Dragos Report: Industrial Cyber Adversaries Are Now Mapping Entire Control Loops

The Dragos 2026 OT/ICS Cybersecurity Report reveals three new threat groups, a 49% surge in industrial ransomware, and adversaries advancing from reconnaissance to operational disruption.

Mike Callahan March 29, 2026 2 min read
Industrial cybersecurity has entered a new phase. The Dragos 2026 OT/ICS Cybersecurity Year in Review, released in February, documents a threat landscape that has evolved from opportunistic intrusions into something more deliberate, coordinated, and operationally dangerous. For anyone running critical infrastructure or industrial control systems, the findings demand attention.

Three New Threat Groups

The headline finding: Dragos identified three previously unknown threat groups actively targeting industrial infrastructure worldwide.

SYLVANITE operates as an access broker, rapidly exploiting vulnerabilities in enterprise edge products from Ivanti, F5, SAP, and ConnectWise. But SYLVANITE doesn't act alone — it hands off established footholds to VOLTZITE for deeper OT intrusions. This division of labor between initial access and operational exploitation represents a maturation in how adversaries organize against industrial targets.

PYROXENE targets the United States, Western Europe, and the Middle East, and deployed destructive wiper malware against critical infrastructure during regional conflict in June 2025. This group represents the most direct threat — actors willing to destroy rather than just surveil.

AZURITE showed operational overlaps with Flax Typhoon and conducted sustained campaigns across the U.S., Europe, and Asia-Pacific. The geographic breadth and persistence of AZURITE's operations suggest state-level resources and strategic objectives.

From Devices to Control Loops

The most concerning trend in the report isn't any single group — it's the collective shift in adversary behavior. Dragos found that threat actors have advanced from targeting isolated devices and network segments to mapping entire industrial control loops. KAMACITE, a previously tracked group, systematically mapped control loops across U.S. infrastructure throughout 2025, while ELECTRUM targeted distributed energy systems in Poland with deliberate attempts to affect operational assets.

Control loop mapping is significant because it indicates preparation for operational disruption rather than data theft. An adversary who understands how a plant's control systems interact — which sensors feed which controllers, which actuators respond to which commands — can potentially cause physical consequences: equipment damage, production disruption, safety incidents.

Ransomware Continues to Surge

Ransomware groups targeting industrial organizations surged 49% year-over-year, impacting 3,300 organizations globally and disrupting operations across manufacturing, energy, water, and transportation. The industrialization of ransomware — with groups operating as structured businesses with specialized roles — continues to accelerate.

What's changed is targeting precision. Ransomware operators are increasingly aware of which systems will cause the most operational pain and are timing their attacks to maximize disruption and leverage during negotiations.

The NVIDIA-Siemens Response

The threat escalation has prompted a corresponding response from the vendor community. NVIDIA announced collaborations with Akamai, Forescout, Palo Alto Networks, Xage Security, and Siemens to bring accelerated computing and AI to OT cybersecurity. At the S4x26 security conference, Siemens demonstrated its AI-ready Industrial Automation DataCenter — a platform that consolidates IT and OT security into a unified architecture designed to detect and respond to the kind of coordinated, multi-stage attacks the Dragos report describes.

Meanwhile, CISA and the Australian Cyber Security Centre published joint guidance for critical infrastructure operators integrating AI into OT systems, outlining four principles for realizing AI's defensive benefits while managing the new attack surfaces it creates.

What Industrial Operators Should Do Now

The Dragos report makes one thing clear: the threat to industrial control systems is no longer theoretical or limited to nation-state targets. Ransomware groups and hacktivists now operate alongside state-sponsored actors, creating a layered threat environment where virtually any industrial organization is a potential target.

Operators who haven't invested in OT-specific threat detection, network segmentation between IT and OT environments, and incident response planning tailored to industrial systems are running out of time to treat cybersecurity as someone else's problem.

Mike Callahan

Field Operations & Maintenance Editor at Industry 4.1. Reports on predictive maintenance, asset management, and industrial operations optimization strategies.