
    Cyber Threat Actors Ramp Up Attacks on Industrial Environments

    Both cybercriminals and hacktivists have increased cyber-attacks against industrial technology environments, with vulnerability exploits in these systems almost doubling in 2025, according to Cyble.

    This is according to the Cyble Research & Intelligence Labs’ (CRIL) Annual Threat Landscape Report 2025, published on January 15, 2026.

    ICS Vulnerability Disclosures Doubled in 2025

    One of the key takeaways from the 87-page report was the growing interest of various cyber threat actors in industrial control systems (ICS) and operational technology (OT) environments.

    The researchers reported 2451 ICS vulnerability disclosures across 152 vendors in 2025, almost double the 2024 numbers, which saw 1690 such vulnerabilities across 103 vendors.

    This increase was fuelled by an August activity spike, with 802 ICS vulnerabilities disclosed that month alone. The third quarter of 2025 accounted for 45.26% of the year’s disclosures of ICS vulnerabilities.

    Siemens was the vendor with the products most affected by ICS vulnerabilities, with 1175 reported. This far surpassed Schneider Electric, which ranked second with 163 ICS flaws reported over the past year.

    However, the French automated systems provider faced a higher percentage of high and critical vulnerabilities – approximately 70% compared with less than 40% for Siemens.

    Threat Actors Increasingly Exploit ICS Vulnerabilities

    This rise of reported ICS vulnerabilities is partly due to a growth in exploits by cyber threat actors, who increasingly scour for security gaps in human-to-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.

    Cyble data showed that two of the most ICS system-reliant industries, manufacturing and healthcare, were the sectors most targeted by ransomware attacks in 2025. The researchers observed 600 manufacturing and 477 healthcare entities affected over the period covered by the report.

    Hacktivist groups also heavily targeted ICT-reliant organizations, such as energy and utilities and transportation, in 2025.

    Several hacktivist groups which increased their focus on ICS and OT attacks over the past year include:

    • Z-Pentest, the most active hacktivist group to target ICS, conducted repeated intrusions against a wide range of industrial technologies
    • Dark Engine (aka Infrastructure Destruction Squad) and Sector 16 persistently targeted ICS, primarily exposing HMIs
    • A secondary tier of groups, including Golden Falcon Team, NoName057(16), TwoNet, RipperSec and Inteid, also claimed to have conducted recurrent ICS-disrupting attacks, albeit on a smaller scale

    Finally, Cyble highlighted that, out of all disclosed ICT vulnerabilities, 27 involve internet-exposed assets across multiple critical infrastructure sectors.

    Based on these findings and further investigations, the CRIL team predicted that hacktivists and cybercriminals will increasingly target exposed HMI and SCADA systems and conduct virtual network computing (VNC) takeovers in 2026.

    Ransomware and Hacktivism Grew in 2025

    The Cyble report noted that despite increased pressure from law enforcement and multiple successful legal actions in 2025, the cyber threat landscape “remained turbulent.”

    The CRIL team documented 5967 ransomware attacks in 2025, representing a 37% increase from 2024’s total. It also observed 6979 data breaches and leaks and 2059 incidents involving the sale of compromised initial access.

    Behind Qilin, Akira emerged as the second-most prolific ransomware group with a focus on construction, manufacturing and professional services sectors.

    Meanwhile, Cyble identified 57 new ransomware groups and 27 new extortion groups that appeared in 2025.

    Finally, hacktivism continued to grow in 2025 and “evolved into a globally coordinated threat, closely tracking geopolitical flashpoints,” noted the Cyble report.

    These activities were predominantly driven by two geopolitical conflicts: the Israel-Iran conflict, which sparked cyber operations by 74 hacktivist groups, and India-Pakistan tensions, which generated 1.5 million intrusion attempts.

    “Armed conflicts, elections, trade disputes and diplomatic crises fueled intensified campaigns against state institutions and critical infrastructure, with hacktivist groups weaponizing cyber-insurgency to advance their propaganda agendas,” explained the security researchers.

     
