Chinese Hackers Prep US Grid for Destructive Attacks

A deeply concerning annual threat report has unveiled a calculated and alarming strategic pivot by state-sponsored cyber actors, indicating that Chinese-linked hacking groups are systematically embedding themselves within United States critical infrastructure not for espionage, but to prepare for future, physically destructive attacks. This pre-positioning of digital assets within the operational technology (OT) networks of American energy and utility providers represents a significant escalation, shifting the goal from stealing information to gaining the capability to disrupt essential services like electricity and water on a massive scale. The analysis, based on activities observed throughout 2025, underscores a growing global trend of targeting the industrial control systems that form the backbone of modern society, with an increase in specialized threat groups dedicated to this dangerous new frontier of cyber warfare.

China’s Calculated Offensive

A methodical and persistent campaign originating from Beijing is actively compromising the foundational systems of American utilities. This effort is distinguished by its long-term strategic vision, focusing on gaining and maintaining access to the most sensitive parts of operational networks. The objective is not immediate disruption but the establishment of a latent capability that can be activated at a time of geopolitical tension or conflict, turning control over critical infrastructure into a powerful coercive weapon. This represents a significant evolution in state-sponsored cyber activity, moving beyond reconnaissance to direct preparation for sabotage.

The Primary Threat Actor Voltzite

At the center of this campaign is a highly sophisticated group tracked as Voltzite, which exhibits a strong correlation with the notorious state-sponsored actor Volt Typhoon. The group’s activities throughout 2025 demonstrated an unwavering focus on infiltrating and understanding American utility networks with a clear and unambiguous purpose: to enable future disruption. Unlike traditional cyberespionage groups that target intellectual property or government secrets, Voltzite’s operators have been meticulously mapping and penetrating the core control loop systems—the digital brains that directly manage the physical industrial processes of power generation, water distribution, and fuel transport. Their long-term persistence within these networks indicates a patient, well-funded, and state-directed mission to establish a strategic advantage by holding U.S. infrastructure at risk. The group’s methodical approach suggests they are not opportunistic but are executing a deliberate, multi-stage plan to achieve their objectives.

Voltzite’s methods reveal a deep understanding of industrial control environments, allowing them to bypass conventional IT security and move laterally into sensitive OT domains. One of their notable campaigns involved the compromise of Sierra Wireless AirLink cellular gateways and routers, devices often used for remote access to industrial equipment. By exploiting these edge devices, the group created a stealthy entry point to pivot directly into the OT networks of U.S. pipeline operators. Once inside, they did not just explore; they exfiltrated highly specific operational and sensor data. The level of access they achieved was substantial, positioning them to potentially manipulate control systems that manage the physical flow of resources. Furthermore, their access to engineering workstations allowed them to steal critical configuration files and detailed alarm data, including procedural documents outlining how to execute a forced shutdown of operations. This is the equivalent of a saboteur stealing the blueprints and emergency shutdown keys to a power plant.

Evidence of Destructive Intent

The most compelling evidence of Voltzite’s malicious purpose is found in the specific nature of the data it targets and exfiltrates. Cybersecurity analysts have concluded that the stolen information holds no value for espionage or commercial gain. The group has consistently ignored financial records, proprietary designs, and other forms of intellectual property. Instead, their entire focus has been on acquiring operational schematics, alarm response protocols, and industrial control system configurations. This type of information is only useful for one thing: planning and executing an attack designed to disrupt or physically destroy the targeted infrastructure. The data allows attackers to understand how a system operates, how it responds to failures, and, most critically, how to trigger a catastrophic event while potentially masking their actions. The group’s deliberate choice to gather this specific intelligence serves as a clear indicator of their endgame, which is to cause tangible, real-world consequences.

In a separate but related campaign, Voltzite was observed using the JDY botnet for broad reconnaissance against internet-facing assets belonging to organizations in the U.S. energy, oil, gas, and defense sectors. This operation involved systematically scanning public IP address ranges and VPN appliances to identify potential vulnerabilities and entry points for future intrusions. While direct exploitation was not observed during this phase, the activity is assessed with moderate confidence as a pre-staging effort. By meticulously mapping the external attack surface of their targets, the group was building a comprehensive database of exploitable weaknesses. This reconnaissance provides them with multiple avenues for initial access, ensuring the longevity and resilience of their broader campaign. Such preparatory work is a hallmark of a patient and sophisticated adversary that is methodically laying the groundwork for a future, coordinated assault on critical national infrastructure.

Expanding Global Threats

While the pre-positioning by Chinese actors represents a primary concern, the threat landscape targeting operational technology is becoming increasingly crowded and complex. State-sponsored groups from other nations are also honing their capabilities and expanding their operational reach, demonstrating that the tactic of holding critical infrastructure at risk is becoming a more common component of international statecraft. These emerging threats employ diverse tactics, from sophisticated supply-chain attacks to targeted social engineering, and are no longer confined to their traditional geographic regions of influence.

Iran’s Growing Ambitions

The analysis has also identified a new and increasingly aggressive threat group linked to Iran, tracked as Pyroxene. This group’s activities show significant overlap with Imperial Kitten (also known as APT35), which is widely understood to be the cyber arm of Iran’s Islamic Revolutionary Guard Corps (IRGC). Pyroxene specializes in leveraging complex supply-chain attacks and works in concert with another group, Parisite, which serves as its initial access provider. This collaborative structure allows them to conduct multi-stage intrusions with greater efficiency and stealth. Their tactics often involve highly targeted, recruitment-themed social engineering campaigns, where they create fake social media profiles to build rapport with individuals at target organizations. Over time, they manipulate these individuals into installing backdoors or other forms of malware, providing Pyroxene with a persistent foothold inside the network.

The operational scope of Pyroxene has notably expanded beyond its typical focus on the Middle East, with recent campaigns detected against targets in both North America and Western Europe. This geographic expansion signals a clear intent to project power and influence on a more global scale. A stark example of their destructive capability was demonstrated in June 2025, when the group deployed data-wiping malware against multiple organizations in Israel amidst a period of heightened military conflict in the region. This action showed not only their technical ability to cause irreversible damage but also their willingness to deploy such payloads as a political and military tool. The expansion of these destructive tactics into Western nations presents a significant and growing threat to industrial sectors that may not have previously considered themselves targets of Iranian cyber operations.

Russia’s Persistent Threat

Russia remains a formidable and persistent threat to Western critical infrastructure, continuing to leverage its advanced cyber capabilities, particularly against nations that provide support to Ukraine. The annual report detailed recent activities from a group known as Electrum, which aligns with Russia’s infamous GRU-run Sandworm offensive cyber unit. This group was attributed as the perpetrator behind the disruptive cyberattacks that targeted Poland’s power grid in December 2025, an act that showcased its ability to impact essential services in a NATO country. Electrum’s operations are often facilitated by an initial access provider tracked as Kamacite. This tiered approach, similar to that used by Chinese actors, allows for specialization and increased operational security, making their campaigns more difficult to detect and attribute with certainty.

Between March and July of 2025, Kamacite executed a wide-ranging reconnaissance campaign specifically targeting vulnerable, internet-exposed industrial devices within the United States. This scanning activity was not random; it precisely focused on systems within the water, energy, and manufacturing sectors. Although analysts found no direct evidence of successful exploitation resulting from this particular campaign, its scope and precision were alarming. The meticulous nature of the scanning revealed a significant evolution in Kamacite’s operational posture, indicating a maturing capability and a sustained, strategic interest in identifying weaknesses within American infrastructure. This persistent probing serves as a constant reminder that Russian actors continue to map and prepare the digital battlefield, maintaining their readiness to disrupt U.S. critical services should geopolitical circumstances dictate such a move.
