Critical Infrastructure Security

Dragos: Attackers have moved beyond mere access and reconnaissance


Attackers targeting critical infrastructure OT/ICS operations are moving beyond access and reconnaissance and now have the ability to develop, test and launch attacks on critical infrastructure networks.

These were some of the major findings in the Dragos 2025 OT/ICS Cybersecurity Report released on Feb. 25, which found that nine of the 23 threat groups Dragos follows were active in 2024.

Threat actors targeted nearly every important critical infrastructure sector, from manufacturing, oil and gas, and telecommunications, to the defense industrial base, mining, and the electrical grid.

“This year’s report demonstrates two important trends,” said Robert M. Lee, co-founder and CEO of Dragos. “That OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure.”

Here are some highlights:

  • Ransomware attacks against industrial organizations increased 87% over the previous year.
  • Dragos tracked 60% more ransomware groups impacting OT/ICS in 2024.
  • Sixty-nine percent of all ransomware attacks targeted 1,171 manufacturing entities in 26 unique manufacturing subsectors.
  • Dragos identified two new OT cyber threat groups, Bauxite and Graphite. According to Dragos, Bauxite has been implicated in multiple global campaigns targeting industrial entities and devices. The group shares substantial technical overlaps, based on capabilities and network infrastructure, with the hacktivist persona CyberAv3ngers, which has affiliations with the Iranian Revolutionary Guard Corps—Cyber and Electronic Command (IRGC-CEC), as reported by the U.S. Government.

    Graphite targets companies in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. The group has strong technical overlaps with Russia-based APT28 and focuses on organizations with relevance to the military situation in Ukraine. This focus has been observable since Russia’s invasion of Ukraine in February 2022, and Dragos said it may indicate a specialized subunit or an expansion of mission goals.

Heath Renfrow, co-founder and CISO at Fenix24, said the identification of Bauxite and Graphite reinforces that nation-state adversaries continue to evolve, leveraging specialized malware like IOCONTROL and AcidPour to target industrial systems.

Renfrow added that four of the active groups now possess ICS Cyber Kill Chain Stage 2 capabilities.

“This is a significant escalation because it means they can go beyond access and reconnaissance to develop, test, and potentially execute attacks that directly manipulate industrial processes,” said Renfrow. “These aren’t just espionage operations—they are active threats capable of physical disruption.”

Trey Ford, chief information security officer at Bugcrowd, noted that the findings in the Dragos report suffer from “recency and selection biases,” being focused on how to protect vulnerable technologies rather than on ending the trend of allowing vulnerable systems to operate as an acceptable reality.

“The team at Dragos is partnering with defenders to protect known-vulnerable technologies,” said Ford. “OT owners and operators need to require vulnerability disclosure programs or public bug bounty programs, in an effort to drive an increasingly resilient OT ecosystem. Continuing the posture of ‘protect the vulnerable environment’ will only see these trends persist.”
