Author: Celine Rosak, Director of Corporate and Brand Marketing, Xage Security
Each month, our Cyber Risk Roundup blog series highlights the most pressing cybersecurity topics and threats. This December, we’re taking a broader look back at the year’s most significant threats to critical infrastructure.
This year, critical infrastructure faced an unprecedented surge in cyberattacks, exposing vulnerabilities across industries vital to our economy, security, and daily lives. From nation-state actors targeting telecommunications networks and energy grids to ransomware disrupting healthcare and financial services, the threats grew in both scale and sophistication.
In response, governments, agencies, and organizations began to strengthen their defenses, with new regulations, collaborative guidance, and calls for a shift toward proactive cybersecurity measures. Yet, as the attacks of 2024 demonstrate, there is still much work to be done.
Join us as we look back on the most significant cyber threats to critical infrastructure this year—exploring emerging trends, major incidents, and the steps needed to safeguard these essential systems in an increasingly hostile cyber landscape.
Nation-State Threats Dominate Critical Infrastructure Attacks
No discussion of this year’s critical infrastructure attacks can begin without addressing the headline-grabbing campaign by the Chinese state-sponsored hacking group Volt Typhoon. The group pre-positioned itself inside the IT networks of U.S. critical infrastructure operators, including energy, water, transportation, and communications providers. While the scale of the campaign came to light this year, CISA and its partners assessed that Volt Typhoon had maintained access to some victim networks for at least five years. The group’s hallmark “living off the land” (LOTL) tradecraft, which relies on built-in administration tools and valid accounts rather than custom malware, made detection and mitigation particularly challenging.
In response, CISA and its domestic and international partners issued a joint advisory in February detailing widespread compromises across critical infrastructure. While the advisory included recommended defenses, the campaign’s impact lingered for months. In August, researchers at Lumen’s Black Lotus Labs linked Volt Typhoon to the exploitation of a zero-day vulnerability (CVE-2024-39717) in Versa Director, an SD-WAN management platform used by U.S. internet service providers and managed service providers. The incident sparked controversy when Versa pointed to customers’ inadequate hardening, in particular management ports left exposed to the internet, as the reason the flaw was exploitable.
Volt Typhoon remains an active threat, continuing to infiltrate and maintain access to critical infrastructure, including energy and transportation systems.
Attacks on critical infrastructure were rampant in 2024, with entry points ranging from IT systems to industrial control systems (ICS). In April, Cisco disclosed ArcaneDoor, a campaign in which zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software were exploited to plant backdoors on government-operated perimeter devices worldwide; Cisco attributed the activity to a state-sponsored actor, and subsequent reporting pointed to China. In July, Dragos disclosed FrostyGoop, ICS malware that speaks Modbus TCP directly and had been used in January to send read and write commands to heating controllers in Lviv, Ukraine, leaving roughly 600 apartment buildings without heat in sub-zero temperatures. Because Modbus has no authentication, any host that can reach TCP port 502 can issue the same commands an engineering workstation would, which is what makes this kind of attack so hard to distinguish from legitimate operations.
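To make that detection problem concrete, here is an added example (not code from Xage or from the FrostyGoop analysis) that parses Modbus/TCP frames and flags write commands coming from hosts that are not on an allowlist. The allowlisted workstation, the PLC address and the sample frames are all constructed for this example; in practice the packets would come from a network tap or an IDS feed.

```python
"""Flag Modbus/TCP write commands from hosts that are not allowed to write.

Added example. The engineering workstation 10.0.5.10, the PLC 10.0.5.50 and the
sample frames below are constructed; they are not from any real capture.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Modbus function codes that change device state (coils / holding registers).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Assumption for this example: only this engineering workstation may write.
ALLOWED_WRITERS = {"10.0.5.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header (tid, proto, length, unit) and the PDU."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    # The MBAP length field counts the unit id plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload size")
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target address (and value or count) of a write PDU."""
    if len(frame.data) < 4:
        return f"raw={frame.data.hex()}"
    first, second = struct.unpack("!HH", frame.data[:4])
    if frame.function in (5, 6):        # single coil / register: addr, value
        return f"addr={first} value={second:#06x}"
    if frame.function in (15, 16):      # multiple coils / registers: addr, quantity
        return f"addr={first} count={second}"
    return f"raw={frame.data.hex()}"


def find_unauthorized_writes(packets: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """packets: (src_ip, dst_ip, tcp_payload). Returns one alert string per hit."""
    alerts = []
    for src, dst, payload in packets:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError:
            continue  # not a well-formed Modbus frame; out of scope here
        if frame.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append(
                f"{src} -> {dst} unit {frame.unit_id}: "
                f"{WRITE_FUNCTIONS[frame.function]} ({describe_write(frame)})"
            )
    return alerts


# Constructed sample traffic: MBAP header, then function code and data.
SAMPLE_PACKETS = [
    # Workstation reads holding registers 0..9 (function 3): reads are never flagged.
    ("10.0.5.10", "10.0.5.50", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Workstation writes register 5 = 0x0064 (function 6): allowed source.
    ("10.0.5.10", "10.0.5.50", bytes.fromhex("0002 0000 0006 01 06 0005 0064")),
    # Unknown host writes 2 registers starting at 2 (function 16): alert.
    ("10.0.7.200", "10.0.5.50", bytes.fromhex("0003 0000 000b 01 10 0002 0002 04 0000 0001")),
    # Unknown host only reads (function 3): no alert.
    ("10.0.7.200", "10.0.5.50", bytes.fromhex("0004 0000 0006 01 03 0000 0002")),
]

if __name__ == "__main__":
    for line in find_unauthorized_writes(SAMPLE_PACKETS):
        print("ALERT", line)
```

Run on the sample set, this raises exactly one alert, for the unknown host’s Write Multiple Registers command. The allowlist is the important part: on a Modbus network the only signal that separates an attacker from an operator is which host sent the write, so a baseline of who is permitted to write to which unit has to exist before this kind of rule can fire.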
These attacks provide just a glimpse of the mounting risks to critical infrastructure. Below, we’ll delve into more specific attacks by industry to paint a fuller picture of this year’s cybersecurity landscape.
Government Response to Strengthen Critical Infrastructure Security
Attacks on critical infrastructure continued to highlight the poor state of security in these industries throughout 2024, with a notable uptick in both the volume and severity of incidents. In response, the year saw a surge of government rulings and guidance aimed at addressing these vulnerabilities.
In April, CISA introduced new rules for incident reporting in critical infrastructure sectors, opening them for public comment. Secretary of Homeland Security Alejandro Mayorkas emphasized the importance of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), stating in an interview with The Record: “CIRCIA enhances our ability to spot trends, assist victims of cyber incidents, and rapidly share information with other potential targets, driving risk reduction across all critical infrastructure sectors.” However, some cybersecurity experts expressed concerns that the proposed rules could prove overly complex and burdensome.
The conversation intensified in May following high-profile state-sponsored attacks, such as the Volt Typhoon campaign. In response, the White House issued a national security memo on critical infrastructure cybersecurity, focusing on enhancing the security and resilience of U.S. systems.
By June, CISA expanded its efforts by collaborating with international organizations to release guidance on securing modern network access. Key recommendations included adopting zero trust architectures, moving away from VPNs due to inherent vulnerabilities, and strengthening remote access security. These measures gained urgency as VPN access came under scrutiny following multiple high-profile attacks throughout the year.
Crippling VPN Vulnerabilities Devastate Private Enterprises and Government Agencies
Despite long-standing recognition of VPNs as an insecure option for remote access, they continue to be widely used across countless environments. This year highlighted just how vulnerable these technologies remain, with Ivanti drawing significant attention for multiple critical vulnerabilities. In January, Ivanti Connect Secure and Policy Secure appliances were hit by an authentication bypass (CVE-2023-46805) chained with a command injection (CVE-2024-21887), both exploited in the wild as zero-days before patches were available. The flaws were particularly severe: CISA later warned that attackers could retain root-level persistence on an appliance even after a factory reset, and that Ivanti’s own integrity checker could fail to detect the compromise.
The repercussions escalated in March when CISA itself was hacked using the same mechanism it had warned others about. By April, another major player, MITRE, fell victim to breaches facilitated by Ivanti VPN vulnerabilities.
In September, vulnerabilities in Ivanti Cloud Services Appliance (CSA) were added to CISA’s Known Exploited Vulnerabilities catalog. While unrelated to the earlier Connect Secure flaws, these new CVEs further heightened concerns about the persistent insecurity of remote access technologies.
But Ivanti wasn’t the only culprit drawing scrutiny in 2024. In November, Volexity reported that a zero-day vulnerability in Fortinet’s FortiClient VPN client for Windows was being exploited with the DeepData malware framework, attributed to the China-linked threat actor BrazenBamboo. The flaw is that credentials remain in the client’s process memory after authentication, allowing the malware to extract usernames and passwords directly from memory. Although reported to Fortinet in July, the vulnerability remained unpatched at the time of disclosure, posing a significant threat to affected systems.
Meanwhile, in May, researchers at Leviathan Security disclosed TunnelVision (CVE-2024-3661), a technique that abuses DHCP option 121 (classless static routes, standardized in 2002) rather than a flaw in any particular VPN product. An attacker on the same local network who runs or spoofs the DHCP server can push routes that are more specific than the VPN’s default route; the operating system honors them, so traffic to the targeted destinations leaves the host outside the tunnel, unencrypted, while the VPN client still reports a healthy connection. Nearly any routing-based VPN client is affected; only clients that confine traffic with network namespaces or firewall rules, or platforms such as Android that do not implement option 121, are immune.
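As an added example, not part of the original post or of Leviathan’s tooling, the following decodes DHCP option 121 the way a client would (RFC 3442: a prefix length, only the significant octets of the destination, then the router address) and flags pushed routes that cover addresses outside the local LAN, which are exactly the ones that would steer traffic around the tunnel. The option bytes, the LAN range and the rogue gateway address are constructed.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag routes
that would pull traffic out of a VPN tunnel, the TunnelVision technique.

Added example; the option bytes, LAN range and gateway addresses are constructed.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def decode_option_121(data: bytes) -> List[Route]:
    """Parse the RFC 3442 encoding: <prefix-len><significant dest octets><router>."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8  # only ceil(plen/8) destination octets are on the wire
        if i + n + 4 > len(data):
            raise ValueError("truncated route descriptor")
        dest = bytes(data[i:i + n]).ljust(4, b"\x00")  # pad the omitted low octets
        router = bytes(data[i + n:i + n + 4])
        i += n + 4
        routes.append((ipaddress.IPv4Network((dest, plen)),
                       ipaddress.IPv4Address(router)))
    return routes


def tunnel_bypass_routes(routes: List[Route], lan_cidr: str) -> List[Route]:
    """Return pushed routes that cover addresses outside the local LAN.

    A VPN client sends everything except the LAN through the tunnel via a
    0.0.0.0/0 (or 0/1 + 128/1) route on its tun interface. A DHCP route for any
    wider destination, with a LAN next hop, is more specific than the tunnel's
    default route and wins in the routing table, so that traffic leaves in the
    clear. Routes that stay inside the LAN are normal and are left alone.
    """
    lan = ipaddress.ip_network(lan_cidr)
    return [(net, gw) for net, gw in routes if not net.subnet_of(lan)]


# Constructed option 121 payload as a rogue DHCP server might send it.
SAMPLE_OPTION_121 = bytes.fromhex(
    "19 c0 a8 01 80 c0 a8 01 01 "   # 192.168.1.128/25 via 192.168.1.1 (benign, inside LAN)
    "01 00 c0 a8 01 63 "            # 0.0.0.0/1    via 192.168.1.99 (attacker gateway)
    "01 80 c0 a8 01 63 "            # 128.0.0.0/1  via 192.168.1.99 (attacker gateway)
    "18 0a 14 1e c0 a8 01 01 "      # 10.20.30.0/24 via 192.168.1.1 (also bypasses tunnel)
)

if __name__ == "__main__":
    routes = decode_option_121(SAMPLE_OPTION_121)
    for net, gw in tunnel_bypass_routes(routes, "192.168.1.0/24"):
        print(f"route {net} via {gw} would bypass the VPN tunnel")
```

A client that wanted to defend itself could log or drop such routes before installing them, but the robust fix remains to bind the VPN to its own network namespace, or to firewall off everything except the tunnel interface and the VPN server’s address, so that the routing table is not the only thing standing between the traffic and the wire.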
The conclusion is clear: VPNs are no longer a viable option for secure remote access. This realization has prompted many enterprises to actively pursue VPN replacements.
Governments are also stepping up. Norway’s National Security Authority (NSM) joined a growing list of authorities, including those in the US and UK, in recommending that organizations replace SSL/TLS-based VPNs with IPsec (IKEv2), reinforcing the global call for more robust remote access solutions.
Firewalls: From Gatekeepers to Gateways for Malicious Actors
VPNs weren’t the only technologies to make headlines for severe security flaws this year. Firewalls also found themselves at the center of significant compromises and exploits in 2024.
In October, Fortinet disclosed a critical vulnerability in its FortiManager platform (CVE-2024-47575, dubbed “FortiJump”), which is used to manage Fortinet devices such as FortiGate firewalls; it had already been exploited as a zero-day. The flaw is a missing authentication check in the FortiGate-to-FortiManager (fgfm) service, so an attacker presenting a valid FortiGate certificate, obtainable from any FortiGate device, could register a rogue device and then execute code on FortiManager. While the exploit didn’t directly target VPNs, an attacker who compromised FortiManager could alter the configuration of every managed device, potentially impacting VPN and firewall settings and causing cascading network vulnerabilities.
Palo Alto Networks wasn’t spared either, with a string of vulnerabilities surfacing throughout the year. In April, the company disclosed CVE-2024-3400, a critical command injection in the GlobalProtect feature of PAN-OS that allowed unauthenticated attackers to execute code as root on affected firewalls. Exploited in the wild as a zero-day, the flaw prompted urgent patches. In October, researchers uncovered a chain of vulnerabilities in Palo Alto Networks’ Expedition migration tool which, when combined, could let attackers read database contents and write files to the system, exposing cleartext passwords, device configurations, and API keys for PAN-OS firewalls. Then, in November, Palo Alto Networks disclosed CVE-2024-0012, an authentication bypass in the PAN-OS management web interface that grants administrative access, chained in the wild with CVE-2024-9474 to escalate to root. The company’s advice in each case was the same: restrict management interface access to a dedicated management network and never expose it to the internet.
Exploited Firewall Vulnerabilities Highlight Life-Threatening Risks to Critical Infrastructure
Vulnerabilities like these carry profound consequences, including the potential to endanger human lives. A stark example occurred in 2020, when Sichuan Silence Information Technology, a Chinese cybersecurity company closely tied to PRC intelligence agencies, exploited a zero-day SQL injection vulnerability (CVE-2020-12271) in Sophos XG firewalls. By leveraging this flaw, Sichuan Silence compromised over 80,000 firewalls globally, including 23,000 in the United States. Among the affected targets were 36 organizations in U.S. critical infrastructure sectors, most notably an energy company that was actively drilling at the time of the attack. Had the intrusion not been detected, it had the potential to cause catastrophic loss of life.
This month, the United States issued sanctions against the entities responsible for these attacks. While sanctions often feel like a game of whack-a-mole, this action highlights the relentless challenge posed by foreign interference in U.S. critical infrastructure and underscores the severe stakes involved.
Critical Infrastructure Under Fire: A Sector-by-Sector Review of Cyber Attacks
Water and Wastewater Systems
The vulnerabilities in U.S. water systems took center stage this year after a series of cyberattacks on local utilities, prompting regulatory responses and heightened awareness.
The year began with a string of water infrastructure hacks, including attacks on three small cities in the Texas panhandle in January. Mandiant later attributed these incidents to the Cyber Army of Russia Reborn persona, which it assessed is linked to Russia’s GRU-backed Sandworm group. In Muleshoe, the attackers manipulated an internet-exposed human-machine interface until a tank overflowed, while another city’s utility disconnected its systems and switched to manual operations to protect them. These events followed the late-2023 attack on a municipal water authority in Aliquippa, Pennsylvania, in which the Iranian-affiliated CyberAv3ngers group defaced internet-exposed Unitronics programmable logic controllers that were still using the vendor’s default password.
In October, the largest water utility in the U.S. shut down its billing system in response to a cyber incident, underscoring the persistent threats facing this sector.
Interestingly, not all high-profile incidents in recent years have been genuine cyberattacks. For example, the widely reported 2021 breach of a water treatment facility in Oldsmar, Florida—initially believed to be a hacking attempt—has since been called into question. New evidence suggests the event may have been the result of an overzealous employee rather than an external attacker.
Given the increasing trend of attacks, government agencies issued warnings and guidance throughout the year. In April, following the Texas attacks, the White House urged organizations to strengthen their defenses against cyber threats. By May, the Environmental Protection Agency (EPA) released a warning highlighting the growing number of cyberattacks on America’s drinking water systems. The agency called on water utilities to adopt basic cyber hygiene practices to better prevent, detect, respond to, and recover from cyber incidents.
Communications
Ransomware remained a major threat in 2024, targeting companies like AT&T and Comcast through direct breaches and third-party vulnerabilities.
In July, AT&T disclosed a breach exposing call and text metadata for roughly 109 million customer accounts, taken from the company’s account on the Snowflake cloud data platform, highlighting industry-wide security gaps. Similarly, a ransomware attack in February, not disclosed until July, hit Financial Business and Consumer Solutions (FBCS), a former Comcast debt-collection contractor, compromising data of over 230,000 Comcast customers, including Social Security numbers and account details. This came on the heels of the breach Comcast disclosed late last year, in which attackers exploited the Citrix Bleed vulnerability to expose the personal data of nearly 36 million Xfinity customers.
Late this year, the communications sector experienced a global surge in cyberattacks driven by nation-state actors from China.
In October, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) launched an investigation into suspected Chinese cyber intrusions targeting U.S. communications networks. These breaches reportedly aimed to intercept sensitive communications involving prominent political figures. With the FBI and CISA also involved in the inquiry, the CSRB is expected to recommend enhanced security measures to protect telecom infrastructure. This incident underscores the growing sophistication of cyber threats to critical U.S. systems.
The Chinese state-sponsored hacking group Salt Typhoon infiltrated several major U.S. communications providers, including AT&T, Verizon, Lumen Technologies, and T-Mobile. These breaches were aimed at conducting espionage on high-value intelligence targets by accessing communication records, call logs, and unencrypted text messages of senior national security officials—posing severe national security risks.
These incidents are part of a larger trend of cyberattacks on the communications industry worldwide, with reports of similar breaches in Africa and Asia. In November, a CrowdStrike representative testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law about another Chinese-backed group, Liminal Panda. Active since 2020, Liminal Panda has consistently targeted the communications industry, exploiting insecure legacy systems as entry points for their attacks—mirroring tactics seen across critical infrastructure breaches.
In response to Salt Typhoon, the White House and the Federal Communications Commission (FCC) have proposed new regulations requiring communications companies to implement minimum cybersecurity practices and risk management plans. While this U.S. initiative marks progress, it is less comprehensive than the UK’s stringent communications Code of Practice or Australia’s broader telco security obligations. Experts widely agree that this regulatory step is long overdue and emphasize the need for a more proactive and robust approach to secure communications infrastructure.
Healthcare
The healthcare industry, unfortunately a frequent target of cyberattacks, faced several high-profile incidents this year. In February, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack by the ALPHV/BlackCat group that compromised the personal data of over 100 million individuals. The attackers got in through a Citrix remote access portal that had no multi-factor authentication enabled, a detail UnitedHealth’s CEO later confirmed to Congress. The attack caused widespread disruptions to healthcare services nationwide, with pharmacies and providers unable to process claims for weeks. Reports indicate that UnitedHealth Group paid a $22 million ransom in an attempt to keep the stolen data from being published, and a second group later tried to extort the company with the same data.
In June, a ransomware attack on Synnovis, a pathology services provider, disrupted operations at King’s College Hospital and Guy’s and St Thomas’ NHS Foundation Trusts in London, leading to the cancellation of thousands of appointments and surgeries. Because hospitals could no longer match blood types quickly, NHS Blood and Transplant issued an urgent appeal for O-negative and O-positive donors. The Russian-speaking Qilin ransomware group claimed responsibility, reportedly demanding a $50 million ransom for the stolen data.
By September, the threat landscape for healthcare grew more alarming with the emergence of a group called Vanilla Tempest, which began specifically targeting the sector. According to Microsoft Threat Intelligence, the group employed tactics such as abusing the Remote Monitoring and Management tool AnyDesk and leveraging the Remote Desktop Protocol (RDP) for lateral movement. Meanwhile, a new ransomware strain known as Trinity prompted the U.S. Department of Health and Human Services to issue an advisory in October, warning hospitals of the strain’s potential as a “significant threat.”
The healthcare sector bore a significant brunt of cybercrime activity in 2024, accounting for 14.2% of all attacks targeting critical infrastructure, according to data from the World Economic Forum. This aligns with findings from Sophos, which reported that two-thirds of surveyed healthcare organizations suffered ransomware attacks in the past year—highlighting the industry’s growing vulnerability to increasingly sophisticated cyber threats.
Energy
In August, an “ethical hacker” demonstrated the ability to take control of 4 million smart solar arrays across the EU, raising serious concerns about the security of Europe’s energy grid and its growing dependence on interconnected systems.
In the United States, cyberattacks on utilities have risen by nearly 70% in 2024 compared to the same period in 2023, driven by the rapid expansion and digitalization of the power grid. While digital transformation brings efficiency, it has also heightened the grid’s exposure to cyber threats, making utilities a growing target for attackers.
In September, Halliburton disclosed via an SEC filing that data was stolen during a cyberattack in August 2024. While the company is still investigating the scope and nature of the breach, the incident highlights the unique cybersecurity challenges faced by oil and gas companies and other critical infrastructure organizations.
Meanwhile, the industry is bracing for potential regulatory changes. The Transportation Security Administration (TSA), which regulates pipeline cybersecurity, issued a Notice of Proposed Rulemaking that seeks to mandate cyber risk management programs and incident reporting for certain pipeline and rail owners and operators, making permanent the requirements it has imposed through security directives since the 2021 Colonial Pipeline attack. Public comments on the proposed rules are due in February 2025, marking a step toward tighter oversight in the sector.
Transportation
The transportation sector—spanning land, air, and sea—faced a series of significant cyberattacks this year, exposing critical vulnerabilities across multiple systems.
In March, researchers showed that the electronic logging devices (ELDs) mandated in U.S. commercial trucks could be compromised wirelessly and used to spread a self-propagating worm from truck to truck, raising alarms about the broader security of logistics operations. A month earlier, in February, the Biden administration had issued an executive order aimed at enhancing maritime security, particularly in U.S. ports, which play a pivotal role in supporting the nation’s economy and supply chain resilience. That order followed the July 2023 ransomware attack on Japan’s largest port, Nagoya, which halted container operations for days and disrupted the local economy and supply chain, particularly the automotive industry.
In September, Transport for London (TfL) experienced a cyberattack that potentially exposed the bank details, names, and contact information of up to 5,000 passengers. The breach led to the arrest of a 17-year-old suspect and prompted TfL to enhance its cybersecurity measures to better protect customer data. That same month, the Port of Seattle, which manages the Seattle-Tacoma International Airport, made headlines by refusing to pay a ransom demand of 100 bitcoin—approximately $6 million. The incident highlights the ongoing dilemma of whether to pay ransom demands, a decision with significant consequences for victims, including potential operational disruptions and emboldening future attacks.
In late September, a cyberattack targeted the public Wi-Fi at 19 UK railway stations managed by Network Rail, including major hubs like Manchester Piccadilly and London Bridge. Passengers who connected were shown a page referencing terror attacks, leading to the suspension of Wi-Fi services while authorities investigated; British Transport Police subsequently arrested an employee of the third-party company that ran the service.
Although not caused by a cyberattack, the greatest disruption to aviation this year was hands down the faulty CrowdStrike Falcon sensor update of July 19, which crashed roughly 8.5 million Windows hosts worldwide. Critical systems, including check-in platforms, flight scheduling, and passenger databases, went down, forcing airlines like Delta, United, and British Airways to cancel or delay thousands of flights. Airports experienced significant slowdowns as staff resorted to manual processes, stranding passengers and creating widespread chaos. The incident underscored the aviation and transportation sector’s heavy reliance on interconnected IT systems and on kernel-level security agents that can take a whole fleet down at once, highlighting the urgent need for staged rollouts, rollback plans, and redundancy measures. Beyond aviation, the outage also heavily impacted the finance, retail, and healthcare sectors, demonstrating the ripple effects of IT failures across critical industries.
Space
The space industry faced an array of significant cyber threats in 2024, highlighting its growing vulnerability and sparking critical discussions on cybersecurity in space. In March, the Biden administration began laying the groundwork to address a new era of cyber threats targeting satellites. However, it’s not just the satellites in orbit that require protection; securing satellite ground stations has become equally critical to ensuring the resilience of space infrastructure.
These concerns were underscored by a series of high-profile incidents throughout the year. In January, pro-Ukrainian hacktivists breached Russia’s Centre for Space Hydrometeorology (Planeta), affiliated with Roscosmos, erasing 2 petabytes of data used for weather forecasting and military operations. Mid-year, the Iranian APT group Peach Sandstorm (APT33) deployed a custom backdoor called Tickler against satellite, communications equipment, and oil and gas targets, gaining initial access through password-spray attacks and social engineering and hosting its command-and-control infrastructure on attacker-controlled Azure subscriptions. North Korean state-sponsored hackers, identified as Andariel (APT45), further escalated threats with cyber espionage campaigns targeting global defense and aerospace sectors to steal sensitive data and advance Pyongyang’s military and nuclear programs.
These incidents highlight the urgent need for robust cybersecurity measures across both orbital systems and terrestrial infrastructure as the space industry becomes an increasingly attractive target for nation-state adversaries.
Financial Services
In June, the LockBit ransomware group claimed to have stolen 33TB of data from the U.S. Federal Reserve. Skepticism surrounded the claim from the start, and when the data was published it turned out to belong not to the Fed but to Evolve Bank & Trust, a fintech-focused bank that had weeks earlier been the subject of a Federal Reserve enforcement action. Evolve confirmed the breach, which exposed personal data of its own customers and of customers of the fintech partners that relied on it.
In November, Finastra, a key financial technology provider for major banks, disclosed a cyberattack resulting in the theft of 400GB of sensitive data. The breach, initiated through compromised credentials, highlighted third-party vulnerabilities and raised concerns about the security of critical financial infrastructure.
By Q3 2024, DDoS attacks on the financial sector surged 49% quarter-over-quarter, disrupting online banking, payment processing, and customer portals. These attacks underscored the need for stronger defenses as institutions faced rising operational risks and eroding consumer trust.
Information Technology
In June, Snowflake customers began reporting breaches. Initial reports speculated that Snowflake itself was compromised, but Mandiant’s investigation found that the attacker (tracked as UNC5537) had simply logged in with credentials harvested by infostealer malware, some dating back to 2020, on customer accounts that lacked multi-factor authentication (MFA) and had no network allowlist restricting where logins could originate. Recognizing the critical role of credential security, Snowflake has since implemented measures to improve user protection. Customers can now enforce MFA for their users, and starting in November 2025, Snowflake will block single-factor password authentication entirely. These steps align with the company’s commitment to CISA’s Secure by Design initiative, signaling a shift toward stronger, enterprise-wide defenses.
Securing Critical Infrastructure: The Path Forward
As we reflect on 2024, it is clear that cyber threats to critical infrastructure have grown in both frequency and impact. Nation-state actors, ransomware gangs, and emerging vulnerabilities continue to exploit outdated systems, insecure remote access technologies, and gaps in basic cyber hygiene across industries. From healthcare and transportation to energy and telecommunications, no sector has been immune to disruption.
While the challenges are significant, the solutions are within reach. Initiatives like CISA’s Secure by Design pledge offer a roadmap for organizations and technology vendors to prioritize security at every stage of development. Companies like Xage Security are already leading the charge by embedding zero-trust principles into their solutions, replacing insecure tools like VPNs, and ensuring secure-by-default systems for critical infrastructure and operational technology environments.
To build resilience, organizations must take a proactive stance: embrace zero-trust architectures, enforce multi-factor authentication (MFA), and replace legacy systems with modern, secure alternatives. Governments and industries alike must prioritize collaboration, share actionable threat intelligence, and invest in comprehensive cybersecurity strategies.
The year’s events underscore a crucial reality: cybersecurity must become a cornerstone of critical infrastructure protection, not an afterthought. By aligning with secure-by-design principles and taking decisive action now, organizations can mitigate risks, safeguard essential systems, and ensure a stronger, more secure foundation for the years ahead.