They’re reading the manual

by Black Hat Middle East and Africa


This week we’re focused on…

The Imitation Game. OK, that’s not exactly true – but it’s a good place to start. If you’ve seen this movie, you’ll know that Alan Turing didn’t succeed by smashing up the Enigma machine – he succeeded because he understood it. 

And that’s an important distinction in the threat landscape right now. 

Two separate reports (one on ransomware speed, the other on OT threat activity) point to the same shift: attackers aren’t improvising anymore. They’re studying.

They’re reading the manual.

Speed is a discipline

Let’s start with tempo. 

A new report from Barracuda documented a ransomware case involving Akira that went from initial compromise to full encryption in just three hours.

Three hours. That’s less time than it takes to watch Titanic.

Elsewhere, in the OT world, Dragos reports that the median time from vulnerability disclosure to public exploit in 2025 was 24 days. 

That figure shows how quickly threat actors move from opportunity to operationalisation.

Speed is now less opportunistic, and more industrial. 

Depth is a discipline too

Now let’s move from IT to OT.

Dragos describes adversaries “actively mapping control loops” – identifying engineering workstations, exfiltrating configuration files and alarm data, and learning how physical processes operate well enough to disrupt them.

That phrase – mapping control loops – highlights the way threat actors are focusing on preparation.

Dragos identified three new OT threat groups in 2025: AZURITE, PYROXENE and SYLVANITE, bringing the total it tracks to 26 OT-specific groups, 11 of which were active last year.

The report also describes an increasingly structured operating model: one team develops initial access and hands off to another with ICS-specific capability, compressing readiness from weeks to days in some cases.

That sounds a lot like division of labour and specialisation, doesn’t it? 

And it’s already touching live infrastructure. Dragos reports that ELECTRUM expanded into Poland in late December 2025, targeting distributed energy resources (DERs) – the first major coordinated cyberattack against DERs globally.

Meanwhile, visibility lags

The contrast we need to worry about sits on the defence side. 

Dragos estimates fewer than 10% of OT networks worldwide have network visibility and monitoring in place.

Thirty percent of its 2025 incident response cases began with someone saying “something seems wrong,” often without the telemetry required to confirm cyber involvement.

At the same time, Nozomi reports that adversary-in-the-middle activity accounted for 26.5% of alerts in the second half of 2025 – attackers interposing themselves on the network path between hosts and the services they authenticate to, and capturing or relaying credentials at scale.

Attackers are investing in understanding systems. And unfortunately, many organisations are still investing in hoping nothing breaks.

Discipline is key 

It’s the shared theme here. 

  • Ransomware operators compress time to maximise leverage.
  • OT-focused groups invest time to maximise impact.

Both behaviours reflect maturity. For CISOs and cybersecurity practitioners in general, this means it’s time to pivot. Treat engineering workstations and control systems as strategic assets, not niche infrastructure. Reduce patch latency wherever possible; 24 days is too short a runway now, and where a control system genuinely can’t be patched inside that window, compensate with segmentation and monitoring so that any exploitation is at least visible. And invest in OT visibility before you need it: the telemetry has to exist before the “something seems wrong” call, or there is nothing to confirm it against.

Cyber conflict has entered its systems era. The actors that succeed – on either side – are the ones who understand the machine. 
