Volt Typhoon and related groups continue compromising American energy networks with destructive intent, while three new Chinese threat groups emerge targeting operational technology systems.
Three new Chinese state-sponsored hacking groups began targeting critical infrastructure in 2025, while Beijing-backed Volt Typhoon and its affiliates maintained persistent access to US energy networks with apparent destructive intent, according to Dragos' annual threat report.
Dragos, which specializes in operational technology (OT) security for critical infrastructure sectors, identified 26 global threat groups targeting industrial control systems in 2025, with 11 active that year. The report highlights an escalation in Chinese cyber operations against American utilities, oil and gas facilities, and manufacturing plants.
Volt Typhoon's destructive focus
The Beijing-linked Volt Typhoon crew, which US authorities have tracked for years, continued its campaign of embedding malware inside strategic American utilities throughout 2025. According to Dragos CEO Robert M. Lee, the group's activities went beyond simple reconnaissance.
"They weren't just getting in and getting access - they were getting inside the control loop" system that manages utilities' industrial processes, Lee told reporters. "Everything they were doing and learning was only useful for disrupting or causing destruction at those sites."
Lee emphasized that Voltzite, a group "highly correlated" with Volt Typhoon, was embedded in US infrastructure "for the purpose of taking it down." The intrusions targeted electric power generation, transmission and distribution, water systems, and oil and gas operations across North America.
In one campaign, the hackers compromised Sierra Wireless AirLink devices to access pipeline operations' OT networks. They exfiltrated operational and sensor data while maintaining access that could potentially manipulate control systems. The attackers also accessed engineering workstations and stole configuration files and alarm data, including information about how to force stop operations.
A separate campaign saw the group using the JDY botnet to scan for public-facing IP address ranges and VPN appliances across energy, oil, gas, and defense sectors. While no exploitation was confirmed during this phase, Dragos assessed with moderate confidence that the intent was pre-staging for future intrusions and exfiltration of operational data.
Three new Chinese threat groups emerge
Dragos began tracking three new Chinese state-sponsored groups in 2025, expanding the landscape of actors targeting Western critical infrastructure.
Sylvanite serves as an initial access broker for Voltzite, responsible for weaponizing vulnerabilities and providing access for deeper OT intrusions. The group exploits known vulnerabilities in internet-facing products from F5, Ivanti, and SAP to provide Voltzite access to electric power, water, sewage, and oil and gas organizations across North America, the UK, Europe, Asia, and the Middle East.
"They're finding edge-device vulnerabilities - the things that a contractor or remote worker would use to get into operations networks," Lee explained. "And within 48 hours of disclosure, they're reverse engineering [vulnerabilities] and hitting those devices."
Azurite, which overlaps with China's Flax Typhoon, focuses on gaining long-term access to OT engineering workstations and exfiltrating operational files including network diagrams, alarm data, and process information. This group targets manufacturing, defense, automotive, electric power, oil and gas, and government organizations across the US, Europe, and the Asia-Pacific region.
The third new group, Pyroxene, overlaps with activity attributed to Imperial Kitten (APT35) - the cyber arm of Iran's Islamic Revolutionary Guard Corps. Dragos observed Pyroxene conducting "supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe."
Pyroxene typically uses recruitment-themed social engineering against targeted individuals, interacting with victims via fake social media profiles before delivering backdoors and other malware. In June 2025, the group deployed data-wiping malware against "multiple undisclosed organizations" in Israel during the military conflict between Iran, Israel, and the US.
Russian operations continue
While the report focuses heavily on Chinese and Iranian activities, Dragos noted that Russia also poses a significant threat to Western critical infrastructure. Earlier in 2025, Dragos attributed December 2025 cyberattacks against Poland's power grid to Electrum, a group that overlaps with Russia's GRU-run Sandworm offensive cyber unit.
Kamacite serves as the initial access provider for Electrum and conducted a reconnaissance campaign against vulnerable internet-exposed industrial devices in US water, energy, and manufacturing sectors between March and July 2025. "While Dragos found no evidence of successful exploitation during this period, the scope and precision of the scanning reveal a meaningful evolution in Kamacite's operational posture," the report stated.
The findings underscore the persistent and evolving nature of state-sponsored cyber threats against critical infrastructure, with multiple nations maintaining active campaigns targeting the industrial control systems that underpin modern society's essential services.
Comments
Please log in or register to join the discussion