OT and ICS Systems Under Siege

A review of cyber activity in 2024 showed adversaries steadily lowering the barrier to entry for targeting OT/ICS environments. Threat actors who previously overlooked or ignored Operational Technology (OT) and Industrial Control System (ICS) attack campaigns now actively pursue them as a viable attack vector to gain attention and cause disruption. For instance, in April 2024, Blackjack released the Fuxnet malware. Although rudimentary compared to more advanced ICS-capable tools like PIPEDREAM, Fuxnet highlighted a growing awareness among adversaries of the disruptive potential inherent in OT networks.

Similarly, the hacktivist CyberArmyofRussia_Reborn (CARR) ran campaigns throughout 2024 that targeted internet-exposed OT devices. CARR used basic methods—such as remotely altering human-machine interface (HMI) settings—to cause real-world disruptions. These efforts did not reflect a deeper technical understanding of OT systems, but instead demonstrated a broader recognition of OT’s effectiveness in advancing adversarial objectives.

Ransomware operators increasingly targeted manufacturing environments, exploiting downtime as leverage to pressure victims into paying ransoms. Combined with the growing trend of hacktivists orchestrating OT attacks as a fast, attention-grabbing tactic to amplify their messages, these incidents show that OT/ICS systems are under siege from a wide variety of threat actors. They also underscore a critical truth: adversaries do not always need sophisticated tools to achieve impactful outcomes. As more threat actors adopt these simple yet effective techniques, the overall risk continues to grow.

The Growing Convergence of Hacktivists, Ransomware Gangs, and Traditional OT Threat Actors

Between 2023 and early 2024, security analysts identified a rising trend in which hacktivist groups, or individuals claiming to be hacktivists, actively targeted industrial organizations and critical infrastructure worldwide. These groups successfully reached Stage 2 of the ICS Cyber Kill Chain in several incidents. Stage 2 of the Kill Chain involves threat actors preparing and executing the attack on the target ICS environment. In this stage, attackers utilize the knowledge gained during the previous stage (Reconnaissance/Intrusion Preparation or Stage 1) to specifically develop and test a capability that can meaningfully attack the ICS. This includes planning the attack path, choosing and defining tools and exploits, and ensuring the attack capabilities are suitable for the unique challenges of the target’s ICS environment.

Ransomware Evolves…Again

In 2024, security analysts observed a concerning evolution in this threat arena as hacktivists, or self-proclaimed hacktivist groups, began incorporating ransomware into their operations across a range of targets. Three notable groups at the center of this trend, Handala, Kill Security, and CyberVolk, actively used ransomware in their 2024 campaigns. Among them, CyberVolk stood out as the most distinctive. In June 2024, CyberVolk launched a ransomware-as-a-service (RaaS) platform and followed up in July by announcing the development of their proprietary “CyberVolk” ransomware. The group, which identifies itself as part of the hacktivist alliance known as the Holy League, includes members such as the persona CyberArmyofRussia_Reborn (CARR). CyberVolk primarily targets NATO-aligned countries using denial-of-service (DoS) attacks and ransomware, and their public messaging and activity strongly suggest alignment with Russian state interests.

Moving Forward into 2025

This convergence of economic, political, and ideological motives poses a credible risk of reshaping the ransomware threat landscape in 2025 and beyond, especially for sectors deemed critical to public safety and economic stability, often sectors reliant on OT/ICS systems. Hacktivist and self-identified hacktivist groups increasingly view these sectors as strategic targets. As a result, OT/ICS asset owners need to strengthen their geopolitical awareness, particularly if they operate in high-tension regions or provide essential public services and infrastructure.

Defenders Make Small Inconsistent Gains

Defenders have advanced in recognizing the need to secure OT environments, yet this progress remains inconsistent across sectors and regions. Regulated industries, such as North America’s electric power sector, typically demonstrate higher levels of cybersecurity maturity than less regulated areas like water utilities and manufacturing. While several awareness programs have brought some success, the reality is defenders still lag behind adversaries in terms of OT network visibility.

Many organizations illustrate this uneven progress by implementing secure remote access while failing to establish internal network monitoring systems capable of detecting third-party and legacy connections. These gaps leave networks vulnerable. One issue that keeps cropping up in security audits is the general lack of visibility organizations have when monitoring OT/ICS environments.

Lack of Operational Visibility

This lack of visibility not only blinds organizations to internal attack vectors but also prevents them from understanding their external attack surface. As a result, opportunistic adversaries increasingly exploit exposed OT devices using tools like Shodan and Censys. In 2024, internet-exposed ICS devices ranked among the most commonly exploited vectors for OT-targeting attacks. Many organizations continue to operate under the dangerous assumption that they are unlikely targets—an attitude especially prevalent in resource-constrained environments or where cybersecurity competes with other priorities.
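The two visibility gaps described above (internal monitoring that misses third-party and legacy connections, and an unknown external attack surface) can both be surfaced from the same internal flow data. The following is an added example, not code from the original article: a small triage routine that reads NetFlow-style records and flags traffic to well-known ICS protocol ports that comes from an address outside the authorized engineering subnets. The flow records, the subnets, the vendor name and the port table are all constructed for illustration; a real deployment would take the allowlist from the site's asset inventory.

```python
"""Flag ICS-protocol connections that an internal OT monitor should surface.

Added example; the flows, subnets and vendor name below are constructed.
"""
import ipaddress

# Well-known ICS/OT protocol ports, keyed by (transport, port).
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm (ISO-TSAP)",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 20000): "DNP3",
    ("udp", 47808): "BACnet/IP",
}

# Assumed site layout (hypothetical): engineering workstations that may talk to
# controllers, and a VPN pool assigned to a maintenance vendor (third party).
AUTHORIZED_SUBNETS = [ipaddress.ip_network("10.20.1.0/24")]
VENDOR_SUBNETS = {"vendor-acme (hypothetical)": ipaddress.ip_network("172.16.9.0/24")}

# RFC 1918 ranges, checked explicitly so that documentation addresses such as
# 203.0.113.0/24 are treated as external, as an internet-facing source would be.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records in the shape an internal collector would emit.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "10.30.5.10", "proto": "tcp", "dport": 502},     # engineering -> PLC
    {"src": "10.20.1.15", "dst": "10.30.5.10", "proto": "tcp", "dport": 443},     # HTTPS, not ICS
    {"src": "10.40.7.200", "dst": "10.30.5.11", "proto": "tcp", "dport": 102},    # IT host -> PLC
    {"src": "172.16.9.3", "dst": "10.30.5.12", "proto": "tcp", "dport": 44818},   # vendor VPN -> PLC
    {"src": "203.0.113.45", "dst": "10.30.5.13", "proto": "udp", "dport": 47808}, # external -> BACnet
]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify_flow(flow):
    """Return (severity, reason) for one flow, or None if it needs no attention."""
    key = (flow["proto"], flow["dport"])
    if key not in ICS_PORTS:
        return None  # not an ICS protocol; out of scope for this check
    proto_name = ICS_PORTS[key]
    src = ipaddress.ip_address(flow["src"])
    dst = flow["dst"]
    if not _in_any(src, RFC1918):
        # A non-private source reaching an ICS port means the device is
        # reachable from outside, i.e. part of the external attack surface.
        return ("high", f"external source {src} reached {proto_name} on {dst}: likely internet exposure")
    if _in_any(src, AUTHORIZED_SUBNETS):
        return None  # expected engineering traffic
    for vendor, net in VENDOR_SUBNETS.items():
        if src in net:
            # Known third-party path: not necessarily wrong, but must match a change window.
            return ("medium", f"third-party {vendor} ({src}) used {proto_name} to {dst}: verify change record")
    # Internal but not on any list: a legacy or undocumented connection.
    return ("high", f"unlisted internal source {src} used {proto_name} to {dst}: possible legacy or rogue path")


def analyze(flows):
    """Return a list of (flow, severity, reason) for every flow worth a look."""
    findings = []
    for flow in flows:
        result = classify_flow(flow)
        if result is not None:
            findings.append((flow, *result))
    return findings


if __name__ == "__main__":
    for flow, severity, reason in analyze(SAMPLE_FLOWS):
        print(f"[{severity.upper()}] {reason}")
```

On the constructed records this reports three findings: the IT host and the external address as high severity, and the vendor pool as medium severity pending a change record. The point is that the same passive flow data, which most sites already collect at the IT/OT boundary, answers both questions at once: who inside the plant is talking to controllers, and whether anything outside the plant can.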

The events of 2024 made clear that OT is no longer a fringe target. A growing number of adversaries have been empowered by increased understanding of OT systems and the effectiveness of even basic attack techniques. This has significantly raised the stakes in defending critical infrastructure. While skilled threat actors remain embedded within sensitive environments, hacktivists continue to exploit poorly defended infrastructure. Both groups thrive in a landscape where much of the community either lacks awareness of OT-specific threats or chooses to ignore them despite understanding the risks.

In this climate, the fundamentals remain essential. Defenders who proactively detect and expose hidden threats now play an increasingly critical role in securing operational environments.
