Dragos Reports OT/ICS Cyber Threats Escalate Amid Geopolitical Conflicts and Increasing Ransomware Attacks

8^th Annual Year in Review Names Two New OT Cyber Threat Groups, Ongoing Infiltration by VOLTZITE, and Global Threat from FrostyGoop Malware

Dragos Reports OT/ICS Cyber Threats Escalate Amid Geopolitical Conflicts and Increasing Ransomware Attacks

Kesselring Communications for Dragos
Leslie Kesselring, 503-358-1012
leslie@kesscomm.com

Dragos, Inc., the global leader in cybersecurity for operational technology (OT) environments, today released the Dragos 2025 OT/ICS Cybersecurity Report, our 8^th Annual Year in Review, the industry’s most comprehensive report on cyber threats facing industrial organizations. The report detailed two new OT cyber threat groups, reported ransomware activity surging at an increase of more than 87% over last year, and described the emergence of new malware families designed specifically for OT environments.

“This year’s report demonstrates two important trends; that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure,” said Robert M. Lee, Co-founder and CEO of Dragos. “Skilled adversaries from state-sponsored groups are hiding in critical infrastructure and hacktivists and criminal groups are increasingly using ransomware and exploiting known vulnerabilities, weak remote access configurations, and exposed OT assets to penetrate industrial environments. Meanwhile lack of visibility into OT conceals the full scope of these attacks.”

“However, it’s important to recognize the progress made by OT defenders,” Lee added. “We’ve seen organizations implement stronger network segmentation, improve visibility into their OT environments, and develop more robust incident response capabilities. These proactive measures are making it harder for adversaries to operate undetected and are key to the long-term resilience of industrial cybersecurity.”

Details of the Dragos 2025 OT/ICS Cybersecurity Report:

Dragos identified two new OT Cyber Threat Groups—GRAPHITE and BAUXITE.

With these additions, Dragos analysts now track 23 Threat Groups worldwide, 9 of which were active in OT operations in 2024.

BAUXITE has been implicated in multiple global campaigns targeting industrial entities and specific devices. This group shares substantial technical overlaps, based on capabilities and network infrastructure, with the hacktivist persona CyberAv3ngers, which has explicit affiliations with the Iranian Revolutionary Guard Corps—Cyber and Electronic Command (IRGC-CEC), as reported by the U.S. Government.
- Since late 2023, Dragos observed four BAUXITE campaigns, including those with Stage 2 ICS Cyber Kill Chain impacts via trivial compromises of exposed devices. Confirmed victims of BAUXITE are in the United States, Europe, Australia, and the Middle East in multiple critical infrastructure sectors, including energy (oil and natural gas, and electric), water and wastewater, food and beverage, and chemical manufacturing.
GRAPHITE targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. The group has strong technical overlaps with APT28 and other names. GRAPHITE focuses on organizations with relevance to the military situation in Ukraine. Observable since Russia’s invasion of Ukraine in February 2022, this focus may indicate a specialized subunit or an expansion of mission goals.
- GRAPHITE has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators and facilities and near-constant phishing operations using known vulnerabilities and custom script-based malware to target organizations in critical industries across its targeted geography.

Dragos Identified Two New ICS-Focused Malware Threats—Fuxnet and FrostyGoop.

The development of new malware strains specifically targeting industrial control systems (ICS) underscores an increasing adversarial focus on disrupting industrial operations.

Fuxnet: This malware, attributed to a pro-Ukraine hacktivist group BlackJack, is designed to target industrial sensor networks for Moskollektor, a municipal organization that maintains Moscow’s communication system for a gas, water, and sewage network. Using the Fuxnet malware, BlackJack claimed to disable thousands of sensors and destroy sensor gateway devices, rendering them unable to transmit information.
FrostyGoop: First identified in early 2024, FrostyGoop is a more destructive malware designed to manipulate Modbus TCP/502 communications within ICS environments. It can alter or spoof normal industrial process commands, enabling it to evade antivirus software and cause physical damage to infrastructure, as seen in its documented attack on the energy supply for district heating systems in Ukraine. The malware caused heating outages for over 600 apartment buildings in Ukraine in January 2024. Dragos’s investigation of FrostyGoop revealed that there were over 46,000 internet-exposed ICS devices communicating over Modbus worldwide.

Updated Threat Group Activity:

VOLTZITE is arguably the most crucial threat group to track in critical infrastructure. Due to its dedicated focus on OT data, the group is a capable threat to ICS asset owners and operators. This group shares extensive technical overlaps with the Volt Typhoon threat group tracked by other organizations. It utilizes the same techniques as in previous years, setting up complex chains of network infrastructure to target, compromise, and steal compromising OT-relevant data—GIS data, OT network diagrams, OT operating instructions, etc.—from victim ICS organizations. VOLTZITE is a key reason for monitoring OT networks and hunting for malicious activity. With careful monitoring and investigation of “odd” network communication, VOLTZITE can be identified and defended against.
KAMACITE shifted from solely targeting Ukraine by introducing new, custom Windows-based malware strains and expanded its focus to European oil and natural gas (ONG) entities. This coincided with the expiration of an agreement allowing Russian state-owned company Gazprom to supply gas to Eastern and Central Europe.
ELECTRUM continues wiper campaigns with a new capability, AcidPour, a binary compiled for Linux operating systems that can search and wipe Unsorted Block Images (UBI) directories in embedded devices, including devices in OT environments. AcidPour is a variant of AcidRain but with extended capability to Memory Technology Devices (MTDs) often found in embedded systems. Dragos determined ELECTRUM used the resources and reputation of the hacktivist persona Solnetspek to obfuscate its operational activities in the December 2023 cyber attack on Kyivstar, Ukraine’s primary telecommunications provider.

Other Key Findings:

Geopolitical Conflicts Fuel OT-Centric Cyber Operations: Adversaries aligned with state-backed initiatives continued to launch cyber operations targeting critical infrastructure in Ukraine, Russia, and the Middle East, often as a direct extension of military conflicts.
Hacktivist Groups Escalate Attacks on Critical Infrastructure: Hacktivists leveraged new attack vectors to target OT environments, disrupting energy and water utilities while aligning their actions with geopolitical motivations. In 2023 and into early 2024, Dragos observed a trend of hacktivist groups, or self-proclaimed hacktivist groups, actively targeting and achieving Stage 2 of the ICS Cyber Kill Chain against industrial organizations and critical infrastructure and services worldwide.
State-Sponsored Threat Actors and Hacktivism Converge: Increasing collaboration between hacktivist groups and state-backed cyber actors has led to a hybrid threat model where hacktivists amplify state objectives, either directly or through shared infrastructure and intelligence. State actors increasingly look to exploit hacktivist groups as proxies to conduct deniable cyber operations, allowing for more aggressive attacks with reduced attribution risks.
Hacktivists Start Using Ransomware: Hacktivist and self-proclaimed hacktivist groups are now employing ransomware as part of an evolution of their operations against a variety of industrial targets. Three notable hacktivist groups were actively using ransomware within their operations in 2024: Handala, Kill Security, and CyberVolk.
Ransomware Activity Surges: The number of ransomware groups targeting industrial organizations jumped to 80, a 60% increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organizations per week during the first half of 2024. That number more than doubled during the second half of the year. Manufacturing remains the most affected sector, accounting for more than 50% of observed ransomware victims. 25% of the ransomware cases Dragos observed involved full shutdown of an OT site, and 75% involved disruption to operations to some degree.
Vulnerabilities Carry Risk of Deep Impact on Industrial Processes: In 2024, Dragos found that 70% of the vulnerabilities researched were deep within the ICS network, 39% could cause both a loss of view and a loss of control, and 22% of advisories were network-exploitable and perimeter-facing, rising from 16% in 2023.

It's Time to Hunt: Enhancing Industrial Cybersecurity Resilience

Adversaries have evolved, leveraging increasingly sophisticated attack methods to infiltrate industrial environments. The data from this year’s report is clear: organizations that take proactive security measures experience shorter recovery times, reduced financial losses, and minimized operational disruptions. Threat hunting is no longer an option—it is a necessity.

Industrial organizations must move beyond reactive security measures and embrace threat hunting as a fundamental defense strategy. Attackers are exploiting known vulnerabilities, remote access weaknesses, and supply chain gaps at an accelerating rate. Organizations that proactively search for threats and adversarial activity within their environments gain a crucial advantage in preventing attacks before they escalate.

ICS defenders must be relentless. Attackers like VOLTZITE are already inside networks, and the ability to hunt them down before they cause damage is the next evolution of industrial cybersecurity. Now, more than ever, it’s time to hunt.

YIR Report and Resources:

The 2024 Dragos OT Cybersecurity Year in Review is an annual overview and analysis of OT-focused global threat activities, vulnerabilities, and industry insights and trends. The full report can be downloaded here.

To attend the virtual 2025 OT/ICS Cybersecurity Executive Briefing featuring the report with Dragos CEO and Co-founder Robert M. Lee, register here.

About Dragos, Inc.

Dragos provides the most effective OT cybersecurity technology for industrial and critical infrastructure to deliver on our global mission: to safeguard civilization. After nearly a decade of real-world experience handling landmark attacks on OT networks, Dragos understands the complexity and risks of industrial environments, which operate on massive scale with unique systems and exacting availability requirements and are not protected by IT cybersecurity.

The Dragos Platform provides visibility and monitoring of OT environments for asset identification, vulnerability management, and threat detection with continuous insights generated by the industry’s most experienced OT threat intelligence and services team. It discovers and monitors OT, IT, IoT, and IIoT assets within the OT environment and integrates with IT security infrastructure. Dragos protects customers across a range of industrial sectors including electric, oil & gas, manufacturing, water, transportation, mining, and government. Dragos is privately held and headquartered in the Washington, DC area with presence around the world and offices in North America, EMEA, and APAC.