IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Dragos report reveals rise in industrial cyber threats

Today

Dragos has highlighted significant increases in cyber threats against industrial organisations, citing a marked rise in ransomware attacks and the exposure of sensitive data in its latest report.

The 2025 OT/ICS Cybersecurity Report from Dragos details a sharp 87% rise in ransomware activity targeting industrial organisations compared to the previous year. Additionally, a 60% increase in the number of ransomware groups affecting operational technology and industrial control systems was recorded in 2024.

Robert M. Lee, Co-founder and CEO of Dragos, remarked on the shifting cyber landscape: "This year's report demonstrates two important trends; that OT has become a mainstream target, and that even advanced cyber operations are employing unsophisticated tactics to compromise and disrupt critical infrastructure."

The report also introduces two newly identified OT cyber threat groups, GRAPHITE and BAUXITE. Over the past year, nine out of the 23 global threat groups tracked by Dragos were engaged in OT operations. BAUXITE in particular has been implicated in several global campaigns targeting energy, water, and chemical sectors, amongst others.

The GRAPHITE group targets entities in Eastern Europe and the Middle East, focusing notably on organisations tied to the military situation in Ukraine. This group has been engaged in spear-phishing and other techniques aimed at disrupting critical industries in these regions.

Dragos has also identified two malware strains with the potential to disrupt industrial control systems: Fuxnet and FrostyGoop. Fuxnet, associated with the hacktivist group BlackJack, targets industrial sensor networks in Moscow. FrostyGoop has been involved in attacks on Ukrainian infrastructure, manipulating communication protocols to cause substantial damage.

In addressing ongoing threats, Lee noted progress in defensive measures: "We've seen organisations implement stronger network segmentation, improve visibility into their OT environments, and develop more robust incident response capabilities. These proactive measures are making it harder for adversaries to operate undetected and are key to the long-term resilience of industrial cybersecurity."

The report further notes the activities of VOLTZITE, described as a significant threat to critical infrastructure. VOLTZITE shares similarities with other known threat groups and has been involved in compromising OT-related data.

State-sponsored threats continue to pose a major risk, often using hacktivist groups to carry out operations with reduced risk of attribution. The report highlights the convergence of hacktivism and state-sponsored cyber operations, noting a hybrid threat model that complicates attribution and response efforts.

Ransomware has become a key tool for many threat actors, with 80 groups identified as targeting industrial organisations. This marks a substantial increase and underscores the growing risk these threats pose to industrial sectors, particularly manufacturing. A significant portion of observed ransomware incidents resulted in disruption, impacting operations to varying extents.

Lee emphasised the necessity of proactive security measures to mitigate these risks, stating, "Threat hunting is no longer an option—it is a necessity. Organisations that proactively search for threats and adversarial activity within their environments gain a crucial advantage in preventing attacks before they escalate."
