Known groups targeting operational technology, industrial control systems, and critical infrastructure. All entries are from publicly documented sources.
First identified early 2024. Global OT threat. Purpose-built malware that manipulates Modbus TCP (port 502) communications within ICS environments. Can alter or spoof normal industrial process commands, evade antivirus, and cause physical damage to infrastructure. Caused heating outages for over 600 apartment buildings in Ukraine during sub-zero temperatures by attacking district heating systems. Uses Modbus/TCP to directly interact with ICS devices โ a first-of-its-kind attack technique in Dragos's catalog: direct protocol-level manipulation instead of just targeting IT systems around the OT environment. Dragos investigation found over 46,000 internet-exposed Modbus devices worldwide as context for this threat.
Attribution
Unknown (likely state-sponsored or IRGC-proxy)
Identified
January 2024
Primary Target
District heating, energy, utility ICS
ICS Protocols
Modbus TCP/502
Known Malware
FrostyGoop (9th ICS malware family Dragos documented)
Operational Impact
Physical damage confirmed โ 600+ buildings lost heating in January 2024
Sources: Dragos 2025 Year in Review, ENISA Threat Landscape 2025
BlackJack / Fuxnet
Pro-Ukraine Hacktivist ICS Targeting Group
HIGH
Pro-Ukraine hacktivist group with ICS malware capability. Developed Fuxnet โ destructive malware designed to target industrial sensor networks for Moskollektor, a municipal organization maintaining Moscow's gas, water, and sewage communication systems. BlackJack claimed to have disabled thousands of sensors and destroyed sensor gateway devices, rendering them unable to transmit information. Demonstrates that hacktivist groups now develop purpose-built ICS malware, not just DDoS campaigns.
Attribution
Pro-Ukraine hacktivist
Identified
2024
Primary Target
Russian municipal infrastructure (gas, water, sewage)
ICS Protocols
Industrial sensor networks
Known Malware
Fuxnet
Operational Impact
Thousands of sensors disabled, gateway devices destroyed
Dragos-identified OT threat group (2025). Strong technical overlaps with APT28 (Russian GRU). Targets entities in the energy, oil and gas, logistics, and government sectors across Eastern Europe and the Middle East. Observed since Russia's invasion of Ukraine (Feb 2022), focus indicates a specialized subunit or expanded APT28 mission goals. Conducts spear-phishing campaigns targeting hydroelectric generation and natural gas pipeline operators, plus near-constant phishing operations using known vulnerabilities and custom script-based malware. Represents the blending of traditional APT tradecraft with OT/ICS targeting โ not just IT espionage.
Attribution
Russia (APT28-linked, GRU)
Identified
February 2025 (Dragos 2025 Year in Review)
Primary Target
Energy, oil/gas, logistics, government (EE/ME)
ICS Protocols
Multiple โ industrial network targeting
Known Malware
Custom script-based malware
Operational Impact
Persistent phishing, credential theft, OT network pre-positioning
Techniques
Spear PhishingHydroelectric TargetingPipeline TargetingCustom Script MalwareKnown Vulnerability ExploitationPre-PositioningCredential Theft for OT Access
Sources: Dragos 2025 Year in Review (new OT threat group)
BAUXITE
CyberAv3ngers-linked, IRGC-CEC-Affiliated
CRITICAL
Dragos-identified OT threat group (2025). Shares substantial capabilities and infrastructure with the hacktivist persona CyberAv3ngers, which has explicit affiliations with the Iranian Revolutionary Guard Corps โ Cyber and Electronic Command (IRGC-CEC), as reported by the US Government. Dragos observed four BAUXITE campaigns since late 2023, including those with Stage 2 ICS Cyber Kill Chain impacts via trivial compromises of exposed devices. Deployed two custom wiper malware variants against Israeli targets during the Iran-Israel conflict in June 2025 โ escalating from access/disruption to destructive operations. Victims confirmed in United States, Europe, Australia, and the Middle East across energy (oil, gas, electric), water/wastewater, food/beverage, and chemical manufacturing. Exemplifies the trend where hacktivist-branded operations move from symbolic defacements into operationally capable, destructive campaigns.
Sources: Dragos 2025 Year in Review, US Government reporting on IRGC-CEC/CyberAv3ngers, Dragos 2026 Press Release
VOLTZITE
Volt Typhoon OT Variant
CRITICAL
Arguably the most crucial OT threat group to track. Extensive technical overlaps with Volt Typhoon (CISA-tracked). Dedicated focus on stealing OT-relevant data: network diagrams, operating instructions, GIS data from victim ICS organizations. Sets up complex chains of network infrastructure to target and compromise ICS assets. VOLTZITE is likely already inside networks of critical infrastructure operators. This is pre-positioning for future kinetic action.
Attribution
China (state-sponsored, Volt Typhoon-linked)
Identified
February 2025 (Dragos 2025 Year in Review)
Primary Target
ICS network diagrams, OT operating instructions, GIS data
Operational Impact
Pre-positioning, OT data theft, living off the land
Techniques
OT Data TheftNetwork Infrastructure ChainsPre-PositioningNetwork Diagram CollectionOperating Instructions TheftGIS Data ExfiltrationLiving off the Land
Sources: Dragos 2025 Year in Review, CISA Volt Typhoon advisories
Sandworm
Voodoo Bear, Telebots, GRU Unit 74455, APT44
CRITICAL
Russian GRU cyber operations unit. Responsible for the 2015 Ukraine grid blackout โ first confirmed cyberattack to cause widespread power outages. Developed Industroyer (CrashOverride), the only known malware purpose-built for ICS protocol manipulation, and Industroyer2 targeting IEC 60870-5-104. Also created NotPetya (2017) โ the most destructive cyberattack in history at the time, causing $10B+ in damages.
Attribution
Russia (GRU)
Active Since
2009
Primary Target
Energy grids (Europe, Asia)
ICS Protocols
IEC 60870-5-101/104, Modbus
Known Malware
Industroyer, Industroyer2, KillDisk, BlackEnergy3
Operational Impact
Confirmed power outages, $10B+ damages
Techniques
ICS Protocol ManipulationSCADA TargetingSubstation CompromiseDestructive MalwareSpear PhishingLiving off the LandPre-Positioning
Sources: CISA AA22-141A, ESET Industroyer2 Report (2022), Dragos Year in Review
Triton / Trisis
TEMP.Veles
CRITICAL
State-sponsored ICS threat group. Deployed TRISIS malware at a Saudi Arabian petrochemical plant in 2017 โ the first known cyberattack designed to manipulate Safety Instrumented Systems (SIS) and Triconex safety controllers. Triton is unique because it targets the systems designed to prevent catastrophic failure, not the control systems themselves. A successful SIS bypass can kill.
Attribution
Russia (suspected)
Active Since
2014
Primary Target
Petrochemical, oil and gas
ICS Protocols
TriStation (Triconex), Modbus
Known Malware
TRISIS/HatMan
Operational Impact
Safety system manipulation โ potential mass casualty
Techniques
SIS/Safety Controller TargetingEngineering Workstation CompromiseLogic ManipulationCustom ICS MalwareLateral Movement
Long-running Russian state-sponsored threat group. Campaigns since 2011 targeting energy, manufacturing, and defense sectors across the US and Europe. Dragonfly 2.0 (2014-2016) specifically targeted ICS/SCADA environments, with operators gaining access to operator workstations at nuclear power plants and energy companies. Known for extensive pre-positioning without deployment โ suggesting preparation for future disruption, not the disruption itself.
Sources: CISA/NCCIC Alert (TA18-074A), ESET Havex Report, Dragos
Kimsuky
Velvet Chollima, APT43, Kimstaff, Black Banshee
HIGH
North Korean state-sponsored reconnaissance group. Targets US, South Korean, and European critical infrastructure for intelligence gathering. Not known for direct ICS disruption campaigns, but conducts extensive spear phishing against energy and defense sector employees to map network infrastructure โ creating access pathways for follow-on operations.
North Korean supply-chain targeting campaign. April-May 2026: 250+ emails sent to ~100 organizations offering fake coding challenges and malicious VSIX extensions. Targets developers at organizations with ICS infrastructure, including energy, manufacturing, and defense contractors. The campaign uses social engineering to gain access to development environments that can bridge to OT networks.
Attribution
North Korea (suspected Lazarus)
Active Since
April 2026
Primary Target
Developers at ICS-adjacent organizations
Known Malware
Malicious VSIX extensions
Operational Impact
Supply-chain access
Techniques
Supply Chain CompromiseDeveloper TargetingFake Job/Coding ChallengesMalicious ExtensionsOT Lateral Movement
Sources: Community reporting, April-May 2026 email campaign analysis
GordonFreeman / Shukaku_Daemon
Unknown
CRITICAL
Venezuela-linked SCADA compromise group. Active as of June 2026. Direct SCADA control observed targeting Guri Hydroelectric Plant โ Venezuela's largest power generation facility (70% of national capacity). Active IEC 604/5-104 and DNP3 manipulation on 765kV transmission backbone infrastructure. This is one of the few confirmed cases of active SCADA control by threat actors in real-time operations.
Attribution
Venezuela-linked
Active Since
June 2026
Primary Target
Hydroelectric, 765kV grid
ICS Protocols
IEC 60870-5-104, DNP3
Operational Impact
Active SCADA control, energy distribution compromise
Sources: Active monitoring, June 2026 intelligence
APT33
HOLMIUM, RefineDog, Elfin
ELEVATED
Iranian state-sponsored threat group. Conducted campaigns targeting the energy, aviation, and petrochemical sectors since 2013. Known for deploying Shamoon-like destructive malware and targeting industrial control systems in Saudi Arabian and US organizations. Elfin malware (2019) was specifically designed for ICS targeting.
Chinese state-sponsored threat group. Known for targeting government, defense, and technology organizations with focus on intelligence collection. Increasing attention to ICS and OT environments as geopolitical tensions rise. Not confirmed for ICS disruption campaigns, but maintains persistent access to organizations with ICS infrastructure.
Attribution
China (MSS)
Active Since
2012
Primary Target
Government, defense, technology, ICS
Operational Impact
Intelligence gathering
Techniques
Spear PhishingCredential HarvestingSupply Chain TargetingCloud Service Abuse
Sources: Microsoft Threat Intelligence, Dragos
BlackMatter
DarkSide successor
HIGH
Ransomware group with active OT targeting. Successor to DarkSide (Colonial Pipeline attackers). BlackMatter explicitly targeted industrial organizations and had capabilities to disrupt OT operations via IT-side ransomware spread. Known to target manufacturing, food processing, and energy companies.
Ransomware group targeting critical infrastructure. Part of TA505 threat cluster. Known for leveraging MOVEit transfer zero-days to breach hundreds of organizations. Successfully targeted Schneider Electric, Siemens, and other ICS vendors in 2023 supply-chain operations.
All threat actor profiles are compiled from publicly documented sources โ CISA advisories, Dragos reports, Mandiant/FireEye publications, Microsoft Threat Intelligence, and ESET research. We do not conduct independent attribution. Threat levels reflect confirmed operational impact on ICS/OT infrastructure, not just capability or intent. No private intelligence or undisclosed sources are used.