
OT Cybersecurity – Five OT threat groups you should be aware of


As industries push for greater efficiency through increased digitalization, OT threat groups are surging in parallel. These groups continually develop new ways to inflict physical, financial, and reputational damage, making it hard for the industry to keep pace. This has become a growing concern for organizations, and top leaders are actively searching for robust measures to raise their security posture. However, they often find themselves struggling with a fundamental question: “Where should we start?”

The cornerstone for dealing with any adversary capable of causing lasting harm should be to understand it fully. Sun Tzu famously states,

‘If you know your enemy and know yourself, you will not be imperiled in a hundred battles.’

In the OT context, this maxim captures the importance of understanding an adversary’s motivations, assessing its capabilities, and gauging the extent of the damage it can cause.

Annual reviews of ICS and OT vulnerabilities give us an in-depth analysis of the active OT threat groups that have been causing upheaval within OT infrastructure across diverse industries. The groups below were shortlisted by actively monitoring their evolution through R&D and identifying their preferred target infrastructure.

Given their industrial significance and the damage they have caused, we highlight the five most critical and active OT threat groups to emphasize the importance of, and need for, becoming cyber resilient.

Pipedream

With an unmatched ability for cross-industry ICS/OT disruption, Pipedream is capable of dismantling physical processes within industries including oil and gas, energy, and manufacturing. It is the first scalable attack framework of its kind, showing adaptability within evolving environments.

Pipedream primarily uses specialized ICS protocols to manipulate and incapacitate PLCs. It also captures PLC credentials, which facilitates password brute-forcing and enables denial-of-service attacks. This path aligns with Stage 2 of the ICS Kill Chain, allowing Pipedream to independently install, modify, and execute ICS components, which significantly heightens the danger it poses.

Bentonite

A recent discovery among OT threat groups but equally pernicious, Bentonite has earned a reputation for being exceptionally opportunistic in its victim selection. Functioning as downloader-type malware, it exploits vulnerable remote access assets, embedding itself within them to gain initial access. That access is sustained over the long term by moving laterally across hosts, gathering credentials, and establishing a persistent secure shell (SSH) connection for interactive operations.

In the recent past it has had a profound impact on various sectors, including oil and gas, manufacturing, and even governmental organizations, owing to its ability to execute multiple operations simultaneously. As a result, many victims have been subjected to enumeration, reconnaissance, and espionage.

Kostovite

With a sharp focus on energy firms and power generation facilities, Kostovite has the capability to exploit the inherent vulnerabilities of OT environments and SCADA assets. The adversary displays a high level of operational discipline and infrastructural knowledge, extending its impact to Stage 2 of the ICS Kill Chain. Kostovite’s ability to maneuver discreetly through IoT devices without raising alarms is what sets it apart from the rest.

Recent reports emphasize Kostovite’s ability to exploit zero-day vulnerabilities to compromise internet-facing perimeter devices, underscoring the need for thorough diligence.

Kamacite

Since 2014, this threat group has been wreaking havoc and causing operational disruptions. A thorn in the side of many industrial sectors, Kamacite primarily operates in European and US markets, claiming responsibility for five documented attack instances. The notable power disruption attacks of 2015 and 2016 are also associated with this group.

What makes this group particularly dangerous is its occasional adoption of a collaborative approach, in which it enables other OT threat groups to execute ICS-specific attacks, thereby magnifying the extent of the damage. Kamacite also engages in phishing, reconnaissance, and command and control (C2) activities by developing and deploying custom malware on compromised infrastructure.

Given the strength of this threat group, it is imperative to get your shields up to avoid falling victim to them.

Xenotime

Xenotime is a well-known threat group that focuses on the oil and gas sector, liquefied natural gas entities, and original equipment manufacturers (OEMs) that support oil and gas operations. It stands out as the only group capable of disrupting industrial safety instrumented systems (SIS), potentially leading to product contamination, environmental damage and, most importantly, loss of life.

This threat group has been observed to be active in both American and Middle Eastern markets, and it has claimed responsibility for the well-known Trisis attack of 2017, often regarded as the world’s deadliest malware attack.

Considering the severe impact it poses, one cannot afford to leave their defenses to chance.

The way forward

Feeling overwhelmed by the sheer destructive scale of these adversaries? Let us assure you that the future isn’t as bleak as it may seem. While the threat of malicious hackers devising innovative attacks will always loom large, significant progress has been made against them through robust detection and threat mitigation techniques.

For starters, you need to strengthen your OT environments by developing OT cybersecurity strategies tailored to your operational readiness. The process encompasses assessing your existing risks, identifying critical gaps in your ecosystem, and implementing readily deployable, easily integrable solutions to confront the adversaries described above. In this regard, our 5-step checklist serves as a comprehensive starting point for organizations embarking on their cyber journey.

If these remedial tasks seem too challenging and something that falls outside your area of expertise, you can always leverage our experience. We have a proven track record of helping businesses similar to yours in addressing their safety concerns, enabling them to concentrate on their core business operations.
