China remains embedded in US energy networks ‘for the purpose of taking it down’

Three new threat groups began targeting critical infrastructure last year, while a well-known Beijing-backed crew - Volt Typhoon - continued to compromise cellular gateways and routers, and then break into US electric, oil, and gas companies in 2025, according to Dragos' annual threat report published on Tuesday.

Dragos specializes in operational technology (OT) security, and as such, its customers include energy, water, manufacturing, transportation, and other critical industries. Unsurprisingly, these are key sectors for Chinese, Russian, and other government-linked cyber operatives to hack for espionage and warfare purposes.

In its yearly cybersecurity report, Dragos said state-sponsored crews haven't let up on their attempts to compromise America's critical infrastructure, with three new OT-focused threat groups joining the fray. This brings the total number worldwide to 26, and of these, 11 were active in 2025.

Additionally, an existing group that Dragos tracks as Voltzite, which Dragos CEO Robert M. Lee said is "highly correlated" with Volt Typhoon, kept up its intrusion activities last year. This is the Beijing goon squad that the US government has accused of burrowing into critical American networks for years and readying destructive cyberattacks against those targets.

In 2025, Voltzite continued embedding its malware inside strategic American utilities "to maintain long-term persistence," Lee said.

"They [Voltzite] weren't just getting in and getting access - they were getting inside the control loop" system that manages utilities' industrial processes, Lee said in a briefing with reporters, adding that the PRC-backed crew's primary focus is causing future disruption.

"Nothing that they were taking was useful for intellectual property," Lee said. "Everything they were doing and learning was only useful for disrupting or causing destruction at those sites. Voltzite was embedded in that infrastructure for the purpose of taking it down."

In one of these campaigns, the intruders compromised Sierra Wireless AirLink devices and used them to access US pipeline operators' OT networks. Dragos observed Voltzite exfiltrating operational and sensor data, and said the level of access the intruders had to the OT networks would potentially have allowed them to manipulate control systems. They also accessed engineering workstations and stole configuration files and alarm data, which included information about how to force-stop operations.

In another Voltzite-linked campaign, Dragos spotted the crew using the JDY botnet to scan for public-facing Internet Protocol (IP) address ranges and VPN appliances across energy, oil, gas, and defense sectors.

"While no exploitation was confirmed during this phase, Dragos assesses with moderate confidence that the intent appeared to be pre-staging for future intrusions and exfiltration of operational data," according to the report.

New kids on the block

One of the three new groups that Dragos began tracking last year - Sylvanite - serves as Voltzite's initial access broker: it weaponizes vulnerabilities to gain a foothold, then hands that access off to Voltzite for deeper OT intrusions.

"Usually that indicates a government team and their national lab, or a government team and a contractor, or two different government agencies," Lee said. 

Sylvanite exploits known vulnerabilities in internet-facing products from F5, Ivanti, and SAP to provide Voltzite access into electric power generation, transmission and distribution, water, sewage, and oil and gas organizations across North America, the UK, Europe, Asia and the Middle East.

"They're finding edge-device vulnerabilities - the things that a contractor or remote worker would use to get into operations networks," Lee said. "And within 48 hours of disclosure, they're reverse engineering [vulnerabilities] and hitting those devices."

A second group that emerged during 2025, Azurite, overlaps with China's Flax Typhoon and focuses on gaining long-term access to OT engineering workstations and exfiltrating operational files including network diagrams, alarm data, and process information for downstream capability development. 

This group targets manufacturing, defense, automotive, electric power, oil and gas, and government organizations across the US, Europe, and the Asia-Pacific region. 

Finally, the third new group, Pyroxene, overlaps with activity attributed to Imperial Kitten (aka APT35) - the cyber arm of the Islamic Revolutionary Guard Corps (IRGC).

Dragos spotted Pyroxene conducting "supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe," according to the report.

One such intrusion involved collaboration between Pyroxene and a group Dragos tracks as Parisite, which functions as an initial access provider into critical infrastructure orgs.

Pyroxene typically uses recruitment-themed social engineering against targeted individuals, interacting with victims via fake social media profiles before delivering backdoors and other malware. In June 2025, Dragos said the group deployed data-wiping malware against "multiple undisclosed organizations" in Israel around the time of the military conflict between Iran, Israel, and the US.

Don't discount Russia

Of course, China and Iran aren't the only nations targeting critical infrastructure in America and around the globe. Russia also poses a threat to Western water and utilities - along with any nations helping Ukraine in its ongoing war against the Kremlin's occupation. 

Dragos does not attribute cyberattacks to any nations. However, earlier this year, it blamed the December 2025 cyberattacks against Poland's power grid on a group it tracks as Electrum. This group overlaps with Russia's GRU-run Sandworm offensive cyber unit - the crew behind the 2022 attack on a Ukrainian power facility and earlier wiper attacks that coincided with Russia's ground invasion of Ukraine in 2022.

In its new report, Dragos said that Kamacite serves as the initial access provider for Electrum, and it detailed a reconnaissance campaign that Kamacite carried out against vulnerable internet-exposed industrial devices in US water, energy, and manufacturing sectors between March and July 2025.

"While Dragos found no evidence of successful exploitation during this period, the scope and precision of the scanning reveal a meaningful evolution in Kamacite's operational posture," the report said. ®

https://go.theregister.com/feed/www.theregister.com/2026/02/17/volt_typhoon_dragos/