Threat Reports Highlight Identity Abuse and OT Intrusions as Primary Initial Access Vectors
Palo Alto Networks’ Unit 42 reported that identity abuse has become the dominant initial access vector in incident response engagements, with identity-based techniques accounting for nearly two-thirds of initial intrusions and an identity-related element present in nearly 90% of cases across the attack lifecycle. The report highlights social engineering as the leading entry method (about one-third of cases), alongside compromised credentials, brute force, overly permissive identity policies, and insider threats; it also notes that growth in machine identities and AI agents is expanding the identity attack surface and complicating detection because malicious use of valid identities can blend into normal telemetry.
Dragos’ 2026 OT/ICS Year in Review described industrial threat actors increasingly moving beyond opportunistic access toward control-loop mapping—identifying engineering workstations and collecting configuration/alarm files to understand how processes behave and enable physical impact. Dragos tracked 26 OT-targeting threat groups and identified new groups (AZURITE, PYROXENE, SYLVANITE), emphasizing specialization and a division of labor where initial-access activity (including targeting internet-facing systems) feeds more OT-capable operators; it also warned that ransomware is driving operational disruption and multi-day outages that require OT-specific recovery and is often underestimated as “just IT.”
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Dragos publishes 2026 OT/ICS Year in Review
On February 17, 2026, Help Net Security reported Dragos' 2026 OT/ICS Year in Review, which warned that OT teams are losing their time advantage against industrial threat actors. The report emphasized ransomware-driven OT outages, visibility gaps, weak segmentation, and the need for better telemetry and monitoring of remote access pathways.
Unit 42 publishes findings on identity as dominant attack entry point
On February 17, 2026, CyberScoop reported Unit 42's new incident response findings that identity remains the dominant entry point for cyberattacks, with social engineering the top initial access method. The report also highlighted multi-surface attacks, faster data theft, and risks from machine identities, AI agents, SaaS integrations, and APIs.
Dragos reports 2025 shift toward control-loop mapping in OT attacks
In its 2026 OT/ICS Year in Review, Dragos said threat actors in 2025 increasingly performed 'control-loop mapping' to understand industrial processes well enough to cause physical effects. The report also described growing specialization among OT-focused groups and the role of initial-access brokers in handing off access to more capable operators.
Identity abuse drives most intrusions in Unit 42 incident dataset
For the year ending in September 2025, Palo Alto Networks' Unit 42 found that identity-based techniques accounted for nearly two-thirds of initial intrusions in incidents it handled. The report also said identity-related weaknesses played a role in nearly 90% of incidents across the broader attack lifecycle.
U.S. utility compromised via Ivanti EPMM flaws
In May 2025, an initial access group identified by Dragos as SYLVANITE compromised a U.S. utility through Ivanti EPMM using CVE-2025-4427 and CVE-2025-4428. The incident was cited as an example of rapid exploitation of internet-facing systems to gain OT-relevant access.
PathWiper emerges in destructive attacks on Ukrainian infrastructure
During 2025, Dragos observed ELECTRUM conducting destructive operations against Ukrainian infrastructure and noted the emergence of the PathWiper wiper malware. The activity reflected continued OT-focused disruptive operations with physical-world implications.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Incident Response Reports Highlight Identity and Low-Complexity Initial Access as Dominant Intrusion Drivers
Two 2026 incident-response reports describe threat actors increasingly favoring **fast, low-complexity initial access** over sophisticated exploitation, with **identity compromise** and common remote access paths repeatedly enabling broad downstream impact. Unit 42’s *Global Incident Response Report 2026* data (based on 750+ engagements) indicates attacker activity crossed multiple attack surfaces in **87%** of cases, requiring investigation across endpoints, identity systems, networks, and cloud services; it also attributes a material role to **identity weaknesses** in nearly **90%** of investigations and reports identity-based techniques as the initial access method in **65%** of cases (e.g., phishing, stolen credentials, brute force, insider activity). Phishing and vulnerability exploitation were cited as top initial access vectors (tied at **22%** each), reinforcing that common, repeatable techniques remain highly effective. Arctic Wolf reporting similarly concludes that attackers are prioritizing **accessible entry points**, with **phishing** frequently initiating business email compromise and with ransomware intrusions often beginning via abuse of **remote access services** such as `RDP`, `VPN`, and **remote monitoring and management (RMM)** tooling. Both sources emphasize that weak access controls—such as excessive permissions, non-phishing-resistant MFA, credential reuse/default passwords, IAM misconfigurations, unmanaged OAuth grants, and stale/shared accounts—allow a single foothold to expand laterally across SaaS, cloud, and on-prem environments, increasing blast radius and complicating detection and response.
Mar 21, 2026
Rising OT Threat From Credential Abuse and 'Living-off-the-Plant' Techniques
Security reporting and expert commentary warn that **operational technology (OT)** environments remain highly exposed due to fragile access controls and that attacker capability is trending toward more dangerous, process-aware operations. Lessons drawn from the 2015 **Ukraine power grid** disruption emphasize that remote connectivity, vendor access, and broad VPN permissions can become the “soft underbelly” of critical infrastructure, with recurring real-world examples of disruption tied to **misused remote access and stolen credentials** (including the **Colonial Pipeline** shutdown following a compromised password). The core takeaway is that OT systems are no longer “too specialized” to be targeted, and that common enterprise intrusion paths—credential compromise and remote access abuse—continue to translate into operational impact when they bridge into industrial environments. Separately, OT-focused threat analysis highlights early signs that attackers are gaining the “process comprehension” historically missing from many intrusions into industrial systems. A forthcoming RSA Conference 2026 presentation is expected to demonstrate **“living-off-the-plant”** techniques—analogous to living-off-the-land in IT—where adversaries leverage native industrial tooling and legitimate functions inside plants to blend in and potentially manipulate physical processes. The reporting argues that “security by obscurity” (attackers’ unfamiliarity with bespoke/legacy OT) has limited the severity of many incidents so far, but that this advantage is eroding as adversaries become more comfortable operating within industrial environments, increasing the risk of more consequential OT attacks.
Mar 21, 2026
Identity Abuse and Credential Misuse as the Primary Initial Access Vector
Recent threat intelligence reporting indicates **identity-based attacks** (credential theft, social engineering, and misuse of legitimate access) are now the dominant driver of initial compromise, increasingly outpacing exploitation of software vulnerabilities. A *Unit 42* report cited by SC Media attributes **65% of initial access** to identity techniques versus **22%** to vulnerabilities, and notes accelerating attacker tempo—down to **72 minutes** from initial access to data exfiltration in the fastest observed cases—alongside growing cross-surface intrusions where **87%** of incidents span multiple environments (endpoints, cloud, SaaS, and identity systems). The report also highlights the **browser** as a key battleground (involved in **48%** of attacks) and a sharp rise in **SaaS supply-chain** abuse (nearly **4x** since 2022), including the use of **OAuth tokens** and **API keys** for lateral movement. Separately, Google Threat Intelligence Group commentary on the **defense industrial base (DIB)** describes adversaries shifting beyond classic espionage toward operations intended to **disrupt production capacity** and **compromise supply chains**, with **identity** increasingly treated as the “new security boundary” across the broader defense ecosystem (from prime contractors to smaller dual-use suppliers). The DIB focus underscores that credential-driven access and downstream supply-chain compromise can have strategic impact beyond data theft, including staging access for future contingencies and enabling ransomware/extortion that indirectly degrades defense supply availability.
Mar 21, 2026