Industrial cybersecurity is facing an escalating battle against sophisticated threat actors. Dragos, a leading cybersecurity firm, has released its 2025 OT/ICS Cybersecurity Report, shedding light on the latest attacks, threat actors, and trends that shaped the industrial control systems (ICS) and operational technology (OT) security landscape in 2024.
Dragos now tracks 23 threat groups that have targeted OT organizations, nine of which were active in 2024. Two of them are newly designated: Bauxite, linked to Iran, and Graphite, which overlaps with Russia's APT28.
The report also notes that four groups have reached Stage 2 of the ICS Cyber Kill Chain, the phase in which an adversary has moved beyond gaining a foothold in the OT network and has developed, tested or executed capabilities that act on the industrial process itself. Ransomware incidents affecting industrial organizations rose by 87% year over year, underscoring the growing exposure of critical infrastructure to financially motivated crime as well as state activity.
This article summarizes Dragos’ key findings and provides deeper analysis of the cybersecurity challenges facing industrial sectors in the years ahead.
Key Findings from Dragos’ 2025 OT/ICS Cybersecurity Report
- 23 threat groups tracked, nine of them active in 2024.
- Two new groups added:
  - Bauxite (Iran-linked, overlapping with the CyberAv3ngers persona) has targeted energy, water, food and beverage, and chemical organizations in the US, Europe, Australia, and the Middle East.
  - Graphite (Russia-linked, overlapping with APT28) has focused primarily on Ukraine-related entities.
- ICS Cyber Kill Chain Stage 2 capabilities observed in four groups:
  - Chernovite (developer of the Pipedream/Incontroller toolkit)
  - Voltzite (overlaps with Volt Typhoon; known for exfiltrating OT data)
  - Electrum (overlaps with Sandworm; associated with the AcidPour wiper)
  - Bauxite
- Ransomware activity surged by 87%, with 80 different groups targeting industrial organizations (up from 50 in 2023).
- No ICS-specific ransomware was detected, but ransomware operators still disrupted operations and exfiltrated sensitive data.
- Two new ICS malware families discovered:
  - Fuxnet: destructive malware used by Ukraine-linked hacktivists against a Russian municipal sensor network.
  - FrostyGoop: malware that issues Modbus TCP commands to heating controllers; it cut heating to residential buildings in Lviv, Ukraine, in January 2024.
What Undercode Says:
The Dragos 2025 OT/ICS Cybersecurity Report highlights a growing cyber threat landscape that is more aggressive and sophisticated than ever before. The following analysis breaks down key takeaways from the report and what they mean for industrial cybersecurity moving forward.
1. The Rise of State-Backed OT Cyber Warfare
Both Bauxite (Iran) and Graphite (Russia) are clear indicators that nation-state actors are expanding their focus on industrial systems. Bauxite in particular has moved from opportunistic compromise of internet-exposed devices toward capabilities that can disrupt industrial operations, while Graphite's targeting shows that espionage-driven access to OT-adjacent networks is expanding as well. Either path can end in consequences for infrastructure, the economy, and public safety.
The use of IOCONTROL malware by Bauxite and AcidPour by Electrum suggests a strategic shift towards custom-built OT malware, specifically designed to compromise industrial operations. The targeting of critical infrastructure in the US, Europe, and Israel further reinforces the geopolitical nature of these attacks.
2. The Surge in Ransomware Attacks on Industrial Sectors
Ransomware targeting industrial organizations has increased dramatically, with an 87% rise in incidents over the past year. While no ICS-specific ransomware was reported, the impact of general-purpose ransomware on industrial production, supply chains, and data security cannot be ignored.
In most of these incidents the initial foothold is on the IT side; attackers then exploit weak IT/OT boundaries to reach engineering workstations, historians, and the business systems (ERP, MES, file servers) that production depends on, exfiltrate data, and demand a ransom. The absence of ICS-specific ransomware shows that financially motivated groups do not yet need to tailor malware to controllers: encrypting the IT systems an industrial operation relies on is already enough to halt production and extract payment.
3. The Emergence of Destructive ICS Malware
The discovery of Fuxnet and FrostyGoop highlights a concerning trend: OT-focused malware designed to cause physical disruption. Unlike traditional cyber espionage, these threats actively degrade the operation of physical infrastructure, in these cases a municipal sensor network and a district heating system.
Fuxnet, reportedly used by Ukraine-linked hacktivists against Russian infrastructure, shows how offensive cyber capabilities are being integrated into modern warfare. FrostyGoop's impact on heating in Lviv, achieved by sending Modbus TCP commands to controllers that were reachable over the network, shows how a cyberattack can have direct humanitarian consequences in the middle of winter.
4. The Growing Threat of ICS Cyber Kill Chain Stage 2 Actors
Threat groups reaching Stage 2 of the ICS Cyber Kill Chain indicate a critical escalation in their ability to cause real-world damage. Stage 1 is about getting into and learning the OT environment; Stage 2 means the actor has developed and tested capabilities that disrupt or manipulate the industrial process, and in some cases has already deployed them.
For instance, Chernovite's development of the Pipedream/Incontroller toolkit and Voltzite's exfiltration of OT data suggest that adversaries are moving toward long-term, sophisticated attack planning rather than opportunistic hacking. The presence of AcidPour further raises concerns about wiper malware aimed at the embedded Linux devices common in OT networks, which could lead to massive operational disruption.
5. The Need for Stronger OT Cybersecurity Strategies
As cyber threats against industrial control systems continue to rise, organizations must strengthen their cybersecurity posture to defend against both nation-state and financially motivated attacks. Key recommendations include:
- Network segmentation to isolate IT and OT environments, with controlled and monitored paths between them.
- Continuous monitoring of OT networks for early detection, including inspection of industrial protocols such as Modbus for write commands from unexpected hosts.
- Implementation of zero-trust principles, so that no host is trusted to command a controller merely because it sits on the OT network.
- Regular cybersecurity training for OT personnel.
- Proactive threat intelligence gathering to stay ahead of evolving threats.
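As an added example that is not part of the Dragos report or the original post: FrostyGoop reached its heating controllers with ordinary Modbus TCP commands, and the monitoring recommendation above is only actionable if the monitor can read that protocol. The Python below parses the Modbus/TCP MBAP header of captured requests and raises an alert whenever a write function code arrives from a host that is not on an allowlist of engineering workstations and HMIs. The IP addresses, the allowlist and the sample frames are constructed for this example.

```python
"""Flag Modbus/TCP write commands from hosts that are not authorised to issue them.

Added example for this article; not code from Dragos or from the original post.
Host addresses, the allowlist and the captured frames are all constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Modbus function codes that change coil or register state on the target device.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}

# Assumed allowlist: only the HMI and the engineering workstation may write.
ALLOWED_WRITERS = {"10.10.1.5", "10.10.1.6"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: int  # first coil/register address, -1 if the PDU is too short


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else -1
    return ModbusRequest(src, dst, tid, unit, fc, address)


def detect_unauthorized_writes(frames: Iterable[Tuple[str, str, bytes]],
                               allowed_writers: Set[str]) -> List[str]:
    """Return one alert string per write command from a non-allowlisted source."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError:
            continue  # not a well-formed Modbus/TCP request; out of scope here
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in allowed_writers:
            alerts.append(
                f"{src} -> {dst} unit {req.unit_id}: {name} "
                f"(fc 0x{req.function_code:02X}) at address {req.address}"
            )
    return alerts


# Constructed sample traffic: (source, destination, raw Modbus/TCP payload).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers: benign.
    ("10.10.1.5", "10.10.2.20", struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10)),
    # HMI writes a setpoint register: allowed writer, no alert.
    ("10.10.1.5", "10.10.2.20", struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 100, 1)),
    # Unknown host writes two holding registers starting at 0x0010: alert.
    ("10.10.9.77", "10.10.2.20",
     struct.pack(">HHHBBHHB", 3, 0, 11, 1, 0x10, 0x0010, 2, 4) + b"\x00\x00\x00\x00"),
    # Unknown host forces coil 5 on: alert.
    ("10.10.9.77", "10.10.2.21", struct.pack(">HHHBBHH", 4, 0, 6, 1, 0x05, 5, 0xFF00)),
    # Traffic on port 502 with a non-zero protocol id: not Modbus/TCP, ignored.
    ("10.10.9.77", "10.10.2.21", b"\x00\x05\x00\x01\x00\x06\x01\x06\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

In practice the frames would come from a passive tap or SPAN port through a packet-capture library, and the source-IP allowlist is only as strong as the segmentation that keeps other hosts off that segment. A useful next step is to baseline which registers and coils each allowed writer normally touches, so that an HMI suddenly writing to unusual addresses is also flagged.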
Fact Checker Results:
- Dragos’ report is a reputable source for industrial cybersecurity insights, widely referenced by experts in the field.
- The 87% figure is Dragos' own count of ransomware incidents affecting industrial organizations; it is consistent with broader industry reporting that manufacturing and critical infrastructure are increasingly frequent ransomware targets.
- New malware threats like Fuxnet and FrostyGoop confirm the growing cyber-physical impact of attacks, reinforcing the need for stronger defenses.
References:
Reported By: https://www.securityweek.com/nine-threat-groups-active-in-ot-operations-in-2024-dragos/