manufacturing accounted for more than two-thirds of observed victims.
A recurring issue involved misclassification of ransomware events as IT-only incidents. In multiple cases, engineering workstations and HMI systems were treated as standard Windows endpoints, even when they supported SCADA or other operational workloads. The operational disruption often came through boundary systems such as VMware ESXi hosts and OT-support servers that ran historian and engineering functions.
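The misclassification described above usually starts in the asset inventory: an engineering workstation or historian VM carries an "IT" tag because it runs Windows, and the ESXi host beneath it is never considered at all. The script below is an added example, not the report's own tooling, of scoping a ransomware case against OT. It reclassifies hosts by the OT software they run and then propagates that classification to anything those hosts depend on, so a hypervisor or support server inherits OT impact from the workloads it carries. Hostnames, the dependency edges and the software indicator list are constructed; the product names are illustrative of the kind of software to look for, not a vendor list.

```python
"""Scope a ransomware incident against OT, including boundary systems.

Added example, not from the Dragos report. The inventory, dependency edges
and software indicators are constructed; product names are illustrative.
"""
from collections import defaultdict, deque

# Constructed inventory: host -> (tag from the enterprise CMDB, installed software)
INVENTORY = {
    "ENG-WS-01": ("IT", ["Windows 10", "Unity Pro", "Office"]),
    "HMI-02":    ("IT", ["Windows 10", "FactoryTalk View"]),
    "HIST-VM":   ("IT", ["Windows Server 2019", "OSIsoft PI Server"]),
    "ESXI-07":   ("IT", ["VMware ESXi"]),
    "FIN-SRV":   ("IT", ["Windows Server 2019", "SAP GUI"]),
}

# Constructed dependency edges: (dependent, provider). An HMI reads from the
# historian VM, and that VM runs on an ESXi host that also carries a finance
# server, which is exactly the shared boundary system the text describes.
DEPENDS_ON = [
    ("HMI-02", "HIST-VM"),
    ("ENG-WS-01", "HIST-VM"),
    ("HIST-VM", "ESXI-07"),
    ("FIN-SRV", "ESXI-07"),
]

# Software that marks a Windows host as an OT workload regardless of its CMDB
# tag. Illustrative names; a site would build this from its own engineering
# toolchain, HMI runtime and historian products.
OT_SOFTWARE = {"Unity Pro", "FactoryTalk View", "OSIsoft PI Server"}


def classify(inventory, depends_on, ot_software=OT_SOFTWARE):
    """Return {host: reason} for every host that is OT-impacting.

    Direct hits come from the inventory tag or installed OT software; the
    classification then propagates along dependency edges so that providers
    (hypervisors, support servers) of OT assets are included transitively.
    """
    reasons = {}
    for host, (tag, software) in inventory.items():
        hit = ot_software & set(software)
        if hit:
            reasons[host] = "runs OT software: " + ", ".join(sorted(hit))
        elif tag == "OT":
            reasons[host] = "tagged OT in inventory"

    providers = defaultdict(list)
    for dependent, provider in depends_on:
        providers[dependent].append(provider)

    queue = deque(reasons)  # breadth-first walk from every direct OT host
    while queue:
        host = queue.popleft()
        for provider in providers.get(host, []):
            if provider not in reasons:
                reasons[provider] = f"supports OT asset {host}"
                queue.append(provider)
    return reasons


def ot_impact(affected_hosts, inventory=INVENTORY, depends_on=DEPENDS_ON):
    """Given the hosts a ransomware case touched, return the OT-impacting subset
    with the reason each one qualifies, so the case is not closed as IT-only."""
    reasons = classify(inventory, depends_on)
    return {host: reasons[host] for host in affected_hosts if host in reasons}


if __name__ == "__main__":
    # Constructed case: the SOC sees encryption on a finance server and its host.
    for host, why in ot_impact(["FIN-SRV", "ESXI-07"]).items():
        print(f"{host}: OT impact ({why})")
```

With the constructed data, a case that looks like "finance server and one ESXi host" resolves to OT impact because ESXI-07 carries the historian VM that the HMI and engineering workstation depend on; FIN-SRV alone would not. The same propagation applies to OT-support servers, jump hosts and domain controllers once their edges are recorded.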
Visibility gaps are leaving defenders blind
Dragos found that 30 percent of its incident response cases in 2025 began with operational staff reporting abnormal behavior, not with alerts or confirmed detection. In many cases, the telemetry required to determine whether cyber activity was involved had never been collected. Dragos estimated fewer than 10 percent of OT networks worldwide have visibility and monitoring in place.
The overall pattern across 2025 showed attackers moving faster, operating deeper, and relying on weak segmentation and exposed access paths. The most urgent challenge remains basic: collect OT network data before an incident, monitor remote access pathways, and treat engineering workstations and OT boundary systems as high-value operational assets.