A recent report by Trellix reveals that cybercriminals are increasingly exploiting information technology (IT) vulnerabilities to infiltrate operational technology (OT) systems that support critical industrial processes. Covering the period from April to September 2025, the Operational Technology Threat Report outlines a troubling trend involving state-sponsored groups, criminal organizations, and hybrid operators blending espionage and extortion with cyber operations linked to geopolitical conflicts.
The manufacturing sector suffered the most, accounting for 41.5% of the detections, while transportation and shipping were responsible for 27.6%. Other sectors, including utilities, energy, and aerospace and defense, made up the remainder of the reported activity. These findings underscore the high stakes involved in these industries, given their reliance on integrated systems and the severe impact of operational disruptions.
Most detected attacks targeted IT infrastructure within organizations focused on OT. Attackers commonly used entry points such as mail systems, perimeter gateways, and endpoints. Rather than attempting direct assaults on fortified controllers, they targeted exposed business systems connected to Level 3 and Level 4 environments.
One particularly concerning group, Sandworm, was responsible for nearly one-third of observed OT-related intrusions in recent years. Their activities during the reporting period primarily targeted Ukrainian energy and telecommunications networks. Sandworm employed the malicious software Industroyer2 to manipulate substation operations and deployed wipers to hinder recovery efforts. This strategic use of destructive tools highlights a deliberate intent to align cyberattacks with physical conflict.
Another advanced threat, TEMP.Veles, also known as XENOTIME, poses significant risks to safety instrumented systems. The group's earlier attempts to alter safety logic, most notably with the TRITON malware, show how its tactics continue to evolve. Recent reconnaissance against energy and chemical organizations suggests an ongoing strategy of maintaining access for future operations of strategic value.
In addition, Iranian groups APT33 and APT34 have shifted focus from espionage to more destructive activities. Their operations, which target aviation, petrochemical, and government networks, rely on credential theft, exploitation of web-facing infrastructure, and wiper deployment. This evolution indicates a move towards coercive tactics that blend theft with disruption.
Criminal organizations are also demonstrating a growing understanding of industrial dependencies. The Qilin group has executed 63 confirmed attacks against industrial entities since mid-2024, particularly focusing on energy distribution and water utilities. Their use of both Windows and Linux payloads allows for broader infiltration across mixed environments. Several incidents have involved the encryption of shared engineering resources and historian systems, causing operational delays despite controllers remaining untouched.
The convergence of financial motives and OT-aware methods is evident in these trends. Ransomware operators have recognized that operational disruptions increase their leverage. Consequently, they are adapting their payloads to target systems positioned between IT and OT. The report highlights that attackers often exploit weak segmentation, with PowerShell activity making up the largest share of detections, followed closely by Cobalt Strike.
Findings suggest that adversaries rarely require ICS-specific exploits at the onset of an attack. Instead, they often rely on stolen credentials, remote access tools, and administrative shares to navigate towards engineering assets. Once within the appropriate network segment, they can switch to industrial protocols such as Modbus, DNP3, and IEC 61850, allowing malicious commands to mingle with legitimate traffic. This complicates detection efforts for defenders who may not conduct continuous inspections of process-level communications.
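One concrete form of the process-level inspection the paragraph says defenders often lack, as an added example that is not taken from the Trellix report: parse Modbus/TCP requests and flag write operations issued by hosts outside an allowlist of engineering stations. The IP addresses, allowlist and sample frames are constructed for the example.

```python
import struct

# Modbus function codes that change process state; reads (1-4) are left alone.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed allowlist: the only hosts that should ever issue writes (HMI, engineering workstation).
ALLOWED_WRITERS = {"10.0.3.10", "10.0.3.11"}


def parse_mbap(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("too short for Modbus/TCP")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id != 0, not Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match payload")
    return {"tid": tid, "unit": uid, "function": payload[7], "data": payload[8:]}


def check_write(src_ip: str, payload: bytes):
    """Return an alert for a write request from a non-allowlisted host, else None."""
    req = parse_mbap(payload)
    fc = req["function"]
    if fc not in WRITE_FUNCTIONS or src_ip in ALLOWED_WRITERS:
        return None
    addr = struct.unpack(">H", req["data"][:2])[0]  # first PDU field is the target address
    return {"src": src_ip, "unit": req["unit"],
            "function": WRITE_FUNCTIONS[fc], "address": addr}


# Constructed sample traffic: (source IP, raw TCP payload sent to port 502).
SAMPLE = [
    ("10.0.3.10", bytes.fromhex("0001000000060103000A0002")),  # read holding regs from HMI
    ("10.0.3.10", bytes.fromhex("000200000006010600100001")),  # write register from HMI
    ("10.0.1.55", bytes.fromhex("0003000000060105001AFF00")),  # write coil from an IT-side host
]


def scan(traffic):
    """Run every request through check_write and collect the alerts."""
    return [a for a in (check_write(ip, p) for ip, p in traffic) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only the coil write from the IT-side host is reported; the identical function code from the allowlisted HMI is treated as legitimate traffic.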
The vulnerability data emphasizes the critical need for robust boundaries between enterprise and industrial systems. Ongoing exploitation of devices such as Cisco ASA and FTD has been reported, including attacks that modify device firmware. Additionally, critical flaws in SAP NetWeaver and other manufacturing operations software have created direct entry points into factory workflows. Recent disclosures affecting Rockwell ControlLogix and GuardLogix platforms raise concerns due to their potential for remote code execution or forcing controllers into a non-operational state, posing immediate availability and safety risks.
Patching within OT networks typically takes over 180 days, as updates necessitate scheduled downtime. Consequently, vulnerable services often remain unpatched long after fixes are available. John Fokker, Vice President of Threat Intelligence Strategy at Trellix, emphasizes the importance of regular training sessions for employees. He states, “Coaching employees about emerging threats, phishing attempts, and safe handling of sensitive information can significantly reduce risks. Furthermore, involving employees in security best practices and readiness testing fosters a culture of resilience across the entire organization.”
As cyber threats increasingly target industrial systems, the need for enhanced security measures and employee awareness is more critical than ever. The insights from Trellix’s report serve as a wake-up call for organizations to prioritize their defenses against these evolving threats.