Industrial Threat Actors Outpace OT Security Teams

Summary
– Adversaries are increasingly mapping industrial control systems to understand physical processes, moving beyond mere access to enable direct operational disruption.
– A growing division of labor exists among threat groups, with specialized teams like SYLVANITE brokering initial access for OT-capable operators like VOLTZITE.
– Groups such as KAMACITE are conducting sustained reconnaissance on exposed industrial devices to map control loops, gathering intelligence for potential future attacks.
– Ransomware remains a major driver of OT outages, with attacks often misclassified as IT-only incidents despite causing significant operational disruption.
– Critical visibility gaps in OT networks leave defenders blind: most lack proper monitoring, and detection often begins only after staff report abnormal behavior.
The security landscape for industrial control systems is shifting in a dangerous direction, with adversaries now moving beyond simple network intrusion to actively study and manipulate physical processes. A recent industry review highlights a critical trend where threat actors are dedicating significant effort to “control-loop mapping,” a technique that removes the final barrier between a digital breach and real-world disruption. This involves attackers meticulously identifying engineering workstations, extracting configuration files, and gathering operational data to understand exactly how to interfere with industrial outcomes. Experts warn that specialized groups are systematically building access pathways for more capable adversaries, while many organizations dangerously underestimate the reach of ransomware into their operational technology environments, often misclassifying these events as confined to IT systems.
Dragos identified 26 distinct threat groups targeting industrial environments last year, including three newly named actors. The ecosystem shows increasing specialization, with a clear division of labor emerging. Some groups focus solely on gaining the initial foothold, then broker that access to other, more operationally capable teams. One such group, tracked as SYLVANITE, operated as a large-scale initial access broker, aggressively exploiting vulnerabilities in products from companies like Ivanti, F5, and ConnectWise. This model of access brokering dramatically shortens the time between a vulnerability being disclosed and it posing a direct operational risk, exposing more industrial organizations to potential follow-on attacks even when the initial compromise seems limited to a peripheral network.
A particularly concerning development is the routine nature of control-loop reconnaissance. Groups like KAMACITE, which historically supported the ELECTRUM actor linked to past power outages in Ukraine, have expanded their targeting. Their recent campaigns involved sophisticated spear-phishing against engineering personnel and sustained scanning of internet-exposed industrial devices in the United States. This scanning focused on specific components like variable frequency drives, human-machine interfaces, and remote gateways, suggesting a deliberate effort to map entire control systems from operator interfaces down to physical actuators. While no exploitation was confirmed from this reconnaissance, the activity treats these exposed edge devices as intelligence sources, collecting data that could pave the way for future disruptive attacks.
Parallel to this reconnaissance, the development of destructive malware continues to advance. ELECTRUM’s activities in 2025 included disruptive operations against Ukrainian infrastructure, such as targeting internet service providers. Researchers also identified a new destructive malware family called PathWiper, linked with moderate confidence to this group. This malware is designed to cause irreversible data loss by overwriting filesystem structures and targeting all accessible storage media. The discovery of another wiper variant later in the year indicates ongoing refinement in these destructive toolkits, underscoring a persistent and evolving threat to critical systems.
Ransomware remains a dominant driver of operational outages in industrial settings. The number of ransomware groups impacting industrial organizations grew significantly, with manufacturing bearing the brunt of the attacks. A key problem is the persistent misclassification of incidents; engineering workstations and HMI systems running SCADA software are often mistakenly treated as standard IT endpoints. This blind spot means the severe operational disruption caused by ransomware encrypting boundary systems, like VMware ESXi hosts or servers supporting engineering functions, is not fully appreciated until production halts for days.
A fundamental visibility gap is leaving defenders dangerously blind. In a significant portion of incident response cases, investigations began because operational staff reported abnormal behavior, not from any security alert. The necessary network telemetry to determine if cyber activity was involved often simply did not exist. Estimates suggest that fewer than ten percent of global OT networks have adequate visibility and monitoring in place. The overarching pattern from the past year is clear: attackers are moving faster, operating deeper within networks, and capitalizing on weak network segmentation and exposed access paths. The most urgent defensive challenge remains foundational: organizations must collect OT network data proactively, rigorously monitor all remote access pathways, and finally start treating engineering workstations and OT boundary systems as the high-value operational assets they truly are.
(Source: HelpNet Security)
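The two defensive points raised above, treating HMI and engineering hosts as OT-critical assets rather than IT endpoints, and keeping remote-access paths and exposed industrial devices under watch, can be made concrete with a small amount of detection logic. The following is an added example, not code from the article or from Dragos; the inventory, the flow records, the address plan (10.10.0.0/16 as the OT segment) and the software markers are all constructed for illustration. It classifies inventory entries by the software they run, flags external sources that probe ICS-protocol ports across several internal hosts (the reconnaissance pattern described for KAMACITE), and surfaces every remote-access session that crosses into the OT segment.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Standard default ports of common ICS protocols, used as a defender-side watch list.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}
# Remote-access services whose use into the OT segment should always be visible.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}
# Assumed address plan for this example: 10.10.0.0/16 is the OT segment, RFC 1918 is "internal".
OT_SEGMENT = ip_network("10.10.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed inventory: hostname -> installed software. Hosts running SCADA/HMI or
# engineering software, or acting as OT boundary hypervisors, are OT-critical assets.
INVENTORY = {
    "ENG-WS-01": ["Windows 10", "PLC programming suite"],
    "HMI-LINE3": ["Windows Server 2016", "SCADA HMI runtime"],
    "FIN-LAPTOP-7": ["Windows 11", "Office"],
    "ESXI-OT-01": ["VMware ESXi"],
}
OT_SOFTWARE_MARKERS = ("scada", "hmi", "plc", "historian", "esxi")

# Constructed flow records in the form "timestamp src dst dport".
SAMPLE_FLOWS = """\
2025-03-01T02:14:05Z 203.0.113.7 10.10.3.21 502
2025-03-01T02:14:06Z 203.0.113.7 10.10.3.22 502
2025-03-01T02:14:07Z 203.0.113.7 10.10.3.23 44818
2025-03-01T02:14:09Z 203.0.113.7 10.10.3.24 20000
2025-03-01T03:00:00Z 198.51.100.9 10.10.3.21 502
2025-03-01T08:30:00Z 10.20.5.5 10.10.3.30 3389
2025-03-01T08:31:00Z 10.10.3.30 10.10.3.21 502
2025-03-01T09:00:00Z 10.20.5.6 10.20.5.7 3389
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than aborting the run."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_asset(software):
    """Return 'OT-critical' when any installed software matches an OT marker, else 'IT'."""
    for item in software:
        if any(marker in item.lower() for marker in OT_SOFTWARE_MARKERS):
            return "OT-critical"
    return "IT"


def detect_external_ics_recon(flows, min_targets=2):
    """External sources that touched ICS ports on at least min_targets distinct internal hosts."""
    touched = defaultdict(set)
    for f in flows:
        if f["dport"] in ICS_PORTS and not is_internal(f["src"]) and is_internal(f["dst"]):
            touched[f["src"]].add(f["dst"])
    return {src: sorted(hosts) for src, hosts in touched.items() if len(hosts) >= min_targets}


def detect_remote_access_into_ot(flows):
    """Remote-access sessions whose destination is inside the OT segment and source is outside it."""
    hits = []
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if f["dport"] in REMOTE_ACCESS_PORTS and dst in OT_SEGMENT and src not in OT_SEGMENT:
            hits.append((f["ts"], f["src"], f["dst"], REMOTE_ACCESS_PORTS[f["dport"]]))
    return hits


if __name__ == "__main__":
    for host, software in INVENTORY.items():
        print(f"{host}: {classify_asset(software)}")
    flows = parse_flows(SAMPLE_FLOWS)
    print("external ICS recon:", detect_external_ics_recon(flows))
    print("remote access into OT:", detect_remote_access_into_ot(flows))
```

On the constructed data, 203.0.113.7 is reported because it reached ICS ports on four distinct internal hosts, while a single probe from 198.51.100.9 stays below the threshold; the one RDP session from the corporate range into the OT segment is listed regardless of whether it was authorised, because the point is that every such path is recorded rather than discovered after an operator notices something wrong.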

