SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    China Remains Embedded in US Energy Networks 'for the Purpose of Taking It Down'
Date    Wednesday February 25, @11:55AM
Author    hubie
https://soylentnews.org/article.pl?sid=26/02/24/0437208

Arthur T Knackerbracket writes:

Plus 3 new goon squads targeted critical infrastructure last year:

Three new threat groups began targeting critical infrastructure last year, while a well-known Beijing-backed crew - Volt Typhoon - continued to compromise cellular gateways and routers, and then break into US electric, oil, and gas companies in 2025, according to Dragos' annual threat report published on Tuesday.

Dragos specializes in operational technology (OT) security, and as such, its customers include energy, water, manufacturing, transportation, and other critical industries. Unsurprisingly, these are key sectors for Chinese, Russian, and other government-linked cyber operatives to hack for espionage and warfare purposes.

In its yearly cybersecurity report, Dragos said state-sponsored crews haven't let up on their attempts to compromise America's critical infrastructure, with three new OT-focused threat groups joining the fray. This brings the total number worldwide to 26, and of these, 11 were active in 2025.

Additionally, an existing group that Dragos tracks as Voltzite and is "highly correlated" with Volt Typhoon, according to Dragos CEO Robert M. Lee, kept up its intrusion activities last year. This is the Beijing goon squad that the US government has accused of burrowing into critical American networks for years and readying destructive cyberattacks against those targets.

In 2025, Voltzite continued embedding its malware inside strategic American utilities "to maintain long-term persistence," Lee said.

"They [Voltzite] weren't just getting in and getting access - they were getting inside the control loop" system that manages utilities' industrial processes, Lee said in a briefing with reporters, adding that the PRC-backed crew's primary focus is causing future disruption.

"Nothing that they were taking was useful for intellectual property," Lee said. "Everything they were doing and learning was only useful for disrupting or causing destruction at those sites. Voltzite was embedded in that infrastructure for the purpose of taking it down."

[...] One of the three new groups that Dragos began tracking last year - Sylvanite - serves as Voltzite's initial access broker, responsible for weaponizing vulnerabilities and then handing off this access to Voltzite for deeper OT intrusions.

[...] "They're finding edge-device vulnerabilities - the things that a contractor or remote worker would use to get into operations networks," Lee said. "And within 48 hours of disclosure, they're reverse engineering [vulnerabilities] and hitting those devices."

A second group that emerged during 2025, Azurite, overlaps with China's Flax Typhoon and focuses on gaining long-term access to OT engineering workstations and exfiltrating operational files including network diagrams, alarm data, and process information for downstream capability development.

This group targets manufacturing, defense, automotive, electric power, oil and gas, and government organizations across the US, Europe, and the Asia-Pacific region.

Finally, the third new group, Pyroxene, overlaps with activity attributed to Imperial Kitten (aka APT35) - the cyber arm of the Islamic Revolutionary Guard Corps (IRGC).

Dragos spotted Pyroxene conducting "supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors, with operations expanding from the Middle East into North America and Western Europe," according to the report.

[...] Of course, China and Iran aren't the only nations targeting critical infrastructure in America and around the globe. Russia also poses a threat to Western water and utilities - along with any nations helping Ukraine in its ongoing war against the Kremlin's occupation.

Dragos does not attribute cyberattacks to any nations. However, earlier this year, it blamed the December 2025 cyberattacks against Poland's power grid on a group it tracks as Electrum. This group overlaps with Russia's GRU-run Sandworm offensive cyber unit - the crew behind the 2022 attack on a Ukrainian power facility and earlier wiper attacks that coincided with Russia's ground invasion of Ukraine in 2022.

In its new report, Dragos said that Kamacite serves as the initial access provider for Electrum, and it detailed a reconnaissance campaign that Kamacite carried out against vulnerable internet-exposed industrial devices in US water, energy, and manufacturing sectors between March and July 2025.

"While Dragos found no evidence of successful exploitation during this period, the scope and precision of the scanning reveal a meaningful evolution in Kamacite's operational posture," the report said.


Original Submission

Links

  1. "Arthur T Knackerbracket" - https://soylentnews.org/~Arthur+T+Knackerbracket/
  2. "Plus 3 new goon squads targeted critical infrastructure last year" - https://www.theregister.com/2026/02/17/volt_typhoon_dragos/
  3. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=67892

© Copyright 2026 - SoylentNews, All Rights Reserved

printed from SoylentNews, China Remains Embedded in US Energy Networks 'for the Purpose of Taking It Down' on 2026-04-11 05:17:29