China-linked hackers target US energy control systems, report finds
Summary
Dragos reports three new and two existing state-backed groups, including China's Volt Typhoon/Voltzite, are actively targeting global critical infrastructure for espionage and destructive attacks, with a focus on OT systems.
China targets the control loop
Three new threat groups began targeting global critical infrastructure in 2025 as state-sponsored hackers shifted their focus toward physical disruption. Cybersecurity firm Dragos identified these groups in its annual threat report, which tracks adversaries capable of compromising industrial control systems (ICS). The total number of tracked groups worldwide has now reached 26, with 11 of those groups remaining active throughout the last year. The Beijing-linked group known as Voltzite, which correlates with the Volt Typhoon crew, maintained long-term persistence inside American electric, oil, and gas companies. These hackers did not prioritize traditional espionage or the theft of intellectual property. Instead, they focused on the "control loop" systems that manage industrial processes to prepare for future destructive attacks. Dragos CEO Robert M. Lee confirmed that Voltzite remained embedded in strategic utility networks to ensure they could take the infrastructure down when ordered. The group specifically targeted Sierra Wireless AirLink devices to gain entry into the operational technology (OT) networks of U.S. pipeline operators. Once inside, they exfiltrated sensor data and stole configuration files that detailed how to force an emergency stop of operations. Voltzite also utilized the JDY botnet to scan for public-facing IP addresses and VPN appliances across the defense and energy sectors. Dragos analysts believe this scanning served as pre-staging for future intrusions. The group’s ability to access engineering workstations allowed them to view alarm data and network diagrams, providing a blueprint for physical sabotage.
New groups exploit edge devices
A new threat group called Sylvanite emerged in 2025 to act as an initial access broker for Voltzite’s operations. Sylvanite specializes in weaponizing vulnerabilities in internet-facing products from F5, Ivanti, and SAP. Once they secure a foothold in a network, they hand off access to other Chinese state-sponsored teams for deeper industrial penetration. Sylvanite moves with extreme speed, often reverse-engineering vulnerabilities within 48 hours of their public disclosure. They target the edge devices that contractors and remote employees use to connect to sensitive operational networks. This rapid exploitation cycle allows them to bypass traditional patch management schedules at many utilities. The group's activity spans several critical sectors across North America, Europe, and the Middle East, including:
- Electric power generation and distribution
- Water and sewage treatment facilities
- Oil and gas extraction and refining
- Global manufacturing and transportation hubs
Iran pivots to industrial targets
The third new group identified in the report, Pyroxene, overlaps with the Iranian-backed Imperial Kitten (also known as APT35). Pyroxene expanded its operations from the Middle East into North America and Western Europe during 2025. This group utilizes supply chain attacks to target defense contractors and industrial sectors. Pyroxene frequently employs social engineering via recruitment-themed lures to compromise specific individuals. Hackers create fake social media profiles to interact with targets before delivering backdoors and custom malware. In June 2025, the group deployed data-wiping malware against multiple organizations in Israel during a period of heightened regional military conflict. This group often collaborates with an access provider known as Parisite to enter critical infrastructure organizations. By leveraging existing access, Pyroxene can deploy its tools quickly without needing to find new vulnerabilities. Their shift toward Western industrial targets suggests a broader mandate from the Islamic Revolutionary Guard Corps (IRGC) to develop disruptive capabilities outside of their immediate region. The Iranian activity highlights a growing trend of "wiper" malware being used in industrial settings. Unlike ransomware, which seeks a payout, wiper malware is designed solely to destroy data and paralyze operations. Dragos noted that Pyroxene’s tactics are evolving to include more sophisticated methods of bypassing endpoint detection systems.
Russia monitors American water systems
Russian threat actors continued to pose a significant risk to Western utilities and any nations supporting Ukraine. Dragos attributed the December 2025 cyberattacks against Poland’s power grid to Electrum. This group overlaps with the Sandworm unit operated by the Russian GRU, which previously executed the 2022 attack on Ukrainian power facilities. A group called Kamacite serves as the primary access provider for Electrum's grid-focused attacks. Between March and July 2025, Kamacite conducted a massive reconnaissance campaign against internet-exposed industrial devices in the United States. They focused specifically on the water, energy, and manufacturing sectors to identify vulnerable entry points. While Dragos found no evidence of successful exploitation during this specific scanning window, the precision of the campaign signals a shift in Russia's operational posture. The hackers are no longer just scanning the entire internet; they are building a database of specific American targets. This reconnaissance allows for faster deployment of malware if geopolitical tensions escalate. Industrial organizations face several persistent challenges when defending against these state-sponsored groups:
- Lack of visibility into "east-west" traffic between different industrial controllers
- The use of "living off the land" techniques that employ legitimate administrative tools to hide malicious activity
- Shared credentials between IT and OT environments that allow hackers to jump across network boundaries
- Aging hardware that cannot support modern security protocols or encryption
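The first and third challenges in the list above (east-west visibility between controllers, and IT-to-OT boundary crossings) are the kind of thing an OT monitoring rule can surface from flow records. The following is an added example, not code from Dragos or from the article: it keeps a baseline of expected OT conversations and flags any controller-to-controller flow outside that baseline, plus any flow from an IT subnet into the OT subnet. The subnets, the baseline entries, the key=value log format and the sample flows are all constructed for the example.

```python
"""Baseline check for east-west OT traffic and IT-to-OT crossings (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network layout: one OT range and one IT range (assumptions, not from the report).
OT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
IT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed baseline of expected OT conversations as (src, dst, dport).
# In practice this comes from a learning period plus engineering review.
BASELINE = {
    ("10.10.1.10", "10.10.1.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.10", "10.10.1.21", 502),    # HMI -> second PLC, Modbus/TCP
    ("10.10.1.50", "10.10.1.20", 44818),  # engineering workstation -> PLC, EtherNet/IP
}

# Constructed sample flow records in a simple key=value format.
SAMPLE_LOG = """\
src=10.10.1.10 dst=10.10.1.20 dport=502 proto=tcp
src=10.10.1.50 dst=10.10.1.20 dport=44818 proto=tcp
src=10.10.1.20 dst=10.10.1.21 dport=502 proto=tcp
src=10.20.5.5 dst=10.10.1.50 dport=3389 proto=tcp
src=10.10.1.10 dst=10.10.1.21 dport=502 proto=tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")


def parse_flows(text: str) -> List[Flow]:
    """Parse key=value flow lines; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return flows


def _in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a suspicious flow, or None if it is expected."""
    src_ot = _in_nets(flow.src, OT_NETS)
    dst_ot = _in_nets(flow.dst, OT_NETS)
    # Any IT-originated connection into the OT range crosses the boundary.
    if _in_nets(flow.src, IT_NETS) and dst_ot:
        return "it-to-ot-crossing"
    # East-west traffic inside OT is only acceptable if it is in the baseline.
    if src_ot and dst_ot and (flow.src, flow.dst, flow.dport) not in BASELINE:
        return "unbaselined-east-west"
    return None


def triage(text: str) -> List[Tuple[str, Flow]]:
    """Run the classifier over a log and return (label, flow) pairs in log order."""
    findings = []
    for flow in parse_flows(text):
        label = classify(flow)
        if label:
            findings.append((label, flow))
    return findings


if __name__ == "__main__":
    for label, flow in triage(SAMPLE_LOG):
        print(f"{label:24} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the constructed log, the PLC-to-PLC Modbus flow (10.10.1.20 to 10.10.1.21) is reported as unbaselined east-west traffic and the RDP connection from the IT range into the engineering workstation is reported as a boundary crossing; the three baseline flows produce nothing. A real deployment would feed the same logic from a span port or flow collector and keep the baseline under change control, so that a new controller conversation is reviewed by engineering rather than silently accepted.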
The state of industrial vulnerabilities
The 2025 report highlights a concerning trend in how industrial vulnerabilities are reported and patched. Dragos found that many common vulnerabilities and exposures (CVEs) lack the necessary detail for OT operators to prioritize fixes. The current system often fails to account for the physical impact of a digital breach. Many organizations struggle with the 48-hour exploitation window established by groups like Sylvanite. Patching a critical industrial controller often requires a full system shutdown, which can cost millions of dollars in lost production. This creates a "security debt" where critical systems remain vulnerable for months or years. Adversaries are increasingly targeting the software supply chain to bypass these defenses. By compromising a single software vendor, a threat group can gain access to hundreds of downstream industrial customers. Pyroxene’s recent success with this method suggests it will remain a primary tactic for state-sponsored actors in the coming years. Dragos recommends that critical infrastructure providers implement five key controls to mitigate these risks. These include a defensible architecture, OT-specific monitoring, remote access authentication, vulnerability management, and an incident response plan that accounts for physical safety. Without these measures, the "control loop" remains an open target for global adversaries.