Threat Landscape and Security Posture

This chapter begins with the threat landscape in OT environments, examining publicly observed attacks throughout 2025 and comparing them with cybersecurity incidents reported by surveyed organizations to illustrate the overall level of OT exposure to cyber threats and the key areas of defense.

Active OT Threats

Compared with 2024, when threat actors developed numerous ICS malware variants, no new ICS malware was observed in 2025. However, the number of OT cybersecurity incidents increased significantly. Reflecting this shift, the European Union's cybersecurity agency, ENISA, in its Threat Landscape 2025, introduced OT threats as a new indicator, accounting for 18.2% of the threat landscape. Rather than developing custom malware, threat actors focused on exploiting legitimate access paths: ransomware groups targeted IT-to-OT convergence points, and geopolitically motivated actors compromised security appliances and network infrastructure to gain strategic access.

Throughout 2025, ransomware groups and geopolitically motivated actors maintained sustained activity across all critical sectors. Both sets of actors leveraged social media platforms to amplify their operations and recruit supporters, with attacks against OT environments serving as highly visible demonstrations of capability.

Representative 2025 OT Incidents

The following incidents illustrate the range and persistence of threats targeting OT environments throughout 2025:

April 2025 | Lake Risevatnet Dam

Sector: Water Infrastructure

Threat Actor: Z-Pentest (Geopolitically Motivated)

Impact: Threat actors manipulated water control valves at Norway's Lake Risevatnet Dam by exploiting weak authentication on an internet-exposed human-machine interface. Attackers maintained control for four hours, fully opening the valves and increasing water discharge by 497 liters per second. The incident demonstrated that basic security gaps in operational systems can enable direct physical control of critical infrastructure without the need for sophisticated exploits.

May 2025 | Global FortiOS/FortiProxy Exploitation

Sector: Multiple

Threat Actor: Qilin (Ransomware)

Impact: The Qilin ransomware group ran a coordinated campaign exploiting CVE-2024-21762 and CVE-2024-55591 in Fortinet's FortiOS and FortiProxy appliances. Neither was a zero-day by the time of the campaign: both had public advisories and fixes, and the targets were appliances that remained unpatched. Exploitation allowed the attackers to bypass authentication and obtain super-admin privileges on vulnerable devices worldwide, compromising the very security infrastructure that organizations rely on to protect their OT environments. The campaign demonstrated fully automated attack capability, with only victim selection performed manually.

July 2025 | Singapore Critical Infrastructure

Sector: Telecommunications and National Critical Infrastructure

Threat Actor: UNC3886 (State-Sponsored)

Impact: Chinese state-sponsored threat group UNC3886 compromised Singapore's telecommunications sector and critical infrastructure by exploiting CVE-2022-41328 in Fortinet FortiOS and CVE-2025-21590 in Juniper Junos OS routers. The Fortinet flaw had been public since March 2023 and remained unpatched in operational environments for more than two years; the Juniper flaw was disclosed in March 2025. The campaign, publicly disclosed in July 2025, triggered Operation CYBER GUARDIAN, Singapore's largest coordinated cyber defense operation, involving over 100 cyber defenders across multiple agencies, who worked for 11 months to contain the threat.

September 2025 | Major European Airports

Sector: Transportation

Threat Actor: HardBit (Ransomware)

Impact: A HardBit ransomware attack on Collins Aerospace's MUSE passenger processing system disrupted operations at multiple European airports, including Heathrow, Brussels, Berlin Brandenburg, and Dublin. The attack, which began on September 19, forced airports to revert to manual check-in and boarding using pen and paper, causing hundreds of flight delays and cancellations over several days. The incident exposed a single-point-of-failure risk in centralized aviation infrastructure: one vendor's compromise cascaded across numerous international airports simultaneously.

November 2025 | LG Energy Solution

Sector: Manufacturing (Energy Storage)

Threat Actor: Akira (Ransomware)

Impact: The Akira ransomware group compromised LG Energy Solution, one of the world's largest lithium-ion battery manufacturers serving the automotive and energy storage markets. The attack disrupted operations at an overseas facility, and the ransomware group claimed to have exfiltrated 1.67 terabytes of corporate data, including employee personal information (passports, medical records, identification documents), confidential projects, NDAs, financial records, and client information. Operations at the facility have since been restored.

Throughout 2025 | US and Global Critical Infrastructure

Sector: Energy, Water and Wastewater, Food and Agriculture

Threat Actor: Pro-Russia Hacktivist Groups (Geopolitically Motivated)

Impact: Pro-Russia hacktivist groups, including the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16, conducted persistent, opportunistic attacks against US and global critical infrastructure throughout 2025. Their tactics were crude but effective: they logged in to internet-facing VNC services protected by default or weak credentials and used the exposed HMIs to manipulate SCADA systems across multiple sectors. The attacks caused varying degrees of impact, up to and including physical damage to operational equipment. A December 2025 multi-agency advisory from CISA, FBI, NSA, DOE, and EPA warned that these groups show an alarming lack of concern for human safety during real-world operational disruptions.
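The weak-authentication condition that runs through the Lake Risevatnet and pro-Russia hacktivist cases above can be checked on one's own perimeter without any exploit. The following Python script is an added example, not code from this report or from TXOne: it performs only the opening of the RFB (VNC) handshake, in which the server announces which security types it accepts, and flags a service that offers type 1 (None, no authentication at all) or only type 2 (VNC Authentication, a DES challenge-response over a password truncated to eight bytes, with no transport protection). The RFB server in the block is a constructed stand-in so the example runs offline; probe_vnc() is the function to point at a real, authorised target.

```python
"""Probe an RFB (VNC) service for the security types it offers.

Added example, not part of the report. Flags the 'None' security type
(no authentication) and 'VNC Authentication' offered on its own.
"""
import socket
import struct
import threading

RFB_SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}


def recv_exact(sock, n):
    """Read exactly n bytes or raise; RFB fields are fixed-size, so partial reads are errors."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def negotiate_security_types(sock):
    """Run the RFB version exchange on a connected socket; return (version, [security types])."""
    banner = recv_exact(sock, 12)                       # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB server: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) >= (3, 7):
        sock.sendall(banner)                            # accept the server's version
        count = recv_exact(sock, 1)[0]                  # U8 number-of-security-types
        if count == 0:                                  # 0 = rejected, followed by a reason string
            reason_len = struct.unpack(">I", recv_exact(sock, 4))[0]
            reason = recv_exact(sock, reason_len).decode("utf-8", "replace")
            raise ConnectionError("server refused: " + reason)
        types = list(recv_exact(sock, count))
    else:
        sock.sendall(b"RFB 003.003\n")                  # RFB 3.3: server dictates one U32 type
        types = [struct.unpack(">I", recv_exact(sock, 4))[0]]
    return "%d.%d" % (major, minor), types


def probe_vnc(host, port, timeout=5.0):
    """Connect to host:port (only assets you are authorised to test) and return (version, types)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate_security_types(sock)


def assess(types):
    """Collapse the offered types into a finding a ticket can carry."""
    if 1 in types:
        return "NO_AUTH"            # anyone who can reach the port gets the HMI
    if types and set(types) <= {2}:
        return "VNC_AUTH_ONLY"      # brute-forceable, cleartext session
    return "STRONGER_OFFERED"       # e.g. VeNCrypt/TLS; still verify clients are forced onto it


def fake_rfb_server(conn, offered_types):
    """Constructed stand-in for an HMI's VNC service speaking RFB 3.8; serves one handshake."""
    with conn:
        conn.sendall(b"RFB 003.008\n")
        recv_exact(conn, 12)                            # client's version reply
        conn.sendall(bytes([len(offered_types)]) + bytes(offered_types))


def demo(offered_types=(1, 2)):
    """Offline run against the constructed server; returns (version, types, assessment)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_rfb_server, args=(server, list(offered_types)))
    t.start()
    with client:
        version, types = negotiate_security_types(client)
    t.join()
    return version, types, assess(types)


if __name__ == "__main__":
    version, types, verdict = demo()
    names = [RFB_SECURITY_TYPES.get(t, t) for t in types]
    print("RFB %s offers %s -> %s" % (version, names, verdict))
```

Run it against the hosts on your own external attack-surface inventory. A NO_AUTH result on anything reachable from the internet is exactly the condition these groups exploit, and the remedy is network-level (remove the exposure, place the HMI behind authenticated remote access) rather than a stronger VNC password.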

Surveyed Enterprises’ OT Security Posture

In addition to examining major cybersecurity incidents, we turn to the security posture of the enterprises we surveyed and the challenges they faced throughout 2025.

Incident Frequency

60% of respondents reported experiencing cybersecurity incidents in 2025, with half experiencing multiple incidents. We also observed significant variation across industries, ranging from 84% in Food Manufacturing to 37% in Oil and Gas. Differences in OT mission profiles and operational environments likely explain this pattern.

Figure 1.1: OT Cybersecurity Incident Frequency by Industry

Figure 1.2: IT-to-OT Incident Spillover by Industry

IT-to-OT Spillover

IT-origin incidents dominate across all industries, ranging from 87% (Automotive) to 100% (Oil & Gas, Food Manufacturing, Mass Transport). Overall, 96% of incidents were traced to IT systems, with 56% due to direct penetration attacks and 40% to collateral damage. The consistency of IT spillover across sectors underscores the fundamental challenge of IT-OT convergence.

IT Defenses Don’t Work for OT

In IT, ransomware is arguably the easier threat to defend against: it relies on known techniques and is blunted by basic measures (offline backups, patching, endpoint protection), unlike zero-day or custom ICS malware. In OT, those basics are exactly what is missing: patch windows are rare, and endpoint agents often cannot be installed on legacy or vendor-locked systems. So in OT, even commodity ransomware remains hard to fend off. Among our respondents, 52% reported being impacted by ransomware in the past year, and 35% experienced APT-related incidents. In addition, 79% indicated that attackers exploited zero-day vulnerabilities; this figure is self-reported, and the incidents above show how often long-unpatched, publicly known flaws serve the same purpose.

Detection alone leaves a gap: by the time an alert fires, operational damage may already be underway. Organizations face multiple attack vectors at once: over half experienced ransomware, more than one-third faced APT attacks, and most respondents report zero-day exploitation. Addressing this diversity requires controls designed for OT constraints: ones that block known and unknown threats without depending on constant signature updates, protect legacy systems without agents, and operate inline without disrupting production.

Figure 1.3: Prevalence of Major OT Threat Types in 2025 (OT Security Threat Landscape: 2025 Impact)

*Zero-day data based on n=71 organizations that experienced attacks

Ransomware Persistence

Ransomware remains an active and evolving threat across OT environments. Individual groups rise and fall, but the ecosystem adapts: as older operations face law enforcement pressure, new variants and tactics take their place. LockBit's trajectory in recent years, built on a ransomware-as-a-service model with a large affiliate base, illustrates this cycle.

Ransomware Groups

Each ransomware group typically has a limited window of peak activity before law enforcement pressure, operational exposure, or affiliate migration to newer platforms diminishes its impact. As our research team tracked ransomware variants throughout 2025, we observed clear patterns of rise and decline; Qilin, Akira, and Clop were the most active.

Our review of Qilin's attack strategies found that, beyond exploiting vulnerabilities in perimeter devices, the group has begun abusing the Windows driver trust model to evade security controls: the bring-your-own-vulnerable-driver (BYOVD) pattern, in which a legitimately signed but exploitable driver is loaded so that its kernel-level access can be used to disable or blind endpoint protection. In OT environments, where legacy systems are widespread and zero-disruption requirements rule out many countermeasures, these vulnerable drivers require sustained attention.
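A defender cannot patch the vulnerable driver an attacker brings along, but its arrival leaves a trace: Sysmon Event ID 6 (DriverLoad) records every kernel driver load with its path, hashes, and signature status. The following Python script is an added example, not from this report or from any TXOne product, that triages such events against three indicators: a hash on a vulnerable-driver list, a signature that is not valid, and a load path outside the driver store. The block-list entry and the sample events are constructed placeholders; a real deployment would load Microsoft's vulnerable driver blocklist or the LOLDrivers hash set and read events from the log collector.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example, not from the report. Block-list entries and sample events
are constructed placeholders.
"""
import json

KNOWN_VULNERABLE_SHA256 = {
    # placeholder hash standing in for a validly signed vendor driver with kernel read/write
    "b" * 64: "placeholder vendor driver (arbitrary kernel memory access)",
}

# A kernel driver loaded from any of these is out of place regardless of signature.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\temp\\")
# Where legitimately installed drivers live.
TRUSTED_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\driverstore\\")


def parse_hashes(field):
    """Sysmon writes 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'; return {algo: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_load(event):
    """Return findings for one DriverLoad event; an empty list means nothing notable."""
    findings = []
    image = event.get("ImageLoaded", "")
    image_l = image.lower()

    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append("known vulnerable driver: " + KNOWN_VULNERABLE_SHA256[sha256])

    # BYOVD drivers are usually validly signed, so a good signature is not a pass;
    # a bad one is simply an extra reason to look.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append("signature not valid (Signed=%s, SignatureStatus=%s)"
                        % (event.get("Signed"), event.get("SignatureStatus")))

    if any(d in image_l for d in USER_WRITABLE_DIRS):
        findings.append("loaded from user-writable path: " + image)
    elif not any(d in image_l for d in TRUSTED_DIRS):
        findings.append("loaded from outside the driver store: " + image)

    return findings


def triage_log(jsonl):
    """Scan newline-delimited JSON events; return (UtcTime, ImageLoaded, findings) for flagged loads."""
    flagged = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:
            continue
        findings = triage_driver_load(event)
        if findings:
            flagged.append((event.get("UtcTime"), event.get("ImageLoaded"), findings))
    return flagged


# Constructed sample; field names follow Sysmon Event 6 as exported to JSON lines.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 6, "UtcTime": "2025-10-02 03:14:07.001",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-10-02 03:14:09.410",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\hwmon.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Example Hardware Vendor Co.", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-10-02 03:14:11.220",
     "ImageLoaded": "C:\\Windows\\Temp\\k.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unsigned"},
    {"EventID": 1, "UtcTime": "2025-10-02 03:14:12.000",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
])


if __name__ == "__main__":
    for when, image, findings in triage_log(SAMPLE_LOG):
        print(when, image)
        for f in findings:
            print("   -", f)
```

On OT engineering workstations and HMIs the set of legitimately loaded drivers is small and stable, so a per-host-class allow-list of expected driver hashes is usually viable; the same triage function then reduces to "any driver not on the allow-list is a finding", which catches a vulnerable driver even before it reaches a public block list.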

Figure 1.4: The Ransomware Threat Landscape in 2025

Highlighted Cases

Though this report does not profile every active threat actor in 2025, there are several notable cases we believe warrant highlighting.


Scattered Lapsus$ Hunter (Cyber Criminal)

Scattered Lapsus$ Hunter, which surfaced publicly on Telegram in August 2025, is a composite group comprising Scattered Spider, LAPSUS$, and ShinyHunters. The group focuses on supply chain attacks, social engineering, and credential theft, primarily targeting English-speaking regions. After gaining initial access, it relies on legitimate remote management tools to maintain persistence and evade detection, and may escalate to ransomware. In 2025, the group targeted supply chain platforms such as Salesforce, causing widespread credential exposure that extended beyond the original services. Its heavy use of stolen legitimate credentials highlights the limitations of perimeter-only defenses, as compromised SSO or VPN access enables rapid lateral movement, data theft, and ransomware deployment in modern OT environments.

Significance: This is one of the few intrusion paths that deliberately targets supply chain systems. CRM platforms such as Salesforce hold large volumes of operational and business-sensitive information, which forces us to reassess our assumptions about attacker intent. We had treated OT environments as the intended end target of such attacks; these cases suggest that attackers may instead use OT environments as stepping stones to reach supplier networks. That possibility further underscores the importance of supply chain cybersecurity. Defenses must be built on the assumption that the perimeter will be breached, with a contingency plan that still protects critical assets once credentials or access have been stolen.


Qilin (Ransomware)

Qilin emerged as the most active ransomware group in 2025, claiming more than 1,000 victims across sectors including healthcare, food and beverage, manufacturing, automotive, and transportation. Active since at least 2022, the group poses a particularly serious challenge to OT security. Qilin commonly exploits vulnerabilities in perimeter devices and uses antivirus evasion techniques to keep its tooling running, which is especially hard to counter in OT environments where legacy systems are prevalent. Notably, unlike earlier ransomware campaigns that tended to avoid healthcare, Qilin directly targeted hospitals in 2025, leading to large-scale patient data breaches and, in some cases, temporary disruptions to medical services.

Significance: Qilin's primary intrusion vector is the exploitation of known vulnerabilities in widely deployed firewall appliances, followed by ransomware delivered through a ransomware-as-a-service model. Compromising the defensive appliances themselves is nothing new. This case clearly reinforces the importance of layered defenses: when the perimeter device is the point of compromise, endpoint and network-level protections become the critical line of defense against ransomware execution and lateral movement.


Z-Pentest Alliance (Geopolitically Motivated)

Z-Pentest Alliance, a pro-Russian hacking group formed in 2024, has targeted OT environments in critical infrastructure by exploiting vulnerabilities in internet-facing systems and abusing control interfaces to execute physical disruption. In 2025, the group breached OT systems in the oil and gas industry in Texas and Taiwan, resulting in the leak of operational data and screenshots. By publicly showcasing its attacks on social media, the group amplifies the risk of copycats, increasing the likelihood that poorly understood intrusions escalate into operational disruptions, safety hazards, and public service risks.

Significance: This case spotlights a critical reality—much of the infrastructure that sustains national operations is built on OT technologies. When essential public services lack sufficient cybersecurity capabilities, they are at a disadvantage when facing well-resourced threat actors. Therefore, cybersecurity for critical infrastructure must be viewed and addressed at the national security level.


Copyright © 2026 TXOne Networks. All rights reserved.