Destructive malware dominates threat landscape, Nozomi Networks reveals

Roya Gordon, Nozomi Networks OT/IoT Security Research Evangelist

A recent study found that several disruptive attacks on critical infrastructure continued in to the second half of 2022 targeting the rail, hospitals, manufacturing and energy sectors. The latest OT/IoT security report from Nozomi Networks Labs finds that wiper malware, IoT botnet activity, and the Russia/Ukraine war significantly influenced the 2022 threat landscape.

What were the findings of the OT/IoT security report?

Continuing the trend that was observed in the first half of 2022, Nozomi Networks Labs researchers saw cybercriminals; hacktivists shift tactics from data theft and Distributed Denial of Service (DDoS) attacks to progressively utilizing more destructive malware in an attempt to destabilize critical infrastructure to further their political stance in the Russia/Ukraine war.

“Over the past six months, cyberattacks around the world have increased significantly, causing major disruption and damage to a number of industries ranging from transportation to healthcare,” said Roya Gordon, Nozomi Networks OT/IoT Security Research Evangelist.

“Railways, in particular, have been subject to various attacks, leading to the creation and implementation of measures designed to protect rail operators and their assets. As cyber threats evolve and intensify, it is important for organizations to understand how threat actors are targeting OT/IoT and the actions required to defend critical assets from threat actors.”

Nozomi Networks Labs analysis of customers’ intrusion alerts over the last six months found weak/cleartext passwords and weak encryption were the top access threats to critical infrastructure environments. This was followed by brute force and DDoS attempts. Trojans were the most common malware detected targeting enterprise IT networks, Remote Access Tools (RATs) topped the malware targeting OT, and DDoS malware targeted IoT devices.

Malicious IoT botnet activity generally remained high and continued to increase in the second half of 2022. Nozomi Networks Labs in the study found and discovered growing security concerns as botnets continue to use default credentials in attempts to access IoT Devices.

What were the findings of Nozomi Networks honeypots?

  • Attacks spiked in July, October and December with more than 5,000 unique attacks in each of those months.
  • The top attacker IP addresses were associated with China, the United States, South Korea and Taiwan.
  • “root” and “admin” credentials are still most often used as a way for threat actors to gain initial access and escalate privileges once in the network.

Regarding vulnerability, manufacturing and energy remained the most vulnerable industries followed by water/wastewater, healthcare and transportation. In the last six months of 2022:

  • CISA released 218 Common Vulnerabilities and Exposures (CVEs) – down 61% from the first half of the year.
  • 70 vendors were impacted – up 16% from the previous reporting period; and
  • Affected products were also up 6% from the first half of 2022.

Nozomi Networks’ “OT/IoT Security Report: A Deep Look into the ICS Threat Landscape” provides security professionals with latest insights needed to re-evaluate risk models and security initiatives, along with actionable recommendations for securing critical infrastructure.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.