New Threat Groups Target Operational Technology Environments
In a recent report released by Dragos, security researchers identified three new threat groups that either provide access to or directly attack operational technology (OT) environments. The findings have raised significant concern in the cybersecurity community.
One of the newly identified entities, referred to as Sylvanite, serves as an entry point for another group known as Voltzite, which has links to the notorious Volt Typhoon.
Notably, Volt Typhoon is a state-affiliated threat group that U.S. authorities have previously cautioned is focused on critical infrastructure sites across the United States, poised to execute disruptive operations in the event of military conflicts in the Asia-Pacific region.
According to Dragos researchers, Sylvanite operates as a separate group whose role is to exploit vulnerabilities in edge devices to establish initial access.
Robert Lee, co-founder and CEO of Dragos, emphasized during a recent media briefing, “This is not the team aiming for long-term control of OT systems—that role belongs to Voltzite. Rather, Sylvanite collaborates with or supports Voltzite by facilitating initial access.”
Sylvanite has been connected to a significant incident in May 2025, impacting a utility company in the U.S., where weaknesses in Ivanti Endpoint Manager Mobile were exploited, specifically CVE-2025-4427 and CVE-2025-44428, as detailed in the report.
Another group, known as Azurite, is linked to Flax Typhoon. It uses compromised small office/home office (SOHO) equipment to reach engineering workstations and relies on living-off-the-land techniques to maintain access.
The third identified group, dubbed Pyroxene, relies on social engineering, including fake LinkedIn profiles posing as recruiters. Since 2023, the group has expanded its operations from the Middle East into North America and Western Europe, targeting aerospace, defense, maritime, and other critical sectors.
In 2025, Pyroxene executed wiper malware attacks against several Israeli targets amid the 12-day military conflict with Iran. Researchers indicate that Pyroxene is strategically positioning itself for future campaigns that could critically impact industrial control systems.
Beyond these new threat groups, researchers have also observed established groups stepping up their activity.
For instance, Kamacite functions as the access facilitator for Electrum, a longstanding adversary linked to the 2015 cyberattacks on the Ukrainian power grid. Dragos reports that Kamacite has accelerated its attacks against industrial control system (ICS) supply chains in Europe since 2024.
Lee remarked, “No other team in the world possesses as much expertise in dismantling infrastructure as Electrum.” He further noted that as the cyber phase of the Ukraine conflict reaches its conclusion, experienced threat groups are pivoting to target industries in regions such as Europe and the United States.

Electrum’s capabilities were on display in a December attack on the electrical grid in Poland that affected multiple facilities, including wind farms and solar installations, according to Dragos, which took part in the incident response.
Source link: Cybersecuritydive.com.