
A new report from operational technology (OT) cybersecurity expert Dragos paints a concerning picture of the escalating cyber threats targeting industrial organisations.
The Dragos 2025 OT/ICS Cybersecurity Report, the company’s eighth annual review, highlights a surge in ransomware attacks, the emergence of new malware designed specifically for OT environments, and the identification of two new OT cyber threat groups.
The report details that ransomware activity targeting industrial entities has surged by over 87 per cent compared to last year.
This increase underscores a growing trend of cybercriminals focusing on OT as a lucrative target.
According to Robert M. Lee, Co-founder and CEO of Dragos, OT has become a mainstream target, and even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure.
He emphasised that skilled adversaries from state-sponsored groups are infiltrating critical infrastructure, while hacktivists and criminal groups are increasingly exploiting known vulnerabilities and weak remote access configurations to penetrate industrial environments.
Dragos identified two new OT cyber threat groups, named GRAPHITE and BAUXITE, bringing the total number of tracked groups to 23, with nine being active in OT operations in 2024.
BAUXITE has been implicated in multiple global campaigns targeting industrial entities and specific devices, sharing technical overlaps with the hacktivist persona CyberAv3ngers, which has affiliations with the Iranian Revolutionary Guard Corps — Cyber and Electronic Command (IRGC-CEC).
Confirmed victims of BAUXITE are in the United States, Europe, Australia, and the Middle East, spanning sectors such as energy, water, food and beverage, and chemical manufacturing.
GRAPHITE, on the other hand, targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East, with strong technical overlaps with APT28.
The report also sheds light on two new ICS-focused malware threats: Fuxnet and FrostyGoop.
Fuxnet, attributed to the pro-Ukraine hacktivist group BlackJack, targets industrial sensor networks. FrostyGoop is the more destructive of the two: it manipulates Modbus TCP communications inside ICS environments and can therefore cause physical damage to infrastructure.
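Because FrostyGoop works by speaking legitimate Modbus TCP to controllers, the practical defence is to watch the protocol itself rather than look for a malware signature. The script below is an added example written for this article, not code from Dragos or from the report: it parses Modbus TCP request frames and flags write requests (function codes 0x05, 0x06, 0x0F, 0x10, 0x17) that do not come from the hosts an operator has approved to write to a given controller. The IP addresses, the allow-list and the sample frames are constructed for the demonstration; the assumption that write function codes are the interesting ones is a general Modbus-monitoring heuristic, not a claim about FrostyGoop's exact traffic.

```python
"""Flag Modbus TCP write requests from hosts not approved to write to a PLC.

Added example for illustration only; addresses, allow-list and frames are
constructed for this demo and do not come from the Dragos report.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Modbus TCP = 7-byte MBAP header (transaction id, protocol id, length,
# unit id), then the PDU (1-byte function code + data). Big-endian.
MBAP = struct.Struct(">HHHB")

# Function codes that change process state on the device.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus TCP request; return None for malformed/truncated frames."""
    if len(payload) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(payload, 0)
    if proto != 0:  # protocol id is always 0 for Modbus
        return None
    # 'length' counts unit id + PDU, so a well-formed frame is 6 + length bytes.
    if len(payload) != 6 + length:
        return None
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def describe_write(frame: ModbusFrame) -> dict:
    """Decode the target address and payload of a write request for the analyst."""
    d, fc = frame.data, frame.function_code
    if fc in (0x05, 0x06) and len(d) >= 4:
        addr, val = struct.unpack(">HH", d[:4])
        return {"address": addr, "value": val}
    if fc in (0x0F, 0x10) and len(d) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", d[:5])
        return {"address": addr, "quantity": qty, "payload": d[5:5 + nbytes].hex()}
    return {}


def audit_writes(flows: Iterable[Tuple[str, str, bytes]],
                 allowed_writers: Dict[str, Set[str]]) -> List[dict]:
    """flows: (src_ip, dst_ip, tcp_payload). allowed_writers: dst_ip -> hosts
    permitted to issue writes. Returns one alert per unapproved write request."""
    alerts = []
    for src, dst, payload in flows:
        frame = parse_modbus_tcp(payload)
        if frame is None or frame.function_code not in WRITE_FUNCTION_CODES:
            continue
        if src in allowed_writers.get(dst, set()):
            continue
        alerts.append({
            "src": src, "dst": dst, "unit_id": frame.unit_id,
            "function": WRITE_FUNCTION_CODES[frame.function_code],
            "detail": describe_write(frame),
        })
    return alerts


# Constructed sample traffic (hypothetical hosts): an HMI reading and writing
# its own PLC, an unknown host writing zeros into two holding registers, and
# a truncated frame that the parser should reject.
HMI, PLC, INTRUDER = "10.10.1.5", "10.10.2.20", "203.0.113.77"
SAMPLE_FLOWS = [
    (HMI, PLC, bytes.fromhex("000100000006" "0103" "0000000a")),          # FC 03 read
    (HMI, PLC, bytes.fromhex("000200000006" "0106" "00100064")),          # FC 06 write, approved
    (INTRUDER, PLC, bytes.fromhex("00030000000b" "0110" "00080002" "04" "00000000")),  # FC 10
    (INTRUDER, PLC, bytes.fromhex("000400000006" "0105")),                # truncated
]
ALLOWED_WRITERS = {PLC: {HMI}}

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

In a real deployment the flows would come from a SPAN port or a passive sensor feeding the parser the TCP payload of port 502 traffic; the allow-list is the piece that turns protocol decoding into a detection, because a write from an unexpected source is the signal the report's monitoring advice is aimed at.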
VOLTZITE remains one of the most concerning groups tracked in the report because of its focus on OT data.
The group uses complex network infrastructure to target, compromise, and steal OT-relevant data from victim ICS organisations, which the report cites as a reason for continuous OT network monitoring and threat hunting.
Other key findings in the report include the convergence of state-sponsored threat actors and hacktivism, with hacktivist groups increasingly employing ransomware and leveraging new attack vectors to target OT environments.
Additionally, the report highlights that 70 per cent of the vulnerabilities researched were deep within the ICS network, with a significant percentage capable of causing both a loss of view and a loss of control.
The Dragos report emphasises the importance of proactive security measures, including threat hunting, to enhance industrial cybersecurity resilience.
Organisations that embrace threat hunting as a fundamental defence strategy experience shorter recovery times, reduced financial losses and minimised operational disruptions.