Critical Infrastructure Under Fire: APT Campaigns Escalate - Dark Reading
Critical national infrastructure is increasingly targeted with vulnerability exploitation, ransomware, and OT attacks to disrupt essential services.

April 28, 2025 | 4 Min Read | Sponsored by Darktrace

The Darktrace Threat Research team has observed a significant uptick in sophisticated threats targeting critical national infrastructure (CNI) globally over the past year.

This observed increase in threats, shared in Darktrace's "Annual Threat Report 2024," aligns with heightened warnings from national intelligence agencies. It also mirrors numerous high-profile public disclosures of malicious activity within critical industries including energy, utilities, transportation, and healthcare.

Evidence suggests that advanced persistent threats (APTs) are infiltrating CNI organizations, possibly to interrupt services, make financial gains, steal data, or promote general instability. The targeting of CNI, and the operations attackers carry out after achieving initial access, suggest that threat actors may be building strategic pathways for geopolitical leverage in the event of conflict.

Darktrace analysts saw this play out in 2024. For example, an Asia-Pacific government agency was likely targeted by the threat actor Mustang Panda in an attempted data exfiltration attack. Additionally, a likely North Korean APT launched a mini campaign with a number of victims, including a European manufacturing company.

CNI was targeted with diverse approaches, but certain patterns emerged, including vulnerability exploitation, ransomware attacks, and threats to operational technology (OT).

Internet-Facing Devices Targeted

Darktrace analysts found that many instances of CNI compromise stemmed from exploitation of zero-day and n-day vulnerabilities in edge and perimeter networks.
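As an added example (not code from the article or from Darktrace), here is the kind of exposure-aware prioritization this section argues for, worked as a small Python script. It joins a constructed asset inventory with constructed scanner findings and a set of CVEs known to be exploited in the wild, and ranks the work so that an exploited bug on an Internet-facing appliance is fixed first while the same bug on an isolated management host can wait. The exploited-CVE set is the six identifiers this section names for Ivanti, Palo Alto Networks and Fortinet appliances; every hostname, product, placeholder finding and remediation window is an assumption made for the example.

```python
"""Exposure-aware patch prioritization (added example, not Darktrace's code).

Ranks scanner findings by two signals the article stresses, exploitation
in the wild and Internet exposure, instead of by CVSS score alone.
All hosts, findings and remediation windows below are assumptions.
"""
from dataclasses import dataclass

# The six CVEs the article names for edge-device campaigns. In practice
# this set should come from a maintained feed (e.g. CISA's KEV catalog);
# it is hard-coded only so the example runs offline.
KNOWN_EXPLOITED = {
    "CVE-2023-46805", "CVE-2024-21887",   # Ivanti Connect Secure / Policy Secure
    "CVE-2024-3400",                      # Palo Alto Networks PAN-OS
    "CVE-2024-47575",                     # Fortinet FortiManager
    "CVE-2024-0012", "CVE-2024-9474",     # PAN-OS (Operation Lunar Peek)
}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    internet_facing: bool
    critical_service: bool = False   # supports an OT / essential-service process


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float


@dataclass(frozen=True)
class WorkItem:
    tier: int
    host: str
    cve: str
    reason: str


# Remediation windows per tier (assumed policy values, not from the article).
WINDOWS = {1: "24h", 2: "72h", 3: "14d", 4: "next maintenance cycle"}


def tier_for(asset: Asset, finding: Finding) -> int:
    """Tier 1 = exploited and exposed; CVSS only breaks ties further down."""
    exploited = finding.cve in KNOWN_EXPLOITED
    if exploited and asset.internet_facing:
        return 1
    if exploited or (asset.internet_facing and finding.cvss >= 9.0):
        return 2
    if asset.internet_facing or asset.critical_service:
        return 3
    return 4


def prioritize(assets, findings):
    """Return findings as WorkItems, highest priority first."""
    by_host = {a.host: a for a in assets}
    items = []
    for f in findings:
        a = by_host.get(f.host)
        if a is None:
            # A scanned host missing from inventory is itself a tier-1 problem:
            # its exposure cannot be assessed, so it cannot be deprioritized.
            items.append(WorkItem(1, f.host, f.cve, "host absent from inventory"))
            continue
        t = tier_for(a, f)
        items.append(WorkItem(t, f.host, f.cve, f"patch within {WINDOWS[t]}"))
    cvss = {(f.host, f.cve): f.cvss for f in findings}
    return sorted(items, key=lambda w: (w.tier, -cvss[(w.host, w.cve)], w.host))


# Constructed inventory and findings (assumptions for this example).
ASSETS = [
    Asset("fw-edge-01", "PAN-OS", internet_facing=True),
    Asset("vpn-01", "Ivanti Connect Secure", internet_facing=True),
    Asset("fm-mgmt-01", "FortiManager", internet_facing=False),
    Asset("hmi-plant-02", "HMI workstation", internet_facing=False, critical_service=True),
    Asset("wiki-int", "internal wiki", internet_facing=False),
]
FINDINGS = [
    Finding("fw-edge-01", "CVE-2024-3400", 10.0),
    Finding("vpn-01", "CVE-2024-21887", 9.1),
    Finding("fm-mgmt-01", "CVE-2024-47575", 9.8),
    Finding("hmi-plant-02", "CVE-0000-0001", 7.5),   # placeholder id, non-exploited finding
    Finding("wiki-int", "CVE-0000-0002", 7.5),       # placeholder id
    Finding("rogue-box", "CVE-0000-0003", 5.0),      # host nobody inventoried
]

if __name__ == "__main__":
    for w in prioritize(ASSETS, FINDINGS):
        print(f"tier {w.tier}  {w.host:14} {w.cve:15} {w.reason}")
```

The point of the ordering is that fm-mgmt-01 carries the highest CVSS score but lands in tier 2 because it is not reachable from the Internet, while the uninventoried rogue-box outranks it: an unknown exposure is treated as the worst case until someone proves otherwise.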
In the first half of 2024, threats against Internet-facing devices accounted for 40% of all identified campaign activity observed by the Darktrace Threat Research team. The most significant campaigns involved:

• Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) appliances: CVE-2023-46805 and CVE-2024-21887
• Palo Alto Networks PAN-OS firewall devices: CVE-2024-3400
• Fortinet FortiManager: CVE-2024-47575
• Palo Alto Networks firewall devices: CVE-2024-0012 and CVE-2024-9474 (Operation Lunar Peek)

Threat actors can exploit newly discovered vulnerabilities in popular services and applications within hours of public exposure, and often continue to exploit them successfully for years afterwards. This highlights the importance of remediating vulnerabilities in a timely manner, especially on Internet-facing systems.

Ideally, threat and vulnerability management should extend beyond generic scanning and patch lists to offer tailored insights based on an understanding of the organization's unique environment and security posture.

Ransomware: Exfiltration Is Overtaking Encryption

Ransomware continues to pose a prevalent threat, especially in CNI industries and specifically in healthcare. The adoption of the Ransomware-as-a-Service (RaaS) model is lowering the barrier to entry, meaning less experienced threat actors have access to tools to carry out disruptive attacks.

Darktrace's Threat Research team tracked several ransomware threats over the past year, including novel strains like Lynx and known ones like Akira, Fog, and Black Basta.

The team observed several ransomware patterns. For example, ransomware attacks frequently used phishing emails as an attack vector and relied on legitimate remote-management tools like AnyDesk, Splashtop, and Atera to mask malicious command-and-control (C2) communication.
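The two detections the article describes for this ransomware pattern, run over constructed proxy logs as an added example (not Darktrace's code or detection logic): first, remote-management tooling (AnyDesk, Splashtop, Atera) reaching out from hosts that are not sanctioned to run it, since the tools are legitimate and the only signal is who is using them; second, large or lopsided outbound transfers to a single external endpoint, the shape of exfiltration-for-extortion. The domain suffixes, hostnames, byte thresholds and log lines are all assumptions made for this example.

```python
"""Added example (not Darktrace's code): RMM-as-C2 and bulk-upload detection
over constructed proxy logs.  Domains, hosts, thresholds and log lines are
assumptions; confirm real RMM domains against vendor documentation.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

MiB = 1024 * 1024

# Domain suffixes the RMM products are assumed to use (verify before use).
RMM_SUFFIXES = {
    "anydesk.com": "AnyDesk",
    "splashtop.com": "Splashtop",
    "atera.com": "Atera",
}
# Hosts whose owners are allowed to run RMM software (assumed allowlist).
SANCTIONED_RMM_HOSTS = {"it-admin-02"}

UPLOAD_BYTES = 500 * MiB   # absolute outbound volume per (src, dst) pair
RATIO_MIN_OUT = 100 * MiB  # only apply the ratio rule above this volume
UPLOAD_RATIO = 20          # bytes_out / bytes_in that counts as lopsided

# Constructed log lines: ts,src_host,dst_host,bytes_out,bytes_in
SAMPLE_LOG = """\
2024-06-03T09:58:11Z,ws-fin-03,www.example.com,2048,819200
2024-06-03T10:02:47Z,it-admin-02,relay.anydesk.com,40960,36864
2024-06-03T10:12:05Z,ws-eng-14,anydesk.com,51200,44032
2024-06-03T10:40:19Z,ws-eng-14,files.example-cloud.net,314572800,65536
2024-06-03T10:52:33Z,ws-eng-14,files.example-cloud.net,314572800,65536
2024-06-03T11:04:58Z,ws-eng-14,files.example-cloud.net,314572800,65536
2024-06-03T11:20:02Z,srv-db-01,203.0.113.7,157286400,1048576
2024-06-03T11:31:40Z,srv-db-01,203.0.113.7,157286400,1048576
"""


@dataclass(frozen=True)
class Alert:
    kind: str      # "rmm_unsanctioned", "large_upload" or "lopsided_upload"
    src: str
    dst: str
    detail: str


def rmm_product(dst: str):
    """Return the RMM product name if dst is exactly, or under, a known RMM domain."""
    for suffix, name in RMM_SUFFIXES.items():
        if dst == suffix or dst.endswith("." + suffix):
            return name
    return None


def detect(log_text: str):
    """Run both detections over the log text and return the alerts in order."""
    alerts = []
    seen_rmm = set()                          # one alert per (host, product)
    totals = defaultdict(lambda: [0, 0])      # (src, dst) -> [bytes_out, bytes_in]
    for ts, src, dst, out_s, in_s in csv.reader(io.StringIO(log_text)):
        out, inn = int(out_s), int(in_s)
        product = rmm_product(dst)
        if product and src not in SANCTIONED_RMM_HOSTS and (src, product) not in seen_rmm:
            seen_rmm.add((src, product))
            alerts.append(Alert("rmm_unsanctioned", src, dst,
                                f"{product} traffic from unsanctioned host at {ts}"))
        totals[(src, dst)][0] += out
        totals[(src, dst)][1] += inn
    # Volume rules are evaluated on the aggregate, so a transfer split into
    # several sessions still trips them.
    for (src, dst), (out, inn) in totals.items():
        if out >= UPLOAD_BYTES:
            alerts.append(Alert("large_upload", src, dst, f"{out // MiB} MiB sent"))
        elif out >= RATIO_MIN_OUT and out > UPLOAD_RATIO * max(inn, 1):
            alerts.append(Alert("lopsided_upload", src, dst,
                                f"{out // MiB} MiB out vs {inn // MiB} MiB in"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.kind:17} {a.src:12} -> {a.dst}: {a.detail}")
```

On the sample data the sanctioned admin host's AnyDesk relay traffic is silent, the engineering workstation fires once for AnyDesk and once for the 900 MiB it pushed to an external file host across three sessions, and the database server trips the ratio rule at 300 MiB out against 2 MiB in, a volume that would have slipped under the absolute threshold alone.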
Interestingly, attackers have demonstrated a preference for data exfiltration for extortion, rather than encryption.

AI-powered cybersecurity tools can help security teams protect against ransomware threats by detecting C2-related activity, unusual connections, and large data uploads to external endpoints.

OT and Internet of Things (IoT) Devices Under Threat

In May 2024, multiple security organizations and government agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC), warned about increased threats to Western critical national infrastructure from state-aligned groups. Not long after, two Darktrace customers based in North America experienced incidents involving unexpected activity from nationally critical OT infrastructure devices.

OT systems are designed to ensure the smooth and continuous operation of critical infrastructure, but they rely on older technologies and software that may lack modern security features and patching mechanisms. Experts in the OT cybersecurity space predict a rise in attacks targeting edge and IoT devices, which often have weaker security and so can provide attackers with a route into OT networks.

As OT increasingly integrates with IT systems, it is more important than ever to coordinate IT and OT teams and security postures to defend the entire ecosystem.

Secure Against CNI Threats with AI-Powered Cybersecurity Tools

CNI has been increasingly targeted, and the elevated risk from advanced cyber threat actors may continue through 2025. As such, security teams need robust tools to protect against attacks like vulnerability exploitation, ransomware, and IoT targeting in order to keep essential functions running.

Notably, this threat trend is still developing.
The rise of AI-based capabilities for both offensive and defensive cybersecurity purposes is a growing concern to CNI.

One way to bolster security is to use multilayered AI trained on your specific organization's environment to detect unusual user and device behavior and respond autonomously to neutralize activity that indicates a cyberattack is underway.

By Nathaniel Jones, Vice President of Threat Research, Security & AI Strategy, FCISO, Darktrace

About the Author

Nathaniel Jones leads initiatives in strategic accounts, customer engagement, and industry collaboration to enhance AI-driven cybersecurity solutions. Drawing on his extensive background in government and private sector cybersecurity, Nathaniel brings a global perspective to threat analysis and defense strategies. His expertise spans threat hunting, cyber intelligence, and incident response. At Darktrace, Nathaniel applies his diverse experience to improve real-time threat detection and response capabilities. He holds a master's degree focusing on international management and security policy, and is a Certified Information Security Manager (CISM) and Certified Ethical Hacker (CEH).