Cybersecurity risks to industrial systems have escalated, with state actors and criminal organizations exploiting vulnerabilities in information technology (IT) to target operational technology (OT). According to the latest Operational Technology Threat Report from Trellix, covering incidents from April to September 2025, a concerning trend has emerged that intertwines espionage, extortion, and cyber operations tied to geopolitical conflicts.
Manufacturing industries were particularly affected, accounting for 41.5% of detections, while transportation and shipping made up 27.6%. Utilities, energy sectors, and aerospace and defense comprised the remainder of the activity. The prevalence of attacks in these sectors is not surprising, given their reliance on integrated industrial systems and the significant consequences of operational disruptions.
Most detections originated from IT infrastructure within OT-focused organizations, with mail systems, perimeter gateways, and endpoints serving as the primary entry points. Attackers avoided direct assaults on hardened controllers, opting instead to compromise exposed business systems that bridge into the industrial network and working downward from there.
The report highlights the Sandworm group, which was responsible for nearly one-third of OT-related intrusions in recent years. During the reporting period, their activities were concentrated on energy and telecommunications networks in Ukraine. Utilizing the Industroyer2 malware, Sandworm manipulated substation operations and deployed wipers to impede recovery efforts, indicating a clear intent to synchronize destructive actions with ongoing physical conflicts.
Another notable threat is TEMP.Veles, also known as XENOTIME, which the report describes as the most advanced threat to safety instrumented systems. Its earlier use of the TRITON malware, which modified safety controller logic, demonstrates what the group is capable of. Recent activity suggests ongoing reconnaissance in the energy and chemical sectors, focused on engineering workstations and safety networks, consistent with a strategy of maintaining access for future operations rather than immediate disruption.
In addition, Iranian groups APT33 and APT34 have expanded their operations from espionage to destructive activities targeting aviation, petrochemical, and government networks. Their campaigns involve credential theft, exploitation of web-facing infrastructures, and wiper deployment, demonstrating a shift towards coercive tactics that blend theft with disruption.
The Qilin group has conducted 63 confirmed attacks against industrial entities since mid-2024, focusing on energy distribution and water utilities. Their use of Windows and Linux payloads has allowed them to operate effectively within mixed environments. Notably, several incidents involved the encryption of shared engineering resources, resulting in operational delays despite controllers remaining unaffected.
These trends illustrate a convergence of financial motives and awareness of operational technology. Ransomware operators are increasingly adapting their methods to target systems positioned between IT and OT, recognizing that operational disruption enhances their leverage. Attackers favored techniques exploiting weak segmentation, with PowerShell activity constituting the most significant share of detections, followed closely by Cobalt Strike.
The findings underscored that adversaries often do not need industrial control system (ICS) specific exploits at the outset of an attack. Instead, they use stolen accounts and remote access tools to reach engineering assets. Once inside the right network segment, they speak industrial protocols such as Modbus, DNP3, and IEC 61850 directly; because these protocols carry no authentication, a malicious write or control command is syntactically identical to a legitimate one, and only its source, timing, or target distinguishes it. This leaves defenders who lack continuous inspection of process-level communications with little to detect.
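The visibility problem described above can be narrowed by inspecting process-level traffic for commands that change state and checking them against an allowlist of hosts that are supposed to issue them. The following is an added example, not code from the Trellix report or any product it names: it parses Modbus/TCP request frames, flags write function codes coming from any host not on a write allowlist, and rejects malformed frames. The source addresses, the allowlist, and the sample traffic are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Public Modbus function codes from the Modbus Application Protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Functions that change process state; these are the ones worth gating by source.
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Hypothetical policy: which source IP may issue writes to which Modbus unit IDs.
# Constructed for this example; a real list would come from the asset inventory.
WRITE_ALLOWLIST = {"10.10.20.5": {1, 2}}   # the engineering workstation


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # starting address from the PDU, or -1 if not present
    data: bytes       # PDU bytes after the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    function = frame[7]
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else -1
    return ModbusRequest(tid, unit, function, address, data)


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used here only to construct samples)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(src_ip: str, frame: bytes) -> list[str]:
    """Return alert strings for one frame; an empty list means it passed policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed Modbus/TCP from {src_ip}: {exc}"]
    name = FUNCTION_NAMES.get(req.function, f"function 0x{req.function:02x}")
    alerts = []
    if req.function in WRITE_FUNCTIONS and req.unit_id not in WRITE_ALLOWLIST.get(src_ip, set()):
        alerts.append(f"unauthorized write: {src_ip} sent {name} to unit {req.unit_id} "
                      f"at address {req.address}")
    if req.function not in FUNCTION_NAMES:
        alerts.append(f"unexpected {name} from {src_ip} to unit {req.unit_id}")
    return alerts


def run_detection(traffic) -> list[str]:
    """Run inspect() over (src_ip, frame) pairs and collect every alert."""
    alerts = []
    for src_ip, frame in traffic:
        alerts.extend(inspect(src_ip, frame))
    return alerts


# Constructed sample traffic, not a real capture.
SAMPLE_TRAFFIC = [
    # HMI host polling 10 holding registers: a read, no alert
    ("10.10.30.77", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # engineering workstation writing a setpoint to unit 1: on the allowlist
    ("10.10.20.5", build_request(2, 1, 6, struct.pack(">HH", 40, 1))),
    # the HMI host forcing coil 3 ON (0xFF00): not permitted to write
    ("10.10.30.77", build_request(3, 1, 5, struct.pack(">HH", 3, 0xFF00))),
    # same host writing two registers on unit 2 with Write Multiple Registers
    ("10.10.30.77", build_request(4, 2, 16, struct.pack(">HHB", 100, 2, 4) + b"\x00\x01\x00\x00")),
    # a frame whose MBAP length field (20) does not match its actual size
    ("10.10.30.77", struct.pack(">HHHB", 5, 0, 20, 1) + bytes([3, 0, 0, 0, 10])),
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_TRAFFIC):
        print(alert)
```

The point of the example is that nothing in the flagged frames is invalid Modbus; the coil write from the HMI host parses exactly like the setpoint write from the engineering workstation. The only signal is the source-to-unit relationship, which is why the report's "continuous inspection" is really a requirement for an asset inventory that says who may write to what, applied at a tap or span port on the control network.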
Skilled attackers then deploy specialized tools such as Industroyer against power distribution or TRITON against safety controllers, but the initial foothold is still taken at the boundary between enterprise and industrial systems. The report also highlighted ongoing exploitation of Cisco ASA and FTD devices, including modification of device firmware, and recent flaws in SAP NetWeaver and other manufacturing operations software that open direct paths into factory workflows.
Notably, recent disclosures affecting Rockwell ControlLogix and GuardLogix platforms allow remote code execution or force the controllers into a faulted state, presenting immediate safety and availability risks. The report indicates that it typically takes more than 180 days to deploy patches within OT networks, because patching requires scheduled downtime. Consequently, vulnerable services often remain unpatched long after fixes have been made available, which leaves segmentation and tightly restricted access to engineering services as the practical compensating controls in the interim.
In response to these growing threats, John Fokker, Vice President of Threat Intelligence Strategy at Trellix, emphasized the importance of regular training. “Regular training sessions that coach employees about emerging threats, phishing attempts, and safe handling of sensitive information can significantly reduce risks. Furthermore, involving employees in security best practices and readiness testing fosters a culture of resilience within the entire organization,” he stated.
These insights from Trellix’s report underscore the urgent need for organizations to enhance their cybersecurity measures, particularly in sectors critical to infrastructure and national security. As the landscape of threats evolves, proactive and adaptive strategies will be essential to safeguard against increasingly sophisticated cyber adversaries.