Imagine a silent, invisible enemy infiltrating the very systems that power our daily lives—electricity grids, water supplies, and transportation networks. This isn’t a plot from a dystopian novel; it’s happening right now. According to Dragos’ latest annual threat report, released on Tuesday, China’s cyber operatives are deeply embedded within U.S. energy networks, not to steal secrets, but with a far more chilling purpose: to bring them down. But here’s where it gets even more alarming—they’re not alone.
Last year, three new threat groups emerged, targeting critical infrastructure worldwide, while a notorious Beijing-backed group, Volt Typhoon, continued its relentless campaign against U.S. electric, oil, and gas companies. Dragos, a leader in operational technology (OT) security, revealed that these state-sponsored actors are not just probing for weaknesses—they’re actively preparing for destructive cyberattacks. Their goal? To disrupt, disable, and destroy the systems that keep modern society functioning.
And this is the part most people miss: These attackers aren’t after intellectual property or financial gain. As Dragos CEO Robert M. Lee explained, their focus is purely on causing chaos. For instance, the group Voltzite—closely linked to Volt Typhoon—has been embedding malware within strategic U.S. utilities, not to steal data, but to gain control over the systems themselves. ‘They were getting inside the control loop,’ Lee said, emphasizing their ability to manipulate industrial processes. This isn’t espionage; it’s sabotage.
In one campaign, Voltzite compromised Sierra Wireless AirLink devices, using them as a gateway to infiltrate U.S. pipeline operations. They exfiltrated operational data, accessed engineering workstations, and even stole configuration files that could allow them to force-stop operations. In another instance, they used the JDY botnet to scan for vulnerabilities across energy, oil, gas, and defense sectors—likely laying the groundwork for future attacks.
But China isn’t the only player in this dangerous game. Here’s where it gets controversial: While Dragos itself does not formally attribute attacks to specific nations, it’s clear that Russia- and Iran-linked groups are also major threats. For example, the group Pyroxene, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), has been targeting defense and critical infrastructure sectors in the Middle East, North America, and Western Europe. Meanwhile, Russia’s GRU-linked group, Electrum, was blamed for the December 2025 cyberattacks on Poland’s power grid—a chilling reminder of their capabilities.
What’s even more unsettling is the emergence of new groups like Sylvanite, which acts as an ‘initial access broker’ for Voltzite, weaponizing vulnerabilities in products from companies like F5, Ivanti, and SAP. These vulnerabilities are exploited within 48 hours of disclosure, giving defenders little time to react. Another group, Azurite, overlaps with China’s Flax Typhoon and focuses on long-term access to OT engineering workstations, exfiltrating critical operational files.
So, here’s the question that keeps experts up at night: Are we prepared for a future where our most essential systems could be taken offline with the click of a button? As these threat groups grow more sophisticated, the stakes have never been higher. What do you think? Are we doing enough to protect our critical infrastructure, or are we sleepwalking into a crisis? Let’s discuss in the comments—because this isn’t just a tech issue; it’s a matter of national security.