Darktrace’s Threat Research team highlighted a significant rise in malware-as-a-service (MaaS) threats, which accounted for 57 percent of detected threats, marking a 17 percent increase from the first half of 2024. The Darktrace 2024 Annual Threat report also notes the growing sophistication of phishing attacks, with spearphishing making up 38 percent of incidents. Cybercriminals are increasingly focusing on evasion tactics, exploiting edge device vulnerabilities, using living-off-the-land (LOTL) techniques, and hijacking critical business tools like Dropbox and SharePoint. Additionally, attackers are leveraging compromised Software-as-a-Service (SaaS) credentials, underscoring identity management as a costly and persistent challenge for enterprises.
The report emphasizes that attackers prioritize evasion through edge device vulnerabilities and LOTL techniques while exploiting SaaS credentials. It also highlights the intensified race to identify software vulnerabilities, particularly in Critical National Infrastructure (CNI). The number of vulnerabilities listed by MITRE has surged from 18,000 in 2020 to over 29,000 in 2024, reflecting the growing complexity of the threat landscape.
While the total number of vulnerabilities worldwide is around 240,000, the Darktrace 2024 Annual Threat report noted that the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog lists over 1,200 vulnerabilities as being actively exploited. “While threat actors continue to evade detection as much as ever, understanding a smaller scope of edge network technology allows for repeated reverse engineering and continued exploit findings, enabling zero-day discoveries and initial access.”
The Darktrace 2024 Annual Threat report found that ransomware groups are evolving their tactics beyond phishing to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods. The work conducted by the research team in 2024 underscores the escalating threat that sophisticated cyber actors may present to critical national infrastructure organizations in 2025.
The team disclosed an increase in sophisticated threat actors targeting organizations within designated CNI globally over the past year. “This trend is informed both by the heightened warnings from national intelligence agencies as well as an overall focus of threat analysis on activity identified within customers in these industries. The targeting of CNI entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict. This reality manifests in both the focus and content of Darktrace’s threat investigations throughout 2024.”
Also, the past year saw multiple high-profile public disclosures of malicious activity within CNI sectors. “The Darktrace Threat Research team conducted threat-hunting investigations across the customer base driven by information suggesting Advanced Persistent Threats (APTs) infiltrating CNI organizations.”
It noted that APTs targeting CNI sectors are also increasingly relying on LOTL tactics to remain undetected. “Moreover, malicious groups exploiting CNI networks may have differing aims based on their operating context. Some APT groups may not have immediate objectives once persistence is obtained within CNI networks. Potentially state-sponsored actors may take a lay-and-wait approach: opting to sit within networks with minimal activity beyond beaconing only increasing activity when outside strategic conditions change.”
The Darktrace 2024 Annual Threat report identified that following the public disclosure that groups such as Salt Typhoon and LiminalPanda were targeting Internet Service Providers (ISPs), analysts actively sought evidence of their activities. Additionally, 2024 witnessed the rise of new ICS/OT-native malware, including Fuxnet and FrostyGoop, alongside the ongoing threat posed by ransomware groups targeting high-risk sectors like healthcare.
The research team also identified that the varying methods of attack and long-term orientation of goals by such threat actors will pose unique challenges to CNI organizations. “Many instances of CNI compromise have stemmed from the exploitation of internet-facing devices through both zero-day and known exploits.”
They also pointed out that threat actors targeting CNI organizations may pursue a more aggressive approach by attempting to exfiltrate sensitive data that can support broader strategic goals for sponsor nations.
Darktrace observed this pattern of behavior in June-July 2024 when a government agency in the Asia-Pacific (APAC) region was likely exploited by Mustang Panda to exfiltrate sensitive data to cloud storage providers. Similarly, Darktrace research identified evidence of a potential North Korean APT exfiltrating data from a manufacturing organization, likely in response to geopolitical developments. This trend extends even to actors targeting sectors such as healthcare where Darktrace analysts have observed a shift towards favoring data exfiltration over traditional encryption during ransomware events.
The Darktrace 2024 Annual Threat report noted that certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals. This threat is particularly relevant for organizations with operational technology (OT) and industrial control systems (ICS) environments, such as customers within the energy sector, as well as traditional targets of ransomware like hospitals and financial institutions.
Darktrace Threat Research analysts noted an uptick in attacks in the energy sector motivated by disruption. The means of disruption observed by Darktrace ranged from an OT-specific attack on a Canadian energy provider’s PLC motor in the SCADA environment at a field substation to multiple Fog ransomware attacks that led to encryption.
“APT groups also are increasingly targeting healthcare organizations for non-financial goals,” according to the Darktrace 2024 Annual Threat Report. “OSINT suggests many of these compromises attempted to inhibit public health services to promote general instability. This trend also became apparent in the evolution of Ransomware-as-a-Service (RaaS), as groups are leveraging such services in furtherance of nation-state aims, targeting both healthcare and non-medical organizations via ransomware platforms.”
The report revealed that the team’s investigations into Darktrace/OT customers revealed how common it is for OT networks to be insecure by design. “These security gaps include insecure protocols and systems, unsegmented networks, and insufficient asset inventory. As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network.”
In 2024, Darktrace’s Threat Research team focused on producing industry-specific outputs, including for the energy sector. They identified that technological advancement brings cyber risks: IoT adoption and control automation in non-dispatchable solar and wind generation increase the attack surface, and IT/OT convergence makes islanding during cyber incidents more difficult. Overdependency on a few vendors and systems and a movement towards cloud operations create further single points of failure, while tangled supply chains reduce visibility and management of assets.
Furthermore, based on Darktrace’s findings, AI-driven attacks have not yet been observed in the energy sector. The sector has long used AI, although it has not yet been adopted sector-wide due to a lack of data-quality readiness, data risks, and heavy regulation. Stakeholders face challenges in becoming data-driven enough to develop in-house AI systems.
Identifying the implications of these findings, the Darktrace 2024 Annual Threat report called upon businesses to ensure comprehensive asset management across their supply chains, conduct regular risk assessments, and practice response plan scenarios. Efforts should not be siloed; increased collaboration across the sector is essential. They must also enhance email security to reduce initial access, and addressing vulnerabilities by enforcing MFA policies and securing internet-facing devices is vital. Governments should enhance preparedness and response to nation-state attacks and fund innovation in cyber detection and defense within the energy sector.
“Email is at the forefront of the evolving threats we’re seeing across the threat landscape,” Nathaniel Jones, vice president of threat research at Darktrace, said in a media statement. “Ransomware-as-a-Service tools, combined with the growing use of AI, are allowing even low-skilled attackers to engineer convincing, targeted [attacks] at scale, and making it harder than ever for traditional security measures to keep up.”
Focusing on the healthcare sector, Darktrace aimed to analyze the threat landscape across the U.K., U.S., and Brazil, with an emphasis on APTs and attack vectors targeting healthcare organizations. The study examined how the threat landscape has evolved since the sector’s last major review following the WannaCry ransomware attack in 2017, and assessed whether advancements in AI and the growing adoption of medical IoT devices have reshaped the threat landscape.
The Darktrace 2024 Annual Threat report detected that ransomware continues to pose a key threat to healthcare, although threat actors have demonstrated a preference for data exfiltration for extortion, rather than encryption. Business Email Compromise (BEC), cloud account takeovers, and other network intrusions were highly prevalent. Fraud was a common objective for US threat actors, who used social engineering to access payroll systems and accounting personnel to re-route banking information.
It also found that access to sensitive data (potentially in preparation for second-stage attacks) was observed in other regions. Attackers frequently exploited trusted relationships in supply chains, either through direct compromise of a supplier or ‘typo-squatting’ a supplier’s domain. There is no significant difference in the number of cyber-attacks targeting healthcare suppliers compared to those targeting healthcare providers.
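The typo-squatting of supplier domains mentioned above is something a mail-security team can screen for without any vendor tooling. The following is an added example, not code from Darktrace or from the report: it checks the sender domain of inbound mail against a constructed allowlist of supplier domains, first folding common confusable characters (digit-for-letter swaps, "rn" for "m"), then flagging a same-name domain under a different TLD, and finally flagging near-misses by edit distance. The supplier list, the sample sender addresses and the distance threshold are all made up for illustration.

```python
"""Lookalike (typo-squatted) sender-domain check for inbound mail.

Added example, not Darktrace's code. The supplier allowlist, sample
senders and the distance threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: domains the organisation genuinely does business with.
TRUSTED_SUPPLIER_DOMAINS = (
    "medsupply-example.com",
    "labcorp-example.org",
    "pharma-example.net",
)

# Single-character confusables often used in lookalike registrations.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalise(domain: str) -> str:
    """Lower-case the domain and fold confusable characters/digraphs."""
    d = domain.strip().lower().rstrip(".").translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    sender_domain: str
    impersonated: str
    distance: int
    reason: str


def classify_sender(domain: str, trusted=TRUSTED_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> Optional[Finding]:
    """Return None for a known supplier (or an unrelated domain); otherwise a
    Finding describing which supplier the sender domain resembles and why."""
    if domain.lower() in trusted:
        return None                      # exact allowlist hit: genuine supplier
    norm = normalise(domain)
    for t in trusted:
        tn = normalise(t)
        dist = levenshtein(norm, tn)
        if norm == tn:
            return Finding(domain, t, dist, "confusable-character substitution")
        if norm.split(".")[0] == tn.split(".")[0]:
            return Finding(domain, t, dist, "same name under a different TLD")
        if dist <= max_distance:
            return Finding(domain, t, dist, f"edit distance {dist} from supplier")
    return None


# Constructed sample From: addresses, one per case the check is meant to cover.
SAMPLE_SENDERS = [
    "invoices@medsupply-example.com",    # genuine supplier
    "invoices@rnedsupply-example.com",   # 'rn' standing in for 'm'
    "billing@labcorp-examp1e.org",       # digit 1 standing in for 'l'
    "ap@pharma-example.co",              # same name, different TLD
    "news@unrelated-example.com",        # unrelated, should not be flagged
]


def scan(senders):
    """Return (address, Finding) pairs for every sender that looks like a supplier."""
    results = []
    for addr in senders:
        finding = classify_sender(addr.rsplit("@", 1)[1])
        if finding is not None:
            results.append((addr, finding))
    return results


if __name__ == "__main__":
    for addr, f in scan(SAMPLE_SENDERS):
        print(f"{addr}: resembles {f.impersonated} ({f.reason})")
```

Run as a script, it reports the three lookalike senders and stays silent on the genuine supplier and the unrelated domain. In practice the allowlist would come from the vendor-management system, and a hit would route the message to quarantine or a review queue rather than just printing.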
Last October, a likely state-linked espionage operation targeted a European manufacturing customer. The threat actor remained dormant for weeks before initiating data exfiltration, using stealthy methods like distributing masqueraded executable files and collecting sensitive information from an internal server. Darktrace’s Cyber AI Analyst detected suspicious activities, launching an investigation that connected various events into a comprehensive incident.
Post-incident analysis suggested potential links to both the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea (DPRK). While some evidence pointed towards the PRC, stronger indicators favored a DPRK connection, particularly through observed tactics and infrastructure similar to previous DPRK intrusions.
Darktrace assesses with medium to high confidence that a nation-state, very likely linked to the DPRK, was responsible based on its applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, and assessment of the attacker’s motivation and world geopolitical timeline. Such an assessment left question marks over the link between the October exfiltration activity and the July ShadowPad activity but does highlight that attribution is an arduous task.
“Given that state-linked actors are known to use misdirection techniques to evade attribution, the possibility of a false flag operation was explored,” according to the Darktrace 2024 Annual Threat report. “To further investigate the incident, Darktrace’s Threat Research team also collaborated with a world-leading cyber intelligence firm and a well-known government agency; their expertise provided additional insights, although the definitive attribution remains unresolved.”
Darktrace’s Threat Research team recommends several actions to enhance cybersecurity posture: staying informed by keeping up to date with the evolving threat landscape; adopting a risk-based approach to understand the business impact of losing critical data; and preparing for AI integration by understanding how AI will be incorporated into different levels of the business. They also suggest identifying exposed assets; prioritizing edge devices within vulnerability management processes; and evaluating supply chain risks by assessing internal and external readiness and critical attack paths.
Furthermore, organizations must review and test their incident response plans; implement zero trust policies and principles; ensure robust identity access management policies and technologies are in place; and investigate lower-level anomalies in the earlier stages of the kill chain before they have a significant impact.