In 2023, the University of Zurich was hit by a cyberattack linked to a slew of attacks on educational and medical facilities in the region. “The perpetrators appear to be acting in a very professional manner and are part of a current accumulation of attacks on education and health institutions,” the University of Zurich stated.
While the good news is that the attack was largely unsuccessful, it did some damage. The university was forced to isolate parts of its IT system and delayed access to online resources for staff and students.
Even more troubling is that this seems to be a rapidly growing trend. Several attacks have been carried out on European universities in recent years, disrupting their service delivery. The year before, the University of Neuchâtel was hacked by malicious software, and in 2021, the Swiss town of Rolle was hacked and had its data stolen. A group called ‘Vice Society’ claimed responsibility, threatening to target other municipalities and hospitals, and its threat seemed to carry weight.
Public institutions and critical infrastructures are quickly becoming top targets for cybercrime around the world, and this can have detrimental effects on the countries, organizations, and all people that rely on them. We’ve already seen how cyberattacks have been behind nationwide power outages, the disruption of healthcare services, and even acted as catalysts for invasions in the most extreme cases.
In this blog, we’ll explore how to protect critical infrastructure from cyberattacks as we look at the most recent (2025-2026) cyberattacks on critical infrastructure, alongside earlier incidents that shaped the threat landscape.
Why are cyberattacks targeting critical infrastructure?
For years, cyberattacks have been targeting individuals and companies, hoping to catch them unprepared and mine for sensitive data. However, cybercrime is evolving and has identified new opportunities for profit in the process.
People, as well as infrastructures, have become increasingly more reliant on connectivity. Developments like remote work and the IoT revolution have only hastened this trend towards interconnectedness, opening more doors for cybercriminals to strike.
A report from cybersecurity firm KnowBe4 reveals that, between January 2023 and January 2024, global critical infrastructure faced over 420 million cyberattacks, averaging approximately 13 attacks per second. While the United States was the primary target, the report indicates that 163 other countries also experienced attacks on critical infrastructure, often attributed to state-sponsored hackers linked to China, Russia, and Iran. In 2025, 50% of ransomware attacks targeted critical infrastructure such as manufacturing, healthcare, energy, transportation, and finance.
As you can expect, governments, enterprises, and regulators have all pushed for increased spending on cybersecurity measures to prevent the devastating effects cybercrime and warfare can have on critical infrastructure.
Let’s take a look at recent cyberattacks on critical infrastructure.
Deutsche Bahn DDoS attack, 2026
Threat: Transport infrastructure
Suspected perpetrator: Russian-aligned actors
Instigator: DDoS attacks
In February 2026, Germany's national rail operator was hit with a cyberattack on its systems that disrupted ticketing and timetable information. The DDoS attack caused outages in travel information and booking tools on the website and in the Navigator app.
Deutsche Bahn is Germany's national rail operator, running both passenger and cargo trains as well as suburban commuter railways in many cities. Germany's security agencies have warned about transport infrastructure being a prime target for cyber- and physical attacks, especially with heightened tensions around Russia-linked hacking groups and hybrid threats.
German authorities and cybersecurity experts heavily suspect state-sponsored Russian hackers or pro-Russian hacktivists.
Milano Cortina Winter Olympics DDoS, 2026
Threat: 2026 Winter Games websites and hotels
Suspected perpetrator: Noname057 pro-Russian group
Instigator: DDoS attacks
Italy blocked a series of cyberattacks of “Russian origin” targeting foreign ministry offices as well as websites and facilities connected to the 2026 Winter Games, including hotels in the Alpine resort of Cortina d’Ampezzo.
The “hacktivists” calling themselves NoName057 aimed to disrupt Milano-Cortina Olympics websites and some hotels in Cortina d’Ampezzo with DDoS attacks. Luckily, these attempts were blocked before they could cause any disruption.
Swiss government, 2025
Threat: Government websites disruption
Suspected perpetrator: NoName057(16)
Instigator: DDoS attacks
In January 2025, hackers launched DDoS attacks against various authorities and institutions in Switzerland, taking their websites down. The websites of the canton of Schaffhausen and the city of Geneva were among those affected by the attacks by Russian hackers. The Schaffhausen energy supplier SH Power and the city of Sierre (Valais) also displayed error messages. Days before, the Zurich and Vaud cantonal banks and the websites of several Lucerne municipalities had also been paralyzed.
The Russian group "NoName" claimed responsibility for the attacks. The same group was also behind the DDoS attacks in connection with the Ukraine conference in June 2024, during which several federal administration websites were taken offline.
USA healthcare system, 2024
Threat: Healthcare services disruption
Suspected perpetrator: Russian Blackcat/ALPHV ransomware group
Instigator: Intrusion attack followed by ransomware
The largest health care payment system in the U.S.A., operated by Change Healthcare and handling some 14 billion transactions a year, took a hit from a ransomware attack carried out by the Blackcat/ALPHV ransomware group. Its systems were down for nearly a month after the attack on February 21st.
The impact has been massive – not only in its nationwide spread and financial toll but also in how it has hurt patient care. Pharmacies, clinics, hospitals, and patients have been left in paperwork chaos, unable to issue prescriptions, conduct check-ups, respond promptly to emergencies, or deliver essential treatments. The disruption touched every aspect of care.
The American Hospital Association labeled the breach “the most significant and consequential incident of its kind against the U.S. health care system in history.” Either way, the Triton Malware Attack is a good example of how cyberattacks can lead to massive destruction if left unchecked.
The Netherlands: solar panels, 2024
Threat: Power outages, financial losses, national security
Suspected perpetrator: Ethical “Dutch” hackers
Instigator: Zero-day vulnerabilities on IoT devices
In 2024, two 'ethical' hackers from the Dutch Institute of Vulnerability Disclosure (DIVD) uncovered six critical zero-day vulnerabilities in Enphase IQ Gateway devices, which are essential for converting solar power for home use. Three of these flaws would have allowed actual hackers to gain full control over the devices if the devices were connected to the public Internet. Over four million systems deployed in 150+ countries could have been exposed to the potential for malicious takeover. Had this been a successful attack, it could have been devastating, leading to widespread power outages, financial losses, and even threats to national security.
As solar energy systems become embedded in national grids, they grow more vulnerable to cyber threats. The interconnected nature of modern solar infrastructure makes securing it essential for a resilient and secure transition to sustainable energy.
Pennsylvania water system, 2023
Threat: Water supply and quality
Suspected perpetrator: Iranian hacker group “Cyber Av3ngers”
Instigator: Intrusion attack followed by malware attack
A hacking group with links to Iran, known as the “Cyber Av3ngers,” forced a water facility in Pennsylvania into manual operations. The hackers managed to gain control of at least one device at the Municipal Water Authority of Aliquippa, which serves two townships with over 7,000 residents.
The hackers targeted a programmable logic controller (PLC), specifically a Unitronics Vision system with an integrated human-machine interface (HMI) connected to the Internet. These systems are sometimes vulnerable to attacks, allowing hackers to insert malicious code. In this case, the attackers compromised the PLC responsible for regulating water pressure at one of the authority's booster pump stations.
Fortunately, this time, no harm was reported to residents reliant on the water supply.
Ukraine’s power grid, 2022
Threat: Power outages
Suspected perpetrator: Russian hacker group ‘Sandworm’
Instigator: Intrusion attack followed by malware attack
In late 2022, Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization, deploying OT-level living off the land (LotL) techniques to trip substation circuit breakers. This attack led to an unplanned power outage that coincided with widespread missile strikes on critical infrastructure across Ukraine.
Tragically, the attack not only caused civilian casualties but also left four regions temporarily without electricity and disrupted supplies across several areas. Particularly alarming is that the initial intrusion into the SCADA system began as early as June 2022, ultimately resulting in two major disruptive events on October 10 and 12, 2022.
Colonial Pipeline oil, 2021
Threat: $5 million ransom, oil and gas shortages
Suspected perpetrator: Russian hacker group DarkSide
Instigator: Unknown
Colonial Pipeline, the largest oil pipeline in the US, was hit with a massive, targeted ransomware attack. The pipeline – which supplied over 45% of the East Coast’s gas, diesel, and jet fuel – was forced to shut down its operations entirely. It took the pipeline 11 days to partially recover, after the company ended up paying $5 million in ransom.
While the initial attack vector is still unknown, the effects of the attack were clearly felt. By the end of the attack, nearly 11,000 gas stations were still out of gas, and the national average fuel price per gallon rose to its highest level in over 6 years.
KillNet, 2022-2023
Threat: Disruptions to health, energy, and defense sectors
Suspected perpetrator: Pro-Russian hacker group KillNet
Instigator: DDoS
KillNet has led a barrage of sustained DDoS attacks at Ukrainian allies since the start of the conflict. More recently, they have targeted US and Dutch hospitals for aiding in Ukraine’s defense against Russia and taken down Lithuania’s power grid in unprecedented DDoS strikes. They also struck over a dozen US airports, canceling flights and disrupting operations.
KillNet has been a vocal supporter of Russia’s war in Ukraine, using DDoS attacks as its primary weapon to disrupt operations in allied countries. While DDoS in itself is not threatening to many systems, it has been used as a cover for more serious malware attacks.
If you would like to learn more about how reducing your network attack surface can prevent DDoS and ransomware attacks, read this blog.
A way forward with SCION
While connectivity has become our greatest strength, it’s also become our greatest vulnerability. With critical systems and infrastructure being connected and reliant on one another, malicious parties only need to infiltrate one connection to cause massive damage.
Thankfully, there is another way for nations to combat the surge of cyberattacks on critical infrastructure. SCION elevates sensitive data communications and connections beyond the opportunity of attack for cybercriminals. By operating their networks on the SCION Internet, organizations, federal institutions, and public infrastructure can operate safely, with bad actors completely unaware of their presence.
If you want to see exactly how it can work for your organization, read about two SCION use cases for critical infrastructure below.
Use case 1: Securing critical infrastructure with a closed network
For closed, critical infrastructure with well-defined entities, EDGE-to-EDGE is the right solution. It enables the safe exchange of communication between businesses and other organizations while ensuring cyber resilience.
For example, the Secure Swiss Finance Network (SSFN) powered by SCION is a controlled and secure network launched by the Swiss National Bank and SIX, the infrastructure provider, which connects participants in the Swiss financial center. On this SCION-powered network, the SIC interbank payment system processes over 220 billion CHF and 2.6 million transactions daily, on average.
The newest feature of Anapaya EDGE, SCION Secure Access Groups, lets you build a private, invite-only WAN designed for modern enterprises that need strong isolation with the flexibility needed for hybrid cloud integrations, partner connectivity, and a global footprint. To see how this compares with other solutions, read the blog “Alternatives to MPLS, SD-WAN, and VPNs: SCION Secure Access Groups for modern enterprises.”
Use case 2: Securing critical infrastructure with a community network
For networks requiring both closed and open properties, the combination of EDGE and GATE is the optimal architecture. The network remains closed through strong governance that strictly controls participant access, while simultaneously enabling openness through the selective exposure of critical applications and services and granting external access via the GATE to specific ISPs and their users.
The Secure Swiss Utility Network (SSUN), initiated by the Association of Swiss Electricity Companies, is a semi-open, sovereign communication infrastructure for the secure exchange of data between energy and utility companies in Switzerland. For specific applications that require remote access, for example, field engineers and home offices, the SSUN network offers remote users the ability to access critical systems without jeopardizing the security of the entire system. You can read more about how the SSUN works here.
Similarly, the Secure Swiss Healthcare Network is a community network serving medical institutions such as hospitals, clinics, and doctor's offices. It provides a secure infrastructure for exchanging sensitive data reliably and safely.
Use case 3: Protecting critical infrastructure with an open network for IoT and remote access
Every connection to the Internet – be it a service, device, or user – presents a potential entry point for malicious actors into your network. Critical infrastructures today have countless entry points that cybercriminals can exploit. As seen in cases like the solar panel hack in the Netherlands, the Pennsylvania water system breach, or the Change Healthcare cyberattack in the USA, critical services exposed to the Internet face massive attack surfaces simply because they are accessible to millions of IoT devices and users on the public Internet.
By operating your infrastructure on the SCION Internet, you can strategically control which services are visible to the public and which are accessible only to select ISPs and their users through Anapaya GATE. This approach effectively hides your service from the public Internet, reducing your attack surface by up to 99.9%. It is a network built on trust.
What is next with SCION
In Switzerland, the Secure Swiss Utility Network (SSUN) is being developed as a community network, designed for integration with validated ecosystems and industry platforms, cloud applications, BPO providers, IoT, technicians, remote workers, security operation centers, and more. While the SSUN is still in the conceptual stage, another network that is already in the technical implementation phase is the Secure Swiss Health Network (SSHN). Once completed, healthcare professionals will be able to access digital healthcare services on the SCION Internet via the GATE.
Protect your critical service from intrusion and DDoS attacks that lead to ransomware and malware, while keeping it accessible to IoT devices and remote users. All you need is Anapaya GATE.
In both use cases, SCION effectively renders your data and communication invisible to users who have no business reading it.
Anapaya – The SCION Company builds enterprise products that operationalize SCION’s architecture. Beyond technical advantages, SCION offers a solid business case as demonstrated by the whitepaper “Cost savings and business benefits of SCION.”
If you’re ready to take the security of your business, organization, or critical infrastructure seriously, see how SCION can help you.
Frequently Asked Questions
What are the most common cyberattacks on critical infrastructure?
Why are cyberattacks on critical infrastructure increasing?
How can critical infrastructure be protected from cyberattacks?
What sectors are most targeted by cyberattacks on critical infrastructure?
What is the cost of a cyberattack on critical infrastructure?
What role does AI play in cyberattacks on critical infrastructure?