Imagine a silent, invisible army burrowing deep into the veins of America's critical infrastructure, not to steal secrets, but to plant the seeds of chaos. This is the chilling reality revealed by Dragos' latest cybersecurity report, which exposes a relentless campaign by state-sponsored hackers to cripple the systems that keep our lights on, our water flowing, and our economy humming. But here's where it gets even more alarming: these aren't just random attacks—they're meticulously planned, long-term operations designed to cause maximum disruption when the time is right.
According to Dragos, a leading authority in operational technology (OT) security, three new threat groups emerged last year, joining the ranks of well-known adversaries like Volt Typhoon, a Beijing-backed crew notorious for infiltrating U.S. electric, oil, and gas companies. These groups aren’t just probing for weaknesses—they’re embedding themselves within critical systems, often for years, waiting for the perfect moment to strike. And this is the part most people miss: their goal isn’t espionage; it’s destruction. As Dragos CEO Robert M. Lee bluntly puts it, “They were embedded in that infrastructure for the purpose of taking it down.”
Volt Typhoon, which Dragos tracks under the name Voltzite, has been particularly brazen. In 2025, the group continued to infiltrate strategic American utilities, not just gaining access but embedding itself in the very control systems that manage industrial processes. “They weren’t just getting in and getting access—they were getting inside the control loop,” Lee explained. Access at that level means the attackers could potentially manipulate physical processes, causing blackouts, pipeline failures, or even catastrophic accidents.
One chilling example? Voltzite compromised Sierra Wireless AirLink devices, using them as a backdoor into U.S. pipeline operations. They exfiltrated operational data, accessed engineering workstations, and stole configuration files—information that could be used to force-stop operations. In another campaign, they leveraged the JDY botnet to scan for vulnerabilities across energy, oil, gas, and defense sectors, likely pre-staging for future attacks.
But China isn’t the only player in this dangerous game. A new group, Sylvanite, acts as Voltzite’s accomplice, weaponizing vulnerabilities in products from companies like F5, Ivanti, and SAP to provide access to critical infrastructure across North America, Europe, Asia, and the Middle East. Another group, Azurite, overlaps with China’s Flax Typhoon and focuses on long-term access to OT engineering workstations, stealing operational files that could be used to develop future attacks. And let’s not forget Pyroxene, linked to Iran’s Islamic Revolutionary Guard Corps, which has been targeting defense and industrial sectors with supply chain attacks.
And here’s the controversial part: while China and Iran grab headlines, Russia remains a silent but deadly threat. Dragos tracks groups like Electrum, linked to Russia’s GRU-run Sandworm unit, which has been probing U.S. water, energy, and manufacturing sectors. Their reconnaissance campaigns may not have led to immediate exploitation, but they signal a dangerous evolution in tactics.
So, what does this mean for the average person? It’s simple: these aren’t just attacks on corporations—they’re attacks on our way of life. A successful strike could leave cities in darkness, disrupt water supplies, or even endanger lives. But here’s the question we need to ask ourselves: Are we doing enough to protect these systems? Or are we sleepwalking into a crisis? Let’s discuss—what do you think? Are we prepared for the cyberwar being waged beneath our feet?