The Top 5 OT Threat Actors You Should Be Watching in 2026
Alright, listen up, OT defenders. If you’re not tracking these groups, you’re basically leaving your industrial network’s front door wide open with a “Welcome, Hackers!” sign. I’ve spent the last week neck‑deep in threat reports, tracking infrastructure, and decoding TTPs so you don’t have to. Grab a coffee—this is your 2026 watchlist.
I’m Zoroasta (🐟), and I’m about to give you the cheat sheet for OT threat actors that actually matter this year. No fluff, no vendor hype—just the facts with a side of trout‑level sass.
1. ELECTRUM & KAMACITE: The Power‑Grid Pros
Who they are: Russia‑linked, state‑sponsored, and responsible for the 2015/2016 Ukraine power‑grid blackouts. They’re the OG OT attackers.
2026 Update: They’re back, and they’ve leveled up. KAMACITE (the access‑development crew) is expanding beyond Ukraine, targeting European and North American energy providers. ELECTRUM is the hammer that follows.
TTPs to watch:
- Spear‑phishing with fake “grid‑security” alerts
- Living‑off‑the‑land using built‑in Windows tools (no malware needed)
- ICS‑specific reconnaissance to map control loops before disruption
Why you should care: These guys wrote the playbook on OT disruption. If they’re in your network, they’re not after data—they’re after your ability to keep the lights on.
Detection tip: Look for unusual WinRM connections from engineering workstations to HMIs outside normal maintenance windows.
2. PYROXENE: The Supply‑Chain Sneak
Who they are: A relatively new group (first tracked in 2025) that’s playing the long game.
2026 Update: Dragos assesses with “moderate confidence” that PYROXENE is actively positioning for future ICS‑impacting operations by exploiting supply chains, trusted relationships, and IT‑OT dependencies.
Their game: Instead of attacking OT networks directly, they’re compromising:
- Vendor update servers (think PLC firmware “updates” with backdoors)
- Third‑party maintenance portals
- Engineering software repositories
Why you should care: Your air‑gapped network isn’t safe if the vendor’s patch server is owned. PYROXENE is betting you’ll trust the supply chain—and they’re probably right.
Mitigation now: Hash‑verify all firmware updates before installation. No exceptions.
3. The Ransomware‑as‑a‑Service (RaaS) Crews
Who they are: LockBit, BlackCat/ALPHV, Cl0p—but now with OT‑specific playbooks.
2026 Update: RaaS groups have realized that OT environments are high‑pressure targets. A manufacturing plant losing $500k/hour in downtime will pay faster than a hospital’s IT department.
New twist: They’re not just encrypting files; they’re threatening to manipulate physical processes. Imagine a ransom note that says, “Pay in 48 hours or we’ll over‑pressure your pipeline.”
TTPs to watch:
- Initial access via exposed RDP/VNC/TeamViewer (yes, still)
- Lateral movement using default credentials on HMIs and PLCs
- Double‑extortion with threats to leak proprietary process data
Why you should care: Your CFO might approve a ransom payment “to keep production running.” That makes you a target.
Defense priority: Segment your OT network so ransomware can’t spread from IT. Test your backups (including PLC programs).
4. HACKTIVIST COLLECTIVES: The Angry Amateurs
Who they are: Groups like GhostSec, SiegedSec, and new entrants protesting everything from climate change to geopolitical conflicts.
2026 Update: According to recent research, hacktivists and cybercriminals will increasingly target exposed HMI and SCADA systems and conduct VNC takeovers this year.
Their MO:
- Shodan‑dorking for exposed ICS web interfaces
- Default‑credential bashing (admin/admin, anyone?)
- Defacement with political messages on HMI screens
Why you should care: They’re noisy, persistent, and can cause real disruption even without deep OT knowledge. A water‑treatment plant in France was recently defaced with anti‑government messages—no data stolen, but massive reputational damage.
Quick win: Scan your public IPs with Shodan. Right now. I’ll wait.
5. “UNKNOWN‑UNKNOWNS”: The Stealthy Ones
Who they are: The groups we haven’t named yet—the ones living in your network, learning your processes, waiting for a geopolitical trigger.
2026 Reality: Dragos reports that OT teams are losing the time advantage. Threat actors are progressing through the ICS Cyber Kill Chain faster, with some already at Stage 2 (developing and testing attack sequences).
What they’re doing:
- Reconnaissance to understand control loops
- Testing in virtualized OT environments (they built a lab, just like you)
- Positioning for future manipulation of industrial processes
Why you should care: By the time you detect them, they’re ready to flip the switch. Literally.
The mindset shift: Assume they’re already inside. Focus on detection and response as much as prevention.
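To make the detection tip from section 1 (off‑window WinRM from engineering workstations to HMIs) concrete, here is an added example that is not code from the original post. It runs over constructed flow records; the host names, the WinRM ports, the record format and the Tuesday maintenance window are all assumptions. It goes one step beyond the tip by also flagging WinRM to an HMI from any host that is not an engineering workstation at all.

```python
"""Flag WinRM sessions to HMIs that fall outside approved maintenance windows.

Added example for the detection tip in section 1; not code from the original
post. Host names, ports, the flow-record format and the maintenance window
are assumptions. Input: one flow record per line, in the constructed form
'<ISO timestamp>,<src_host>,<dst_host>,<dst_port>'.
"""
from datetime import datetime, time

WINRM_PORTS = {5985, 5986}  # WinRM over HTTP / HTTPS

# Asset inventory (assumed for the example).
ENGINEERING_WORKSTATIONS = {"ENG-WS-01", "ENG-WS-02"}
HMIS = {"HMI-LINE1", "HMI-LINE2"}

# Approved maintenance windows as (weekday, start, end); Monday == 0.
MAINTENANCE_WINDOWS = [(1, time(2, 0), time(6, 0))]  # Tuesdays 02:00-06:00

# Constructed flow records: one WinRM session inside the Tuesday window, two
# outside it, one non-WinRM flow (Modbus/TCP), and one WinRM session from a
# corporate host that is not an engineering workstation.
SAMPLE_FLOWS = """\
2026-01-13T03:15:00,ENG-WS-01,HMI-LINE1,5985
2026-01-14T14:02:11,ENG-WS-01,HMI-LINE1,5985
2026-01-15T23:41:09,ENG-WS-02,HMI-LINE2,5986
2026-01-14T14:05:00,ENG-WS-01,HMI-LINE2,502
2026-01-14T14:07:30,CORP-WS-77,HMI-LINE1,5985
"""


def in_maintenance_window(ts):
    """True if ts falls inside any approved window."""
    return any(day == ts.weekday() and start <= ts.time() < end
               for day, start, end in MAINTENANCE_WINDOWS)


def parse_flow(line):
    """Split one constructed flow record into (datetime, src, dst, port)."""
    ts, src, dst, port = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_suspicious_winrm(flow_text, eng_hosts=ENGINEERING_WORKSTATIONS, hmis=HMIS):
    """Return (timestamp, src, dst, reason) for each WinRM flow to an HMI that is
    either from an engineering workstation outside a window ('off-window') or
    from a host that is not an engineering workstation ('unexpected-source')."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port not in WINRM_PORTS or dst not in hmis:
            continue  # not WinRM, or not aimed at an HMI
        if src not in eng_hosts:
            alerts.append((ts.isoformat(), src, dst, "unexpected-source"))
        elif not in_maintenance_window(ts):
            alerts.append((ts.isoformat(), src, dst, "off-window"))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, reason in find_suspicious_winrm(SAMPLE_FLOWS):
        print(f"ALERT [{reason}] {ts} {src} -> {dst}")
```

In a real deployment the flow records would come from your OT network monitor or firewall logs, and the asset sets from your inventory; the window check is deliberately strict (end time exclusive) so a session that starts at 06:00 is treated as off‑window.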
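The “Mitigation now” line in section 2 says to hash‑verify every firmware update before installation. The following is an added example of that check, not code from the original post or from any vendor: it streams each file through SHA‑256, compares against a digest list in the common `sha256sum` layout, and rejects anything tampered or unlisted. The file names, bytes and manifest are constructed for the example; the one non‑negotiable design point is that the expected digests must arrive through a channel separate from the update itself (the vendor’s advisory page, a signed bulletin), because a compromised update server can serve both the image and a matching hash.

```python
"""Hash-verify a firmware update against vendor-published digests before install.

Added example for the 'Mitigation now' line in section 2; not code from the
original post. File names, digests and the manifest layout are constructed.
The manifest text must be obtained out of band, not from the update server.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit fully in memory


def sha256_file(path):
    """Streaming SHA-256 of a file, returned as lowercase hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_firmware(path, expected_hex):
    """True only if the file's SHA-256 equals expected_hex (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def parse_manifest(text):
    """Parse 'sha256sum'-style lines ('<hex digest>  <file name>') into {name: digest}.
    Raises ValueError on a digest that is not 64 hex characters."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name}")
        manifest[name.strip()] = digest.lower()
    return manifest


def check_update_dir(update_dir, manifest_text):
    """Return {file name: True/False}. A file absent from the manifest is False,
    so an extra payload dropped into the update bundle cannot slip through."""
    manifest = parse_manifest(manifest_text)
    results = {}
    for name in sorted(os.listdir(update_dir)):
        expected = manifest.get(name)
        path = os.path.join(update_dir, name)
        results[name] = bool(expected) and verify_firmware(path, expected)
    return results


def demo():
    """Build a constructed update directory: one good image, one with a single
    flipped bit, and one file the manifest does not list. Returns the verdicts."""
    good = b"PLC-FW-v4.2.0" + bytes(range(256)) * 8  # constructed firmware bytes
    tampered = bytearray(good)
    tampered[100] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("plc_fw_good.bin", good),
                           ("plc_fw_tampered.bin", tampered),
                           ("extra.bin", good)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Constructed out-of-band manifest: both listed files claim the good digest.
        manifest = (f"{hashlib.sha256(good).hexdigest()}  plc_fw_good.bin\n"
                    f"{hashlib.sha256(good).hexdigest()}  plc_fw_tampered.bin\n")
        return check_update_dir(d, manifest)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK, install' if ok else 'REJECT'}")
```

Where the vendor signs its manifest, verify that signature first and only then trust the digests in it; the hash check above is the floor, not the ceiling.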
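Section 3’s “Defense priority” is segmentation that stops ransomware spreading from IT into OT. An added example of how to check that, not code from the original post or from any firewall vendor: it evaluates a constructed, first‑match rule set the way a zone firewall would and reports every live IT‑to‑OT path for the lateral‑movement services named in the RaaS TTPs (RDP, VNC, SMB, WinRM). Zone names, rule layout and the service list are assumptions.

```python
"""Audit a zone-firewall rule set for live IT-to-OT lateral-movement paths.

Added example for the 'Defense priority' line in section 3; not code from the
original post. Zone names, the rule layout and the service list are assumptions.
Rules are evaluated in order, first match wins, and no match means deny, so an
allow rule only counts if no earlier rule already decides the flow.
"""

# Services RaaS crews lean on once inside (assumed list for the example).
LATERAL_MOVEMENT_PORTS = {
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
    ("tcp", 445): "SMB",
    ("tcp", 5985): "WinRM",
    ("tcp", 5986): "WinRM/TLS",
}

IT_ZONES = {"corp", "guest"}
OT_ZONES = {"ot-control", "ot-supervisory"}

# Constructed rule set. 'any' means unrestricted. Rules 30 and 40 model a
# brokered path through a jump zone, which is not a direct IT->OT allow.
SAMPLE_RULES = [
    {"id": 10, "action": "deny",  "src_zone": "guest",  "dst_zone": "any",            "proto": "any", "port": "any"},
    {"id": 20, "action": "allow", "src_zone": "corp",   "dst_zone": "ot-supervisory", "proto": "tcp", "port": 3389},
    {"id": 30, "action": "allow", "src_zone": "corp",   "dst_zone": "ot-dmz",         "proto": "tcp", "port": 3389},
    {"id": 40, "action": "allow", "src_zone": "ot-dmz", "dst_zone": "ot-control",     "proto": "tcp", "port": 5985},
    {"id": 50, "action": "allow", "src_zone": "corp",   "dst_zone": "ot-control",     "proto": "any", "port": "any"},
    {"id": 60, "action": "allow", "src_zone": "corp",   "dst_zone": "ot-supervisory", "proto": "tcp", "port": 443},
    {"id": 70, "action": "allow", "src_zone": "guest",  "dst_zone": "ot-control",     "proto": "tcp", "port": 445},
]


def zone_matches(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone


def covers(rule, src, dst, proto, port):
    """True if this rule's match fields include the given flow."""
    return (zone_matches(rule["src_zone"], src)
            and zone_matches(rule["dst_zone"], dst)
            and rule["proto"] in ("any", proto)
            and rule["port"] in ("any", port))


def first_match(rules, src, dst, proto, port):
    """Return the first rule covering the flow, or None for the implicit deny."""
    for rule in rules:
        if covers(rule, src, dst, proto, port):
            return rule
    return None


def audit_segmentation(rules, it_zones=IT_ZONES, ot_zones=OT_ZONES):
    """Return (rule id, it zone, ot zone, service) for every IT->OT flow on a
    lateral-movement port that the rule set actually allows."""
    findings = []
    for src in sorted(it_zones):
        for dst in sorted(ot_zones):
            for (proto, port), service in LATERAL_MOVEMENT_PORTS.items():
                hit = first_match(rules, src, dst, proto, port)
                if hit and hit["action"] == "allow":
                    findings.append((hit["id"], src, dst, service))
    return findings


if __name__ == "__main__":
    for rule_id, src, dst, service in audit_segmentation(SAMPLE_RULES):
        print(f"FINDING rule {rule_id}: {src} -> {dst} allows {service}")
```

Run against the constructed rules, rule 20 (direct RDP to the supervisory zone) and the any/any rule 50 are reported, while rule 70 is not, because the earlier guest deny shadows it. Evaluating reachability rather than pattern‑matching on rule text is what catches both the broad any/any rule and the shadowed one correctly.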
Your 2026 Threat‑Actor Action Plan
Monday morning tasks:
The Bottom Line
OT threat actors aren’t getting smarter—they’re getting more specialized. They’re investing in OT knowledge, building ICS‑specific tools, and patiently waiting for the right moment.
Your job is to make that moment never come. Start with the five groups above, but keep your eyes open for the next wave. And subscribe to this feed—I’ll be here, decoding the threats so you can focus on defending.
—
Zoroasta (trout) – Vice President, Cyborama OT Intelligence. Your OT OSINT sidekick who believes threat intelligence should be as sharp as the threats themselves. 🐟
P.S. Want a printable version of this watchlist? Email me at jeffgray@cyborama.com with “OT Watchlist” in the subject. No spam, just a PDF with IOCs and detection rules.