Security News

Cybersecurity news aggregator

LOW News SecurityWeek

3 Threat Groups Started Targeting ICS/OT in 2025: Dragos

  • What: Dragos reports that three new threat groups, Sylvanite, Azurite, and Pyroxene, began targeting industrial control systems (ICS) and operational technology (OT) in 2025.
  • Impact: Critical infrastructure is at risk due to the activities of these groups, particularly Sylvanite, which acts as a broker for Voltzite.

ICS/OT

3 Threat Groups Started Targeting ICS/OT in 2025: Dragos

Industrial cybersecurity firm Dragos has published its 9th Year in Review OT/ICS Cybersecurity Report.

By Eduard Kovacs | February 17, 2026 (6:05 AM ET)

Three new threat groups started targeting industrial control systems (ICS) and other operational technology (OT) in 2025, according to a new report from cybersecurity company Dragos.

According to the security firm’s 9th annual Year in Review OT/ICS Cybersecurity Report, of the total of 26 threat groups tracked by Dragos, 11 were active in 2025. Three of them are new groups: Sylvanite, Azurite, and Pyroxene.

Sylvanite appears to act as a “rapid exploitation broker” that enables the group named Voltzite to access critical infrastructure. Voltzite is known for gaining long-term access to targets, including the US electric grid.

Sylvanite has been observed quickly weaponizing n-day vulnerabilities — for instance, it exploited Ivanti VPN vulnerabilities within 48 hours of their disclosure. The hackers then installed persistent web shells on F5 appliances, extracted AD credentials and then handed over access to Voltzite.

Sylvanite has targeted electric power, oil and gas, water, manufacturing, and public administration organizations in North America, Europe, Japan, South Korea, the Philippines, Saudi Arabia, and Guam.

Sylvanite overlaps with groups and activity previously linked by other cybersecurity firms to China, including UNC5221 (known for the use of the Brickstorm malware). However, Dragos noted that precise attribution remains challenging, and overlapping activity between two groups does not necessarily mean they are the same entity.

The second group, Azurite, has also been linked to threat groups tied by other cybersecurity firms to China, including Flax Typhoon, Ethereal Panda, and UNC5923. Some links have also been found to Voltzite.

The threat group has been seen stealing operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe.

The hackers have compromised SOHO routers to build proxy infrastructure. They have also leveraged compromised edge devices to pivot to OT, including engineering workstations, from which they could conduct malicious activities using existing software to evade detection.

According to Dragos, Azurite has exfiltrated OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data. While the goal may be intellectual property theft, the stolen information could also be used to cause disruption in the targeted organization.

“Azurite has not been observed manipulating, stopping, or modifying OT-specific software; it has only identified and exfiltrated information already on target assets,” the security firm said in its report. “This activity is highly likely to support capability development, target designation, and environment awareness for the preparation of offensive operations in case of geopolitical conflict.”

The third new group is Pyroxene, whose activity and techniques overlap with groups known to be associated with Iran, including APT35 (Charming Kitten). Pyroxene, which has been around since at least 2023, specializes in cross-domain access, enabling movement from IT to OT networks.

The group stands out for its use of social engineering, including creating fake LinkedIn profiles that pose as aerospace recruiters, and the use of wipers. Pyroxene has targeted the manufacturing, transportation, logistics, aerospace, aviation, and utilities sectors in the United States, Europe, and the Middle East.

“Wiper malware targeting IT systems can have a severe downstream impact on ICS operations. Destructive wiping of IT systems can render systems unbootable and disrupt operational dependencies, resulting in loss of availability. Even without direct PLC targeting, the loss of supporting IT services can halt operations, delay recovery, and increase safety risk across industrial environments,” the security firm noted.

It added, “Dragos assesses with moderate confidence Pyroxene is actively positioning for future ICS-impacting operations by exploiting supply chains, trusted relationships, and IT-OT dependencies, creating a credible risk of disruption or destruction even when OT networks are not directly targeted.”

Updates on known threat groups targeting ICS/OT

Kamacite, a Russia-linked group tracked by Dragos for more than a decade and responsible for reconnaissance and initial access in Electrum attacks, has been seen expanding its targets beyond Ukraine. The security firm has observed the hackers scanning for industrial devices in the US, including HMIs, gateways, meters, and variable-frequency drives (VFDs).

Electrum has been conducting disruptive attacks, often targeting Ukraine. However, this threat group has also recently expanded beyond Ukraine, including for the recent campaign targeting Poland’s power grid. According to Dragos, this appears to be a result of the conflict in Ukraine — or at least the cyber aspect of the war — winding down, and Russian threat actors resuming global operations in the interests of Moscow, as they did before the war.

In a briefing with the media, Dragos CEO Robert M. Lee pointed out that threat groups are still largely focusing on the theft of intellectual property. However, they are also increasingly focused on collecting data that can later be used to cause disruption or damage.

Dragos’ full 2026 report also includes information on other known threat groups, ransomware attacks on industrial organizations, vulnerabilities affecting ICS/OT products, and recommendations for defenders.
Related: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, Phoenix Contact
Related: 5 Bills to Boost Energy Sector Cyber Defenses Clear House Panel
Related: Default ICS Credentials Exploited in Destructive Attack on Polish Energy Facilities

Written by Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is the managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
