2025
OT Cybersecurity Report
8th Annual Year in Review

Dragos identified VOLTZITE-controlled infrastructure interacting heavily with a telecommunications provider in the United States. Additionally, network communications consistent with command-and-control (C2) beaconing activity were discovered from a major U.S. city’s emergency service’s Geographic Information Systems (GIS). Although VOLTZITE has not yet demonstrated disruptive ICS capabilities, their consistent interest in U.S. critical infrastructure suggests a long-term data collection campaign. The data collected could either aid in constructing an ICS-capable disruption tool or inform contingency planning in response to a rapidly shifting global strategic landscape. The persistent activity of VOLTZITE underscores the critical need for robust ICS network monitoring. By identifying and responding to suspicious activities, organizations can protect their operational technology (OT) environments from potential disruptions and data breaches.

In 2024, CyberArmyofRussia_Reborn (CARR) launched a series of cyber attacks on industrial facilities, starting with a confirmed disruption in Texas in January. By April, CARR had posted videos showing further attacks on water facilities in Indiana and New Jersey, and an oil and gas facility in Texas, demonstrating their access to Human Machine Interface (HMI) devices and ability to manipulate operational processes. In May, additional victims were likely impacted in California, Florida, and Pennsylvania, as CARR continued targeting the water and wastewater and oil and natural gas sectors. These incidents highlight significant security risks to operational technology (OT), including unauthorized control, operational disruptions, property damage, and denial of control.

Multiple global government agencies issued a joint Cybersecurity Advisory (CSA) in 2024, highlighting APT28’s activities dating back to early 2022. APT28, which overlaps with the Dragos-designated threat group GRAPHITE, exploited vulnerable Ubiquiti EdgeRouters for credential harvesting, proxies, spearphishing operations, and command and control infrastructure. Many impacted industries heavily rely on OT/ICS technologies, underscoring significant security risks. The advisory also noted the reuse of several malicious domains from STIBNITE operations between 2020 and 2021, indicating infrastructure overlap between the two threat groups.

The VARTA Group experienced a cyber attack targeting its IT systems, affecting five battery manufacturing plants and administrative operations. The company proactively shut down its IT systems and production to ensure data integrity and security, disrupting production for several weeks. The attack also caused an unplanned delay in finalizing the company’s financial reports. The attack highlighted significant security risks to OT, including prolonged operational disruptions, data integrity concerns, and the complexity of restoring full functionality.

Dragos identified an ongoing KAMACITE campaign from June 2023 through at least mid-July utilizing the Dark Crystal remote access trojan (RAT) (DCRat) in initial access operations against Ukrainian entities. KAMACITE functions as an initial access provider for ELECTRUM, which has demonstrated the capability to achieve operational disruption in electric power networks due to loss of view and control. While KAMACITE’s current focus remains on Ukrainian targets, its operational trajectory shifts in response to changes in Russia’s geopolitical and security situation. Defenders need to maintain constant vigilance and operational awareness of these adversaries.

A new malware variant named AcidPour was uploaded to a malware repository from Ukraine. Shortly after, an adversary claimed responsibility for disrupting critical infrastructure in Ukraine via their Telegram channel. AcidPour, a wiper malware associated with ELECTRUM, was later analyzed and found to have similarities to AcidRain, which was used against ViaSat modems in February 2022. AcidPour extends the functionality of its predecessor, posing significant risks to operational technology (OT) by targeting and irreversibly deleting data from critical systems.

E-ISAC was notified of a network intrusion involving a North American utility operator. The operator detected suspicious activity on their IT network, where a backup Cisco virtual private network (VPN) appliance was beaconing to three suspicious IP addresses. Upon confirming the compromise, the utility operator isolated the VPN appliance and took precautionary measures to separate the operational technology (OT) network segments from the IT infrastructure. Thanks to these active defense measures, no utility services were impacted. This incident underscores the importance of robust security protocols to protect OT systems from potential threats originating in IT networks.

A coordinated cyber attack known as “MOSCOLLECTOR TAKEDOWN” was executed by the adversary group “Blackjack,” targeting Russia’s Industrial Sensor and Monitoring Infrastructure, moscollector.ru. The attack allegedly disabled 87,000 sensors across Russian critical infrastructures, including emergency services and utilities. Blackjack used custom ICS malware, Fuxnet, to manipulate and destroy OT systems and technology. Publicly disclosed information suggests that many impacted OT/ICS systems were accessible online and used default usernames and passwords. This incident highlights significant security risks to OT, including unauthorized access, operational disruptions, and the potential for widespread damage to critical infrastructure.

The adversary known as Sandworm is attributed to the deployment of a novel backdoor named Kapeka, used in a broader campaign to destabilize critical infrastructure in Ukraine. Sandworm has substantial technical overlap with Dragos-designated threat groups KAMACITE and ELECTRUM. This incident underscores significant security risks to operational technology (OT), including unauthorized access, potential operational disruptions, and the ongoing threat posed by sophisticated adversaries targeting critical infrastructure.

Rockwell Automation issued an urgent notice advising customers to immediately disconnect specifc devices from the internet due to seven identified CVEs affecting Logix Controllers, Studio 5000 Logix Designer, specific Rockwell Communications Modules, and FactoryTalk. The CVEs include CVE-2021-22861, CVE-2022-1159, CVE-2023-3595, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917. Dragos assessed that threat groups such as CHERNOVITE and ELECTRUM may likely target one or more of these vulnerabilities. This notice underscores significant security risks to OT, including potential unauthorized access, operational disruptions, and exploitation of critical vulnerabilities.

FrostyGoop, an ICS malware targeting Modbus TCP devices, was discovered by Dragos in a publicly available malware scanning repository. This malware can manipulate control, modify parameters, and send unauthorized command messages, posing significant risks to OT systems. In January 2024, adversaries conducted a disruption attack against a municipal district energy company in Ukraine, causing a two-day loss of heating to over 600 apartment buildings during sub-zero temperatures. Dragos associated this attack with the deployment of the FrostyGoop malware. The attackers sent commands to ENCO controllers, resulting in incorrect system operation. The incident highlights the potential for severe operational disruptions and the importance of robust cybersecurity measures to protect critical infrastructure

The hacktivist group Hunt3r Kill3rs claimed to have gained unauthorized access to numerous industrial control systems (ICS) across various industrial facilities in Europe and the United States by compromising Unitronics PLCs, specifically the Unistream and Vision series. Impacted companies included four renewable energy facilities, two ICS manufacturing and engineering companies, and a water treatment facility. The hacktivists inserted the phrase “Hacked by Hunt3r Kill3rs” into the HMI mail recipient field, changed HMI values, and restarted services. Although the legitimacy of Hunt3r Kill3rs’ access was verified, the full impact of their actions remains unknown.

The NERC Board of Trustees adopted CIP-015-1 – Cyber Security – Internal Network Security Monitoring in response to Executive Order No. 887 directing the development of requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for Internal Network Security Monitoring (INSM) of all High Impact Bulk Electric System (BES) Cyber Systems and Medium Impact BES Cyber Systems with External Routable Connectivity (ERC). Proposed Reliability Standard CIP-015-1 mandates network security monitoring within a CIP-networked environment for High and Medium Impact BES Cyber Systems. INSM requirements mandate network security monitoring within trusted zones, such as Electronic Security Perimeters (ESP). The Dragos Platform enables electric utilities to meet INSM requirements through advanced network monitoring for NERC CIP environments.

The US Transportation Security Administration (TSA) released an updated version of the TSA Pipeline Security Directive on Enhancing Pipeline Cybersecurity, known as Security Directive Pipeline-2021-01D. The updated version emphasizes the need for timely and detailed reporting, clarifies specific roles to ensure continuous availability and coordination, and defines “business critical functions” as those “necessary to meet operational needs and supply chain expectations.” The Dragos Platform offers comprehensive solutions to help oil and gas companies comply with the updated TSA Pipeline Security Directive through incident reporting, cybersecurity coordinator availability, and cybersecurity assessments.

Dragos observed a new variant of the VOLTZITE compiled version of the frpc (Fast Reverse Proxy Client) tool. The frpc tool has been utilized by VOLTZITE in 2023 operations and continuing into 2024. Dragos discovered the new variant uploaded to a public malware repository. It is unclear whether this VOLTZITE -related variant of frpc has been recently compiled and distributed or is an undocumented remnant of VOLTZITE’s early 2023 operations where they heavily utilized frpc. VOLTZITE presents an ever-present threat to critical infrastructure sectors, and has exhibited previous interest in looking for, and then exfiltrating key operational technology (OT) data from victim networks. VOLTZITE operations within OT or OT adjacent networks may cause availability issues with key OT resources, resulting in operational disruption to critical services.

CyberAv3ngers, tracked as Dragos-designated threat group BAUXITE, conducted reconnaissance and research against OT/ICS entities and devices through June and July. Dragos did not observe any follow-on activity. However, BAUXITE will likely use the discovered information in later operations to cause loss of availability, loss of view, and manipulation of control and view. This marks the fifth campaign by BAUXITE targeting or impacting OT/ICS entities. BAUXITE is geopolitically motivated and engages in targeted cyber operations with documented Stage 2 ICS Cyber Kill Chain impacts.

Hunt3r Kill3rs claimed to have gained unauthorized access to several Internet-exposed Rockwell Micrologix 1400 controllers in the United States and a Siemens SIMATIC controller in Italy. The compromised assets were verified to be accessible from the public internet and easily found using open-source scanning tools. Hunt3r Kill3rs targets Internet-exposed devices with missing or default authentication settings, exploiting vulnerabilities that allow remote and authenticated adversaries to manipulate the PLC’s logic and configuration. These incidents highlight significant security risks to OT, including unauthorized access, potential operational disruptions, and manipulation of critical industrial processes.

Following Dragos research into VOLTZITE activity in Guam and Palau, Dragos observed VOLTZITE-related activity targeting the United States, New Zealand, and Europe. VOLTZITE compromised internet-facing small-office and home-office (SOHO) perimeter routers on several electric and telecommunications internet service provider (ISP) infrastructures for use in adversary-controlled, peer-to-peer relay networks. These networks target and enumerate internet-exposed infrastructure at electric, oil and gas, water and wastewater, government, and military organizations.

Dragos identified new malware variants associated with the WASSONITE Threat Group. The WASSONITE Threat Group was responsible for compromising the Kudankulam Nuclear Power Plant (KNPP) in India in 2019 and deploying the Dtrack and Appleseed malware variants. The newly identified variants—SmallTiger, Andardoor, and Nukesped—exhibit technical and behavioral consistencies with historical WASSONITE operations. The consistent targeting of high-value infrastructure at Stage 1 of the ICS Cyber Kill Chain highlights the need for ongoing situational awareness. Intellectual property theft related to control systems or industrial environments can lead to reputational damage, loss of sensitive technology, and increased exposure to other adversaries with disruptive and destructive ICS capabilities. Stolen data can also reduce the preparation time needed to execute Stage 2 of the ICS Cyber Kill Chain.

The Cyber Security Agency of Singapore (CSA) released an updated Operational Technology (OT) Cybersecurity Masterplan (“Masterplan”) as part of continuous efforts to enhance the security and resilience of organizations operating industrial control systems, as well as those utilizing OT technologies that support physical control functions. The updated Masterplan 2024 reflects the evolving maturity of the OT ecosystem and the dynamic nature of cyber threats targeting OT systems in the wake of geopolitical and technological shifts.

Halliburton Company discovered that an unauthorized third party had accessed its systems. The company activated its cybersecurity response plan, took specific systems offline, and launched an investigation with external advisors. The incident caused disruptions and limited access to business applications, with ongoing efforts to restore systems and assess the impact. By the end of September 2024, Halliburton reported $35 million in expenses related to the incident. The company continues to face risks such as potential litigation, regulatory scrutiny, and changes in customer behavior.

A new custom multi-stage backdoor named Tickler, which Dragos associates with MAGNALLIUM, was deployed against various critical infrastructure sectors, including satellite communications, oil and gas, and government organizations in the U.S. and the UAE. Despite a relative decline in activity since 2019-2020, MAGNALLIUM likely continues to evolve its tools and capabilities while maintaining its focus on initial access and intelligence gathering in critical infrastructure sectors. MAGNALLIUM, active since at least 2013, has been consistently observed targeting critical infrastructure, particularly in the Middle East. Dragos continued to observe intermittent activity from the group, including a likely password-spraying campaign targeting defense and mining organizations in 2023.

An adversary with technical overlaps with the Dragos-designated threat group PARASITE exploited vulnerabilities in remote external services and VPNs to conduct ransomware attacks against U.S. organizations since April 2024. Dragos used distinct patterns in open ports and services configured on publicly exposed hosts to identify many hosts on Amazon AWS suspected of being operated by the same adversary. Further investigations into these hosts have uncovered suspicious self-signed X.509 certificates that are likely components of an ongoing cyber operation. The activity suggests continued focus on initial access through the exploitation of remote services and VPNs vulnerable to recently publicized CVEs, with a specific focus on ICS/OT-entities in Canada, Ukraine, Israel, and United States.

Dragos has identified malicious activity targeting multiple North American critical infrastructure networks with brute-force operations, primarily those belonging to electric, oil and gas, water and wastewater, and manufacturing sectors. This activity suggests early-stage reconnaissance behavior, focused on initial access to Cisco Secure Socket Layer (SSL) Virtual Private Network (VPN), Fortinet VPN, and Palo Alto Global Protect VPN appliances. The adversary has used a mix of random and genuine employee information in the login attempts. The observed reconnaissance activity could lead to unauthorized access to OT/ICS assets and systems, which could result in theft of operational information, loss of control, or manipulation of control.

On September 23, 2024, Arkansas City, Kansas, reported a cyber attack on its water treatment facility, prompting an investigation by the Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security. Despite the incident, city officials assured residents that the water supply remains safe and services have not been disrupted. As a precaution, the facility switched to manual operations pending resolving the situation, suggesting a possible ransomware attack. Costs from the attack are reported to exceed $160,000. This incident highlights the risks associated with relying on manual backups, which can introduce inefficiencies and security risks over time, though necessary as a last resort.

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in partnership with CISA, the U.S. government, and international partners, released the Principles of Operational Technology Cybersecurity. This guidance provides critical information on creating and maintaining a safe, secure operational technology (OT) environment. The guide outlines six principles: safety is paramount; knowledge of the business is crucial; OT data is valuable and needs to be protected; segment and segregate OT from all other networks; the supply chain must be secure; and people are essential for OT cybersecurity.

Deadline for member states to comply with NIS2. The NIS2 Directive aims to harmonise cybersecurity practices across member states, and it requires Operators of Essential Services (OES) to adopt appropriate security measures to protect their assets and that they also notify relevant national authorities when serious cyber incidents occur.

The Canadian Centre for Cyber Security (Cyber Centre) published a suite of voluntary guidelines designed to further protect essential services for people in Canada and enhance cyber security resilience overall. The Cyber Security Readiness Goals (CRGs) are designed to be an evergreen resource that can be used by all critical infrastructure sectors. They will be updated by the Cyber Centre based on feedback from partners and as the threat landscape evolves. The CRGs feature six pillars and 36 goals. The six pillars include: Govern, Identify, Protect, Detect, Respond, and Recover. The CRGs align with the recent work of the Cyber Centre’s international partners.

Between early October and late November 2024, an adversary conducted a highly targeted spear-phishing campaign targeting European oil and natural gas organizations. Dragos is attributing it to the Dragos-designated Threat Group KAMACITE. KAMACITE is assessed to function as an initial access provider for the Dragos-designated Threat Group ELECTRUM. The campaign exploited the 2024 Gas Infrastructure Europe (GIE) conference as a social engineering pretext and leveraged rented commodity malware and loader infrastructure and at least three custom Windows malware variants.

VOLTZITE, which overlaps with Volt Typhoon, is reportedly rebuilding its “KV-Botnet” malware botnet after it was disrupted by law enforcement in January. They target outdated Cisco and Netgear routers and have compromised many devices in just over a month. The main operation of the KV-Botnet appears to be obfuscating malicious activities by routing traffic through the compromised legitimate infrastructure. Scanning activity observed from the botnet is targeted against the public-facing IP subnet ranges of organizations within the global energy, oil and natural gas, manufacturing, and defense industrial base sectors.

Dragos observed the BAUXITE threat group impacting devices using a specific Linux-based malware. The iocontrol malware deploys a backdoor communicating via Message Queuing Telemetry Transport (MQTT) over port 8883, connecting to a hardcoded adversary-owned command and control (C2) domain. The known impacted devices include Orpak, Phoenix Contact, Unitronics, Baiells, Node-RED, Red Lion Controls, Hikvision, Teltonika, Orange Livebox, Tridium, Sonicwall, Ubiquiti, Watchguard, and Fortinet. Dragos has confirmed approximately 400 victims within this campaign. Based on Dragos analysis of the malware, iocontrol does not contain any ICS functionality.