3 New Threat Groups Emerge Targeting Industrial Control Systems (ICS) and Operational Technology (OT) in 2025, According to Dragos

Three New Threat Groups Targeting Industrial Control Systems Identified

A recent report from cybersecurity firm Dragos reveals that three new threat groups have begun targeting industrial control systems (ICS) and operational technology (OT) in 2025. The report, which is the company’s 9th annual Year in Review OT/ICS Cybersecurity Report, identifies the groups as Sylvanite, Azurite, and Pyroxene.

Sylvanite

According to Dragos, Sylvanite operates as a “rapid exploitation broker,” providing access to critical infrastructure for another group known as Voltzite. Sylvanite has been observed quickly exploiting vulnerabilities, including those in Ivanti VPNs, and installing persistent web shells on F5 appliances. The group has targeted organizations in the electric power, oil and gas, water, manufacturing, and public administration sectors in North America, Europe, Japan, South Korea, the Philippines, Saudi Arabia, and Guam.

Sylvanite’s activities have been linked to groups previously associated with China, including UNC5221, which has been known to use the Brickstorm malware. However, Dragos notes that attribution remains challenging, and overlapping activity between groups does not necessarily mean they are the same entity.

Azurite

The second new group, Azurite, has also been linked to threat groups tied to China, including Flax Typhoon, Ethereal Panda, and UNC5923. Azurite has been seen stealing operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe. The group has compromised small office/home office (SOHO) routers to build proxy infrastructure and has leveraged compromised edge devices to pivot to OT networks.

Dragos reports that Azurite has exfiltrated OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data. While the primary goal may be intellectual property theft, the stolen information could also be used to cause disruption in the targeted organization.

Pyroxene

The third new group, Pyroxene, has been active since at least 2023 and specializes in cross-domain access, enabling movement from IT to OT networks. Pyroxene has targeted the manufacturing, transportation, logistics, aerospace, aviation, and utilities sectors in the United States, Europe, and the Middle East. The group has been observed using social engineering tactics, including creating fake profiles posing as aerospace recruiters, and has employed wipers to destroy data.

Dragos notes that Pyroxene’s activity and techniques overlap with groups known to be associated with Iran, including APT35 (Charming Kitten). The security firm assesses with moderate confidence that Pyroxene is actively positioning for future ICS-impacting operations by exploiting supply chains, trusted relationships, and IT-OT dependencies.

Other Threat Groups and Activities

In addition to the new threat groups, Dragos’ report provides updates on known threat groups targeting ICS/OT. Kamacite, a Russia-linked group, has been seen expanding its targets beyond Ukraine, scanning for industrial devices in the US, including HMIs, gateways, meters, and variable-frequency drives (VFDs). Electrum, a group responsible for disruptive attacks, has also expanded beyond Ukraine, targeting Poland’s power grid.
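A defender-side illustration of the scanning behaviour described above, added here as an example and not taken from the Dragos report or this article: it reads constructed connection-log lines and flags a source that touches many hosts across several well-known industrial protocol ports, while leaving alone a single host that polls one device on Modbus. The log format, thresholds, and function names are assumptions; the port-to-protocol map uses the standard default ports for those protocols.

```python
"""Flag sources probing multiple ICS/OT service ports across many hosts.

Added example, not code from the Dragos report. Assumes simple
connection-log records "timestamp src_ip dst_ip dst_port proto";
the SAMPLE_LOG lines are constructed for this example.
"""
from collections import defaultdict

# Well-known default ports for common industrial protocols.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    4840: "OPC UA",
}

# Constructed sample: one source sweeps several hosts and protocols,
# one host polls a single PLC repeatedly (normal HMI behaviour), and
# one connection is ordinary HTTPS.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 192.0.2.10 502 tcp
2025-03-01T10:00:02Z 203.0.113.7 192.0.2.11 502 tcp
2025-03-01T10:00:02Z 203.0.113.7 192.0.2.12 102 tcp
2025-03-01T10:00:03Z 203.0.113.7 192.0.2.13 44818 tcp
2025-03-01T10:00:03Z 203.0.113.7 192.0.2.14 20000 tcp
2025-03-01T10:00:04Z 203.0.113.7 192.0.2.15 47808 udp
2025-03-01T10:01:00Z 192.0.2.50 192.0.2.10 502 tcp
2025-03-01T10:01:30Z 192.0.2.50 192.0.2.10 502 tcp
2025-03-01T10:02:00Z 198.51.100.9 192.0.2.20 443 tcp
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records


def find_ics_scanners(records, min_targets=3, min_protocols=2):
    """Return {src: summary} for sources that contacted at least
    min_targets distinct hosts on ICS ports using at least
    min_protocols distinct protocols. A host polling one PLC on one
    protocol never meets both thresholds and is not flagged."""
    per_src = defaultdict(lambda: {"targets": set(), "protocols": set()})
    for r in records:
        name = ICS_PORTS.get(r["port"])
        if name is None:
            continue  # not an industrial protocol port
        per_src[r["src"]]["targets"].add(r["dst"])
        per_src[r["src"]]["protocols"].add(name)

    hits = {}
    for src, info in per_src.items():
        if len(info["targets"]) >= min_targets and len(info["protocols"]) >= min_protocols:
            hits[src] = {"targets": len(info["targets"]),
                         "protocols": sorted(info["protocols"])}
    return hits


if __name__ == "__main__":
    for src, info in find_ics_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['targets']} hosts, protocols={info['protocols']}")
```

The two thresholds are deliberately combined: breadth of targets alone would catch a legitimate engineering workstation that manages many PLCs over Modbus, and breadth of protocols alone would catch a single multi-protocol gateway; a source meeting both is much more consistent with the device discovery the report describes and is worth correlating with asset inventory and firewall logs.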

According to Dragos CEO Robert M. Lee, threat groups are still largely focused on the theft of intellectual property, but are increasingly collecting data that can later be used to cause disruption or damage.

The full report includes information on other known threat groups, ransomware attacks on industrial organizations, vulnerabilities affecting ICS/OT products, and recommendations for defenders.
