Three new OT threat groups identified including SYLVANITE linked to VOLTZITE/Volt Typhoon operations; ransomware groups with reach into OT environments surged 49 percent
Dragos Inc., the global leader in cybersecurity for operational technology (OT) environments, today released the Dragos 2026 OT/ICS Cybersecurity Report and Year in Review report. In its 9th year, the report is the most comprehensive analysis of cyber threats facing industrial and critical infrastructure. The report identified three new threat groups targeting critical infrastructure globally and found adversaries progressing from reconnaissance to operational disruption. The findings demonstrate a maturation in adversary operations, with threat groups working as coordinated ecosystems and advancing from isolated device targeting to mapping entire industrial control systems.
KAMACITE systematically mapped control loops across U.S. infrastructure throughout 2025, while ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets. Dragos also identified three new threat groups, including SYLVANITE, which hands off established footholds to VOLTZITE for deeper OT intrusions. PYROXENE targets the United States, Western Europe, and the Middle East and deployed destructive wiper malware against critical infrastructure during regional conflict in June. AZURITE showed OT overlaps with Flax Typhoon and conducted sustained operations across the U.S., Europe, and Asia-Pacific. Ransomware groups targeting industrial organizations surged 49 percent year-over-year, impacting 3,300 organizations globally and disrupting operations.
“The threat landscape in 2025 reached a new level of maturity,” said Robert M. Lee, CEO and co-founder of Dragos. “Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced. We’re seeing the ecosystem evolve with specialized threat groups systematically building access pathways for more capable adversaries to reach OT environments. Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”
“There were meaningful defensive gains in 2025 too,” continued Lee. “Organizations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of 5 days compared to the industry-wide average of 42 days, proving that detection maturity directly correlates with response success. But the gaps that remain are serious. Establishing comprehensive OT visibility now is critical. If organizations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage, and distributed energy resources creates exponentially greater blind spots.”
Details of the 2025 Year in Review:
Dragos identified three new OT Threat Groups—AZURITE, PYROXENE, and SYLVANITE:
With these additions, Dragos analysts now track 26 Threat Groups worldwide, 11 of which were active in 2025.
- SYLVANITE operates as an initial access broker, rapidly weaponizing vulnerabilities and handing off established footholds to VOLTZITE for deeper OT intrusions. Dragos directly observed SYLVANITE while conducting incident response at U.S. electric and water utilities, where the group exploited Ivanti vulnerabilities and extracted Active Directory credentials. SYLVANITE shares technical overlaps with UNC5221, UNC5174, and UNC5291.
- AZURITE focuses on long-term access and OT data theft, targeting OT engineering workstations and exfiltrating operational data including network diagrams, alarm data, and process information for downstream capability development. The group targets manufacturing, defense, automotive, electric, oil and gas, and government organizations across the United States, Australia, Europe, and Asia-Pacific. AZURITE shares technical overlaps with Flax Typhoon.
- PYROXENE conducts supply chain compromises and social engineering campaigns, often leveraging initial access provided by PARASITE, to enable movement from IT into OT networks. The group targets aviation, aerospace, defense, and maritime sectors across the U.S., Western Europe, Israel, and the United Arab Emirates. PYROXENE exhibits substantial technical overlap with activity the U.S. Government assesses is aligned with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
Threat groups progressed from reconnaissance to attempted operational effects:
ELECTRUM conducted multiple destructive operations throughout 2025, including a coordinated attack against eight Ukrainian ISPs in May and deployment of new wiper malware variants. In December 2025, ELECTRUM targeted combined heat and power (CHP) facilities and renewable energy management systems in Poland with deliberate attempts to impact operational assets—an expansion beyond transmission infrastructure to the decentralized grid. ELECTRUM shares technical overlaps with Sandworm. Its operations are enabled by KAMACITE, which expanded from Ukraine-focused targeting to a European supply chain campaign before conducting sustained reconnaissance of U.S. industrial devices from March through July 2025, systematically scanning entire control loops including HMIs, variable frequency drives, metering modules, and cellular gateways.
VOLTZITE was elevated to Stage 2 of the ICS Cyber Kill Chain:
Dragos observed the group manipulating engineering workstation software to extract configuration files and alarm data, specifically investigating what operational conditions would trigger process shutdowns. VOLTZITE compromised Sierra Wireless Airlink cellular gateways to access U.S. midstream pipeline operations and then pivoted to engineering workstations. VOLTZITE shares technical overlaps with Volt Typhoon.
Hacktivists continued to evolve from symbolic attacks to operationally capable campaigns:
BAUXITE deployed two custom wiper malware variants against Israeli targets during the Iran-Israel conflict in June 2025, escalating from prior access and disruption to destructive intent. Hacktivist groups increasingly blended ideological messaging with state-aligned operations, targeting internet-exposed HMIs, misconfigured engineering workstations, and open field protocols such as Modbus/TCP and DNP3. BAUXITE exhibits technical overlap with activity the U.S. Government assesses is aligned with CyberAv3ngers and IRGC-CEC.
Ransomware remained the most impactful threat to industrial organizations, with attacks increasing 64% year-over-year:
Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, up from 80 in 2024, collectively impacting 3,300 organizations. Manufacturing accounted for more than two-thirds of all victims. Industry-wide, the average dwell time for ransomware in OT environments was 42 days. Dragos noted a persistent mischaracterization of OT incidents as "IT only" because OT devices such as engineering workstations and HMIs are misclassified as IT assets simply because they run Windows operating systems.
Vulnerability scoring and advisories remained unreliable for ICS prioritization:
Dragos determined 25% of ICS-CERT and NVD vulnerabilities had incorrect CVSS scores in 2025, and 26% of advisories contained no patch or mitigation from vendors. Only 2% of ICS-relevant vulnerabilities qualified as “Now” priority requiring immediate action under Dragos’s risk-based “Now, Next, Never” model. Dragos research into battery energy storage systems (BESS) identified authentication bypass and command injection vulnerabilities, with over 100 internet-exposed devices found, including ~1 MW power inverters designed to supply grid power to electric utilities.
Report and Resources:
The Dragos 2026 OT/ICS Cybersecurity Report and Year in Review is an annual overview and analysis of OT-focused global threat activities, vulnerabilities, and industry insights and trends.
About Dragos, Inc.
Dragos provides the most effective OT cybersecurity technology for industrial and critical infrastructure to deliver on our global mission: to safeguard civilization. After nearly a decade of real-world experience handling landmark attacks on OT networks, Dragos understands the complexity and risks of industrial environments, which operate at massive scale with unique systems and exacting availability requirements, and which are not protected by IT cybersecurity.
The Dragos Platform provides visibility and monitoring of OT environments for asset identification, vulnerability management, and threat detection with continuous insights generated by the industry’s most experienced OT threat intelligence and services team. It discovers and monitors OT, IT, IoT, and IIoT assets within the OT environment and integrates with IT security infrastructure. Dragos protects customers across a range of industrial sectors including electric, oil & gas, manufacturing, water, transportation, mining, and government. Dragos is privately held and headquartered in the Washington, DC area with presence around the world and offices in North America, EMEA, and APAC.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260217364132/en/
Contacts
Joanne Rasch, Dragos
press@dragos.com
Kesselring Communications for Dragos
Leslie Kesselring, 503-358-1012
leslie@kesscomm.com