Sophia Skwarchuk, Cybersecurity Specialist, & Vince Kuchar, CEO of RMC
As we enter 2025, the operational technology (OT) cybersecurity landscape faces intensifying threats. The past year has revealed how advanced threat actors – nation-states, cybercriminal organizations, and hacktivist groups – have honed their focus on critical infrastructure, employing increasingly sophisticated tactics to exploit vulnerabilities and disrupt essential systems.
From espionage to ransomware and operational sabotage, these threat actors have demonstrated their ability to leverage advanced tools and techniques to breach OT environments. At RMC, we closely monitor these developments to provide actionable insights and risk-informed strategies that protect our clients’ most critical assets.
Top Threat Actors to Watch in 2025
Over the last year, several groups have emerged as major OT threat actors, each employing unique strategies to target industrial systems and critical infrastructure.
- Volt Typhoon: A China-linked advanced persistent threat (APT), Volt Typhoon is notable for its use of “living-off-the-land” techniques, which rely on native tools within compromised systems to avoid detection. Their operations have targeted U.S. critical infrastructure, prioritizing espionage and long-term persistence.
- Laurionite: This group has risen to prominence through campaigns targeting the energy and manufacturing sectors. Laurionite’s ability to exploit vulnerabilities in widely used systems underscores the growing accessibility of advanced tooling, which allows for more rapid reconnaissance and payload delivery.
- Sandworm: With ties to Russia’s military intelligence agency, Sandworm remains a key player in OT-focused cyberattacks. Known for disruptive operations against Ukraine’s power grid, Sandworm exemplifies the potential for OT-targeted campaigns to create large-scale societal and economic consequences.
- CYBERAV3NGERS: This Iranian-affiliated group has been linked to attacks on critical infrastructure, including water utilities and energy systems in the U.S. and Europe. Recently, CYBERAV3NGERS introduced IOCONTROL, a sophisticated malware family targeting a wide range of Internet of Things (IoT) and OT devices, including programmable logic controllers (PLCs) and human-machine interfaces (HMIs). IOCONTROL demonstrates advanced capabilities such as persistence, encrypted communication, and port scanning. Additionally, CYBERAV3NGERS leverages generative AI (Gen AI) tools, such as ChatGPT, to enhance its tactics, solidifying its reputation as a growing global threat to industrial systems.
- Qilin Ransomware Group: Unlike traditional ransomware operations that encrypt data, Qilin has focused on customizing payloads designed to disrupt industrial processes, marking a significant shift toward operational sabotage.
These groups – and others like NoName057(16) and the Cyber Army of Russia – demonstrate how attackers are combining traditional tactics with emerging technologies to achieve their objectives.
Why OT Systems Are Attractive Targets
OT environments are uniquely vulnerable due to their critical role in supporting essential infrastructure and the inherent challenges in securing them. Many rely on legacy technologies that were not designed to withstand modern cybersecurity threats, leaving them susceptible to exploitation. Moreover, the convergence of IT and OT systems has introduced new vulnerabilities, expanding the attack surface available to adversaries.
Slow patching cycles and the use of proprietary, outdated systems compound the risks. Attackers are increasingly exploiting these weaknesses, deploying tools like ransomware and taking advantage of gaps in network segmentation to cause widespread disruptions. The stakes are high – successful attacks on OT environments can result in financial losses, reputational damage, and even threats to public safety.
Addressing the Threat Landscape
The evolving nature of OT threats demands a proactive, strategic approach. At RMC, we emphasize the importance of tailored defenses that address the specific vulnerabilities of OT systems. Our methodologies include:
- Conducting in-depth threat assessments to identify and prioritize risks.
- Implementing segmentation and layered security measures to enhance resilience.
- Developing comprehensive incident response and recovery plans to ensure operational continuity.
As attackers refine their strategies, organizations must stay ahead by adopting a risk-informed approach that considers both immediate threats and long-term trends. Building a culture of cybersecurity awareness across all levels of an organization is essential for mitigating risks and ensuring preparedness.
Insights and Expertise for 2025
As we look ahead to the new year, OT threats are expected to continue evolving as adversaries adopt new tools and refine their tactics. Emerging technologies, including Gen AI, are lowering the barriers to executing sophisticated attacks, enabling threat actors to focus not only on vulnerabilities but also on directly targeting the processes and operations that OT systems control.
These developments highlight the critical need for vigilance, adaptability, and forward-looking strategies to anticipate and mitigate risks. At RMC, our approach emphasizes collaboration with subject-matter experts to deliver the most comprehensive solutions possible. Here’s an additional perspective from our very own Jim Lutz, Technical Vice President and Cybersecurity Expert for OT/ICS:
“The cybersecurity challenges we’re seeing as we enter 2025 reflect a significant evolution in both the sophistication and accessibility of adversarial tactics. Threat actors like CYBERAV3NGERS and Salt Typhoon, a Chinese hacking group recently linked to deep intrusions into American telecom networks, are demonstrating capabilities beyond what many would have anticipated. These groups are not only leveraging advanced tools like Gen AI but are also reducing the barriers to executing complex attacks by exploiting the interconnected systems that underpin OT, IoT devices, and IT environments.
“What’s critical now is recognizing that these evolving tactics demand a fundamental shift in how we approach defense. Proactive strategies are essential, but they must be guided by real-time intelligence and a comprehensive understanding of adversaries’ methodologies. As defenders, we must embrace adaptability and integrate insights from both traditional methods and emerging technologies to safeguard critical infrastructure. The stakes couldn’t be higher, and the risks are no longer theoretical – they are unfolding in real time with profound implications for industries across the globe.”
The rise in OT-targeted attacks serves as a wake-up call for organizations to bolster their defenses. At RMC, we combine deep expertise with forward-looking strategies to help clients safeguard their critical operations and navigate the complexities of this ever-evolving threat landscape.
How can RMC help your organization?
Contact us today: sales@rmcglobal.com
Be sure to follow RMC on LinkedIn, and bookmark our News & Perspectives website to stay apprised of industry insights and topical advice on establishing cyber resiliency in OT environments.