Rising Risk of State-Linked Attacks on Power Grids and Operational Technology
Reporting highlighted growing concern that state-affiliated and state-linked actors are positioning for disruptive attacks against operational technology (OT) and critical infrastructure, with activity that may be difficult for operators to detect. A Codific analysis described five common pathways seen in disruptive grid-focused intrusions—often beginning with human error or exposed perimeter services, then escalating through credential theft, remote access exploitation (e.g., VPNs/gateways), ransomware, and misuse of legitimate industrial commands that can delay operations and complicate detection and recovery; it also warned that attacks on virtualized environments can hinder restoration efforts and that cascading impacts could be severe (e.g., Lloyd’s “Business Blackout” scenario estimating losses up to $1T). Recommended mitigations emphasized proven controls such as phishing-resistant MFA and IT/OT segmentation, rather than novel defenses.
Separate commentary and media content also pointed to OT becoming a frontline in geopolitical escalation, including claims of a coordinated campaign tied to Iran-linked hacktivist activity targeting OT devices such as Unitronics PLCs used in water and industrial facilities, alongside psychological operations and SMS spoofing. Other items in the set were leadership/career/podcast-style content without specific incident or vulnerability detail and do not materially add to the OT/power-grid threat reporting.
Related Entities
Organizations
Sources
Related Stories
Rising OT Threat From Credential Abuse and 'Living-off-the-Plant' Techniques
Security reporting and expert commentary warn that **operational technology (OT)** environments remain highly exposed due to fragile access controls and that attacker capability is trending toward more dangerous, process-aware operations. Lessons drawn from the 2015 **Ukraine power grid** disruption emphasize that remote connectivity, vendor access, and broad VPN permissions can become the “soft underbelly” of critical infrastructure, with recurring real-world examples of disruption tied to **misused remote access and stolen credentials** (including the **Colonial Pipeline** shutdown following a compromised password). The core takeaway is that OT systems are no longer “too specialized” to be targeted, and that common enterprise intrusion paths—credential compromise and remote access abuse—continue to translate into operational impact when they bridge into industrial environments. Separately, OT-focused threat analysis highlights early signs that attackers are gaining the “process comprehension” historically missing from many intrusions into industrial systems. A forthcoming RSA Conference 2026 presentation is expected to demonstrate **“living-off-the-plant”** techniques—analogous to living-off-the-land in IT—where adversaries leverage native industrial tooling and legitimate functions inside plants to blend in and potentially manipulate physical processes. The reporting argues that “security by obscurity” (attackers’ unfamiliarity with bespoke/legacy OT) has limited the severity of many incidents so far, but that this advantage is eroding as adversaries become more comfortable operating within industrial environments, increasing the risk of more consequential OT attacks.
1 months ago
Destructive Cyberattack on Poland’s Energy Sector via Vulnerable Edge Devices
Poland’s Computer Emergency Response Team reported that a **destructive cyber incident** in December 2025 compromised **OT/ICS environments** across the country’s energy sector, including **renewable energy plants** (wind and photovoltaic), a **combined heat and power** facility, and at least one **manufacturing** organization. The intrusion reportedly began through **vulnerable internet-facing edge devices**, after which the actor deployed **wiper malware** that damaged **remote terminal units (RTUs)**, destroyed data on **human-machine interfaces (HMIs)**, and **corrupted firmware** on OT devices—resulting in a loss of operator “view and control” even where renewable generation continued producing power but could not be monitored or controlled as designed. Reporting indicated the activity overlapped with infrastructure associated with a **Russian government-linked** hacking group. CISA issued an alert to U.S. critical infrastructure organizations to amplify the Polish findings and emphasize mitigations for **energy-sector OT/ICS** defenders, highlighting the ongoing risk from **end-of-support edge devices** and the need to harden remote access paths, credential hygiene (including **default credentials**), and incident response planning for scenarios where OT devices may become inoperable or permanently damaged due to firmware corruption. Separate industry commentary and a Dark Reading article provided broader context on the evolution of OT threats (e.g., lessons from Ukraine’s 2015 grid attack and emerging “living-off-the-plant” techniques), but did not add incident-specific details about the Poland event beyond reinforcing the general trend of increasing attacker capability and interest in industrial environments.
3 weeks ago
Dragos Annual Review Warns of Mischaracterized OT Ransomware and Nation-State Prepositioning
Dragos’ annual review of cyberattacks targeting **operational technology (OT)** warns of a “silent epidemic” of **ransomware impacting commercial OT environments** that is frequently **mischaracterized as an IT-only incident**, obscuring operational impact and hindering effective response. Dragos CEO **Rob Lee** attributed this to gaps in OT understanding within IT security teams and to insufficient collection of OT network telemetry needed to perform reliable root-cause analysis and accurately scope incidents. The report also highlights concerning evolution in **nation-state OT threat activity**, describing a shift from basic initial-access efforts toward **OT-focused reconnaissance** and **pre-positioning** intended to enable future disruptive or real-world effects. Overall, Dragos frames the combination of limited OT visibility, misclassification of incidents, and increasingly purposeful nation-state operations as key risk drivers for organizations running industrial and other OT systems.
3 weeks ago