CyberSecurity SEE

Cyber threats to OT/ICS systems increase as geopolitical tensions heighten

An 87% surge in ransomware attacks against industrial organizations over the past year has brought to light a troubling trend: OT systems are increasingly becoming mainstream targets for sophisticated threat actors. These findings, outlined in Dragos’ 2025 OT/ICS Cybersecurity Report, underscore the vulnerability of industrial operations to cyber threats.

The report highlights the emergence of new malware families designed specifically for OT environments, showcasing the adaptability of cyber adversaries in targeting critical infrastructure. State-sponsored groups, hacktivists, and cybercriminals are exploiting known vulnerabilities, weak remote access configurations, and exposed OT assets to infiltrate and disrupt industrial operations.

Despite the efforts of organizations to implement stronger network segmentation, improve visibility into their OT environments, and enhance incident response capabilities, the persistent lack of visibility into OT environments continues to obscure the full scale of cyber attacks on industrial organizations.

Two notable threat groups, GRAPHITE and BAUXITE, have been implicated in multiple global campaigns targeting industrial entities across various critical infrastructure sectors. BAUXITE, which has technical overlaps with the hacktivist group CyberAv3ngers, has conducted campaigns that progressed along the ICS Cyber Kill Chain by compromising exposed devices in critical infrastructure sectors such as energy, water, and chemical manufacturing.

GRAPHITE, on the other hand, targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. This group has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators, highlighting the diverse range of industries affected by cyber threats.

The report also sheds light on ICS-focused malware threats such as Fuxnet and FrostyGoop, which are specifically designed to target industrial control systems and disrupt industrial operations. Fuxnet, attributed to the pro-Ukraine hacktivist group BlackJack, targets industrial sensor networks to disrupt critical infrastructure operations.

FrostyGoop, a more destructive malware, manipulates Modbus TCP (port 502) communications within ICS environments, causing physical damage to infrastructure. This malware was responsible for heating outages in over 600 apartment buildings in Ukraine, showcasing the potential impact of cyber attacks on essential services.

As industrial cybersecurity threats continue to evolve, threat groups like VOLTZITE, KAMACITE, and ELECTRUM are actively targeting OT data, expanding their focus to critical infrastructure sectors and introducing new malware strains to disrupt industrial operations.

The report also emphasizes the convergence of hacktivist groups and state-sponsored threat actors, leading to a hybrid threat model where hacktivists amplify state objectives through cyber operations. The use of ransomware by hacktivist groups has further escalated the threat landscape, with an increase in ransomware groups targeting industrial organizations and disrupting operations.

To enhance industrial cybersecurity resilience, organizations are urged to adopt proactive security measures, embrace threat hunting as a fundamental defense strategy, and remain vigilant against evolving cyber threats. With attackers leveraging increasingly sophisticated attack methods, the need for proactive threat hunting and continuous monitoring of OT environments has never been more critical in safeguarding industrial operations against cyber threats.
