Manufacturing now a primary target for cyber attacks: report

Dragos has released the ‘Dragos 2025 OT/ICS Cybersecurity Report’, which details two new OT cyberthreat groups, reports ransomware activity surging at an increase of more than 87% over last year, and describes the emergence of new malware families designed specifically for OT environments.

“This year’s report demonstrates two important trends: that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure,” said Robert Lee, Co-founder and CEO of Dragos. “Skilled adversaries from state-sponsored groups are hiding in critical infrastructure, and hacktivists and criminal groups are increasingly using ransomware and exploiting known vulnerabilities, weak remote access configurations, and exposed OT assets to penetrate industrial environments. Meanwhile lack of visibility into OT conceals the full scope of these attacks.

“However, it’s important to recognise the progress made by OT defenders,” Lee added. “We’ve seen organisations implement stronger network segmentation, improve visibility into their OT environments, and develop more robust incident response capabilities. These proactive measures are making it harder for adversaries to operate undetected and are key to the long-term resilience of industrial cybersecurity.”

Two new OT cyberthreat groups identified

With the addition of BAUXITE and GRAPHITE, Dragos says its analysts now track 23 threat groups worldwide, nine of which were active in OT operations in 2024.

BAUXITE

This group has been implicated in multiple global campaigns targeting industrial entities and specific devices. The group shares substantial technical overlaps, based on capabilities and network infrastructure, with the hacktivist persona CyberAv3ngers, which has explicit affiliations with the Iranian Revolutionary Guard Corps — Cyber and Electronic Command (IRGC-CEC), as reported by the US Government.

Since late 2023, Dragos observed four BAUXITE campaigns, including those with Stage 2 ICS Cyber Kill Chain impacts via trivial compromises of exposed devices. Confirmed victims of BAUXITE are in the United States, Europe, Australia and the Middle East in multiple critical infrastructure sectors, including energy (oil and natural gas, and electric), water and wastewater, food and beverage, and chemical manufacturing.

GRAPHITE

GRAPHITE targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. The group has strong technical overlaps with APT28 and other names. GRAPHITE focuses on organisations with relevance to the military situation in Ukraine. Observable since Russia’s invasion of Ukraine in February 2022, this focus may indicate a specialised subunit or an expansion of mission goals.

GRAPHITE has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators and facilities and near-constant phishing operations using known vulnerabilities and custom script-based malware to target organisations in critical industries across its targeted geography.

Two new ICS-focused malware threats identified

The development of new malware strains specifically targeting industrial control systems (ICS) underscores an increasing adversarial focus on disrupting industrial operations.

Fuxnet

This malware, attributed to a pro-Ukraine hacktivist group BlackJack, is designed to target industrial sensor networks for Moskollektor, a municipal organisation that maintains Moscow’s communication system for a gas, water and sewage network. Using the Fuxnet malware, BlackJack claimed to disable thousands of sensors and destroy sensor gateway devices, rendering them unable to transmit information.

FrostyGoop

First identified in early 2024, FrostyGoop is a more destructive malware designed to manipulate Modbus TCP/502 communications within ICS environments. It can alter or spoof normal industrial process commands, enabling it to evade antivirus software and cause physical damage to infrastructure, as seen in its documented attack on the energy supply for district heating systems in Ukraine. The malware caused heating outages for over 600 apartment buildings in Ukraine in January 2024. Dragos’s investigation of FrostyGoop revealed that there were over 46,000 internet-exposed ICS devices communicating over Modbus worldwide.

Updated threat group activity

VOLTZITE

VOLTZITE is arguably the most crucial threat group to track in critical infrastructure. Due to its dedicated focus on OT data, the group is a capable threat to ICS asset owners and operators. This group shares extensive technical overlaps with the Volt Typhoon threat group tracked by other organisations. It utilises the same techniques as in previous years, setting up complex chains of network infrastructure to target, compromise and steal compromising OT-relevant data — GIS data, OT network diagrams, OT operating instructions, etc — from victim ICS organisations. VOLTZITE is a key reason for monitoring OT networks and hunting for malicious activity. With careful monitoring and investigation of ‘odd’ network communication, VOLTZITE can be identified and defended against.

KAMACITE

This group shifted from solely targeting Ukraine by introducing new, custom Windows-based malware strains and expanded its focus to European oil and natural gas (ONG) entities. This coincided with the expiration of an agreement allowing Russian state-owned company Gazprom to supply gas to Eastern and Central Europe.

ELECTRUM

ELECTRUM continues wiper campaigns with a new capability, AcidPour, a binary compiled for Linux operating systems that can search and wipe Unsorted Block Images (UBI) directories in embedded devices, including devices in OT environments. AcidPour is a variant of AcidRain but with extended capability to Memory Technology Devices (MTDs) often found in embedded systems. Dragos determined ELECTRUM used the resources and reputation of the hacktivist persona Solnetspek to obfuscate its operational activities in the December 2023 cyber-attack on Kyivstar, Ukraine’s primary telecommunications provider.

Other key findings

A number of other key findings from the report indicate:

• Geopolitical conflicts fuel OT-centric cyber operations: Adversaries aligned with state-backed initiatives continued to launch cyber operations targeting critical infrastructure in Ukraine, Russia and the Middle East, often as a direct extension of military conflicts.
• Hacktivist groups escalate attacks on critical infrastructure: Hacktivists leveraged new attack vectors to target OT environments, disrupting energy and water utilities while aligning their actions with geopolitical motivations. In 2023 and into early 2024, Dragos observed a trend of hacktivist groups, or self-proclaimed hacktivist groups, actively targeting and achieving Stage 2 of the ICS Cyber Kill Chain against industrial organisations and critical infrastructure and services worldwide.
• State-sponsored threat actors and hacktivism converge: Increasing collaboration between hacktivist groups and state-backed cyber actors has led to a hybrid threat model where hacktivists amplify state objectives, either directly or through shared infrastructure and intelligence. State actors increasingly look to exploit hacktivist groups as proxies to conduct deniable cyber operations, allowing for more aggressive attacks with reduced attribution risks.
• Hacktivists start using ransomware: Hacktivist and self-proclaimed hacktivist groups are now employing ransomware as part of an evolution of their operations against a variety of industrial targets. Three notable hacktivist groups were actively using ransomware within their operations in 2024: Handala, Kill Security, and CyberVolk.
• Ransomware activity surges: The number of ransomware groups targeting industrial organisations jumped to 80, a 60% increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organisations per week during the first half of 2024. That number more than doubled during the second half of the year. Manufacturing remains the most affected sector, accounting for more than 50% of observed ransomware victims. 25% of the ransomware cases Dragos observed involved full shutdown of an OT site, and 75% involved disruption to operations to some degree.
• Vulnerabilities carry risk of deep impact on industrial processes: In 2024, Dragos found that 70% of the vulnerabilities researched were deep within the ICS network, 39% could cause both a loss of view and a loss of control, and 22% of advisories were network-exploitable and perimeter-facing, rising from 16% in 2023.

It’s time to hunt

Adversaries have evolved, leveraging increasingly sophisticated attack methods to infiltrate industrial environments. The data from this year’s report is clear: organisations that took proactive security measures experienced shorter recovery times, reduced financial losses and minimised operational disruptions. Threat hunting is no longer an option: it is a necessity.

Industrial organisations must move beyond reactive security measures and embrace threat hunting as a fundamental defence strategy. Attackers are exploiting known vulnerabilities, remote access weaknesses, and supply chain gaps at an accelerating rate. Organisations that proactively search for threats and adversarial activity within their environments gain a crucial advantage in preventing attacks before they escalate.

ICS defenders must be relentless. Attackers like VOLTZITE are already inside networks, and the ability to hunt them down before they cause damage is the next evolution of industrial cybersecurity. Now, more than ever, it’s time to hunt.

Further information

The ‘2025 Dragos OT Cybersecurity Year in Review’ can be downloaded here.

Dragos is also holding its 2025 OT/ICS Cybersecurity Executive Briefing featuring the report on 4 March, with Dragos CEO and Co-founder Robert Lee.

An Australia and New Zealand-focused Year in Review Action Guide will be published mid-March.

Image credit: iStock.com/Bill Oxford