Full Report
Healthcare services was the most targeted industry in Australia in the second half of 2025, according to the latest OT and IoT Security Report from Nozomi Networks Labs. The report found that manufacturing ranked second in Australia, while transportation remained the most targeted industry globally, followed by manufacturing and the public sector. Australia also recorded the third…
Analysis Summary
# Incident Report: Surge in Australian Healthcare and Manufacturing Targeting
## Executive Summary
The second half of 2025 saw a significant escalation in cyber threats targeting Australian critical infrastructure, with the healthcare services industry emerging as the primary target. According to Nozomi Networks Labs, Australia now ranks third globally for the volume of cyber alerts per organization, trailing only the UK and Germany. This trend highlights a sustained, aggressive focus on local Operational Technology (OT) and Internet of Things (IoT) environments.
## Incident Details
- **Discovery Date:** February 20, 2026 (Report Publication)
- **Incident Date:** July – December 2025 (Reporting Period)
- **Affected Organization:** Multiple (Aggregated industry data)
- **Sector:** Healthcare (Primary), Manufacturing (Secondary)
- **Geography:** Australia
## Timeline of Events
### Initial Access
- **Date/Time:** H2 2025
- **Vector:** Exploitation of OT and IoT vulnerabilities.
- **Details:** Attackers targeted connected medical devices and industrial control systems within healthcare and manufacturing facilities.
### Lateral Movement
- Moving from corporate IT networks into specialized OT/IoT segments to access critical patient care systems and production lines.
### Data Exfiltration/Impact
- **Healthcare:** Disruption of clinical services and potential compromise of sensitive patient data.
- **Manufacturing:** Disruption of supply chains and industrial processes.
### Detection & Response
- **How it was discovered:** Anomalies detected via Nozomi Networks’ monitoring of OT/IoT security telemetry.
- **Response actions taken:** Increased alerting and industry-wide reporting to notify stakeholders of the heightened threat level.
## Attack Methodology
- **Initial Access:** Targeting exposed IoT devices and legacy OT systems.
- **Persistence:** Not explicitly specified, likely through compromised industrial gateways.
- **Privilege Escalation:** Exploiting weak authentication in OT protocols.
- **Defense Evasion:** Lower levels of logging in traditional OT environments allow for stealthier operations compared to IT environments.
- **Credential Access:** Brute-forcing or exploiting default credentials on IoT hardware.
- **Discovery:** Scanning for connected medical devices and industrial controllers.
- **Lateral Movement:** Traversing the IT/OT "DMZ" or bridge.
- **Collection:** Gathering telemetry from industrial sensors or patient monitoring data.
- **Exfiltration:** Exfiltrating data over standard network protocols that legacy security tools do not inspect.
- **Impact:** System downtime and operational disruption in critical services.
## Impact Assessment
- **Financial:** Significant costs associated with incident response, though specific figures for the aggregate period are unavailable.
- **Data Breach:** High risk of PII (Personally Identifiable Information) and PHI (Protected Health Information) exposure.
- **Operational:** High; healthcare providers experienced service delays, while manufacturing saw production interruptions.
- **Reputational:** Erosion of public trust in the security of essential Australian infrastructure.
## Indicators of Compromise
- **Network indicators:** Increased traffic on ports associated with OT protocols (e.g., Modbus, BACnet, DICOM).
- **File indicators:** Known ransomware strains such as Rhysida (referenced in the related UMMC incident).
- **Behavioral indicators:** Unusual login times on OT management consoles and unexpected outbound traffic from medical imaging devices.
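The network and behavioral indicators listed above translate directly into detection rules. The following is an added example (not part of the report or of Nozomi Networks' tooling) that runs three such rules over constructed flow records and console login events: outbound traffic from a medical imaging device to a non-internal address, DICOM traffic from an imaging device to anything other than the allowlisted PACS server, an OT protocol (Modbus TCP on 502, BACnet/IP on 47808) spoken from outside the OT segment, and a successful off-hours login to an OT management console. All addresses, device roles and events are hypothetical sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed asset context (hypothetical addresses, not taken from the report).
IMAGING_DEVICES = {"10.20.5.11", "10.20.5.12"}  # DICOM modalities (CT, MRI, ...)
PACS_ALLOWLIST = {"10.20.9.3"}                  # the only host modalities should send studies to
OT_CONSOLES = {"10.30.1.5"}                     # OT management consoles
OT_SEGMENT = ip_network("10.30.0.0/16")         # where OT protocols are expected to originate
INTERNAL = ip_network("10.0.0.0/8")             # everything else is "external"
BUSINESS_HOURS = range(7, 19)                   # 07:00-18:59 local time

DICOM_PORTS = {104, 11112}   # well-known DICOM ports
MODBUS_PORT = 502            # Modbus TCP
BACNET_PORT = 47808          # BACnet/IP


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Login:
    ts: datetime
    host: str
    user: str
    success: bool


def check_flow(f: Flow) -> list[str]:
    """Apply the network rules to one flow record; return zero or more alert strings."""
    findings = []
    src, dst = ip_address(f.src), ip_address(f.dst)
    # Rule IMG-EXT: imaging devices have no business talking outside the organisation.
    if f.src in IMAGING_DEVICES and dst not in INTERNAL:
        findings.append(f"IMG-EXT: imaging device {f.src} sent {f.bytes_out} bytes to external {f.dst}:{f.dport}")
    # Rule IMG-DICOM: DICOM from a modality should only go to the PACS allowlist.
    if f.src in IMAGING_DEVICES and f.dport in DICOM_PORTS and f.dst not in PACS_ALLOWLIST:
        findings.append(f"IMG-DICOM: imaging device {f.src} sent DICOM to non-PACS host {f.dst}")
    # Rule OT-XSEG: OT protocols crossing in from outside the OT segment.
    if f.dport in (MODBUS_PORT, BACNET_PORT) and src not in OT_SEGMENT:
        findings.append(f"OT-XSEG: {f.src} outside the OT segment spoke an OT protocol to {f.dst}:{f.dport}")
    return findings


def check_login(event: Login) -> list[str]:
    """Rule OT-OFFHOURS: successful console logins outside business hours."""
    if event.host in OT_CONSOLES and event.success and event.ts.hour not in BUSINESS_HOURS:
        return [f"OT-OFFHOURS: {event.user} logged in to OT console {event.host} at {event.ts:%Y-%m-%d %H:%M}"]
    return []


def run(flows: list[Flow], logins: list[Login]) -> list[str]:
    """Evaluate every record and return the ordered list of alerts."""
    alerts: list[str] = []
    for f in flows:
        alerts.extend(check_flow(f))
    for event in logins:
        alerts.extend(check_login(event))
    return alerts


# Constructed sample telemetry.
SAMPLE_FLOWS = [
    Flow(datetime(2025, 9, 10, 9, 5), "10.20.5.11", "10.20.9.3", 104, 5_000_000),    # normal study to PACS
    Flow(datetime(2025, 9, 10, 23, 40), "10.20.5.11", "203.0.113.7", 443, 80_000_000),  # modality -> internet
    Flow(datetime(2025, 9, 11, 2, 10), "10.20.5.12", "10.30.1.5", 104, 120_000),     # DICOM to an OT console
    Flow(datetime(2025, 9, 11, 2, 12), "10.50.2.8", "10.30.1.9", 502, 900),          # Modbus from an IT workstation
]
SAMPLE_LOGINS = [
    Login(datetime(2025, 9, 10, 10, 15), "10.30.1.5", "engineer", True),   # normal
    Login(datetime(2025, 9, 11, 3, 2), "10.30.1.5", "admin", True),        # 03:02 success
    Login(datetime(2025, 9, 11, 3, 5), "10.30.1.5", "admin", False),       # failure, not alerted by this rule
]
SAMPLE_ALERTS = run(SAMPLE_FLOWS, SAMPLE_LOGINS)

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(line)
```

The rules depend entirely on an accurate inventory (which hosts are modalities, which are consoles, which subnet is OT), which is why the Recommendations below put asset visibility first; a rule like IMG-EXT is only as good as the IMAGING_DEVICES set behind it.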
## Response Actions
- **Containment measures:** Isolation of compromised IoT/OT segments from the broader internal network.
- **Eradication steps:** Patching documented vulnerabilities in OT/IoT firmware.
- **Recovery actions:** Restoration of services from offline backups where ransomware was involved.
## Lessons Learned
- **Key takeaways:** Critical infrastructure in Australia is no longer a secondary target; it is currently a global priority for threat actors.
- **What could have been done better:** Earlier adoption of specialized OT/IoT monitoring could have turned many of these alerts into prevented incidents.
## Recommendations
- **Asset Visibility:** Implement comprehensive OT/IoT asset discovery to identify "shadow" devices on the network.
- **Network Segmentation:** Enforce strict micro-segmentation between IT and OT environments.
- **Vulnerability Management:** Prioritize patching of high-risk vulnerabilities in medical devices and industrial controllers.
- **Monitoring:** Deploy 24/7 real-time monitoring specifically tuned for industrial and medical protocol anomalies.