However, Dragos noted that precise attribution remains challenging, and overlapping activity between two groups does not necessarily mean they are the same entity.

The second group, Azurite, has also been linked to threat groups tied by other cybersecurity firms to China, including Flax Typhoon, Ethereal Panda, and UNC5923. Some links have also been found to Voltzite.

The threat group has been seen stealing operational information from manufacturing, automotive, electric, defense, oil and gas, and government organizations in Taiwan, the United States, Japan, South Korea, Australia, and Europe.

The hackers have compromised SOHO routers to build proxy infrastructure. They have also leveraged compromised edge devices to pivot to OT, including engineering workstations, from which they could conduct malicious activities using existing software to evade detection.

According to Dragos, Azurite has exfiltrated OT network diagrams and operational data, including alarm data, PLC configurations, and HMI data. While the goal may be intellectual property theft, the stolen information could also be used to cause disruption in the targeted organization.

“Azurite has not been observed manipulating, stopping, or modifying OT-specific software; it has only identified and exfiltrated information already on target assets,” the security firm said in its report.
“This activity is highly likely to support capability development, target designation, and environment awareness for the preparation of offensive operations in case of geopolitical conflict.”

The third new group is Pyroxene, whose activity and techniques overlap with groups known to be associated with Iran, including APT35 (Charming Kitten).

Pyroxene, which has been around since at least 2023, specializes in cross-domain access, enabling movement from IT to OT networks.

The group stands out for its use of social engineering, including creating fake LinkedIn profiles that pose as aerospace recruiters, and the use of wipers.

Pyroxene has targeted the manufacturing, transportation, logistics, aerospace, aviation, and utilities sectors in the United States, Europe, and the Middle East.

“Wiper malware targeting IT systems can have a severe downstream impact on ICS operations. Destructive wiping of IT systems can render systems unbootable and disrupt operational dependencies, resulting in loss of availability. Even without direct PLC targeting, the loss of supporting IT services can halt operations, delay recovery, and increase safety risk across industrial environments,” the security firm noted.

It added, “Dragos assesses with moderate confidence Pyroxene is actively positioning for future ICS-impacting operations by exploiting supply chains, trusted relationships, and IT-OT dependencies, creating a credible risk of disruption or destruction even when OT networks are not directly targeted.”

Updates on known threat groups targeting ICS/OT

Kamacite, a Russia-linked group tracked by Dragos for more than a decade and responsible for reconnaissance and initial access in Electrum attacks, has been seen expanding its targets beyond Ukraine. The security firm has observed the hackers scanning for industrial devices in the US, including HMIs, gateways, meters, and variable-frequency drives (VFDs).

Electrum has been conducting disruptive attacks, often targeting Ukraine.
However, this threat group has also recently expanded beyond Ukraine, including with the recent campaign targeting Poland’s power grid.

According to Dragos, this appears to be a result of the conflict in Ukraine — or at least the cyber aspect of the war — winding down, and Russian threat actors resuming global operations in the interests of Moscow, as they did before the war.

In a briefing with the media, Dragos CEO Robert M. Lee pointed out that threat groups are still largely focusing on the theft of intellectual property. However, they are also increasingly focused on collecting data that can later be used to cause disruption or damage.

Dragos’ full 2026 report also includes information on other known threat groups, ransomware attacks on industrial organizations, vulnerabilities affecting ICS/OT products, and recommendations for defenders.
Source: SecurityWeek