China remains embedded in US energy networks ‘for the purpose of taking it down’

Summary

Dragos’ 2025 OT (operational technology) year-in-review shows Beijing-linked actors continued to embed themselves into US energy, oil and gas systems with destructive intent. A group Dragos calls Voltzite (highly correlated with Volt Typhoon) maintained long-term persistence inside control systems, accessing engineering workstations, alarm and configuration data, and even device gateways such as Sierra Wireless AirLink. Dragos also documented three new OT-focused groups (Sylvanite, Azurite and Pyroxene) acting as initial-access brokers, long-term collectors of operational files, and supply-chain/social-engineering threat actors respectively. Russia-linked actors remain active too, with reconnaissance and initial-access activity noted against water and energy sectors.

Key Points

  • Dragos reports Voltzite/Volt Typhoon continued deep intrusions in 2025, embedding malware inside utility control loops to enable future disruption.
  • Voltzite used compromised cellular gateways (Sierra Wireless AirLink) and botnets (JDY) to reach pipeline and OT networks, exfiltrating sensor and configuration data.
  • Three new OT-focused groups emerged: Sylvanite (initial access broker exploiting F5, Ivanti, SAP edge devices), Azurite (long-term access to engineering workstations) and Pyroxene (supply-chain and social-engineering attacks, linked to destructive wipers).
  • Dragos observed pre-staging behaviours — scanning VPNs and IP ranges — indicating planning for future intrusions and exfiltration of operational data.
  • Russian-linked activity (Electrum/Kamacite) continues to target water and energy sectors, demonstrating that multiple nation-state actors are focusing on critical infrastructure.

Content summary

Dragos’ annual report explains that Voltzite didn’t just steal intellectual property — its moves were aimed at sabotage. Intruders accessed control systems, stole alarm and configuration files, and gained the means to force-stop operations. Sylvanite appears to supply Voltzite with initial access by weaponising recently disclosed edge-device vulnerabilities. Azurite focuses on engineering workstation compromise and data theft to develop downstream capabilities. Pyroxene uses social engineering and supply-chain attacks, and deployed destructive malware in the Middle East in mid-2025. Dragos also described reconnaissance by Kamacite targeting industrial devices in US utilities, even if exploitation was not confirmed during that window.

Context and relevance

This matters because energy and utility OT networks run physical infrastructure — not just data. Long-term persistence inside control loops gives attackers the capacity to cause blackouts, pipeline outages or worse. The report shows a maturing, multi-tiered adversary model: initial-access brokers, long-term maintainers of control, and destructive operators. For defenders, the findings signal the need for rapid patching of edge devices, stronger segmentation between IT and OT, improved monitoring of engineering workstations, and careful supply-chain and contractor security controls.

Why should I read this?

Short answer: because someone is quietly living in systems that keep the lights on — and they look like they’re preparing to break things. If you care about critical infrastructure, industrial safety, or national resilience, this is one of those ‘pay attention now’ briefs. Dragos has done the digging so you don’t have to.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/17/volt_typhoon_dragos/