Jaguar Land Rover: Waterfall Threat Report 2026 finds ransomware slowdown masks deeper shift toward nation-state attacks on critical infrastructure

Cyberattacks on Critical Infrastructure Decline in 2025, But Nation-State and Hacktivist Threats Surge

The Waterfall Threat Report 2026 reveals a 25% drop in publicly recorded cyber breaches with physical consequences in 2025, totaling 57 incidents compared to 76 in 2024. The decline is attributed to temporary factors suppressing ransomware activity, the dominant threat from 2019 to 2024, though the report warns that attacks are expected to rise again in 2026–2027.

While ransomware incidents decreased, nation-state and hacktivist attacks doubled in 2025, with 14 confirmed cases, five directly linked to the Russia-Ukraine conflict. These adversaries increasingly target critical infrastructure, blurring the line between state-sponsored and hacktivist operations. Unlike ransomware groups, both deliberately seek physical disruption, though distinguishing between them has grown difficult due to potential state backing of hacktivist collectives.

Key incidents in 2025 included:

  • Jaguar Land Rover: A production shutdown described as the most costly in a decade.
  • Collins Aerospace: A crippled software system caused weeks of flight cancellations and delays.
  • Maritime disruptions: Grounded and misdirected ships highlighted vulnerabilities in GPS and external input verification.
  • Polish distributed generation: A near-miss event linked to Russian nation-state activity, raising concerns about "bricking" control systems.

The U.S., Germany, and Russia were the top victim geographies, with Russia’s exposure driven by Ukrainian hacktivist and state-sponsored attacks. Discrete manufacturing was the hardest-hit sector, while critical infrastructure breaches spanned oil and gas, water systems, power, metals and mining, and pharmaceuticals.

Ransomware disrupts operations through four primary vectors: direct OT system compromise, precautionary shutdowns, IT-OT dependency failures, and supply chain disruptions. However, the report notes a troubling trend: incident reports are growing less detailed, obscuring how cyberattacks lead to physical consequences.

The report argues that software-based defenses alone are insufficient for safety-critical environments, advocating for "unhackable" deterministic controls alongside traditional measures. It cites guidance from the U.K.’s NCSC and CISA, which emphasize hardware-enforced protections to mitigate design failures inherent in software. As industrial systems grow more interconnected, the report warns that relying solely on fallible defenses is no longer tenable.

Source: https://industrialcyber.co/reports/waterfall-threat-report-2026-finds-ransomware-slowdown-masks-deeper-shift-toward-nation-state-attacks-on-critical-infrastructure/

Jaguar Health cybersecurity rating report: https://www.rankiteo.com/company/jaguar-health

"id": "JAG1774600197",
"linkid": "jaguar-health",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'automotive',
                        'name': 'Jaguar Land Rover',
                        'type': 'corporation'},
                       {'industry': 'aerospace',
                        'name': 'Collins Aerospace',
                        'type': 'corporation'},
                       {'industry': 'energy',
                        'location': 'Poland',
                        'name': 'Polish distributed generation',
                        'type': 'critical infrastructure'},
                       {'industry': ['oil and gas',
                                     'water systems',
                                     'power',
                                     'metals and mining',
                                     'pharmaceuticals'],
                        'location': ['U.S.', 'Germany', 'Russia'],
                        'type': 'critical infrastructure'}],
 'attack_vector': ['direct OT system compromise',
                   'precautionary shutdowns',
                   'IT-OT dependency failures',
                   'supply chain disruptions'],
 'date_publicly_disclosed': '2026',
 'description': 'The Waterfall Threat Report 2026 reveals a 25% drop in '
                'publicly recorded cyber breaches with physical consequences '
                'in 2025, totaling 57 incidents compared to 76 in 2024. The '
                'decline is attributed to temporary factors suppressing '
                'ransomware activity, though nation-state and hacktivist '
                'attacks doubled in 2025, with 14 confirmed cases, five linked '
                'to the Russia-Ukraine conflict. Key incidents included '
                'production shutdowns, flight cancellations, maritime '
                'disruptions, and near-miss events in critical infrastructure.',
 'impact': {'downtime': ['weeks of flight cancellations and delays',
                         'production shutdown'],
            'operational_impact': ['production shutdown',
                                   'flight cancellations',
                                   'maritime disruptions',
                                   'near-miss events in critical '
                                   'infrastructure'],
            'systems_affected': ['OT systems',
                                 'GPS systems',
                                 'control systems',
                                 'software systems']},
 'lessons_learned': 'Software-based defenses alone are insufficient for '
                    'safety-critical environments; hardware-enforced '
                    'protections are necessary to mitigate design failures '
                    'inherent in software.',
 'motivation': ['physical disruption',
                'financial gain',
                'geopolitical conflict'],
 'post_incident_analysis': {'corrective_actions': 'Adopt hardware-enforced '
                                                  'protections and '
                                                  'deterministic controls for '
                                                  'safety-critical '
                                                  'environments.',
                            'root_causes': 'Increasing interconnectivity of '
                                           'industrial systems and reliance on '
                                           'fallible software-based defenses.'},
 'recommendations': "Implement 'unhackable' deterministic controls alongside "
                    'traditional measures, as advocated by the U.K.’s NCSC and '
                    'CISA.',
 'references': [{'source': 'Waterfall Threat Report 2026'}],
 'threat_actor': ['nation-state actors', 'hacktivists', 'ransomware groups'],
 'title': 'Cyberattacks on Critical Infrastructure Decline in 2025, But '
          'Nation-State and Hacktivist Threats Surge',
 'type': ['ransomware', 'nation-state attack', 'hacktivist attack']}