Cyber threats to critical infrastructure: defending against new attacker tactics

CERT-UA warns of intensified cyberattacks targeting critical infrastructure. We examine new attacker tactics and effective defense strategies based on Zero Trust architecture.

This year, cybersecurity for Ukrainian hospitals, local government bodies, and FPV operators has become an even higher priority. According to CERT-UA, throughout March-April 2026, an intensification of cyberattacks on local government bodies and communal healthcare institutions, including clinical and emergency medical hospitals, was recorded (cert.gov.ua, moz.gov.ua, zor.gov.ua). These incidents highlight not only an increase in the number of threats but also a shift in attacker tactics, necessitating a review of existing defense strategies.

Persistent Access Tactics: A New Threat to Critical Infrastructure

Traditional cyberattacks aimed at rapid data theft are gradually receding. Since the second half of 2025, hacker groups have changed their tactics, moving from one-time data exfiltration to gaining long-term unauthorized access and establishing persistence within information systems (cip.gov.ua). This means attackers are not just looking to steal information but to remain undetected in the network for extended periods to conduct continuous monitoring, gather data, or prepare for larger-scale sabotage.

This shift in tactics is particularly dangerous for hospitals and local government bodies. Persistent access can lead to the compromise of patient medical data, financial information, employee and citizen personal data, as well as disruption of critical operational processes. This poses risks not only to confidentiality but also to the continuity of service delivery.

For context, ENISA analyzed 4,875 incidents between July 1, 2024 and June 30, 2025, which illustrates the global scale of the problem and the constant evolution of cyber threats (ENISA Threat Landscape 2025).

FPV Operators Under Fire: Threat Specifics and Consequences

The FPV technology sector is also facing growing cyber threats. While attacks aimed directly at FPV operators have their own specifics, the broader telecom fraud landscape creates significant risk. According to the CFCA Global Fraud Loss Survey, global losses from telecom fraud in 2025 were estimated at approximately $41.82 billion, a substantial increase from $38.95 billion in 2023 (CFCA Global Fraud Loss Survey 2025). This indicates the growing attractiveness of telecommunication systems to malicious actors.

For FPV operators, who often use telecommunication channels for data transmission and control, this means increased vulnerability to attacks aimed at intercepting signals, compromising control systems, or stealing sensitive information. For example, systems responsible for drone management, supply chain logistics, or processing data from FPV systems can become targets for attacks aimed at destabilizing operations or obtaining intelligence data.

Defense in this sector requires not only standard cybersecurity measures but also specific solutions for protecting radio channels, encrypting data in transit and at rest, and ensuring the integrity of FPV system software.

Expert comment
Yuriy Syvytsky, Co-founder of Softline, Member of the Supervisory Board, Intecracy Group

Regarding attempts at rapid Zero Trust adoption, the complexity of integrating with existing systems is often underestimated. In projects of this class, where critical infrastructure relies on legacy systems, a typical failure pattern involves creating new entry points that don't account for the specifics of interaction, for example, with SCADA systems where protocols like Modbus might not be fully compatible with modern authentication mechanisms.

A Common Pitfall: Why a Hasty Zero Trust Transition Can Fail

The Zero Trust concept, which advocates for “never trust, always verify,” is a powerful tool for defending against modern threats. However, attempting a rapid and comprehensive implementation of Zero Trust without proper planning often leads to failure. The common pitfall lies in trying to implement all Zero Trust components simultaneously, ignoring the current state of the infrastructure and operational processes.

Effective Zero Trust implementation requires a phased approach, starting with fundamental elements. The first step should be strengthening Identity and Access Management (IAM), including Multi-Factor Authentication (MFA) for all users and systems. This ensures that only authorized individuals and devices can access resources. The next stage involves implementing network micro-segmentation, which restricts traffic flow between individual segments and applications, minimizing potential damage from a single node compromise. Only after these steps should one proceed to more complex aspects like device trust and continuous risk assessment.

Without such a phased approach, Zero Trust implementation can create more problems than it solves, leading to operational disruptions, management complexities, and a lack of genuine security improvement.

Architectural Example: Building a Resilient Defense System for a Telecom Operator

Let’s consider an architectural example of building a resilient defense system for a large telecom operator, which can also be adapted for FPV operators or critical infrastructure. The primary focus here is on protecting OSS/BSS (Operational Support Systems / Business Support Systems) and customer profiles.

In a typical architecture, defense begins with a centralized Identity and Access Management (IAM) system that integrates with all critical systems, including CRM, billing systems, and network management platforms. IAM provides a single point of control for authentication and authorization, utilizing MFA for all privileged accounts and access to sensitive data. A Security Information and Event Management (SIEM) system is implemented for monitoring and anomaly detection, collecting and correlating security events from all systems, including network devices, servers, and applications. SIEM can be augmented with AI agents, such as those developed by Softengi, to detect sophisticated, long-term attacks that mimic normal user behavior.

To protect customer data and prevent its leakage, a Data Loss Prevention (DLP) system is employed, which monitors the flow of confidential information both inside and outside the organization. Network micro-segmentation ensures that even if one segment is compromised, attackers cannot easily move across the entire infrastructure. For instance, OSS/BSS systems are isolated from external networks and other internal segments, with access strictly controlled.
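As an added illustration of the kind of correlation the SIEM layer described above would run against access logs (example code written for this article, not a Softengi, Softline or any vendor product): it flags an identity whose activity from a source outside its known baseline recurs in small amounts on many distinct days, mostly off-hours, which is the low-and-slow "mimic normal behaviour" pattern of persistent access. The log lines, the baseline and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): "timestamp user src_ip segment"
SAMPLE_LOG = """\
2026-03-02T01:10:00 j.kovalenko 10.9.7.21 oss_bss
2026-03-03T01:12:00 j.kovalenko 10.9.7.21 oss_bss
2026-03-04T01:09:00 j.kovalenko 10.9.7.21 oss_bss
2026-03-05T01:15:00 j.kovalenko 10.9.7.21 oss_bss
2026-03-06T01:11:00 j.kovalenko 10.9.7.21 oss_bss
2026-03-02T09:30:00 j.kovalenko 10.2.1.50 crm
2026-03-03T10:05:00 j.kovalenko 10.2.1.50 crm
2026-03-02T14:00:00 o.melnyk 10.2.1.77 crm
2026-03-03T14:20:00 o.melnyk 10.2.1.77 crm
2026-03-04T23:40:00 o.melnyk 10.2.1.77 billing
"""

# Constructed baseline (assumption): source addresses each identity normally uses
BASELINE = {"j.kovalenko": {"10.2.1.50"}, "o.melnyk": {"10.2.1.77"}}

MIN_DAYS = 5          # recurring activity on at least this many distinct days
OFF_HOURS = (22, 6)   # 22:00-06:00 counts as off-hours

def parse(log_text):
    """Turn the whitespace-separated log into (datetime, user, src_ip, segment) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, src, seg = line.split()
        events.append((datetime.fromisoformat(ts), user, src, seg))
    return events

def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end

def find_persistent_access(log_text, baseline=BASELINE):
    """Return findings for (user, source) pairs showing all three persistence indicators."""
    stats = defaultdict(lambda: {"days": set(), "off": 0, "n": 0, "segs": set()})
    for ts, user, src, seg in parse(log_text):
        s = stats[(user, src)]
        s["days"].add(ts.date()); s["n"] += 1; s["segs"].add(seg)
        s["off"] += is_off_hours(ts)
    findings = []
    for (user, src), s in stats.items():
        reasons = []
        if src not in baseline.get(user, set()):
            reasons.append("source outside baseline")
        if len(s["days"]) >= MIN_DAYS:
            reasons.append(f"recurring on {len(s['days'])} days")
        if s["off"] / s["n"] >= 0.8:
            reasons.append("mostly off-hours")
        if len(reasons) == 3:  # only the combination is reported, to limit false positives
            findings.append({"user": user, "src": src,
                             "segments": sorted(s["segs"]), "reasons": reasons})
    return findings
```

On the constructed sample only the j.kovalenko sessions from 10.9.7.21 into the OSS/BSS segment are reported; the same user's daytime CRM use from the baseline address is not.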

This approach not only effectively counters modern threats but also ensures readiness for external audits and rapid incident response within the regulatory 24/72-hour timeframe, which is a key business outcome for ensuring operational continuity and compliance with regulatory requirements like NIS2.

Practical Steps to Resilience: Recommendations from CERT-UA and Experts

To effectively counter growing cyber threats, critical infrastructure organizations need to take specific practical steps:

  1. Enhance Monitoring and Detection: Implement or optimize SIEM systems for collecting, analyzing, and correlating logs from all critical systems. Utilize AI systems for detecting anomalies and persistent unauthorized access.
  2. Identity and Access Management (IAM): Implement Multi-Factor Authentication (MFA) for all users, especially for privileged accounts. Regularly review and update access policies.
  3. Network Micro-segmentation: Divide the network infrastructure into small, isolated segments. This limits the spread of an attack in case of a segment compromise.
  4. Endpoint Protection: Employ modern Endpoint Detection and Response (EDR) solutions for detecting and responding to threats on workstations and servers.
  5. Personnel Training: Conduct regular cybersecurity hygiene training and raise awareness about phishing attacks, social engineering, and other threats.
  6. Incident Response Plan (IRP): Develop and regularly test a detailed incident response plan that minimizes downtime and damage from an attack. Readiness to respond within 24/72 hours is critical.
  7. Supply Chain Risk Assessment: Vet software and hardware vendors for compliance with security standards, as supply chain attacks are becoming increasingly prevalent.
  8. Audit Readiness: Ensure compliance with international standards such as ISO/IEC 27001 and national cybersecurity requirements. This not only enhances the level of protection but also demonstrates readiness for cooperation with European partners.

Projects like these are implemented by companies such as Softline, IQusion, and SL Global Service, helping organizations build resilient and adaptive cybersecurity systems that meet modern challenges.

Readiness Checklist for Modern Cyber Threats to Critical Infrastructure

  • Are responsible individuals for cybersecurity identified for each critical segment (healthcare, government, FPV operations)?
  • Has an audit of existing systems been conducted to ensure compliance with rapid incident response requirements (24/72 hours)?
  • Are mechanisms for monitoring and detecting persistent unauthorized access implemented (SIEM, UEBA)?
  • Has an incident response plan (IRP) been developed and tested, accounting for the specifics of each sector?
  • Is there an Identity and Access Management (IAM) policy that includes Multi-Factor Authentication (MFA) for all critical systems?
  • Has a supply chain security risk assessment been conducted for critical services and equipment?
  • Has a phased Zero Trust implementation strategy been developed, starting with identity and access management?

Frequently asked questions

What are the new cyber threats facing Ukrainian hospitals and local government bodies?

CERT-UA is recording an intensification of attacks where attackers are shifting tactics from rapid data theft to establishing persistent access within information systems for continuous monitoring and information gathering.

How can FPV operators protect themselves from growing telecom fraud?

FPV operators should focus on protecting telecommunication channels, encrypting data, ensuring the integrity of FPV system software, and implementing comprehensive cybersecurity solutions that consider radio channel specifics.

What are common mistakes in Zero Trust implementation and how can they be avoided?

A common mistake is attempting to implement all Zero Trust components simultaneously. This can be avoided by using a phased approach: first, strengthening IAM, then network micro-segmentation, and only then device trust and continuous risk assessment.

Data sources