Organizations’ Tactical Advantage Eroding Against Industrial-Scale Cyber Threats
Industrial Organizations Losing Ground to Threat Actors in OT Space
Industrial organizations are losing ground to threat actors in the operational technology (OT) space, with adversaries spending more time understanding physical processes and less time treating OT access as a passive foothold.
Threat Actors Shifting Focus to Control-Loop Mapping
According to a recent report, multiple state-aligned groups have shifted their focus to control-loop mapping, which involves identifying engineering workstations, collecting configuration and alarm files, and gathering operational context to interfere with physical outcomes.
Increased Specialization and Division of Labor Among Threat Groups
Dragos tracked 26 threat groups targeting OT environments in 2025, including three new groups identified during the year: AZURITE, PYROXENE, and SYLVANITE. The activity across these groups shows increased specialization and a growing division of labor, where one team focuses on gaining access and another focuses on OT operations.
Notable Threat Groups and Their Tactics
One notable group, SYLVANITE, was identified as a large-scale initial access group targeting industrial organizations through internet-facing systems. The group relied heavily on rapid exploitation of vulnerabilities in products from Ivanti, F5, SAP, and ConnectWise, and used tooling such as Cobalt Strike, Sliver, and multiple web shells. SYLVANITE handed access to other actors, including VOLTZITE.
In one incident, attackers exploited Ivanti Endpoint Manager Mobile (EPMM) at a U.S. utility through CVE-2025-4427 and CVE-2025-4428, extracting data from the backend MySQL database and replaying credentials internally for lateral movement.
Control-Loop Reconnaissance and Access Brokering
Control-loop reconnaissance is becoming routine, with groups like KAMACITE and ELECTRUM operating as access development groups supporting disruptive operations. KAMACITE expanded its operations beyond Ukraine and targeted the European OT supply chain, using spear phishing aimed at engineering and vendor personnel.
ELECTRUM activity in 2025 included destructive operations targeting Ukrainian infrastructure, with the group claiming responsibility for outages through the pro-Russian hacktivist persona Solntsepek.
Ransomware Groups Targeting Industrial Organizations
Ransomware groups continued to target industrial organizations at scale, with Dragos tracking 119 ransomware groups impacting more than 3,300 industrial organizations in 2025. Manufacturing accounted for more than two-thirds of observed victims.
Urgent Challenges Facing Industrial Organizations
The overall pattern across 2025 showed attackers moving faster, operating deeper, and relying on weak segmentation and exposed access paths. The most urgent challenge remains basic: collecting OT network data before an incident, monitoring remote access pathways, and treating engineering workstations and OT boundary systems as high-value operational assets.
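One way to act on those recommendations is to run the OT network data you already collect against the reconnaissance pattern the report describes: remote access into OT that bypasses the sanctioned path, engineering workstations reached from outside OT, and bulk file pulls (project, configuration, alarm files) from those workstations. The script below is an added illustration, not code from the report or from Dragos; the asset inventory, protocol labels, threshold and flow records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str       # client address
    dst: str       # server address
    app: str       # protocol label assigned by the sensor, e.g. "rdp", "smb"
    bytes_in: int  # bytes returned from dst to src, i.e. data pulled by the client

# Hypothetical asset inventory; a real deployment would load it from the OT asset database.
ENGINEERING_WS = {"10.20.5.11", "10.20.5.12"}  # engineering workstations
APPROVED_JUMP = {"10.10.0.5"}                  # the sanctioned remote-access path
OT_PREFIX = "10.20."                           # OT network range
REMOTE_ACCESS = {"rdp", "vnc", "ssh"}
FILE_TRANSFER = {"smb", "ftp"}
PULL_THRESHOLD = 5_000_000  # bytes pulled from one EWS by one client that warrants a look

def analyze(flows):
    """Return sorted (rule, src, dst) findings for flows matching a reconnaissance pattern."""
    findings = set()
    pulled = {}  # (src, dst) -> cumulative bytes pulled from an engineering workstation
    for f in flows:
        into_ot = f.dst.startswith(OT_PREFIX)
        from_outside_ot = not f.src.startswith(OT_PREFIX)
        # Rule 1: remote access into OT that does not come through the approved jump host.
        if f.app in REMOTE_ACCESS and into_ot and f.src not in APPROVED_JUMP:
            findings.add(("remote_access_bypass", f.src, f.dst))
        # Rule 2: an engineering workstation reached from outside OT, not via the jump host.
        if f.dst in ENGINEERING_WS and from_outside_ot and f.src not in APPROVED_JUMP:
            findings.add(("ews_reached_from_outside", f.src, f.dst))
        # Rule 3: bulk file pull from an engineering workstation (project, config, alarm files).
        if f.app in FILE_TRANSFER and f.dst in ENGINEERING_WS:
            key = (f.src, f.dst)
            pulled[key] = pulled.get(key, 0) + f.bytes_in
            if pulled[key] >= PULL_THRESHOLD:
                findings.add(("bulk_pull_from_ews",) + key)
    return sorted(findings)

# Constructed sample records, not real telemetry.
SAMPLE = [
    Flow("10.10.0.5", "10.20.5.11", "rdp", 20_000),       # sanctioned path, no finding
    Flow("10.20.7.30", "10.20.5.11", "smb", 1_000_000),   # inside OT, small pull
    Flow("172.16.40.9", "10.20.5.12", "rdp", 15_000),     # bypasses the jump host
    Flow("172.16.40.9", "10.20.5.12", "smb", 3_000_000),
    Flow("172.16.40.9", "10.20.5.12", "smb", 4_000_000),  # cumulative pull crosses threshold
]

if __name__ == "__main__":
    for rule, src, dst in analyze(SAMPLE):
        print(f"{rule}: {src} -> {dst}")
```

The three rules fire only on the host that reaches the workstation outside the approved path; the sanctioned jump-host session and the small in-OT file access produce nothing, which is the baseline an incident responder needs to have recorded before anything happens.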
