The 2025 Dragos OT/ICS Cybersecurity Year in Review report documents two new malware families, Fuxnet and FrostyGoop, built specifically to act against operational technology (OT) and industrial control systems (ICS).
Together with a sharp rise in ransomware affecting OT environments and the appearance of two new threat groups, they point to critical infrastructure becoming a deliberate target rather than collateral damage.
Emergence of Fuxnet and FrostyGoop
In 2024, two ICS-specific malware variants, Fuxnet and FrostyGoop, were deployed in the ongoing Russia-Ukraine conflict, marking a significant escalation in the use of cyber tools to disrupt critical infrastructure.
Fuxnet, attributed to the pro-Ukrainian hacktivist group BlackJack, targeted Russia’s municipal gas, water, and sewage networks.
It disabled thousands of sensors and destroyed gateway devices, crippling communication systems essential for operational monitoring.
FrostyGoop took a different route: rather than destroying sensor infrastructure, it acted on the industrial process itself.
It communicated with ICS devices over Modbus TCP (port 502), a protocol with no authentication, so any host that can reach port 502 can read and write device registers. The malware used that access to read and modify process values, was not detected by antivirus products at the time, and produced a physical effect.
In January 2024, this malware disrupted district heating in Lviv, Ukraine, leaving over 600 apartment buildings without heat during sub-zero temperatures.
Because Modbus is used in every industrial sector, FrostyGoop's technique is not specific to heating systems; the same approach can be turned against any Modbus-speaking device.
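The practical defensive lesson from FrostyGoop is that Modbus carries no authentication, so the only signal that separates an operator's write from an attacker's write is who sent it. The following is an added example, not code from the Dragos report or from FrostyGoop itself: a minimal Modbus/TCP request parser plus an audit pass that flags write function codes (05, 06, 15, 16) coming from hosts outside an allowlist of permitted writers. The IP addresses, the allowlist and the three sample frames are constructed for this example; the function codes and the MBAP header layout follow the public Modbus specification.

```python
import struct
from dataclasses import dataclass

# Modbus function codes (public Modbus Application Protocol spec)
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    src: str            # sender IP (from the TCP layer, not the frame)
    transaction_id: int
    unit_id: int
    function: int
    address: int        # starting register/coil address, 0 if N/A
    value: bytes        # raw data field of the PDU


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts unit id + PDU bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id != 0, not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    if fc in (READ_COILS, READ_HOLDING_REGISTERS,
              WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        # address (2) + quantity or value (2)
        (addr,) = struct.unpack(">H", pdu[:2])
        value = pdu[2:4]
    elif fc in (WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        # address (2) + quantity (2) + byte count (1) + data
        addr, _qty, bytecount = struct.unpack(">HHB", pdu[:5])
        value = pdu[5:5 + bytecount]
        if len(value) != bytecount:
            raise ValueError("truncated write payload")
    else:
        addr, value = 0, pdu
    return ModbusRequest(src, tid, uid, fc, addr, value)


def audit(frames, allowed_writers):
    """Return one alert string per write request from a non-allowlisted host."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src} issued write FC{req.function:02d} "
                f"unit={req.unit_id} addr={req.address} value={req.value.hex()}"
            )
    return alerts


# Constructed sample traffic (hypothetical hosts; not captured data):
#  1. HMI at 10.0.1.5 reads 10 holding registers from address 0 (FC03)
#  2. unknown host 10.0.9.77 writes register 16 to 0 (FC06)
#  3. engineering workstation 10.0.1.10 writes two registers at 32 (FC16)
SAMPLE_FRAMES = [
    ("10.0.1.5",  bytes.fromhex("000100000006010300000 00a".replace(" ", ""))),
    ("10.0.9.77", bytes.fromhex("000200000006010600100000")),
    ("10.0.1.10", bytes.fromhex("00030000000b0110002000020400640 0c8".replace(" ", ""))),
]
ALLOWED_WRITERS = {"10.0.1.10"}  # hypothetical: only the engineering workstation may write

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT:", line)
```

Run stand-alone it prints a single alert for the write from 10.0.9.77; the HMI's read and the engineering workstation's write pass. The same allowlist is what a segmented network enforces at the firewall instead of after the fact: if only the engineering VLAN can reach TCP/502 on the controllers, the second frame never arrives.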
Rising Threats: Ransomware and New Adversaries
The Dragos report also revealed an 87% year-over-year increase in ransomware attacks targeting OT/ICS environments.
In 2024 alone, 1,693 ransomware incidents were recorded, with 25% causing complete shutdowns and 75% disrupting operations to varying degrees.
A lack of basic cybersecurity measures such as network segmentation and secure remote access pathways exacerbated recovery challenges for affected organizations.
Additionally, two new threat groups, Bauxite and Graphite, have emerged as significant risks to OT/ICS systems.
Bauxite has been linked to multiple campaigns targeting critical infrastructure across the United States, Europe, Australia, and the Middle East.
Its activity overlaps with that of CyberAv3ngers, a persona associated with Iran's Islamic Revolutionary Guard Corps (IRGC).
Meanwhile, Graphite has engaged in spear-phishing campaigns exploiting vulnerabilities like CVE-2023-23397 (Microsoft Outlook) and CVE-2023-38831 (WinRAR), targeting energy and logistics sectors.
The discovery of these malware variants and the rise of new adversaries signal a shift in the threat landscape for industrial systems.
ICS-specific malware remains rare, since attackers usually get what they need by abusing native engineering functionality or commodity tooling such as botnets, but these developments show adversaries treating ICS environments as strategic targets in their own right.
Dragos emphasizes the importance of proactive defense measures such as network segmentation, secure remote access protocols, and robust vulnerability management to mitigate these threats.
Collaborative information sharing and vigilant monitoring are also crucial to counteract the escalating risks posed by advanced cyber operations targeting critical infrastructure.