Ransomware threats against operational tech surged in 2024

Dragos’ eighth annual OT/ICS year in review reveals two new threat groups and a massive increase in malicious activity year-on-year.

David Hollingworth
Thu, 27 Feb 2025

As malicious and criminal cyber activity continues to increase across the globe, it’s not just small to medium businesses that are bearing the brunt – cyber attacks against operational technology and industrial control systems have also seen a marked increase.

According to Dragos’ latest year-in-review roundup, the 2025 OT/ICS Cybersecurity Report, ransomware attacks against OT systems increased by 87 per cent in 2024 compared to the previous 12-month period.

New threat actors

As of publication, Dragos is tracking 23 OT-focused threat groups worldwide, with nine of them engaging in active operations throughout 2024, including two new groups, tracked as GRAPHITE and BAUXITE by the cyber security firm’s analysts.

GRAPHITE appears to have overlaps with several other threat actors, including the Russia-based APT28, also known as Fancy Bear. The group has been observed targeting energy, oil and gas, logistics, and government entities throughout the Middle East and Eastern Europe. GRAPHITE appears to have been active since Russia’s illegal invasion of Ukraine, and engages in what Dragos calls “near-constant phishing operations”.

BAUXITE, on the other hand, has significant technical overlap with a hacktivist group linked to the Iranian Revolutionary Guard Corps – Cyber and Electronic Command (IRGC-CEC), and has targeted critical infrastructure entities in the United States, Europe, Australia, and the Middle East.

New malware strains

It’s not just new groups on Dragos’ radar, but also new strains of malware – Fuxnet and FrostyGoop.

Fuxnet is the brainchild of pro-Ukrainian hacktivist group BlackJack. The malware was custom-designed to target Russia’s gas, water, and sewage network communications, maintained by the municipal organisation Moskollektor. The hacktivists claim to have disabled sensors and destroyed gateway devices throughout the Moskollektor network.

FrostyGoop, however, targets Modbus TCP/502 communications within ICS environments and is far more destructive. It can interfere with industrial process commands by spoofing or simply altering them, can evade antivirus software, and is capable of causing serious physical damage. In a January 24 attack against Ukrainian energy infrastructure, FrostyGoop was able to turn off the heat to more than 600 apartment buildings in a single district.

“This year’s report demonstrates two important trends; that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure,” Robert M. Lee, Co-founder and CEO of Dragos, said in a statement.

“Skilled adversaries from state-sponsored groups are hiding in critical infrastructure and hacktivists and criminal groups are increasingly using ransomware and exploiting known vulnerabilities, weak remote access configurations, and exposed OT assets to penetrate industrial environments. Meanwhile, lack of visibility into OT conceals the full scope of these attacks.”

The bigger picture

Dragos noted that geopolitical tensions are a key driver of attacks against OT operations, while hacktivist groups are using unique new attack vectors against energy and water utilities. Together, state-based actors and hacktivists are increasingly part of a hybrid threat model, with ransomware becoming a tool to promote geopolitical aims.

However, Lee added that “it’s important to recognise the progress made by OT defenders.”

“We’ve seen organisations implement stronger network segmentation, improve visibility into their OT environments, and develop more robust incident response capabilities,” Lee said.

“These proactive measures are making it harder for adversaries to operate undetected and are key to the long-term resilience of industrial cyber security.”

You can read the full report here.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
