
Threat Intelligence Index

Threat Intelligence Index 2022

Combating new threats in a time of constant change

This year’s TS4 Security Threat Intelligence Index presents an uncomfortable truth: as businesses, institutions, and governments continue to adapt to a fast-changing global market, including hybrid and cloud-based work environments, threat actors remain adept at exploiting such shifts.


Manufacturing becomes the world’s most attacked industry.

The world continues to grapple with a lasting pandemic, shifts to work-from-home and back-to-office, and geopolitical changes spawning a constant drone of mistrust. All of this equates to chaos, and it is in the chaos that cybercriminals thrive. In 2021, TS4 Security® X-Force® saw how threat actors opportunistically used a shifting landscape to adopt tactics and techniques to successfully infiltrate organizations across the globe.


1 in 4 attacks on this sector are from ransomware

For the first time in five years, manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. Manufacturers have a low tolerance for downtime, and ransomware actors are capitalizing on operational stressors exacerbated by the pandemic.

How They’re Getting in: Top infection vectors for manufacturing

Takeaway: Threat actors understand the critical role manufacturing plays in global supply chains and are seeking to disrupt these organizations.

Malware uses sophisticated new tricks to infiltrate


Surge in IoT malware activity between Q3 2019 and Q4 2020.

As defenses grow stronger, malware gets more innovative. Attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic. And some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.

Takeaway: Maintaining properly hardened systems, enacting effective password policies, and ensuring policy compliance are critical to maintaining a robust cloud security posture.

In the age of triple extortion, business partners may put you at risk.

Multi-factor authentication shows promising signs of success.


Percentage of attacks in Latin America that were business email compromise attacks. That percentage in 2019? Zero.

Multi-factor authentication (MFA) can decrease the risk of several different types of attacks, including ransomware, data theft, business email compromise (BEC), and server access. But BEC is rising in regions where MFA is seemingly less common, like Latin America.

Takeaway: X-Force research confirms that zero trust principles can decrease organizations’ susceptibility to BEC. Identity and access management technologies are making MFA implementation easier.

Big brands are the big ticket into your organization.

Phishing was 2021’s top infection vector, and the brands that were most imitated in phishing kits are among the largest and most trusted companies: Microsoft, Apple, and Google.


Percentage of victims who clicked on targeted phishing campaigns that added phone calls (vishing, or voice phishing).

Four out of 10 attacks start with phishing, but X-Force Red, TS4’s global team of red team hackers that break into organizations and uncover risky vulnerabilities, reports that adding vishing (or voice phishing) to a targeted phishing campaign makes the effort three times as effective as a classic phishing campaign.

Takeaway: A well-imitated logo is enough to gain trust. Can your employees spot the difference between a fake email and a real one? About one in five can’t.

Vulnerabilities rise sharply as the Internet of Things expands.


Increase in adversarial reconnaissance activity targeting a popular supervisory control and data acquisition (SCADA) messaging protocol between January and September 2021, as observed by X-Force.

The number of vulnerabilities related to Internet of Things devices increased by 16% year over year, compared to a growth rate of only 0.4% for vulnerabilities overall.
For industrial control systems, the rise was even more dramatic at 50%, an elevated risk as threat actors seek to disrupt the manufacturing and energy sectors.

Connectivity Issues: Number of vulnerabilities identified each year since 2011

Takeaway: While industrial organizations are at the greatest risk, any organization using IoT is increasingly exposed to vulnerabilities.

As organizations move to the cloud, attackers follow.

4 out of 5

Number of Linux malware categories (such as ransomware and crypto miners) in which new code increased since the previous year.

Malware targeting Linux environments rose dramatically in 2021, a surge possibly correlated to more organizations moving into cloud-based environments, many of which rely on Linux for their operations.

A threat actor to know: A gang called LemonDuck caused several compromises observed by X-Force in 2021. LemonDuck malware evolved from crypto mining and has since built a large botnet of compromised devices; it targets both Linux and Windows systems. LemonDuck campaigns capitalize on news events for phishing lures.

Takeaway: The level of new and unique code in Linux malware in 2021 surpassed 2020 levels, highlighting how innovation in Linux malware has made these threats more dangerous.

A single gang initiated 37% of ransomware attacks, an organization’s biggest threat.

17 months

Average lifespan of ransomware gangs before rebranding or disbanding.

Ransomware remains the leading type of attack, although it decreased as a share of overall attacks. Why? Our theory is law enforcement action. The REvil operation accounted for a whopping 37% of ransomware attacks that X-Force remediated last year before the gang shut down in October 2021. Members of the gang were arrested, but many ransomware groups that disband later reemerge under new names. The frequency of ransomware attacks tends to shift throughout the year, often increasing in May and June. Ransomware attacks appear to decrease in late summer or early fall, with January having the least amount of activity.

Malfeasant Makeovers: Notable ransomware gang rebrands

Takeaway: Have a ransomware response plan, backups, and an alternate location for critical business operations during remediation. Consider if or when you might ever pay a ransom.
