Threat ActorsICS/OTCTI

Actor Tracking for ICS Groups: How to Follow VOLTZITE, ELECTRUM, and Peers Without Losing the Signal

Jason Faulhefer July 14, 2026 8 min read

Share this post

ICS focused groups do not behave like ransomware crews. Tracking them requires a different cadence, different collection sources, and a different bar for attribution.

The public naming of ICS focused adversaries such as VOLTZITE, ELECTRUM, XENOTIME, and CHERNOVITE has made it easier to talk about the threat. It has also created a temptation to treat these groups like ransomware crews, with weekly IOC drops and breach counts. That framing does not fit.

Why ICS actors need a different tracking model

ICS focused groups often operate with long dwell, minimal payloads, and heavy reliance on living off the land in operator environments. A quiet quarter for one of these groups is not evidence of absence. It is more likely evidence of successful patience.

A tracking model built for smash and grab crime will under alert on these actors and over alert on scanning noise.

What to actually track

For each ICS actor of interest, maintain a small, disciplined profile:

  1. Known targeted sectors and geographies.
  2. Protocols and vendor stacks they have interacted with in public reporting.
  3. Access techniques they favor (VPN abuse, exposed HMIs, contractor laptops).
  4. Post access behavior in OT (protocol reconnaissance, engineering software abuse, staged writes).
  5. Confidence level on each claim, with the source.

That last field is the one most teams skip and most regret later.

Cadence over volume

A useful ICS actor profile changes slowly. Review each tracked group on a fixed cadence (monthly is usually enough) and update only when the underlying evidence changes. Resist the pull to add every vendor blog paragraph as a new bullet.

How ThreatSpire structures it

The actor tracker in ThreatSpire is designed around this cadence. Each profile carries confidence, evidence links, and a change history so that an analyst reading it six months later can see not just what is believed, but why and how strongly. That is the difference between an actor library and a rumor board.

Attribution restraint

Finally, be honest about attribution. Most ICS incidents will not produce enough evidence for a specific named group with high confidence. Being able to write "activity consistent with actors historically observed targeting ICS in this sector, low to moderate confidence" is a mature outcome, not a failure.

Share this post

See it in action

Want intelligence that drives decisions, not noise?