A New Threat Group Focused on Vendor Access
The Dragos 2026 Year in Review report identified three new OT-focused threat groups. Of these, PYROXENE stands out for a specific reason: they don't attack operators directly. They attack the vendors, integrators, and service providers who already have trusted access to OT environments.
This is supply chain compromise applied to industrial control systems. The attacker doesn't need to find a vulnerability in your PLC firmware or phish your plant engineer. They compromise someone you already trust, then walk through the front door.
The PYROXENE Attack Methodology
PYROXENE campaigns follow a consistent four-stage pattern:
- Identify the vendor relationship. PYROXENE maps the supply chain of target organizations — system integrators, SCADA vendors, maintenance contractors, remote support providers.
- Compromise vendor credentials. Through spearphishing and social engineering targeted at the vendor's operational staff (not just IT), PYROXENE gains access to vendor accounts and VPN credentials.
- Use legitimate vendor access to reach OT. Because the vendor already has authorized access — often with broad permissions and minimal logging — PYROXENE moves laterally into OT networks using the vendor's own remote access infrastructure.
- Deploy wiper malware. Unlike ransomware groups that encrypt for profit, PYROXENE deploys wiper payloads designed to destroy OT configurations, corrupt firmware, and wipe engineering workstations. The goal is disruption and destruction, not ransom.
The key distinction: PYROXENE targets operational personnel at vendor organizations, not just IT staff. They understand that an automation engineer at a system integrator has far more direct access to customer OT assets than any IT administrator.
Why Supply Chain Attacks Are the Hardest to Defend
Supply chain attacks exploit a fundamental problem: the attacker arrives through a trusted channel.
Your firewall rules allow the vendor's VPN connection. Your access policies authorize the integrator's account. Your operations team expects the maintenance window. Everything looks normal because, from a technical perspective, it is a legitimate session — just controlled by the wrong person.
This is not hypothetical. The pattern has played out repeatedly:
- SolarWinds Orion (2020): Compromised software update distributed to 18,000 organizations, including industrial operators and critical infrastructure providers. Attackers had months of undetected access.
- Kaseya VSA (2021): REvil ransomware pushed through a managed service provider's remote management tool. Over 1,500 downstream organizations affected, including manufacturing firms.
- 3CX (2023): A supply chain attack on a supply chain attack — the 3CX compromise originated from a prior compromise of Trading Technologies software. Attackers chained vendor relationships.
- MOVEit Transfer (2023): Cl0p exploited a zero-day in a widely used file transfer tool. Organizations that had no direct relationship with the vulnerability were compromised through their vendors' use of the software.
Each of these reached industrial environments not through OT-specific vulnerabilities, but through IT supply chain vectors that operators assumed were outside their threat model.
Supply Chain Attack Vectors and Defensive Controls
| Attack Vector | How It Works | Defensive Control |
|---|---|---|
| Compromised vendor VPN | Attacker uses stolen vendor credentials to connect via existing VPN tunnel | Just-in-time access brokering with session recording; disable persistent VPN tunnels |
| Trojanized software update | Malicious code injected into legitimate vendor software package | Integrity verification of all updates; staged deployment with OT-specific validation |
| Compromised remote support tool | Attacker hijacks vendor's remote desktop or maintenance session | Proxy all vendor sessions through a controlled gateway; enforce MFA per session |
| Social engineering of vendor staff | Attacker impersonates customer to vendor, or vendor to customer | Out-of-band verification for all access requests; pre-registered vendor contacts only |
| Firmware supply chain | Malicious firmware delivered through compromised vendor distribution | Cryptographic firmware signing verification; maintain known-good firmware baselines |
| Integrator credential reuse | Vendor uses same credentials across multiple customer environments | Unique credentials per customer site; customer-managed credential rotation |
Concrete Defenses for Operators
1. Vendor Access Brokering
Stop giving vendors persistent VPN access. Instead:
- Just-in-time provisioning: Vendor access is activated only when requested and approved, for a defined time window.
- Scoped permissions: Each vendor session is limited to the specific assets they need to touch — not the entire OT network.
- Recorded sessions: Every vendor interaction is logged with full session recording, including commands executed and files transferred.
- MFA per session: Even if vendor credentials are compromised, a second factor tied to the specific session blocks unauthorized use.
This is what Access Gate provides as a core function — brokered, recorded, scoped vendor access without requiring changes to the underlying OT network.
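The four controls above can be expressed as a small access-broker state machine. The following is an added example written for this page, not code from the article, from Dragos, or from Access Gate; the vendor name `integrator-acme`, the asset names, the approver and the timestamps are constructed sample values, and the one-time session code stands in for whatever second factor a real broker would deliver out-of-band.

```python
# Added example: a minimal just-in-time vendor access broker showing the four
# controls (JIT window, scoped assets, per-session MFA, recorded commands).
# Not code from the article, Dragos or Access Gate; all names are constructed.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessGrant:
    grant_id: str
    vendor: str
    allowed_assets: frozenset[str]   # scope: the only assets this session may touch
    not_before: datetime             # approved window start
    not_after: datetime              # approved window end
    approver: str
    code_hash: bytes                 # SHA-256 of a one-time code delivered out-of-band
    used: bool = False               # the code opens exactly one session


@dataclass
class Session:
    grant: AccessGrant
    log: list[str] = field(default_factory=list)   # every command, allowed or denied


class VendorAccessBroker:
    """Replaces persistent vendor VPN access with approved, scoped, recorded sessions."""

    def __init__(self) -> None:
        self.grants: dict[str, AccessGrant] = {}
        self.sessions: dict[str, Session] = {}
        self.audit: list[str] = []

    def approve(self, vendor: str, assets: set[str], approver: str,
                start: datetime, minutes: int) -> tuple[str, str]:
        """Just-in-time provisioning: the grant exists only for the approved window.
        Returns (grant_id, one_time_code); the code goes to a pre-registered contact."""
        grant_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        grant = AccessGrant(grant_id, vendor, frozenset(assets), start,
                            start + timedelta(minutes=minutes), approver,
                            hashlib.sha256(code.encode()).digest())
        self.grants[grant_id] = grant
        self.audit.append(f"GRANT {grant_id} vendor={vendor} assets={sorted(assets)} "
                          f"until={grant.not_after.isoformat()} approver={approver}")
        return grant_id, code

    def start_session(self, grant_id: str, code: str, now: datetime) -> str | None:
        """MFA per session: a stolen vendor password alone opens nothing; the
        one-time code must match, be unused, and be presented inside the window."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.used:
            self.audit.append(f"DENY start grant={grant_id} reason=unknown-or-used")
            return None
        if not grant.not_before <= now <= grant.not_after:
            self.audit.append(f"DENY start grant={grant_id} reason=outside-window")
            return None
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, grant.code_hash):   # constant-time compare
            self.audit.append(f"DENY start grant={grant_id} reason=bad-code")
            return None
        grant.used = True
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = Session(grant)
        self.audit.append(f"START session={session_id} grant={grant_id} vendor={grant.vendor}")
        return session_id

    def execute(self, session_id: str, asset: str, command: str, now: datetime) -> bool:
        """Scoped permissions + recorded sessions: each command is checked against
        the grant's asset list and window, and logged whether or not it is allowed."""
        session = self.sessions.get(session_id)
        if session is None:
            self.audit.append(f"DENY exec session={session_id} reason=no-session")
            return False
        grant = session.grant
        if now > grant.not_after:
            verdict = "DENY expired"
        elif asset not in grant.allowed_assets:
            verdict = "DENY out-of-scope"
        else:
            verdict = "ALLOW"
        session.log.append(f"{now.isoformat()} {verdict} asset={asset} cmd={command!r}")
        return verdict == "ALLOW"


def demo() -> dict[str, object]:
    """Walk one constructed integrator session through the broker."""
    broker = VendorAccessBroker()
    t0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
    grant_id, code = broker.approve("integrator-acme", {"plc-line3"}, "ot-lead", t0, 60)
    wrong_code = "000000" if code != "000000" else "111111"
    wrong = broker.start_session(grant_id, wrong_code, t0)            # stolen password, no code
    sid = broker.start_session(grant_id, code, t0 + timedelta(minutes=5))
    results: dict[str, object] = {
        "wrong_code": wrong,
        "session": sid,
        "in_scope": broker.execute(sid, "plc-line3", "download project", t0 + timedelta(minutes=10)),
        "out_of_scope": broker.execute(sid, "safety-plc-1", "download project", t0 + timedelta(minutes=11)),
        "expired": broker.execute(sid, "plc-line3", "reboot", t0 + timedelta(minutes=90)),
        "replay": broker.start_session(grant_id, code, t0 + timedelta(minutes=20)),
    }
    results["log"] = broker.sessions[sid].log
    results["audit"] = broker.audit
    return results


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The design point is that the vendor's long-lived credential never appears in the broker at all: the grant is approved by the operator, the second factor is per-session and single-use, and the asset scope and expiry are enforced on every command rather than once at login, so a compromised integrator account gives an attacker neither a persistent tunnel nor reach beyond the assets named in the approval.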
2. Segmentation That Limits Blast Radius
Even with brokered access, assume the vendor session could be compromised. Network segmentation ensures that a single compromised session cannot reach the entire OT environment:
- Isolate vendor-accessible zones from safety-critical systems
- Use Layer 3 segmentation to enforce policy boundaries between zones
- Monitor east-west traffic within vendor-accessible segments for anomalous behavior
3. OT Configuration Integrity Monitoring
PYROXENE's endgame is wiper malware targeting OT configurations and firmware. Defend the target:
- Maintain offline backups of all PLC programs, HMI configurations, and engineering project files
- Implement change detection on OT configurations — any modification outside an approved change window triggers an alert
- Verify firmware integrity against known-good baselines on a regular schedule
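Change detection against a known-good baseline, covering the three bullets above and the firmware-baseline row of the table, reduces to hashing the engineering share and diffing it against the stored baseline on a schedule. The following is an added example written for this page, not code from the article or any vendor product; the directory layout (`plc-line3.project`, `firmware/plc-line3.bin`, `hmi/panel1.cfg`), the file contents and the approved change window are constructed sample values.

```python
# Added example: baseline-and-diff integrity check for OT engineering files
# (PLC projects, HMI configs, firmware images). Not code from the article or
# any vendor product; directory layout, contents and windows are constructed.
from __future__ import annotations

import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Known-good baseline: relative path -> SHA-256 for every file under root.
    In practice this map is kept offline next to the project backups, so that a
    wiper that reaches the share cannot also rewrite the reference it is checked against."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict[str, str], now: datetime,
                    change_windows: list[tuple[datetime, datetime]]) -> list[tuple[str, str, str]]:
    """Diff the live tree against the baseline. Every difference is reported;
    a difference outside an approved change window is marked ALERT."""
    current = build_baseline(root)
    in_window = any(start <= now <= end for start, end in change_windows)
    status = "approved-window" if in_window else "ALERT"
    findings: list[tuple[str, str, str]] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "REMOVED"          # e.g. project files wiped from the share
        elif rel not in baseline:
            kind = "ADDED"            # unexpected new artefact in the engineering share
        elif baseline[rel] != current[rel]:
            kind = "MODIFIED"         # PLC logic, firmware image or HMI config changed
        else:
            continue
        findings.append((kind, rel, status))
    return findings


def demo() -> dict[str, list[tuple[str, str, str]]]:
    """Build a constructed engineering share, baseline it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "hmi").mkdir()
        (root / "plc-line3.project").write_bytes(b"LADDER v12 (constructed)")
        (root / "firmware" / "plc-line3.bin").write_bytes(b"\x7fFW-2.4 (constructed)")
        (root / "hmi" / "panel1.cfg").write_bytes(b"screens=4 (constructed)")
        baseline = build_baseline(root)
        # Constructed approved maintenance window: 22:00 to 02:00 UTC
        window = [(datetime(2026, 3, 10, 22, 0, tzinfo=timezone.utc),
                   datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc))]
        clean = check_integrity(root, baseline,
                                datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc), window)
        # Simulate the traces an unauthorised change or a wiper would leave behind
        (root / "plc-line3.project").write_bytes(b"\x00" * 8)      # overwritten logic
        (root / "hmi" / "panel1.cfg").unlink()                      # config destroyed
        (root / "unexpected.bin").write_bytes(b"not in baseline")   # new artefact
        outside = check_integrity(root, baseline,
                                  datetime(2026, 3, 10, 9, 30, tzinfo=timezone.utc), window)
        inside = check_integrity(root, baseline,
                                 datetime(2026, 3, 10, 23, 0, tzinfo=timezone.utc), window)
    return {"clean": clean, "outside_window": outside, "inside_window": inside}


if __name__ == "__main__":
    for kind, rel, status in demo()["outside_window"]:
        print(f"{status:16} {kind:9} {rel}")
```

Run on a schedule (and immediately after any vendor session ends), this turns the "change outside an approved window" rule into a concrete alert. The same comparison applied to firmware images pulled from devices gives the known-good firmware baseline check from the table; changes that occur inside a window are still reported, so the approved change can be reconciled against the change ticket rather than silently accepted.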
4. Vendor Risk Assessment
Not all vendor relationships carry equal risk. Prioritize based on:
- Access level: Does the vendor have direct access to Level 1/2 OT assets?
- Connection method: Persistent VPN vs. brokered session vs. on-site only?
- Credential management: Who controls the credentials? Are they shared across customers?
- Incident notification: Does the vendor have an obligation to notify you if they are compromised?
What PYROXENE Means for Your Security Program
PYROXENE is not an anomaly. Supply chain attacks on OT will increase because the economics favor the attacker: compromise one vendor, gain access to dozens of customers.
The defense is straightforward but requires deliberate architecture: broker every vendor session, segment every zone, monitor every configuration change, and stop assuming that trusted access means safe access. Your vendors are part of your attack surface. Treat them accordingly.

