Healthcare services was the most targeted industry in Australia in the second half of 2025, according to the latest OT and IoT Security Report from Nozomi Networks Labs.
The report found that manufacturing ranked second in Australia, while transportation remained the most targeted industry globally, followed by manufacturing and the public sector.
Australia also recorded the third highest number of alerts per organisation in the second half of 2025, up from fourth position in the first half of the year. The UK ranked first, followed by Germany. Nozomi said Australia’s continued high ranking indicates sustained attacker focus on local organisations.
The findings align with recent warnings from the Australian Security Intelligence Organisation about nation-state actors pre-positioning within telecommunications, energy, water and transport networks. The report noted increasing activity across IT, IoT and OT environments, reflecting the convergence of operational and enterprise systems.
Default credentials and valid account abuse remained the dominant attack techniques in Australia, accounting for more than one-third of all alerts. Remote system discovery and network service scanning were also common, indicating continued reconnaissance activity within targeted environments.

The report highlighted security risks associated with wireless networks in industrial and critical infrastructure environments. It found that 68% of observed wireless networks lacked Management Frame Protection, and only 2% of organisations used enterprise-grade authentication such as 802.1X. Approximately 98% relied solely on pre-shared key authentication, increasing the risk of credential reuse and unauthorised access.
Globally, ransomware activity continued to disproportionately affect English-speaking countries. The report said 70% of global ransomware incidents targeted the US, UK and Canada. It also observed that threat actors increased their use of generative AI tools in campaigns during the latter half of the year.
Among named threat actors, US-based Scattered Spider accounted for 42.9% of actor-related alerts in the second half of 2025. Other active groups included North Korea’s Kimsuky, Russia-linked APT29, Iran-linked CURIUM and Mustard Tempest. Nozomi said geopolitical tensions are expected to drive continued activity linked to China, Iran and Russia in 2026.
The company said operators of critical infrastructure should prioritise asset visibility, risk-based vulnerability management, anomaly detection and intelligence sharing to address the evolving threat landscape.
