Cyber Threats 2022: A Year in Retrospect

“Blindsided” is cybersecurity’s worst-case scenario. The threat you don’t know about; the attack you don’t see coming; the hacker hiding undetected in your networks: unknowns are what can take a company down. Exposing them is what threat intelligence lives to do.

Companies in 2022 faced an array of threat actors: sophisticated advanced persistent threats, or APTs; ruthless cyber criminals; disgruntled insiders; a resurgence in hacktivism and distributed denial of service (DDoS) attacks, and more. Geopolitics dominated the headlines and the cybersphere, even as threat actors continually shifted tactics and techniques and shared their tools, motivated by sabotage, espionage and money.

And in 2022, public and private sectors joining forces and sharing their intelligence bolstered organisations’ defences. 

Our report “Cyber Threats 2022: A Year in Retrospect” examines the threat actors, trends, tools and motivations that captured the cyber threat landscape last year. It includes incident response case studies with direct and detailed insight into tools, techniques and procedures (TTPs) used in intrusions. We also provide detection logic throughout the report to assist your defenders when scanning your own systems and networks, to help you find malicious threat actors.

With context for what to expect in 2023 from the report, we strive, as always, to not only keep pace with hostile cyber activity, but to get ahead of it, and stay ahead. 


Vulnerability and threat actor agility

In 2022:

  • The Log4Shell vulnerability in Apache’s Log4j Java logging framework is thought to have affected 93% of business cloud environments and hundreds of millions of machines. A range of cyber threats jumped on the opportunity to exploit this vulnerability as organisations worked to identify impacted instances in their environments.
  •  Threat actors ranging in motivation and sophistication made use of commoditised and shared tooling and frameworks to accelerate and optimise their operations. Attackers also engaged in fast-moving, brute force attempts to fatigue users and security measures through social engineering or multifactor authentication (MFA) bypassing.
  • Some threat actors developed better ways of obfuscating their espionage operations and intellectual property theft, making it increasingly difficult to identify who they were and what they were stealing. The use of obfuscation-as-a-service proxies became the method of choice for these threat actors to hide their tracks as they compromised victims and exfiltrated confidential and sensitive information.

Looking ahead:

Attackers will continue scouring unpatched systems for Log4Shell and other vulnerabilities and will exploit where they can. Software library vulnerabilities are also likely to be an exploitation focus for threat actors in the year ahead.

Poor or inconsistent patching regimes continue to be a key factor behind successful intrusions into networks. Most successful attacks exploit vulnerabilities that have already been remediated by manufacturers or developers and are available to customers for implementation. Successful attacks that are the result of 0-day exploits are still comparatively rare. Attackers will do the minimum they need to in order to gain access to a network and will not burn higher-end capabilities unnecessarily.

We therefore recommend that organisations prioritise defence in depth and rigorous patching in their security strategies to raise the barrier to entry for attackers.

Geopolitical issues and the threat landscape

In 2022:

  •  Espionage and sabotage motivated threat actors used their offensive cyber capabilities to complement traditional warfare approaches. They used these against countries and private entities seen to be supporting their perceived enemies. They sought to gain strategic advantage by weakening digital and physical infrastructure.
  • Threat actors continued to engage in the contest for economic supremacy through intellectual property theft, with cyber attacks exacerbating ongoing supply chain issues and financial challenges. Threat actors used procured infrastructure, as well as compromised assets, to infiltrate and interdict supply chains, as well as to undermine secure communications around the world. Targets included high-end technology firms and telecommunications, manufacturing and logistics sectors.

Looking ahead:

Security and law enforcement agencies, along with the commercial security industry, will continue to use public disclosures to counter the activities of APTs and thwart their operations. Cloud service, managed service and identity and access management (IAM) providers with privileged access to client networks will increasingly become targets of choice for the most sophisticated actors – to achieve the scaled access they need to compromise the targets of their espionage and intellectual property theft operations.

In the full Cyber Threats 2022: A Year in Retrospect report, learn about these significant events and trends in more detail.

Evolving cyber crime

In 2022:

  • Ransomware continued to be a major threat to industries around the world, as threat actors were able to circumvent security measures and successfully infect networks, from manufacturing to retail and beyond, and extort high ransoms from their victims. Governments and private companies responded to cyber threats with sanctions and blacklisting, which shut down the operations of at least one major ransomware group. Due to the fractured and fluid nature of ransomware groups, many cyber criminals simply moved to deploy their skills and capabilities in other, lesser-known brands and operations.
  • Credential stealing malware proliferated within the cyber criminal ecosystem and bolstered the demand for Access-as-a-Service (AaaS) and other commoditised cyber criminal offerings, which powered cyber-enabled fraud and opportunistic attacks spanning multiple industries and countries.

Looking ahead:

Governments will also explore the continued use of sanctions as a way of hamstringing ransomware and other threat actors, as well as their access to and use of extorted and stolen funds. Organisations will increasingly be required to build their defence efforts and security strategies to account for more frequent attacks powered by an increasingly commodotised -as-a-Service cyber criminal ecosystem.


Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. In 2022, attacks in one sector cascaded to other industries and inflicted greater damage. That’s due to increased interconnections among increasingly digitised supply chains and industries.

Click on a sector to learn sector-specific motivations summarized by PwC Threat Intelligence from 2022 case studies and in-house analytics.

Aerospace and Defence

Motivations: Espionage, cyber crime, sabotage, hacktivism

Military secrets and sophisticated technologies make this highly sensitive and important sector a prime target every year by cyber threats. But 2022 proved especially challenging as threat actors worked hard to penetrate A&D organizations and contractors, particularly in Europe. Their motives ran the gamut:

Espionage-motivated threat actors wanted research and development secrets as well as military plans and capabilities.

Saboteurs, hoping to weaken a rival’s defences, might try to inhibit research or halt production.

Ransomware attackers were willing to bet that high-value, defence contracting companies would pay to recover sensitive data. They often upped the ante by threatening to publish ransomed data on leak sites to collect from victims a second time.


Motivations: Cyber crime, espionage

The auto industry is speeding along on the digital highway, transforming rapidly and perhaps more completely than many other sectors. 

Automakers must secure not only the software and hardware that make up their vehicles but also the factories that manufacture them. Their distributors and suppliers are targets, as well. 

Ransomware operators hit the automotive supply chain worldwide in 2022 and posted information on leak sites from 75 organisations. Many of these incidents brought operations to a standstill and left manufacturers without needed parts or equipment. 

We also saw evidence of espionage, including compromises resulting in threat actors stealing sensitive and proprietary information from victims.


Motivations: Cyber crime, espionage, sabotage, hacktivism

The many builders, engineers and suppliers who must work together on construction projects increasingly use digital technologies to operate and connect. Each is vulnerable to intruders who seek primarily, in this sector, money and information. 

Among ransomware leak site victims in 2022, 10% were in construction and engineering, making it number two among sectors. Only manufacturing suffered more ransomware-generated leaks.

Meanwhile, espionage agents sought to steal information or halt operations in the moment and to plant the seeds for doing so later. Their attacks stood to affect projects linked to government agencies, public infrastructure, and the public interest, including water and utilities, transportation, public buildings and even corporate facilities.


Motivations: Espionage, cyber crime, sabotage

Knowledge is power. Espionage-motivated threat actors know this, and have targeted academia for sensitive data and research, as well as information on researchers.

Attackers have more ways to get in than ever before. Partly as a result of the COVID-19 pandemic, so much of learning itself now happens online, and school administrations have increasingly gone digital. Each new connection, device and platform expands the attack surface of educational systems and networks. 

Ransomware attacks had an immense impact on this sector in 2022, and cyber criminals dominated headlines, as victims in many cases were forced to shut down operations while systems were being restored. Education’s traditional role as an open space for the free exchange of ideas and information may make the sector an easier target. We saw hundreds of schools’ data and systems around the world held for ransom in 2022.


Motivations: Espionage, cyber crime, sabotage, hacktivism

Among the most critical of infrastructure and most important of resources, energy has become a prime target for cyber criminals and other threats. But the stakes rose in 2022.

Last year we saw espionage-motivated threat actors and saboteurs targeting energy producers and distributors as a complement to conventional warfare. The intruders had often positioned themselves in advance, breaching systems to gain a foothold in victim networks, gather information and plant malware for future use. Hacktivists also re-emerged and targeted energy sector organisations in 2022, often through DDoS attacks.

Ransomware attacks, too, increased, with actors frequently using double extortion to coerce victims. In exchange for the first payment, they’d decrypt the victims’ data. The second would keep them from posting the stolen data on leak sites or selling it.

Financial Services

Motivations: Cyber crime, espionage, sabotage, hacktivism

Perhaps not surprisingly, money was the ultimate driver for threat actors targeting financial services (FS) in 2022. Ransomware hit FS hard in 2022: the sector accounted for 5% of all ransomware leak site victims. Cryptocurrency theft resulted in the loss of millions of US dollars, as well. And fraud was an ongoing concern as threat actors used cyber methods to buy items using others’ payment cards, hack into financial accounts, commit identity theft, and conduct other fraudulent acts.

But money wasn’t the only objective. Some used sabotage to slow and even halt financial transactions and stymie the flow of money, aiming to cripple economies. And threat actors continued to slip in to view sensitive financial data and systems.


Motivations: Espionage, cyber crime, sabotage, hacktivism

Adversaries, eyeing the sensitive information that governments collect and maintain, carried out sophisticated attacks in acts of cyber espionage in 2022.

Saboteurs, too, were active. They attempted to disable or disrupt government services and destroy or manipulate sensitive information and communications. They also released disinformation and leaked data regarding high-profile events and issues. 

Opportunistic cyber criminals, too, targeted the government. They followed headlines to launch ransomware attacks on public agencies and organisations. And as world events and tensions evolved, they injected themselves into geopolitical conflicts.


Motivations: Cyber crime, espionage, sabotage

Healthcare perhaps faced the most peril from cyber threats of any sector, with people’s very lives potentially at stake. And as providers’ and patients’ use of technology grew, so did opportunities for theft and worse.

Espionage by those seeking personal and proprietary information remained a concern, as did sabotage that might shut down systems and compromise patient care. But ransomware posed the greatest threat in 2022.

The damage that threat actors can do is vast in a cyber attack: they can bring down entire networks, affecting patients, providers, third parties, operators, facilities and more.


Motivation: Cyber crime, espionage, sabotage, hacktivism

Operational technology (OT) took center stage among cyber concerns in 2022 as factories continued to digitise, moving toward increased automation. Each new connection poses a new cyber threat, number one of which is ransomware.

A ransomware attack that freezes or shuts down a factory’s OT costs revenue and time, and could endanger workers. Cyber criminals are making use of these concerns, first striking and then attempting to extort for profit. Manufacturing companies ranked number one (15%) among ransomware leak site victims in 2022.

A production halt can ripple up and down the supply chain and exacerbate other shortages, as happened last year. Critical infrastructure, government, business, suppliers and distributors could all suffer losses.

On our 2023 watchlist: semiconductor manufacturing, as the US and others continue to impose restrictions. Cyber criminals are savvy about world events, and are certainly watching.

Pharmaceuticals and Life Sciences

Motivations: Cyber crime, espionage, sabotage

Research is the lifeblood of pharma, but it’s also a prime attractant for espionage.

As companies rely on technologies to advance their research and produce groundbreaking medicines ever more rapidly, they also create incentives for cyber criminals to break in and provide them with more avenues through which to do so.

Espionage-motivated threat actors abound, working to infiltrate laboratories via third parties, Internet of Things (IoT) technologies, cloud environments, software misconfigurations and more to view and steal sensitive and proprietary information and disrupt production.

The stakes go far beyond a product or pill, and even beyond such high profile projects as the development of new vaccines and other lifesaving treatments. Bad actors can also undercut companies’ profits and cause regulatory problems and reputational damage. In 2022, we saw them use ransomware to extort pharma and life sciences companies: Pay or suffer the consequences.

Professional Services

Motivations: Cyber crime, espionage, sabotage, hacktivism

Threat actors want badly what professional services (PS) companies have: namely, a wealth of project and operations information as well as sensitive proprietary, personal and financial data about clients in the private and public sectors.

Threat actors often target PS organisations with fraud in mind, using these companies’ compromised networks to access their clients’ data. Or they may use access to email accounts to conduct convincing spoofing, phishing and social engineering campaigns.

But money remains a significant motivator in PS breaches. Among victim data posted to ransomware leak sites in 2022, 9% came from professional services, making it the third highest sector last year among ransomware leak site victims.

As more PS organizations use the cloud and other technologies, we expect to see threat actors work more diligently to compromise these services as well as to circumvent identity and access management (IAM) controls.


Motivations: Cyber crime, espionage, sabotage, hacktivism

The retail industry is a cash cow for cyber criminals and fraudsters. As the use of contactless payments grew in 2022, we saw more widespread use of phony processing applications to steal customer data, including payment card information.

Threat actors may use customers’ credentials to gain access to their retail accounts and make fraudulent purchases of items that they then return for a refund to their own accounts — a popular tactic in 2022.

Attackers also may disable retailers’ online marketplaces for ransom, effectively shutting down business. The retail sector was the fourth hardest hit among ransomware leak site victims last year and accounted for 8% of all organisations leaked by ransomware threat actors.

Such a competitive industry is bound to have its share of cyber espionage, as well. As retailers and developers create and patent their own software and technologies in heated competition, they face the enduring balancing act of security vs. speed. Threat actors can then slip in to view companies’ proprietary information and their customers’ personally identifiable information (PII), payment information, and online behaviours.

Sports and Entertainment

Motivations: Cyber crime, espionage, sabotage

Sports and entertainment has become a highly transactional, technology-driven, on-demand service — one that suffered an onslaught of cyber attacks in 2022.

Interrupting scheduled events can cost sports and entertainment organisations a lot of money. This includes content creators and owners, teams, venues and platforms. Criminals capitalized on this vulnerability, timing ransomware deployments to coincide with time-sensitive events. We anticipate more such attacks in 2023.

Threat actors pilfered from fans and subscribers, as well, intercepting their purchases to steal payment card information, for instance.

And they stole embargoed media, then leaked it for money or notoriety, as we saw in one widely publicised instance in 2022.


Motivations: Espionage, cyber crime, sabotage, hacktivism

In the digital age, technology all but makes the world go around, making it a prime target for power-and-money-hungry cyber criminals and espionage-motivated threat actors.

Its omnipresent reach, extending into every sector, prompted threat actors to break into managed service providers, cloud service providers, and other widely-used services that provided access to users’ systems and networks.

Sophisticated cyber intrusions slipped into enterprise systems via software updates or systems maintenance tasks. Others used social engineering to exhaust security mechanisms and exploit users for granting access. 

Then, lurking inside their victims’ networks, a range of threat actors stole proprietary secrets and personal data, disrupted supply chains, launched attacks and damaged trust along the digital supply chain.


Motivations: Espionage, cyber crime, sabotage

This somewhat beleaguered sector suffered hits from a variety of threat actors, sometimes suffering punches from all sides in quick succession.

And because its data and telemetry contain much confidential intelligence, espionage-motivated actors focused keenly on telco, eager to scale their targeting and reconnaissance operations and enable future attacks.

Transportation and Logistics

Motivations: Cyber crime, espionage, sabotage, hacktivism

The global supply chain links most critically in the transportation and distribution of raw materials and goods. The risks increased as companies connected more systems through operational technology (OT) and industrial control systems (ICS). We saw threats to transport and logistics not only grow, but also become more sophisticated.

The consequences could be dire. We saw an attack shut down one country’s entire railway system.

Supply chain and sector interdependencies in 2022 made it more and more likely that an incident might enormously affect not only the breached company but also its customers and third parties. Ransomware actors seized on this likelihood, often targeting transport and logistics firms in aggressive attacks.

Follow us

Contact us

Umang Handa

Umang Handa

Partner, National Cybersecurity Managed Services Leader, PwC Canada

Tel: +1 416 815 5208

Cristina Onosé

Cristina Onosé

Lead, Privacy Advocacy and Thought Leadership, PwC Canada

Tel: +1 416 687 8104

Kris McConkey

Kris McConkey

Global Threat Intelligence Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360

Rachel Mullan

Rachel Mullan

Global Threat Intelligence Lead, Director, PwC United Kingdom

Jason Smart

Jason Smart

Global Threat Intelligence Lead, Director, PwC Australia

Tel: +44 (0)7718 979 308

Allison  Wikoff

Allison Wikoff

Global Threat Intelligence Lead, Director, PwC US

Matt Carey

Matt Carey

Global Threat Intelligence Lead, Director, PwC Sweden