Several state-linked threat groups known for breaking into operational technology (OT) networks have shifted their focus over the past year from gaining and maintaining access to actively mapping out ways to disrupt physical industrial processes. The shift poses a significant threat because fewer than one in 10 OT networks have monitoring in place to detect such activity, according to industrial cybersecurity firm Dragos.

The group that Dragos tracks as Voltzite, which other researchers have linked to China’s Volt Typhoon campaign, was observed manipulating engineering workstations inside US energy and pipeline networks to determine what operational conditions could trigger process shutdowns — elevating the group to Stage 2 of Dragos’ ICS (industrial control system) Cyber Kill Chain.

Another group called Kamacite has shifted from corporate supply-chain targeting to directly scanning US industrial control devices for four months, mapping specific control loops. Its partner group Electrum, which has exhibited techniques that overlap with those of Russia’s GRU Sandworm team, struck Polish energy infrastructure in December in what Dragos calls the first major cyberattack on distributed energy resources (DERs).

“I think a reasonable assessment is that those teams — state teams, government, military, intelligence teams — are being told by their leadership: ‘You know what? It’s not just about getting access. We might want to leverage that access within a 12-month period,’” Robert M. Lee, CEO and co-founder of Dragos, said during a media briefing that accompanied the release of the company’s annual ICS/OT cybersecurity report. “And when you hear that as an offensive team, that’s when you go ahead and develop that out.” 

Lee, who previously held defensive and offensive cyber roles in the US military and the intelligence community, warned that given how little visibility most OT asset owners have into their own networks, some compromised sites will likely never be cleaned up. And that’s a scary reality because the disruptive capabilities these groups are setting up now could be triggered in the event of a geopolitical conflict.

The access-broker model comes to ICS

Voltzite compromised Sierra Wireless AirLink cellular gateways used in US energy and midstream pipeline operations, then pivoted to engineering workstations, where it dumped configuration files and alarm data to understand what conditions would trigger process shutdowns.

The group also used the JDY botnet for reconnaissance across the energy, oil and gas, and defense sectors, scanning VPN appliances from F5, Palo Alto, and Citrix. Less than 5% of environments Dragos assessed had the PowerShell execution logging needed to detect Voltzite’s techniques.

Sylvanite, one of three new threat groups that Dragos identified in 2025, acts as an access broker for Voltzite, rapidly weaponizing vulnerabilities in network-edge devices and handing off footholds to Voltzite for deeper infiltration. Sylvanite exploited an Ivanti EPMM zero-day vulnerability at a US utility in May 2025 before Ivanti issued a patch and separately used a SAP NetWeaver zero-day in April. It also installed persistent web shells on F5 appliances and harvested Office 365 tokens and credentials from LDAP databases.

Lee described the Sylvanite-Voltzite pairing as a two-team structure that suggests a mature, well-resourced state operation, either a government team working with a contractor or lab, or two separate agencies. Several nation-state actors have adopted this division of labor across teams because it shortens the compromise-to-operational-readiness timeline from weeks to days.

Another group, dubbed Azurite, which overlaps with what other researchers track as the Chinese Flax Typhoon group, infiltrated OT environments across manufacturing, defense, automotive, electric, and oil and gas organizations in the US, Europe, Taiwan, Japan, and Australia.

The group exfiltrated alarm data, configuration files, project files, and process information from engineering workstations, and was not deterred by public exposure, law enforcement infrastructure takedowns, or government sanctions. Dragos believes this activity is highly likely preparation for offensive operations in the event of geopolitical conflict.

Last year, the company also began tracking Pyroxene, a group that has technical overlaps with activity the US government has attributed to Iran’s Islamic Revolutionary Guard Corps. Pyroxene specializes in supply-chain attacks to pivot from IT networks into industrial control environments and operates in tandem with another group dubbed Parisite, which provides initial access.

The group deployed wiper malware against multiple Israeli organizations during the 12-day Iran-Israel conflict in June 2025 and conducted a watering-hole attack against a water utility serving the Haifa Bay Port area in late 2024. Its targets span aviation, aerospace, defense, and maritime sectors across the US, Western Europe, Israel, and the UAE.

Russia’s OT attack teams expand beyond Ukraine

The Russia-linked pair Kamacite and Electrum, which Dragos has tracked since the mid-2010s and which were responsible for the 2015 and 2016 cyberattacks that took down parts of Ukraine’s power grid, expanded operations into NATO territory in 2025 after years focused almost exclusively on Ukrainian targets.

Kamacite, which serves as the access-and-reconnaissance arm that enables Electrum’s destructive operations, ran a four-month campaign from March to July 2025 scanning internet-exposed US industrial control devices, including Schneider Electric variable-frequency drives, smart HMIs, Accuenergy power meters, and Sierra Wireless cellular gateways.

The scanning was not opportunistic, Dragos said. Kamacite targeted specific device types in sequence, suggesting the group was mapping entire control loops rather than probing for isolated vulnerabilities.
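The distinction Dragos draws, device classes probed one after another rather than assets hit at random, is something an asset owner can only see if it has an OT asset inventory and keeps perimeter flow logs. The script below is an added illustration of that logic, not code from Dragos or from the report; the inventory, the log format and the “class-by-class versus interleaved” heuristic are all assumptions made for the example, and the addresses are documentation-range placeholders.

```python
"""Flag sources that probe OT device classes one class at a time.

Added example, not code from Dragos or the article. It assumes:
  * an asset inventory mapping destination IP -> device class (constructed);
  * firewall/flow logs already normalised to one constructed line format:
      <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
Denied probes count too: a blocked scan is still reconnaissance.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical inventory. Device classes are the ones the report names;
# the addresses are documentation-range placeholders.
INVENTORY = {
    "203.0.113.10": "vfd",           # variable-frequency drive
    "203.0.113.11": "vfd",
    "203.0.113.20": "hmi",
    "203.0.113.21": "hmi",
    "203.0.113.30": "power_meter",
    "203.0.113.40": "cell_gateway",
}

# Constructed sample log. .7 sweeps class by class (the pattern the report
# describes), .8 hits the same assets in a random order, .9 only touches HMIs,
# and 203.0.113.50 is an IT host that is not in the OT inventory.
SAMPLE_LOG = """\
2025-03-14T02:00:05 src=198.51.100.7 dst=203.0.113.10 dport=502 action=deny
2025-03-14T02:00:09 src=198.51.100.7 dst=203.0.113.11 dport=502 action=deny
2025-03-14T02:21:30 src=198.51.100.7 dst=203.0.113.20 dport=443 action=allow
2025-03-14T02:21:41 src=198.51.100.7 dst=203.0.113.21 dport=443 action=allow
2025-03-14T02:45:12 src=198.51.100.7 dst=203.0.113.30 dport=502 action=deny
2025-03-14T03:10:03 src=198.51.100.7 dst=203.0.113.40 dport=443 action=allow
2025-03-14T02:00:05 src=198.51.100.8 dst=203.0.113.20 dport=80 action=allow
2025-03-14T02:00:06 src=198.51.100.8 dst=203.0.113.10 dport=502 action=deny
2025-03-14T02:00:06 src=198.51.100.8 dst=203.0.113.50 dport=443 action=allow
2025-03-14T02:00:07 src=198.51.100.8 dst=203.0.113.30 dport=502 action=deny
2025-03-14T02:00:07 src=198.51.100.8 dst=203.0.113.21 dport=80 action=allow
2025-03-14T02:00:08 src=198.51.100.8 dst=203.0.113.40 dport=443 action=allow
2025-03-14T02:30:00 src=198.51.100.9 dst=203.0.113.20 dport=443 action=allow
2025-03-14T02:31:00 src=198.51.100.9 dst=203.0.113.21 dport=443 action=allow
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) from one constructed log line."""
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["src"], f["dst"], int(f["dport"])


def collapse_runs(classes):
    """['vfd','vfd','hmi','vfd'] -> ['vfd','hmi','vfd']: consecutive repeats merge."""
    runs = []
    for cls in classes:
        if not runs or runs[-1] != cls:
            runs.append(cls)
    return runs


def classify_sources(log_text, inventory, min_classes=3):
    """Per source, label the probing pattern against known OT assets.

    sequential_sweep : >= min_classes device classes, each visited in one
                       contiguous run (mapping class by class)
    interleaved      : >= min_classes classes, revisited out of order
    narrow           : fewer than min_classes classes touched
    Destinations absent from the inventory are ignored.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        cls = inventory.get(dst)
        if cls is not None:
            by_src[src].append((ts, cls, dport))

    report = {}
    for src, events in by_src.items():
        events.sort()
        runs = collapse_runs([cls for _, cls, _ in events])
        distinct = sorted(set(runs))
        span_min = (events[-1][0] - events[0][0]).total_seconds() / 60
        if len(distinct) < min_classes:
            pattern = "narrow"
        elif len(runs) == len(distinct):
            pattern = "sequential_sweep"
        else:
            pattern = "interleaved"
        report[src] = {
            "pattern": pattern,
            "order": runs,
            "ports": sorted({p for _, _, p in events}),
            "span_minutes": round(span_min, 1),
        }
    return report


if __name__ == "__main__":
    for src, r in classify_sources(SAMPLE_LOG, INVENTORY).items():
        print(f"{src:15} {r['pattern']:17} {' -> '.join(r['order'])}  "
              f"ports={r['ports']} span={r['span_minutes']}min")
```

On the constructed log, 198.51.100.7 is reported as a sequential sweep (vfd, then hmi, then power_meter, then cell_gateway over about 70 minutes), 198.51.100.8 as interleaved, and 198.51.100.9 as narrow. The heuristic is deliberately simple: in practice the inventory join is the hard part, and without one the same flow logs show only undifferentiated denies on port 502 and 443.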

Earlier in the year, Kamacite targeted attendees of a Gas Infrastructure Europe conference in Munich, engaging targets in multi-day, native-language spear-phishing conversations. The group also targeted at least 25 Ukrainian industrial companies across 10 regions in a sustained supply-chain campaign.

Electrum, the operational arm that carries out destructive attacks, struck Polish energy infrastructure in late December 2025 in what Dragos describes as the first major coordinated cyberattack against DERs worldwide.

The attack targeted roughly 30 wind farms, solar installations, and a combined heat and power plant, gaining access through internet-facing Fortinet devices that still used default credentials and had no multi-factor authentication. The attackers deployed wiper malware that destroyed data on HMIs and corrupted firmware on OT devices, causing operators to lose visibility and control over the facilities.

Dragos attributed the Poland attack to Electrum with moderate confidence. Lee said the same style of attack in the US, Australia, or the Nordic countries, where grids rely more heavily on distributed energy resources, could have been “potentially catastrophic.”

“Some of the defender teams across NATO countries stopped worrying as much about certain Russian threat groups because they stopped seeing them,” Lee said. “I’m saying it looks like they might come back to a theater near you and now with a heck of a lot more experience. So keep up on what’s going on in Ukraine, and try to apply those lessons learned, because it could be very impactful for you.”

Electrum also developed two new wiper malware variants in 2025. PathWiper, discovered in June but active since March, destroys data more thoroughly and methodically than HermeticWiper, the wiper Sandworm used against Ukrainian targets hours before the Russian invasion started. A second wiper variant was discovered in December.

The group is also known to use pro-Russia hacktivist personas to mask its involvement in attacks. In May, the Solntsepek persona that Electrum has used on several occasions conducted destructive operations against eight Ukrainian internet service providers.

OT operators lack visibility to detect threats

Less than 10% of OT networks worldwide have any security monitoring in place, according to Dragos’ data. And 90% of asset owners the firm works with still cannot detect the techniques Electrum used to take down Ukraine’s power grid a decade ago, Lee said.

In tabletop exercises the company conducted in 2025, 88% of participants had trouble detecting threats, 94% had difficulty with containment, and 82% struggled to activate their incident response plans. During real-world engagements, a third of incident response cases began not with an alert from a product but with an operator noticing something seemed wrong, and in most of those cases, the data needed to investigate the incident had never been collected.

Dragos also found that 82% of OT asset owners lack defined criteria for when an operational anomaly should trigger a cybersecurity investigation. On top of that, 81% of environments assessed had poor IT/OT network segmentation, and 56% of penetration tests found that attackers could move laterally inside OT networks using legitimate system tools without being detected.

“We’ve told our community, build a big glass house, but the moment that perimeter is breached, like, I don’t know, good luck,” Lee said, noting that roughly 90% of security guidance for OT environments focuses on perimeter defense (“patch, passwords, antivirus, access controls, secure mode access”), with less than 10% addressing detection and response once intruders are inside the network.

Dragos calls visibility the foundational control, so building network monitoring and improving segmentation should come before anything else. The firm’s vulnerability analysis found that only 3% of ICS vulnerabilities require immediate patching, while 71% can be addressed through basic network hygiene and 27% pose minimal operational risk.

In the US, the new NERC CIP-015 standard will require bulk electric system operators to implement internal network security monitoring within three years for high-impact BES Cyber Systems and five years for medium-impact ones (those with external routable connectivity). But the requirement applies only to the electric sector, leaving water, oil and gas, and manufacturing without comparable mandates.

“We’re going to have to live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory of the [ICS] community,” Lee said.
