© 2026 Dragos, Inc. All Rights Reserved. Proprietary & Confidential.

Dragos 2026 OT Cybersecurity Report Year in Review, O&G and Petrochemicals Focus

Slide 2: Speaker
Mike Hoffman, Field CTO, Oil & Gas and Petrochemicals (linkedin.com/in/mjhoffman7)
• 26 years of experience across automation and ICS/OT security, with roles in O&G downstream, upstream, and global technical leadership
• Past titles have included Principal Consultant, Principal ICS Security Engineer, Controls & Automation Specialist, Process/CEMS Analyzer Specialist, and Instrumentation & Electrical Technician
• Certified SANS Instructor ICS410/ICS612, GSE #320, Master's in Information Security Engineering from SANS Technology Institute

Slide 3: Middle East Developments: Kinetic Attacks
Impact to the global O&G and Petrochemical markets
• Qatar LNG assets have been impacted and have declared Force Majeure; over 17% reduction in global LNG output
• Bahrain Refinery production was affected due to a drone strike, and has declared Force Majeure
• Kuwait Refineries are at reduced capacity and have declared Force Majeure
• Saudi Arabia's refineries targeted
• UAE Refineries, Gas Fields, and Oil Terminals targeted
• Oman Oil Terminals targeted
• Strait of Hormuz shipping lane effectively blocked, affecting 20% of global oil supply

Slide 4: Middle East Developments: Cyber Attacks
What is going on
• Considerable amount of GPS attacks around the Strait of Hormuz
• Reported adversarial activity and data exfiltration in LNG companies
• BAUXITE claimed Jordanian wheat silo compromise
• MuddyWater increased activity against the US and Israel (historically targeting the EU, but it's shifting focus to the US and Israel)
• Hacktivism is on the rise (claims have doubled since the start of the war)
How to be ready
• Expect Stage 1 Activity: primary operational risk
• Adversaries Will Target Exposed ICS/OT Assets: eliminate or lock down internet-facing devices
• Prepare for Manual Operations: ensure you have offline tested backups
• Expect & Accept Hacktivist Noise: DDoS campaigns, exaggerated claims of operational disruption

Slide 6: 9th Annual Dragos Year in Review
• New specialized threat groups with diverse approaches lower the barrier for established groups to achieve OT impact
• Control loop mapping demonstrates adversaries understand industrial operations at the process level
• Shift from reconnaissance to attempted operational effects throughout 2025
• Ransomware incidents are OT by consequence despite frequent oversimplification and mislabeling
• Organizations still struggle to implement basic controls, preventing an effective response when attacks occur

Slide 7: Dragos Identifies 3 New Threat Groups
Of the 26 threat groups tracked by Dragos, 11 were active in 2025.
[Timeline of threat group identification, 2017 through 2025]

Slide 8: New: SYLVANITE
Rapid exploitation broker enabling VOLTZITE access to critical infrastructure
73% of Dragos IR cases involved active exploitation or credential reuse of VPN/jumphosts
Overlaps with: UNC5221, UNC5174, UNC5291, UNC3236, HOUKEN, Red Dev 61, CL-STA-0048, UTA0178
What Dragos observed:
• Exploited Ivanti VPN vulnerabilities within 48 hours of disclosure
• Installed persistent web shells on F5 devices
• Extracted Active Directory credentials
• Handed off access to VOLTZITE or deeper intrusions
Targets: Electric Power, Water, Oil & Gas, Manufacturing, Public Administration
Slide 9: Rapid Vulnerability Exploitation Campaigns
1. Dec 2023: Ivanti Connect Secure, CVE-2023-46805, CVE-2024-21887
2. 2024: F5 BIG-IP & ConnectWise ScreenConnect; F5: CVE-2023-46747; ConnectWise: CVE-2024-1709
3. Apr 2025: SAP NetWeaver Zero-Day, CVE-2025-31324
4. May 2025: Ivanti EPMM (U.S. Utility Victim), CVE-2025-4427, CVE-2025-4428
• 26% of advisories had NO patch when announced
• 4% had public POC & were actively exploited
• 52%: Dragos provided alternate mitigations when vendors couldn't

Slide 10: VOLTZITE
Demonstrated capability to access & manipulate OT/ICS assets
Overlaps with: VOLT TYPHOON, BRONZE SILHOUETTE, VANGUARD PANDA, INSIDIOUS TAURUS
• Exploited VPN gateways to access utility networks
• Extracted SCADA configuration files from engineering workstations
• Observed operational data to understand process shutdown conditions
• Maintained access through web shells on internet-facing appliances

Slide 11: VOLTZITE Attack Path
[Diagram: ORB botnets including JDY, comprised of mostly SOHO devices; C2 nodes (command & control); vulnerable internet-facing remote access gateway; webshell & C2 agent installation; credentials & access tokens from edge device; stolen credential reuse; EWS software manipulation; sensor data & operational process data; exfiltration via C2]
01 Network perimeter reconnaissance
02 Compromise internet-facing edge devices
03 Establish edge device persistence
04 Exfiltrate credential data from internet-facing edge devices
05 Replay legitimate credentials for lateral movement
06 Exfiltrate OT sensor and operational process data
Slide 12: New: AZURITE
Theft of operational information, long-term access enablement
Overlaps with: Flax Typhoon, Ethereal Panda, UNC5923, Raptor Train, Red Dev 54
What Dragos observed in 2025:
• Accessed engineer workstations through compromised edge devices
• Maintained persistent access for extended periods using living off the land techniques
• Compromised SOHO routers to build proxy infrastructure across multiple countries
• Exfiltrated OT network diagrams and operational data
Targets: Manufacturing, Defense, Automotive, Electric, Government, Oil & Gas

Slide 13: AZURITE VPN Access to OT Environment and Engineer Workstation
[Diagram: adversary at controlled IPs; vulnerability exploitation & compromised credentials; VPN; lateral movement; jump server into OT network; engineer workstation; collect OT information; SOCKS tunnels]
01 Exploit vulnerabilities or use VPN credentials from other credential stuffing
02 Deploy webshell to VPN device
03 Access OT jump server with compromised credentials
04 Access engineer workstation to exfiltrate OT operational information
05 Exfiltrate alarm data, PLC configurations, HMI data, operational information via SOCKS tunnels

Slide 14: AZURITE SOHO Device Compromise to Achieve OT Access
[Diagram: adversary network access; SOHO router, NAS, LTE device on OT network border; vulnerability exploitation or default credentials; engineer workstation; SOCKS tunnels]
01 Direct access to exposed SOHO devices
02 Enroll device into ORB network and/or stage capabilities on ORB
03 Pivot into OT network segment connection with the edge device
04 Identify and then access engineering workstations
05 Exfiltrate alarm data, PLC configurations, HMI data, operational information via SOCKS tunnels
Slide 15: New: PYROXENE
Cross-domain access enabling movement from IT into OT networks
Overlaps with: APT35, Tortoiseshell, UNC1549, Imperial Kitten; assessed by the U.S. Government to be aligned with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC)
What Dragos observed in 2025:
• Compromised defense contractor websites to target employees
• Moved from corporate IT into operational technology networks
• Created fake LinkedIn profiles posing as aerospace recruiters
• Used stolen credentials to access Citrix and VMware systems
Targets: Transportation, Logistics, Aerospace, Aviation, Utilities, Manufacturing

Slide 16: PYROXENE Attack Path
[Diagram: adversary; compromised supply chain websites carrying malicious fingerprinting JavaScript; victim visits and sends system fingerprint to adversary infrastructure; victim directed to spoofed careers portal; social engineering (LinkedIn, DMs); malware documents and fake installers downloaded; infected host; persistence; C2 server; steals system credentials; phishes trusted partners/suppliers using compromised mail server account; secure network]
01 Strategic website compromises
02 Social engineering campaign
03 Deploy RAT/Backdoor
04 Infect victim host
05 Lateral movement into secure network
Supply Chain Attack

Slide 17: Expansion of KAMACITE Targets
Targeted reconnaissance & access establishment enabling ELECTRUM attacks
• European supply chain campaign targeting 25+ Ukrainian ICS vendors and GIE conference attendees with multi-week social engineering
• U.S. reconnaissance scanning industrial devices: Schneider Altivar VFDs, Smart HMIs, Accuenergy AXM modules, Sierra Wireless AirLink gateways
• Industry-specific phishing using native languages and technical terminology
• Hands off established access to ELECTRUM for destructive Stage 2 operations

Slide 18: Systematic Targeting of Operational Workflows
KAMACITE U.S. Campaign (March-July 2025)
Adversaries are mapping entire control loops for future targets & attacks.
Targeted:
• HMIs (command origin)
• VFDs (physical control)
• Meters (process visibility)
• Gateways (remote access)
Also observed:
• VOLTZITE: dumps configs to find process stop triggers
• AZURITE: exfiltrates alarm data for operational boundaries

Slide 19: ELECTRUM: 10 Years of Practice
From manual breaker commands to automated grid attacks
90% still can't detect ELECTRUM-style attacks
1. December 2015: Coordinated attack on 3 Ukrainian distribution operators causing power outages during winter
2. December 2016: Deployed CRASHOVERRIDE malware against Ukrainian transmission substation affecting hundreds of thousands
3. 2022-2025: Deployed Industroyer2, LOTL scripts targeting distribution automation, and multiple custom wipers

Slide 21: BAUXITE
Direct ICS manipulation and destructive operations targeting internet-exposed operational technology
Overlaps with: CyberAv3ngers (hacktivist persona)
What Dragos observed in 2025:
• Threatening email campaign targeting cybersecurity vendors, ICS researchers, and media
• Continued Stage 2 activity: direct manipulation of internet-exposed HMIs, PLCs, and industrial devices
• Deployed two wiper malware variants against Israeli targets during Iran-Israel conflict
Targets: Critical infrastructure globally, with focus on organizations with internet-exposed OT devices
Slide 22: BAUXITE 2025 Activity
[Diagram: BAUXITE / CyberAv3ngers / APTIran; uses VPS infrastructure; adversary-controlled infrastructure: CyberAv3ngers branded domains, associated email accounts, Telegram channels, X accounts]
01 Psychological, influence operations
• Sends threatening, coercive emails to cybersecurity vendors, ICS/OT vendors, and targeted individuals
• Promotes hacktivism claims of disruption, DDoS, and intrusions against: ICS/OT devices; perimeter security devices; energy & utilities; oil & gas; railways & transport
02 Destructive attacks against Israeli targets
• Distributes wiper malware (Windows/Linux) to targeted Israeli organizations

Slide 23: Root Cause Analysis Problem
• 30% of IR cases began with "something is wrong"
• 82% lack criteria for when operational anomalies trigger cyber investigation
Is it cyber? Is it mechanical? Is it operator error?
Many attacks don't look like cyber; they're just operational misuse of legitimate equipment:
• VOLTZITE config dumping looks like troubleshooting
• KAMACITE VFD scanning looks like standard system enumeration
You can't determine root cause if you lack monitoring BEFORE the incident.

Slide 24: AI Compounds the Visibility Problem
Establish visibility BEFORE deploying AI or risk creating exponentially greater blind spots.
"Was this cyber, equipment failure, AI error, or authorized change?"
Impossible to answer without OT visibility & foundational telemetry already in place beforehand.
Organizations are deploying AI in operational environments without first establishing visibility.
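The criteria that slide 23 says 82% of organizations lack can be written down and applied mechanically to the telemetry you already collect. The following is an added example, not from the Dragos deck: two rules run over a constructed OT event log. The first treats a controller configuration read as a cyber trigger unless it comes from an approved engineering workstation inside an approved change window (the VOLTZITE pattern that otherwise "looks like troubleshooting"); the second treats one source touching many devices of the same class in a short window as enumeration (the KAMACITE pattern that otherwise "looks like standard system enumeration"). Host names, the change window, the thresholds and every event record are constructed for illustration.

```python
"""Codified criteria for escalating an OT operational anomaly to a cyber investigation.

Added example, not from the Dragos deck. Host names, change windows and every
event record below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class OtEvent:
    ts: datetime
    src: str        # host that initiated the action
    dst: str        # device that received it
    action: str     # "config_read" or "connect"
    dst_class: str  # "PLC", "VFD", "HMI", ...


# Constructed baseline: who may read controller configuration, and when.
APPROVED_EWS = {"ews-01"}
CHANGE_WINDOWS = [(datetime(2025, 6, 10, 8, 0), datetime(2025, 6, 10, 12, 0))]


def in_change_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def config_read_triggers(events):
    """Rule 1: a controller config read that is not from an approved engineering
    workstation inside an approved change window opens a cyber investigation,
    however much it resembles routine troubleshooting."""
    triggers = []
    for e in events:
        if e.action != "config_read":
            continue
        if e.src in APPROVED_EWS and in_change_window(e.ts):
            continue
        reason = "unapproved host" if e.src not in APPROVED_EWS else "outside change window"
        triggers.append(f"{e.ts:%Y-%m-%d %H:%M} {e.src} read config of {e.dst} ({reason})")
    return triggers


def enumeration_triggers(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 2: one source connecting to at least `threshold` distinct devices of
    the same class within `window` is enumeration, not maintenance."""
    by_key = defaultdict(list)
    for e in events:
        if e.action == "connect":
            by_key[(e.src, e.dst_class)].append(e)
    triggers = []
    for (src, cls), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.dst for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                triggers.append(f"{src} touched {len(distinct)} {cls}s within {window}")
                break
    return triggers


def investigation_triggers(events):
    """All anomalies in `events` that must open a cyber investigation."""
    return config_read_triggers(events) + enumeration_triggers(events)


# Constructed event log for a single site.
SAMPLE_EVENTS = [
    OtEvent(datetime(2025, 6, 10, 9, 15), "ews-01", "plc-01", "config_read", "PLC"),   # approved
    OtEvent(datetime(2025, 6, 10, 22, 40), "ews-01", "plc-02", "config_read", "PLC"),  # outside window
    OtEvent(datetime(2025, 6, 11, 2, 5), "hist-02", "plc-03", "config_read", "PLC"),   # wrong host
    OtEvent(datetime(2025, 6, 11, 3, 0), "ews-01", "vfd-01", "connect", "VFD"),        # two devices: normal
    OtEvent(datetime(2025, 6, 11, 3, 2), "ews-01", "vfd-02", "connect", "VFD"),
] + [
    # six VFDs from one host in six minutes: enumeration
    OtEvent(datetime(2025, 6, 11, 3, 10 + i), "dmz-jump", f"vfd-0{i + 1}", "connect", "VFD")
    for i in range(6)
]

if __name__ == "__main__":
    for line in investigation_triggers(SAMPLE_EVENTS):
        print("INVESTIGATE:", line)
```

The point of the exercise is not the two specific rules but that the decision is made before the incident, against a baseline of approved hosts and windows that operations and security agree on; without that baseline the same events are indistinguishable from maintenance.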
Slide 25: Ransomware by Sector
In 2025, 3300 ransomware attacks targeted industrial organizations.
[Chart: quarterly ransomware attacks (Q1 through Q4) by sector: Manufacturing, Transport, ICS Communications, Electric, Oil & Gas, Government, Renewables, Mining, Water; y-axis 0 to 900]
5 days average dwell time (getting faster)

Slide 26: Ransomware in OT is Mislabeled as IT Problem
Don't call it an IT breach if OT stops working.
Classify by consequence: did operations stop? It's an OT incident.
"It only hit Windows systems." Engineering workstations run Windows. HMIs run Windows. Historians run Windows.
If you classify by operating system, you miss the operational impact. If you classify by network segment, you miss IT/OT dependencies.

Slide 27: The State Of ICS/OT Vulnerabilities
• 15% of vulnerabilities Dragos assessed in 2025 had incorrect CVSS data; of those, More Severe CVSS 64%, Less Severe CVSS 31%, The Same 4%
• 52% of advisories required Dragos to provide mitigations vendors didn't

Slide 28: Where Vulnerabilities Reside
• 22%: vulnerable assets bordering the enterprise (Levels 3.5 | 4 | 5) are exploited for initial access
• 73%: vulnerable assets deep within ICS networks (Levels 0 | 1 | 2 | 3) are close to critical processes
[Diagram: Purdue model from Level 0 (physical process: sensors, actuators) through Level 1 (basic control: PLCs, RTUs, DCS, SIS controllers), Level 2 (supervisory control: SCADA & HMI, HMI & servers), Level 3 (operations systems: historian), Level 3.5 (DMZ: jump server, AV, patch host, log collectors) to Levels 4 and 5 (enterprise: SOC, SIEM, IT security, web servers, email servers); OT sensors shown active at Levels 3.5 and 5]
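Slide 26's "classify by consequence" rule is easy to state and easy to get wrong when the encrypted hosts sit in a DMZ and run no industrial protocol. The following added example (not from the Dragos deck) contrasts the segment-based label with a consequence-based one: it walks a constructed asset inventory's dependency graph from the encrypted hosts to everything that loses function, and calls the incident OT if any of those assets is an engineering workstation, HMI, SCADA server or historian, regardless of where the encrypted hosts sit or what they run. The inventory, asset names and both scenarios are constructed.

```python
"""Classify a ransomware incident by operational consequence rather than by OS
or network segment. Added example, not from the Dragos deck; the asset
inventory and both scenarios are constructed."""
from collections import deque

# Constructed inventory: name -> (function, segment, os, assets it depends on to operate).
INVENTORY = {
    "fileserver-01": ("file share", "IT", "Windows", []),
    "esxi-01":       ("hypervisor", "DMZ", "ESXi", []),
    "scada-vm":      ("SCADA server", "OT", "Windows", ["esxi-01"]),
    "hist-vm":       ("historian", "OT", "Windows", ["esxi-01"]),
    "ews-01":        ("engineering workstation", "OT", "Windows", ["scada-vm"]),
    "hmi-03":        ("HMI", "OT", "Windows", ["scada-vm"]),
}

# Functions whose loss means operators lose view or control of the process.
OT_FUNCTIONS = {"SCADA server", "historian", "engineering workstation", "HMI", "PLC"}


def dependents_of(inventory):
    """Invert the dependency lists: asset -> assets that need it to operate."""
    rev = {name: [] for name in inventory}
    for name, (_, _, _, deps) in inventory.items():
        for d in deps:
            rev[d].append(name)
    return rev


def impacted_assets(encrypted, inventory=INVENTORY):
    """Everything that loses function when the `encrypted` hosts go down (transitive)."""
    rev = dependents_of(inventory)
    seen = set(encrypted)
    queue = deque(encrypted)
    while queue:
        asset = queue.popleft()
        for child in rev.get(asset, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def classify_by_segment(encrypted, inventory=INVENTORY):
    """The mislabeling the deck warns about: look only at where the encrypted hosts sit."""
    return "OT incident" if any(inventory[h][1] == "OT" for h in encrypted) else "IT incident"


def classify_by_consequence(encrypted, inventory=INVENTORY):
    """Did operations lose view or control? Then it is an OT incident.
    Returns the label and the OT-function assets that were taken down."""
    hit = impacted_assets(encrypted, inventory)
    ot_hit = sorted(a for a in hit if inventory[a][0] in OT_FUNCTIONS)
    return ("OT incident" if ot_hit else "IT incident"), ot_hit


if __name__ == "__main__":
    # Scenario A: affiliate encrypts the DMZ hypervisor hosting SCADA and historian VMs.
    for encrypted in ({"esxi-01"}, {"fileserver-01"}):
        label, ot_hit = classify_by_consequence(encrypted)
        print(f"encrypted={sorted(encrypted)}")
        print(f"  by segment:     {classify_by_segment(encrypted)}")
        print(f"  by consequence: {label}  OT assets down: {ot_hit}")
```

For the hypervisor scenario the segment rule answers "IT incident" because nothing in the OT segment was encrypted, while the consequence rule reports the SCADA server, historian, EWS and HMI as down. The dependency list is the part worth maintaining: it is the same information an incident responder needs in the first hour, and the classification falls out of it.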
Slide 29: Necessity of Risk-Based Decision
Only some vulnerabilities need immediate action.
• NOW (2%): of ICS/OT vulnerabilities needed to be addressed; these need to be addressed
• NEXT (71%): are network exploitable with no direct operational impact; mitigate through network monitoring, segmentation & MFA; monitor these for signs of exploitation
• NEVER (27%): pose a possible threat but rarely require action; they likely never need to be addressed

Slide 30: Defenders Can't Keep Up
Findings from pentests, tabletop exercises, assessments, and incident response
Can't See Fast Enough
• 56% have no OT visibility, impeding root cause analysis
• 50% detected ANY red team activity below the IT/OT boundary
Can't Respond Fast Enough
• 80% of TTX struggled to detect & respond before process impact
• 1-3 week recovery times

Slide 31: Active Threat Groups
Who is targeting oil and gas, and how?

VOLTZITE (Stage 2): Upgraded to Stage 2, targeting pipeline operations
Compromised Sierra Wireless Airlink gateways across U.S. midstream, upstream, and downstream pipeline operations. Pivoted to engineering workstations to dump config files and alarm data, mapping what triggers operational processes to stop.
▸ Sierra Wireless Airlink RV50/RV55 exploitation
▸ Sensor and operational data exfiltration from OT
▸ JDY botnet pre-staging VPN appliances across O&G

SYLVANITE (Stage 1): Initial access provider targeting O&G at scale
Targets O&G across North America and Saudi Arabia. Exploits internet-facing edge devices and passes access to VOLTZITE within days. Port scanning alone has caused unintended disruption to legacy OT devices.
▸ N-day exploitation of F5, Ivanti, SAP, and ConnectWise
▸ Credential harvesting; lateral movement via SOCKS5/FRP
▸ Passes access to VOLTZITE for follow-on OT operations

AZURITE (Stage 2): Stealing O&G operational data to enable future attacks
Targets oil and gas engineering workstations to exfiltrate alarm data, config files, and process information. Not disrupting now; collecting the intelligence needed to develop OT-specific attack capability later.
▸ Exploits internet-facing Ivanti, Fortinet, and F5 devices
▸ RDP access to EWS using compromised credentials
▸ Data staged outside OT network via SOCKS5 tunneling

KAMACITE (Stage 1): Mapping U.S. energy infrastructure to prepare ELECTRUM for operations
Between March and July 2025, KAMACITE conducted sustained reconnaissance of U.S. internet-exposed industrial devices, targeting HMIs, VFDs, meters, and cellular gateways in sequence to map entire control loops. O&G infrastructure was directly in scope. KAMACITE's mission is building persistent access for ELECTRUM to operationalize.
▸ Systematic scanning of exposed HMIs, VFDs, meters, and Airlink gateways
▸ Spear-phishing of operators, vendors, and integrators
▸ Passes persistent access to ELECTRUM

Slide 32: Oil & Gas Sector Risks
Key threat themes converging on oil & gas operations in 2025-2026

01 Cellular Gateway Exploitation: your most exposed OT entry point is a device IT doesn't know exists
VOLTZITE compromised Sierra Wireless Airlink gateways across midstream, upstream, and downstream pipeline operations. These cellular routers create unauthorized OT pathways, bypass traditional security controls, and are often invisible to IT teams. Once inside, VOLTZITE pivoted to engineering workstations to map what triggers process shutdowns.

02 OT Intelligence Collection: adversaries are building the capability to attack oil & gas
AZURITE targets O&G engineering workstations to exfiltrate alarm data, configuration files, and process information. This is not disruption; it is the preparation for disruption. The data stolen today almost certainly supports developing OT-specific attack tooling for future physical-consequence operations.

03 Access-Provider Ecosystem: ransomware reaches OT without touching a single industrial protocol
Affiliates authenticate into VPN portals using stolen credentials, pivot to ESXi hypervisors hosting SCADA and historian VMs, and encrypt. Operations lose visibility and control without any ICS-specific exploit. 73% of Dragos IR cases involved VPN or credential reuse as the entry point, and O&G has the highest rate of default credentials of any sector.

Operational Consequences
• Loss of View: stolen config files and alarm data give adversaries the intelligence to cause process disruption while operators lose trust in their own telemetry.
• Loss of Control: VOLTZITE specifically mapped what triggers pipeline processes to stop. That intelligence enables targeted disruption of operations when an adversary chooses to act.
• Physical Impact: ransomware encrypting OT-support hypervisors causes multi-day operational shutdowns. 100% of Dragos OT ransomware cases in 2025 resulted in significant operational disruption.

Slide 33: Recommendations: The Five ICS Cybersecurity Critical Controls
01 ICS Incident Response Plan
02 Defensible Architecture
03 ICS Network Monitoring Visibility
04 Secure Remote Access
05 Risk-based Vulnerability Management
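Control 05, risk-based vulnerability management, is what the Now / Next / Never split on slide 29 operationalizes: a small share of advisories needs action immediately, most can be handled with monitoring, segmentation and MFA, and the rest can be tracked. The following is an added example and not Dragos's methodology; the decision rules are one reading of the three buckets as described on the slide, the field names are an assumed record layout rather than any real advisory feed, and the advisory identifiers and records are constructed placeholders, not real CVEs. It also carries slide 9's point that 26% of advisories arrived with no patch: a NOW item without a patch gets alternate mitigations instead of an empty action list.

```python
"""Now / Next / Never triage of ICS/OT vulnerability advisories.

Added example, not Dragos's methodology. The rules are one reading of the
three buckets on the slide; record fields and advisory IDs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Advisory:
    vuln_id: str                  # placeholder identifiers, not real CVEs
    network_exploitable: bool     # reachable over the network, no local access needed
    operational_impact: bool      # direct loss of view or loss of control if exploited
    exposed: bool                 # affected asset reachable from outside its segment
    exploited_in_wild: bool = False
    patch_available: bool = True


# Compensating controls the slide names for the NEXT bucket.
NEXT_MITIGATIONS = [
    "network monitoring for exploitation attempts",
    "segmentation",
    "MFA on remote access",
]


def triage(adv):
    """Return (bucket, actions) for one advisory.

    NOW:   network exploitable and either directly affects the process, or is
           being exploited against an exposed asset.
    NEXT:  network exploitable but no direct operational impact.
    NEVER: requires local or physical access; track, do not act.
    """
    if adv.network_exploitable and (adv.operational_impact or (adv.exploited_in_wild and adv.exposed)):
        if adv.patch_available:
            actions = ["patch"]
        else:
            # 26% of advisories had no patch when announced: NOW still needs a plan.
            actions = ["apply vendor or alternate mitigation", "isolate affected asset until patched"]
        return "NOW", actions
    if adv.network_exploitable:
        return "NEXT", list(NEXT_MITIGATIONS)
    return "NEVER", ["track; no action until exposure or impact changes"]


def triage_batch(advisories):
    """Bucket counts plus a per-advisory action plan."""
    counts = {"NOW": 0, "NEXT": 0, "NEVER": 0}
    plan = {}
    for adv in advisories:
        bucket, actions = triage(adv)
        counts[bucket] += 1
        plan[adv.vuln_id] = (bucket, actions)
    return counts, plan


# Constructed advisory set covering each branch.
SAMPLE = [
    Advisory("ADV-0001", True, True, True),                          # NOW: network + direct impact
    Advisory("ADV-0002", True, False, True, exploited_in_wild=True),  # NOW: exploited, asset exposed
    Advisory("ADV-0003", True, False, False),                        # NEXT
    Advisory("ADV-0004", True, False, True, patch_available=False),  # NEXT: monitor, no patch yet
    Advisory("ADV-0005", False, True, False),                        # NEVER: local access only
    Advisory("ADV-0006", False, False, False),                       # NEVER
    Advisory("ADV-0007", True, True, False, patch_available=False),  # NOW without a patch
]

if __name__ == "__main__":
    counts, plan = triage_batch(SAMPLE)
    print(counts)
    for vuln_id, (bucket, actions) in plan.items():
        print(f"{vuln_id}: {bucket:5} {'; '.join(actions)}")
```

The inputs that drive the decision (network exploitability, direct operational impact, exposure of the affected asset) are exactly the ones a CVSS string does not reliably carry, which is why slide 27's finding that 15% of assessed scores were wrong matters: the triage has to rest on your own asset context, not on the vendor's number.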
Slide 34: Field Data, TTX Results & Priority Actions for Oil & Gas Operators
O&G TTXs show Major Challenges in COMMUNICATE, CONTAIN, and DOCUMENT. When incidents occur, O&G operators struggle to coordinate, stop, and record what happened.
2025 TTX Results, Oil & Gas Sector (Dragos tabletop exercise performance across OT incident response capabilities):
• Activate: Some Challenges
• Detect: Some Challenges
• Respond: Some Challenges
• Communicate: MAJOR Challenges
• Recover: Some Challenges
• Contain: MAJOR Challenges
• Document: MAJOR Challenges
Priority Actions for O&G Operators
1. Audit every Sierra Wireless Airlink gateway. VOLTZITE specifically targeted these across midstream, upstream, and downstream. Many O&G operators will find gateways IT didn't know existed.
2. Remove default credentials on field devices. 26% of O&G sites still have them. Ransomware variants Fog and Greenlux exploited exactly these weaknesses in 2025.
3. Segment OT from IT, especially vendor access. 29% of O&G reports found poor IT/OT segmentation. Flat architectures allowed ransomware to move laterally without resistance in 2025.
4. Deploy ICS-aware monitoring on SCADA and historians. AZURITE operated inside O&G OT environments undetected. 46% of architecture reviews found significant visibility gaps in O&G.
5. Exercise O&G-specific incident response playbooks. TTXs show Major Challenges in three of seven core IR capabilities. Practice coordinated IT/OT response before an incident forces it.

Slide 35: Field Data, Defensible Architecture Stats
O&G is still struggling with basic controls.

Slide 36: Field Data, OT Visibility Stats (All Engagements)
[Chart, 0% to 100%: OT Visibility Gaps 46%; Detection Gaps (Native Tools) 56%; PowerShell Execution Logging Enabled 5%; Network and Host Visibility 0%]
Slide 37: Field Data, Secure Remote Access
50% of engagements included SRA findings.

Slide 38: Field Data, Vulnerability Findings
80% of engagements included vulnerability findings.

Slide 39: Questions and Answers

Slide 40: Thank you. Questions and Answers