Dragos: Operational Tech Under Increasing Risk of Attack

In December 2025, when Poland’s energy sector suffered a cyber attack that compromised industrial control systems (ICS), threat actors demonstrated that operational technology (OT) is under significant risk.
These systems are part and parcel of industrial and critical infrastructure, and such breaches can quickly escalate into a national security concern.
Evaluating this increasingly targeted threat landscape, Dragos has released its latest 2026 OT/ICS Cybersecurity Report and Year in Review report.
“The threat landscape in 2025 reached a new level of maturity,” says Robert M. Lee, CEO and co-founder of Dragos. “Adversaries are mapping how control systems work, understanding where commands originate, how they propagate and where physical effects can be induced.
“We’re seeing the ecosystem evolve with specialised threat groups systematically building access pathways for more capable adversaries to reach OT environments.
“Meanwhile, ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organisations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”
Industrial organisations face increasing ransomware threats
Dragos analysts found 119 ransomware groups that targeted a collective of 3,300 industrial organisations in 2025 – up from 80 groups tracked in the previous year as attacks increased by 64% year over year.
The team notes that the average dwell time for ransomware in operational technology environments was nearly a month and a half, standing at 42 days.
The most affected industry was found to be manufacturing, accounting for more than two thirds of the victims.
Dragos’ report also highlights how a large number of OT incidents are mischaracterised as IT incidents purely because a Windows OS was involved, even though OT risks led to the compromise.
OT threat landscape
Analysts at Dragos now track 26 different threat groups worldwide, including three newly-discovered ones: AZURITE, SYLVANITE and PYROXENE.
AZURITE
AZURITE is an ICS Kill Chain Stage 2 adversary that targets engineering workstations to exfiltrate their operational data.
While the Dragos report suggests that they might not yet possess stage 2 tooling or malware capability, they still have shown the ability to operate in OT environments.
The Dragos team assesses that AZURITE’s operations are aimed at developing malware suitable for OT environments rather than at intellectual property theft.
AZURITE casts a wide net with operations targeting manufacturing, automotive, electric, oil and gas, pharmaceutical, defence industrial base and government organisations across the US, Australia, Europe and Asia-Pacific.
The AZURITE group shares technical overlaps with Flax Typhoon. It is focused on exploiting vulnerabilities in public-facing infrastructure and administrative portals.
PYROXENE
Dragos says this threat group – active since 2023 – has a “sustained focus on supply chain-leveraged attacks targeting defence, critical infrastructure and industrial sectors”.
Known to engage in social engineering campaigns pretending to be recruiters, PYROXENE leverages information from a threat group called PARASITE to gain initial access and move from IT into the OT environment.
This group was identified as deploying wiper malware against Israeli organisations during the Israel-Iran conflict in June 2025.
PYROXENE, according to the Dragos report, has strong technical overlap with an APT threat actor tracked by the US government and aligned with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).
SYLVANITE
An ICS Kill Chain Stage 1 attack group, SYLVANITE operates with widespread campaigns that target internet-facing systems.
The group was found to directly hand over initial access to another threat group called VOLTZITE, which is known to steal industry data and later use it to manipulate OT systems.
SYLVANITE operates comfortably within the initial access stage and uses the information it gathers to help other threat groups develop capable malware targeting OT infrastructure.
SYLVANITE operations were observed in North America, Europe, the UK, France, Japan, South Korea, Guam, the Philippines and Saudi Arabia. It has targeted sectors including energy, water, oil and gas, manufacturing and public administration.
Despite threats mounting in complexity, Robert notes that there were some meaningful defensive gains in 2025: “Organisations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of five days compared to the industry-wide average of 42 days, proving that detection maturity directly correlates with response success.
“But the gaps that remain are serious. Establishing comprehensive OT visibility now is critical. If organisations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage and distributed energy resources creates exponentially greater blind spots.”