Multiple Red Flags for OT Emerge in Dragos’ 2025 Review


Ransomware, Visibility Challenges, and Nation-State Activity

Image: Andrey Popov/Shutterstock

A recent report by cybersecurity firm Dragos highlights an alarming trend: ransomware attacks against operational technology (OT) systems have surged, yet these incidents are frequently misclassified as IT security breaches. The distinction matters because the consequences of such attacks extend beyond data loss to the disruption of physical industrial processes.

The annual review also documents a shift in the tactics of nation-state hacker groups, which are moving beyond simply gaining access toward sustained reconnaissance of OT infrastructure. This pre-positioning poses substantial risk, because it lets attackers prepare for future operations that could cause real-world disruption.

According to Rob Lee, Dragos’ founder and CEO, the misidentification of ransomware incidents is pervasive. “Many ransomware cases on OT systems are being misreported as IT incidents,” Lee stated during a recent press conference to unveil the report. He attributed this issue to the limited understanding of OT systems by many IT cybersecurity teams, coupled with a lack of available data needed for effective root cause analysis of these breaches.

Data collected by Dragos shows that 119 ransomware groups targeted industrial organizations in 2025, marking a 49% increase from the previous year. The report cites 3,318 recorded attacks, although Lee noted that the actual figures may be higher due to unreported incidents.

The challenge of visibility in OT environments remains a critical concern. Stuxnet, discovered in 2010, demonstrated how advanced malware could disrupt industrial systems. “Most asset owners today still lack the ability to detect similar threats,” Lee emphasized, noting that the lack of comprehensive logging on OT networks complicates forensic efforts in the event of an incident.

As OT owners and operators become more aware of the visibility challenges they face, experts like Mark Cristiano from Rockwell Automation are observing a shift in dialogue regarding cybersecurity at the executive level. Leaders are beginning to ask informed questions about the complexities of safeguarding OT environments, driven in part by news regarding nation-state threats and regulatory changes.

Despite increasing regulatory scrutiny aimed at improving cybersecurity practices, the actual effect on operational security remains unclear. Upcoming regulations requiring OT network monitoring for critical electricity infrastructure are expected to be phased in gradually over the next three to five years, a timeline that leaves open how much near-term improvement they will deliver.

Mischaracterization of cyber incidents remains a significant issue. Ransomware attacks that halt manufacturing processes are often recorded as IT breaches, obscuring their true impact on OT systems. Such inconsistent reporting makes it difficult to assess the full extent of damage and risk associated with these incidents.

As observed in the report, adversarial tactics include credential abuse, in which attackers exploit weaknesses in login systems or use stolen credentials to gain access to OT networks. The group Dragos tracks as TAT25-84 exemplifies these strategies, using social engineering to infiltrate systems without raising immediate alarms. The implications for asset owners are clear: without comprehensive monitoring and a deeper understanding of the interplay between IT and OT environments, the risk of severe operational disruption continues to grow.
