Nozomi Networks Labs reports that healthcare services was the most targeted industry in Australia for operational technology (OT) and internet-connected environments in 2025, followed by manufacturing. The findings also place Australia among the countries generating the highest number of security alerts per organisation, rising to third in the second half of the year.

The report tracks activity across OT and IoT environments, including industrial control systems and connected devices used in sectors such as energy, transport and healthcare. It links the Australian results to sustained attacker interest in the country’s critical infrastructure and major service providers.

Australia’s ranking for alerts per organisation rose from fourth in the first half of 2025. The UK recorded the highest number of alerts per organisation in the second half, followed by Germany.

Warnings from Australian security agencies have increasingly focused on threats that cross boundaries between traditional IT networks and operational environments. The report notes threat actor interest in telecommunications, energy, water and transport networks, often involving extended reconnaissance and access preparation rather than immediate disruption.

Techniques observed

Default Credentials and Valid Accounts were the most common threat techniques identified in Australia, accounting for more than one-third of alerts in the dataset. They typically involve unchanged factory passwords or compromised legitimate logins.

Remote System Discovery and Network Service Scanning followed, typically associated with attackers mapping a target environment and identifying services that can be accessed remotely.

The same two credential-based techniques were also prevalent in the previous six-month period, suggesting continued use of basic access methods against Australian organisations even as other tooling becomes more sophisticated.

Wireless exposure

Wireless networks remain a persistent risk factor in industrial and critical infrastructure settings. Wireless communications are increasingly present in these environments without formal design processes, and sometimes without operators being aware they exist.

Across the observed dataset, 68% of wireless networks still operated without Management Frame Protection, despite using modern encryption. Only 2% of organisations used enterprise-grade authentication such as 802.1X.

Most wireless networks relied on pre-shared key authentication, about 98% across observed environments. Shared credentials reduce accountability and can be reused over long periods, making it harder to distinguish legitimate access from misuse once the key becomes known.
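The two wireless weaknesses the report counts (no Management Frame Protection, pre-shared keys instead of 802.1X) map directly onto a handful of access point settings. The following is an added hostapd example, not configuration from the report or from Nozomi; it shows the common weak setup beside the hardened one, and the interface name, SSID, passphrase and RADIUS server address are placeholders.

```ini
# --- Weak (matches the majority of observed networks) ---
# Modern WPA2/CCMP encryption, but a single shared passphrase for everyone
# and no protection for deauthentication/disassociation management frames.
interface=wlan0                 # placeholder interface name
ssid=PLANT-OT-WIFI              # placeholder SSID
wpa=2
wpa_key_mgmt=WPA-PSK            # one shared key: no per-user accountability
wpa_passphrase=CHANGE-ME-PLACEHOLDER
rsn_pairwise=CCMP
ieee80211w=0                    # Management Frame Protection disabled

# --- Hardened ---
# Per-user credentials via 802.1X/EAP against a RADIUS server, and
# Management Frame Protection required (802.11w), so management frames
# are authenticated rather than trivially spoofable.
interface=wlan0                 # placeholder interface name
ssid=PLANT-OT-WIFI              # placeholder SSID
wpa=2
wpa_key_mgmt=WPA-EAP            # enterprise authentication, no shared passphrase
rsn_pairwise=CCMP
ieee80211w=2                    # 2 = MFP required (1 would only make it optional)
ieee8021x=1                     # enable 802.1X port-based authentication
auth_server_addr=192.0.2.10     # placeholder RADIUS server (documentation range)
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-PLACEHOLDER
```

Setting `ieee80211w=2` will refuse clients that cannot negotiate MFP, so legacy OT devices should be inventoried before the change is rolled out, which is the asset visibility step the report calls for.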

Sector targeting

Australia’s sector ranking diverged from global patterns. Globally, transportation was the most targeted industry in both halves of 2025; in the second half it was followed by manufacturing and the public sector.

In Australia, healthcare services ranked first, with manufacturing second. The report also points to a spike in attacks against the public sector between the first and second halves of 2025, linking the rise to increasing geopolitical tensions and higher levels of nation-state activity and hacktivism.

For public sector targets, the most commonly detected activity fell under Discovery tactics, consistent with threat actors still exploring environments they plan to attack.

Threat actor activity

Scattered Spider was the most prolific threat actor recorded in the second half of 2025, accounting for 42.9% of all actor-related alerts during that period.

Other active groups included Kimsuky, APT29, CURIUM and Mustard Tempest, ranked second through fifth. Kimsuky is described as operating out of North Korea, APT29 out of Russia, and CURIUM out of Iran, while Mustard Tempest is not affiliated with a nation-state.

Nozomi also reports increased use of generative AI by threat actors in the second half of 2025, alongside attacks against companies in English-speaking countries that are growing in scale and becoming more likely to succeed.

It adds that 70% of global ransomware activity targets English-speaking countries, with the US, UK and Canada the three most targeted. The report argues these countries’ economic weight increases the broader impact of successful attacks.

Based on its findings and current geopolitical conditions, Nozomi expects activity related to China, Iran and Russia to be among the dominant trends to watch in 2026.

Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, said operators need to account for the scale of activity facing critical infrastructure environments.

“Critical infrastructure has never faced a more dangerous threat landscape, and the scale and severity of attacks against it will only increase,” said Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks. “It is imperative for operators to understand the current threat landscape and prepare their systems accordingly. They must establish clear asset visibility, leverage AI-driven security systems to detect anomalies and threats, prioritise risk-based vulnerability management, and enable intelligence sharing to keep up with evolving tactics.”