Critical infrastructure under attack: Flaws becoming weapon of choice

Threat actors are increasingly exploiting vulnerabilities to attack critical infrastructure systems.

Critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one quarter of those attacks carried out using vulnerability exploitation.

“Over the past year, we observed a continued shift towards identity attacks across all sectors, including critical infrastructure,” Michelle Alvarez, manager of IBM X-Force Strategic Threat Analysis, told CSO. “While attackers increasingly log in with stolen credentials, vulnerability exploitation remains a preferred entry point for these sectors, given their reliance on legacy tech and slow patching cycles.”

Alvarez added: “Defenders are overwhelmed by the patching backlog, and attackers will continue to take full advantage until that changes.”

Under fire — and overexposing critical systems

Other cybersecurity vendors quizzed by CSO agreed that security vulnerabilities represent an increasing threat to the integrity of critical infrastructure systems such as power distribution, water treatment, transport, telecoms, and banking.

“Attackers have leaned more heavily on vulnerability exploitation to get in quickly and quietly,” said Dray Agha, senior manager of security operations at managed detection and response vendor Huntress. “Phishing and stolen credentials play a huge role, however, and we’re seeing more and more threat actors target identity first before they probe infrastructure.”

James Lei, chief operating officer at application security testing firm Sparrow, added: “We’re seeing a shift in how attackers approach critical infrastructure in that they’re not just going after the usual suspects like phishing or credential stuffing, but increasingly targeting vulnerabilities in exposed systems that were never meant to be public-facing.”

VPNs, firewalls, and legacy web servers are common entry points, especially when they haven’t been patched properly or are running out-of-date firmware. Insecure IoT devices and operational technology (OT) systems offer further targets for potential exploitation.

Ian McGowan, managing director at cybersecurity firm Barrier Networks, commented: “The majority of attacks on CNI [critical national infrastructure] are not zero-days or exotic hacks; they are straightforward exploits of the basics we struggle to manage operationally.”

Himaja Motheram, a security researcher at threat intelligence firm Censys, added: “While attackers do exploit traditional software flaws, the bigger concern in critical infrastructure is the widespread availability of insecure, internet-facing systems that provide direct access to essential services without proper access controls.”

One of the most overlooked fundamental issues is the sheer number of critical systems, such as water treatment interfaces or medical imaging systems, that are exposed to the public internet with either no authentication or default/weak credentials, according to Sparrow’s Lei.

“In these cases, attackers don’t even need to leverage exploits; they can simply log in,” Lei explained. “The core problem isn’t just a particular class of vulnerability; it’s the systemic exposure and accessibility of sensitive systems that should never be directly reachable in the first place.”

Trade in exploit code

IBM’s X-Force found four of the 10 most mentioned common vulnerabilities and exposures (CVEs) on the dark web were linked to sophisticated threat actor groups, including nation-state intelligence agencies.

“Exploit codes for these CVEs were openly traded on numerous forums — fueling a growing market for attacks against power grids, health networks, and industrial systems,” IBM’s X-Force reports.

IBM’s threat intel arm adds: “This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.”

Of the 10 CVEs highlighted in IBM’s X-Force 2025 Threat Report, five impacted edge devices, and each of those five also featured in the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Scott Caveza, senior staff research engineer at Tenable, commented: “Because these devices are often mission-critical and downtime may require significant planning, it may be one of the reasons these devices are patched less frequently, even in the wake of critical vulnerabilities impacting them.”

Attackers targeting critical infrastructure also exploit unpatched vulnerabilities across legacy operating systems, as well as industrial control systems.

“These systems often remain unpatched for longer periods of time given the downtime risks, making them attractive targets,” IBM X-Force’s Alvarez said. “As a result, attackers can leverage vulnerabilities to gain control over critical systems and disrupt essential services.”
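The KEV-driven patch prioritization the report recommends can be scripted against an asset inventory. The example below is added here and is not from IBM, CISA or any vendor quoted; the catalog excerpt and inventory are constructed placeholders in the shape of CISA’s KEV JSON, and the scoring weights are an assumption that favors internet-facing edge devices and entries past their CISA due date.

```python
from datetime import date

# Constructed KEV-style catalog excerpt (placeholder ids, not real CVEs).
KEV_CATALOG = {"vulnerabilities": [
    {"cveID": "CVE-0000-1111", "vendorProject": "ExampleNet", "product": "EdgeGateway",
     "dateAdded": "2025-02-10", "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-2222", "vendorProject": "ExampleNet", "product": "EdgeGateway",
     "dateAdded": "2025-04-01", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-3333", "vendorProject": "PlantCo", "product": "HMI Studio",
     "dateAdded": "2025-03-15", "dueDate": "2025-04-05", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed asset inventory: product per host, exposure, and KEV ids already patched.
INVENTORY = [
    {"host": "vpn-edge-1", "vendorProject": "ExampleNet", "product": "EdgeGateway",
     "internet_facing": True, "patched": {"CVE-0000-2222"}},
    {"host": "hmi-ws-7", "vendorProject": "PlantCo", "product": "HMI Studio",
     "internet_facing": False, "patched": set()},
    {"host": "lab-gw", "vendorProject": "ExampleNet", "product": "EdgeGateway",
     "internet_facing": False, "patched": set()},
]


def prioritize(catalog, inventory, today):
    """Rank unpatched KEV matches per host, highest priority first.

    Score (assumed weights): 1 for any KEV match, +2 if CISA's due date has
    passed, +2 if flagged for ransomware use, +3 if the host is internet-facing
    (the edge-device case the report singles out). `today` is an ISO date string.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for vuln in catalog["vulnerabilities"]:
            if (vuln["vendorProject"], vuln["product"]) != (asset["vendorProject"], asset["product"]):
                continue
            if vuln["cveID"] in asset["patched"]:
                continue  # already remediated on this host
            score = 1
            if date.fromisoformat(vuln["dueDate"]) < today_d:
                score += 2
            if vuln["knownRansomwareCampaignUse"] == "Known":
                score += 2
            if asset["internet_facing"]:
                score += 3
            findings.append({"host": asset["host"], "cveID": vuln["cveID"], "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["cveID"]))


if __name__ == "__main__":
    for f in prioritize(KEV_CATALOG, INVENTORY, "2025-04-10"):
        print(f"{f['score']:>2}  {f['host']:<12} {f['cveID']}")
```

Against the live catalog, `KEV_CATALOG` would be replaced by the parsed contents of CISA’s published KEV JSON feed and `INVENTORY` by the organization’s own asset data.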

Appetite for disruption

The list of attacks against critical infrastructure organizations that relied, wholly or in part, on vulnerability exploitation is large and growing.

US government security agencies warned in February 2024 that Chinese state-sponsored hackers had penetrated multiple critical infrastructure networks, spanning communications, energy, transportation, and water sectors, and were maintaining persistent access.

The Volt Typhoon group typically gained initial access by exploiting vulnerabilities in public-facing network appliances from vendors such as Fortinet, Citrix, and Cisco.

Intelligence agencies warned that the group was setting up the ability to disrupt or destroy services in the event of a major crisis or conflict between the US and China.

The MOVEit Transfer hack hit multiple healthcare and government organizations in June 2023 after a zero-day vulnerability in enterprise file transfer software was exploited by ransomware groups, a textbook example of a supply chain attack.

Another example is the CyberAv3ngers attacks on US water and wastewater systems (2023-2024). This group, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), targeted Unitronics programmable logic controllers (PLCs) used in many facilities.

“By exploiting publicly exposed interfaces and weak security configurations, they defaced human-machine interfaces (HMIs) and, in at least one Texas incident, manipulated water pumps and alarms,” Bharat Mistry, director of product management at cybersecurity software company Trend Micro, said. “These attacks highlight the ongoing risks posed by vulnerable industrial control systems.”

Andy Thompson, offensive cybersecurity research analyst at global identity security firm CyberArk, said that the biggest threat to critical infrastructure is the disruption of availability, as exemplified by the May 2021 Colonial Pipeline ransomware attack.

The Colonial Pipeline breach started with a compromised VPN login, but it was the lack of multi-factor authentication and poor patching that allowed it to escalate so severely, according to Huntress’s Agha.

The attack disrupted fuel supplies and triggered panic buying and widespread gasoline shortages across the US East Coast.

Countermeasures

The escalating threat to critical infrastructure systems, which shows little sign of abating, ought to prompt a rethink in how to defend critical systems.

“Traditional methods for defense are not resilient enough for today’s evolving risk landscape,” said Andy Norton, European cyber risk officer at cybersecurity vendor Armis. “Legacy point products and siloed security solutions cannot adequately defend systems against modern threats, which increasingly incorporate AI. And yet, too few organizations are successfully adapting.”

Norton added: “It’s vital that organizations stop reacting to cyber incidents once they’ve occurred and instead shift to a proactive cybersecurity posture that allows them to eliminate vulnerabilities before they can be exploited.”

Mark Hughes, global managing partner of cybersecurity services at IBM, said: “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes, and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”
