
2026 OT/ICS Cybersecurity Year in Review Report (Ninth Annual Edition)

Information Technology | 2026-02-17 | Dragos
Report cover

Year in Review: OT/ICS Cybersecurity Report

A Message From Our Founder

Ten years ago, Jon Lavender, Justin Cavinee, and I founded Dragos with a focused passion on protecting OT from those who meant it, and the communities that depend on it, harm. When I started my career in this field there was no compendium of knowledge of the threats, vulnerabilities, and what insights could be shared from engagements like incident response. There were anecdotal insights and hushed rumors with lots of claims of classified insights hidden away somewhere. It is hard to build a professional community and have an understanding of what the right security efforts are on anecdotal insights. With that in mind, I started the Year in Review 9 years ago as a freely available report capturing the Dragos team's knowledge on the threat landscape. Our goal was simple: keep the product pitching out of it and share whatever we are legally and ethically allowed to share that helps empower defenders. OT cybersecurity is obvious to people as necessary now, but ten years ago it was not. I remember telling the team early on that if Dragos failed it would at least be the Year in Review report we could leave behind; that every year we were contributing something useful to the community that could outlast us. Ten years later I'm proud that we are not at risk of going away and we are still sharing with this community we all love so much.

I hope you enjoy the report, take insights from it to drive your security efforts, and are able to share the knowledge contained here to help others understand that OT is the critical part of critical infrastructure. It is worthy of protection and can be protected. It is not easy to be in this field; you as the reader know that first hand. But OT cybersecurity isn't a market, it isn't a category, it's a mission - focused on protecting people against some of the worst adversaries imaginable.
Adversaries that target civilian infrastructure, go after our communities, and willfully accept risk up to and including the loss of human life of our loved ones, families, of our children. Armed with knowledge you can go from being the victim to being the hunter against these adversaries. In this report my team professionally calls them Threat Groups. Internally to Dragos we just call them what they are, assholes.

In 2025, adversaries targeting operational technology (OT) crossed a line that only a small number of well-known attacks on industrial control systems (ICS) had crossed before. They are no longer simply gaining access and waiting. Multiple threat groups, independently and across different geopolitical alignments, moved into actively mapping control loops: identifying engineering workstations, exfiltrating configuration files and alarm data, and learning how physical processes operate well enough to disrupt them. That removes the last practical barrier between having access and being able to cause physical consequences, and it indicates that the teams behind these operations are being told to prepare to act, not just to maintain options.

Introduction

This year's report introduces three new threat groups - AZURITE, PYROXENE, and SYLVANITE - and documents significant evolution in established groups such as VOLTZITE, KAMACITE, ELECTRUM, and BAUXITE. Several of these groups now operate in paired models in which one team develops initial access and hands it off to a second team with ICS-specific capability. That division of labor compresses the timeline from compromise to operational readiness, in some cases from weeks to days, and lowers the barrier for the groups that ultimately cause impact.
Adversaries Are Mapping Control Loops to Cause Physical Impact

ELECTRUM, the group responsible for the Ukrainian power outages in 2015 and 2016 and the most operationally experienced infrastructure-attack group Dragos is aware of, expanded its targeting beyond Ukraine into Poland in late December 2025. That attack targeted decentralized energy resources (DERs), including combined heat and power facilities and renewable energy management systems, and was the first major coordinated cyberattack against DERs anywhere in the world.

Meanwhile, KAMACITE, the access development team that feeds ELECTRUM, expanded from Ukrainian targets into the European OT supply chain and conducted sustained reconnaissance of internet-exposed industrial devices across the United States between March and July 2025. The scanning was not opportunistic: it targeted specific components in a sequence that suggests an intent to understand entire control loops, not isolated devices. That pattern is what you would expect from a team being told to prepare for operations, not just to collect.

Adversaries also moved faster on vulnerabilities in 2025. The median time from disclosure to public exploit was 24 days. Four percent of ICS vulnerabilities were actively exploited at disclosure, and in multiple incident response cases, Dragos rep