
Dragos sees operational technology attackers exploiting VPNs

Dragos tracked 3,318 ransomware attacks on industrial organizations in the last year.


Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

VPNs can help communications stay secure—but they also present an attack vector in the wrong hands, according to a 2025 year in review from Dragos. The operational-technology cybersecurity company highlighted recent attack paths from a range of ransomware actors, hacktivists, and coordinated groups interested in accessing and disrupting critical operations.

Dragos reported that attackers are getting into OT environments through remote-access gateways such as virtual private networks (VPNs): in almost three out of four cases (73%), the intrusion involved active exploitation of, or credential reuse against, VPNs, “jump hosts,” and other remote-access points.

“Adversaries have realized these are highly connected environments, and they’re targeting them directly, and targeting them directly is a much lower barrier of entry than going through all of the enterprise security stack to get to it,” CEO Robert M. Lee told reporters on Feb. 10, adding that Dragos tracked 3,318 ransomware attacks on industrial organizations in the last year. (Dragos tracked just under 1,700 industrial-org ransomware attacks in 2024.)

The company has also noted that adversaries have progressed from lurking in systems to actively creating playbooks for disruption.

Lee, who previously served as a cyber warfare operations officer for the US Air Force, shared examples of adversarial groups that have gone from gaining access to mapping out and exploiting control loops: the feedback cycles in which sensors report a measurement and controllers act on physical equipment in response, opening or closing a circuit breaker, say, or holding a temperature within a set range.

A pair of demonstrated attack paths featured a first stop at the VPN:

  • During a call with reporters, Lee noted a group (labeled “Azurite”) that uses compromised VPNs to go straight to the engineering workstations controlling logic and ultimately, physical processes.
  • Another group watches vulnerability advisories for edge devices like VPNs, the kind a contractor might use to reach a site remotely. It acts as an access broker: it finds the vulnerable entry points and hands the access off to a second team, which then hunts for configuration files and SCADA software.

It’s not just ransomware attackers and hacktivists taking advantage of these vulnerabilities. Lee’s military background, he said, gives him the feeling that state, government, and military teams “are getting told they might actually impact change. They might actually have to do offensive operations, not just access.”

OTMG. Around the world, attackers are finding ways into critical systems via VPNs. For example, coordinated attacks in December “targeted numerous wind and solar farms, a private company in the manufacturing sector, and a combined heat and power (CHP) plant supplying heat to nearly half a million customers in Poland,” according to a report from Poland’s computer emergency response team (CERT).

“In every case, the VPN interface was exposed to the internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said.

In its 2026 cybersecurity forecast, Google said “poor hygiene like insecure remote access will continue to allow common Windows malware to breach OT networks.” The company stressed the importance of immutable, offline backups of both industrial configurations and critical enterprise data (like ERP logs), along with network monitoring of critical IT/OT paths.

Lee advised companies to deploy network monitoring and MFA at the very least, and hardware-based security keys where possible, since attackers have shown they can defeat weaker forms of multi-factor authentication (a hardware key resists the phishing and prompt-fatigue techniques that work against one-time codes and push notifications).

“It’s very hard to roll that out in operations, so we recognize that it’s difficult,” Lee said. “The idea that you could be secure with just passwords and things is extraordinarily antiquated guidance at this point.”
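As an added example (not code from Dragos, CERT Polska, Google or IT Brew), the Python script below runs the checks the last few paragraphs imply over a VPN authentication log: successful password-only logins of the kind the Polish CERT report describes, logins whose second factor is not a hardware-backed key, and one account used from several source addresses in a short window, the credential-reuse pattern behind the 73% figure earlier in the piece. The log format, its field names, the `mfa=` labels and the sample log itself are all assumptions constructed for the example.

```python
"""Audit VPN / jump-host authentication logs for the weaknesses the article
describes: password-only logins, second factors that are not hardware-backed,
and one account used from many source addresses in a short window.

Added example; not code from Dragos, CERT Polska, Google or IT Brew. The log
format, field names and mfa= labels are assumptions, and the log is constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample in an assumed "key=value" syslog style. A real appliance
# (or a SIEM export) needs its own regex; only the fields matter here.
SAMPLE_LOG = """\
2025-12-03T02:11:04Z vpn-auth user=contractor1 src=203.0.113.7 result=success mfa=none
2025-12-03T02:13:51Z vpn-auth user=contractor1 src=198.51.100.22 result=success mfa=none
2025-12-03T02:20:09Z vpn-auth user=contractor1 src=192.0.2.88 result=success mfa=none
2025-12-03T08:02:33Z vpn-auth user=ops.engineer src=203.0.113.40 result=success mfa=totp
2025-12-03T08:05:12Z vpn-auth user=ops.engineer src=203.0.113.40 result=success mfa=fido2
2025-12-03T09:30:00Z vpn-auth user=vendor.svc src=198.51.100.9 result=failure mfa=none
not-an-auth-line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>\S+)$"
)

# Assumed labels: "none" = password only; "totp"/"push"/"sms" = a second
# factor that phishing kits and prompt bombing can defeat; "fido2" = hardware key.
PHISHING_RESISTANT = {"fido2"}


def parse_log(text):
    """Return one dict per well-formed auth record, with ts as a datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth records
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def password_only_logins(events):
    """Successful logins where no second factor was presented at all."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def weak_mfa_logins(events):
    """Successful logins whose second factor is not phishing-resistant."""
    return [e for e in events if e["result"] == "success"
            and e["mfa"] != "none" and e["mfa"] not in PHISHING_RESISTANT]


def credential_reuse(events, max_sources=1, window_minutes=60):
    """Accounts that logged in from more than max_sources distinct addresses
    within any window_minutes span; returns {user: sorted source list}."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {first["src"]}
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_minutes * 60:
                    break  # events are sorted, so nothing further fits the window
                srcs.add(later["src"])
            if len(srcs) > max_sources:
                flagged.setdefault(user, set()).update(srcs)
    return {user: sorted(srcs) for user, srcs in flagged.items()}


def audit(text):
    """Run all three checks and return a summary suitable for a ticket or alert."""
    events = parse_log(text)
    return {
        "events": len(events),
        "password_only": [(e["user"], e["src"]) for e in password_only_logins(events)],
        "weak_mfa": [(e["user"], e["mfa"]) for e in weak_mfa_logins(events)],
        "credential_reuse": credential_reuse(events),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, `contractor1` trips two of the three checks at once: three password-only logins from three different addresses inside nine minutes, which is what a shared or stolen contractor credential looks like from the VPN's side. The `window_minutes` and `max_sources` thresholds are the knobs to tune against a real site's baseline; a roaming engineer legitimately changes address, so the point of the window is to catch changes faster than a person can travel.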

