OT Cyber Threats Surge Amid Geopolitical Tensions and Ransomware Rise


25 Feb 2025 dragos.com

Dragos's latest annual report documents a sharp rise in cyber activity against operational technology, driven by geopolitical instability and a surge in ransomware. It also adds two threat groups to the company's watchlist and describes two malware families built to interact with industrial control systems.

Key Takeaways

  • "This year’s report demonstrates two important trends; that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure," said Robert M. Lee, Co-founder and CEO of Dragos.
  • "GRAPHITE has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators," continued Lee, pointing to the group’s significant operational footprint in areas critical for global stability.
  • "However, it’s important to recognize the progress made by OT defenders. We’ve seen organizations implement stronger network segmentation and improve visibility into their OT environments," Lee added.

On February 25, 2025, Dragos, Inc. released its 2025 OT/ICS Cybersecurity Report, the company's eighth annual review of cyber threats to operational technology (OT) environments. The headline figure is an 87% year-over-year increase in ransomware activity affecting industrial organizations, a trend the report treats as a direct threat to the physical processes those organizations run rather than only to their IT systems.

"This year’s report demonstrates two important trends; that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure," said Robert M. Lee, Co-founder and CEO of Dragos. The second point is the practical one for defenders: the intrusions described in the report did not depend on novel tradecraft, but on known, unpatched vulnerabilities and on insecure remote access paths into industrial networks, weaknesses that capable adversaries exploit precisely because they are reliable and cheap.


The report also adds two groups to Dragos's watchlist of OT-focused threat groups: GRAPHITE and BAUXITE. Dragos now tracks 23 such groups, nine of which were active against OT environments during 2024. Both additions are described below.


New Threat Groups: BAUXITE and GRAPHITE

BAUXITE has been linked to several campaigns against industrial entities worldwide and shows substantial technical overlap with the CyberAv3ngers persona, which has been tied to the Iranian Islamic Revolutionary Guard Corps. "Since late 2023, Dragos observed four BAUXITE campaigns, including those with Stage 2 ICS Cyber Kill Chain impacts via trivial compromises of exposed devices,” Lee explained. Stage 2 of the ICS Cyber Kill Chain is the phase in which an attacker acts on the industrial process itself rather than merely gaining a foothold, so the phrase "trivial compromises of exposed devices" means that directly reachable, poorly protected equipment was enough to produce process-level effects. The campaigns have touched critical infrastructure in multiple regions, including the energy, water, and chemical manufacturing sectors.

GRAPHITE has a different profile, targeting the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. Its activity intensified after Russia's February 2022 invasion of Ukraine, which points to a mission aligned with that conflict. "GRAPHITE has been identified conducting spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators," continued Lee, pointing to the group’s significant operational footprint in areas critical for global stability.


Alongside the new groups, the report documents two new malware families built to interact with industrial control systems (ICS): FrostyGoop and Fuxnet. Their appearance shows that attackers are investing in tooling that speaks to industrial equipment directly rather than stopping at the IT boundary.

ICS-Targeting Malware

FrostyGoop, first identified in early 2024, is ICS-specific malware that communicates with devices over Modbus TCP (port 502). Modbus carries no authentication or integrity protection, so any host that can reach port 502 on a controller can read and write its registers; FrostyGoop uses exactly that to send commands that look like routine traffic but alter device behaviour, with the potential for physical consequences. Dragos's report ties the malware to a January 2024 attack on a district heating provider in Lviv, Ukraine, which cut heat to residential buildings in mid-winter.
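The check a defender wants around that behaviour, written here as an added example that is not Dragos's code and is not taken from the report: a minimal Modbus TCP request parser plus a rule that flags write function codes from any host other than an allowlisted engineering workstation, and any Modbus client outside the OT address range. Because Modbus cannot refuse the write itself, the control has to live in segmentation and in monitoring of who is issuing writes. The addresses, the allowlist, and the frames below are constructed for the example.

```python
"""Parse Modbus TCP requests and flag writes from hosts that should never write.

Constructed example: the addresses, allowlist and sample frames are hypothetical
and built inline rather than captured from a real network.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MODBUS_PORT = 502
# Function codes that change device state; a write from an unexpected source
# is the behaviour worth alerting on.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical layout: one engineering workstation is the only host allowed to
# write, and every Modbus client should sit inside the OT segment.
ENGINEERING_HOSTS = {"10.10.1.5"}
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_addr: Optional[int] = None
    quantity: Optional[int] = None
    values: List[int] = field(default_factory=list)


def _unpack(fmt: str, data: bytes) -> tuple:
    """struct.unpack with a length check so truncation surfaces as ValueError."""
    size = struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated PDU")
    return struct.unpack(fmt, data[:size])


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and the PDU of a Modbus TCP request.

    Raises ValueError on anything that breaks the framing rules, so a detector
    can treat malformed traffic as its own signal.
    """
    tid, proto, length, uid, fc = _unpack(">HHHBB", payload)
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus (0)")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    body = payload[8:]
    req = ModbusRequest(tid, uid, fc)
    if fc in (1, 2, 3, 4):  # reads: start address, quantity
        req.start_addr, req.quantity = _unpack(">HH", body)
    elif fc in (5, 6):  # single coil/register write: address, value
        req.start_addr, value = _unpack(">HH", body)
        req.quantity, req.values = 1, [value]
    elif fc in (15, 16):  # multiple coils/registers: address, quantity, byte count, data
        req.start_addr, req.quantity, byte_count = _unpack(">HHB", body)
        expected = 2 * req.quantity if fc == 16 else (req.quantity + 7) // 8
        if byte_count != expected or len(body) != 5 + byte_count:
            raise ValueError("byte count inconsistent with quantity")
        data = body[5:]
        req.values = list(struct.unpack(">%dH" % req.quantity, data)) if fc == 16 else list(data)
    return req


def build_request(tid: int, uid: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def read_holding(tid: int, uid: int, start: int, qty: int) -> bytes:
    return build_request(tid, uid, struct.pack(">BHH", 3, start, qty))


def write_registers(tid: int, uid: int, start: int, values: List[int]) -> bytes:
    pdu = struct.pack(">BHHB", 16, start, len(values), 2 * len(values))
    return build_request(tid, uid, pdu + struct.pack(">%dH" % len(values), *values))


def inspect(flows: List[Tuple[str, str, int, bytes]]) -> List[Tuple[str, str, str]]:
    """flows: (src_ip, dst_ip, dst_port, tcp_payload). Returns (src, dst, reason) alerts."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed Modbus frame: {exc}"))
            continue
        if ipaddress.ip_address(src) not in OT_SEGMENT:
            alerts.append((src, dst, f"Modbus function {req.function} from outside the OT segment"))
        if req.function in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            last = req.start_addr + req.quantity - 1
            alerts.append((src, dst, f"unexpected {WRITE_FUNCTIONS[req.function]} to unit "
                                     f"{req.unit_id} addresses {req.start_addr}-{last} values {req.values}"))
    return alerts


def sample_flows() -> List[Tuple[str, str, int, bytes]]:
    """Constructed traffic: three benign frames and three that should alert."""
    return [
        ("10.10.2.10", "10.10.5.20", 502, read_holding(1, 1, 0, 10)),          # HMI polling a controller
        ("10.10.1.5", "10.10.5.20", 502, write_registers(2, 1, 40, [550])),     # engineering workstation
        ("10.10.2.10", "10.10.5.20", 8080, b"GET / HTTP/1.1\r\n\r\n"),          # not Modbus, ignored
        ("10.10.3.77", "10.10.5.20", 502, write_registers(3, 1, 40, [0, 0])),   # unknown host changes setpoints
        ("203.0.113.9", "10.10.5.20", 502, read_holding(4, 1, 0, 10)),          # client outside the OT segment
        ("10.10.3.77", "10.10.5.20", 502, bytes.fromhex("0005000000060110")),   # length field does not match frame
    ]


if __name__ == "__main__":
    for src, dst, reason in inspect(sample_flows()):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The parser deliberately refuses frames whose MBAP length or byte count disagrees with the bytes actually present, because a passive monitor that silently resynchronises on bad framing is easy to blind. In a real deployment the allowlist would come from an asset inventory rather than a constant, and the write rule would be paired with a baseline of which registers each client normally touches.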


Despite these escalating threats, Robert M. Lee emphasizes an optimistic viewpoint regarding the progress made by OT defenders. "However, it’s important to recognize the progress made by OT defenders. We’ve seen organizations implement stronger network segmentation and improve visibility into their OT environments," he stated. Lee noted that these proactive strategies are crucial for the long-term resilience of cybersecurity within the industrial sector.

Overall, the Dragos 2025 OT/ICS Cybersecurity Report paints a troubling picture for industrial organizations: geopolitical tension and ransomware activity are both rising, and much of the intrusion activity relies on basic weaknesses such as exposed devices and insecure remote access rather than on novel tradecraft. The new threat groups and ICS-capable malware underline the need for stronger protective measures in OT environments.

Looking Ahead

The direction for defenders is clear: remove direct internet exposure of industrial devices, close off insecure remote access, and keep extending the segmentation and OT visibility the report credits as real progress, on the assumption that adversaries will keep using simple entry points for as long as they work.
