Cyber Threats 2022: A Year in Retrospect

Keeping up with hostile cyber activity is not enough, getting ahead is.

What should CEOs and boards do in a world where geopolitics and cyber mix?

Cybersecurity's worst-case scenario is being blindsided – the attack you don't see coming and the hacker hiding undetected in your networks that can take a company down. Threat intelligence aims to expose such unknowns.

In 2022, organisations faced a variety of threat actors, including APTs, cybercriminals, hacktivists, and insiders, who changed tactics and shared tools. Geopolitics dominated the headlines and the cyberspace, as cybercriminals were driven by the pursuit of sabotage, espionage, and money. And in 2022, the public and private sectors joined forces and shared intelligence, strengthening organisations' defences.

Our report "Cyber Threats 2022: A Year in Retrospect" examines the threat actors, trends, tools, and motivations that captured the cyber threat landscape last year. It includes incident response case studies with detailed insight into tools, techniques, and procedures (TTPs) used in intrusions as well as detection logic to help you find malicious actors. We also provide context for 2023 and strive to stay ahead of hostile cyber activity through public-private sector collaboration.

Download the study

The report’s key findings

In 2022, the cyber threat landscape reflected real-world events and geopolitical tensions, with much of the year influenced by Russia's invasion of Ukraine. In the struggle for political, territorial, and economic supremacy, some states are targeting cybercrime tactics and technologies. Economic cyber security is thus increasingly becoming synonymous with national security.

The Log4Shell software zero-day vulnerability ushered in a chaotic start to 2022, highlighting the positive impact of industry collaboration and the importance of patching and understanding widely used software in environments. Cybercriminals adapted to security measures with tactics like delivering malicious payloads through ISO and LNK files. Threat actors also continued to target identity and privileged access, as well as cloud environments, to gain entry into networks.

Ransomware, the biggest cyber threat in 2021, remained a key concern, with LockBit accounting for the highest volume of leak site activity. Nearly half of financially motivated incidents we responded to were ransomware attacks, with the professional services, financial services, transport and logistics, retail, and manufacturing sectors most affected.


Three key trends we observed in 2022 and which we believe are important to watch out for in 2023 and beyond are:

Vulnerability and threat actor agility

In 2022:

The Log4Shell vulnerability in Apache's Log4j Java logging framework impacted 93% of business cloud environments and millions of machines. Numerous cyber threats took advantage of this vulnerability, using shared tooling and frameworks to accelerate their operations. Attackers employed brute force tactics, such as social engineering and multifactor authentication (MFA) bypassing, to fatigue users and security measures. Some threat actors improved their espionage and intellectual property theft operations by using obfuscation-as-a-service proxies, making it harder to detect their activities and stolen information.

Looking ahead:

Attackers will exploit unpatched systems and software library vulnerabilities, targeting networks with poor or inconsistent patching regimes. Most successful attacks exploit already-remediated vulnerabilities, while 0-day exploits are rare. Attackers will do the minimum they need to gain access to a network and will not burn higher-end capabilities unnecessarily. We therefore recommend that organisations prioritise defence in depth and rigorous patching in their security strategies to raise the barrier to entry for attackers.

Geopolitical issues and the threat landscape

In 2022:

Espionage and sabotage-driven threat actors utilised their offensive cyber capabilities in conjunction with traditional warfare to weaken digital and physical infrastructure of countries and private entities supporting perceived enemies. Economic supremacy was also a key objective, with IP theft exacerbating supply chain issues and financial challenges. High-end technology firms, telecommunications, manufacturing, and logistics sectors were targeted through procured infrastructure and compromised assets to infiltrate supply chains and undermine secure communications worldwide.

Looking ahead:

Public disclosures will be employed by security and law enforcement agencies, as well as the commercial security industry, to counter advanced persistent threat actors (APTs) and disrupt their operations. APTs will increasingly target cloud, managed service, identity, and access management (IAM) providers to gain privileged access and compromise targets for their espionage and intellectual property theft operations at scale.

Evolving cybercrime

In 2022:

Ransomware remained a significant threat across various industries worldwide, with threat actors successfully infecting networks and extorting high ransoms. Sanctions and blacklisting shut down at least one major ransomware group, but many cybercriminals shifted to other operations. Credential stealing malware increased demand for Access-as-a-Service (AaaS) and other commoditised offerings, fueling cyber-enabled fraud and opportunistic attacks globally.

Looking ahead:

Governments will continue to explore the use of sanctions to restrict ransomware and other threat actors' access to stolen funds. To defend against more frequent attacks from the increasingly commoditised cybercriminal ecosystem, organisations will need to build stronger defence efforts and security strategies.

“In 2023, we expect the threat landscape to be dominated by the targeting of identity and privileged access capabilities, as a broad range of threat actors continue to evolve and employ TTPs to bypass security mechanisms.”

Johannes DohrenPartner, Cyber Threat Intelligence Lead, PwC Switzerland

Sector view

Different sectors are exposed to different threats. While the motivation for cyber-attacks remains the same across most industries – cybercrime, espionage, sabotage, hacktivism – different sectors face sector-specific threats. The top 5 industries affected by all the incidents we analysed were professional services, financial services, transport and logistics, retail, and manufacturing.


In 2022, the digitisation and automation of factories through operational technology (OT) increased cyber threats, with ransomware attacks being the primary concern. Manufacturing companies ranked number one (15%) among ransomware leak site victims in 2022. A ransomware attack on a factory's OT can cause revenue loss, production delays, and endanger workers. Production halts can ripple through the supply chain and exacerbate other shortages. Semiconductor manufacturing is a 2023 watchlist concern due to imposed restrictions and potential cyber threats.

Professional services

Threat actors target professional services companies for valuable information like project data, client information, and financial data. They may use compromised networks or email accounts for fraud, phishing, and social engineering. Money is a big motivator for professional services (PS) breaches, with 9% of ransomware leak victims in 2022 coming from this sector. With PS companies increasingly using cloud and other technologies, threat actors will likely work harder to compromise these services and bypass identity and access management (IAM) controls.

Financial services

In 2022, financial services (FS) were heavily targeted by threat actors driven by money. 5% of all ransomware leak site victims came from this sector, and millions of US dollars were lost due to cryptocurrency theft. Fraud was also a concern, with threat actors using cyber methods to commit identity theft, hack into financial accounts, and buy items with others' payment cards. Some threat actors aimed to cripple economies by sabotaging financial transactions. Additionally, sensitive financial data and systems were still at risk of being viewed by threat actors.


The retail industry is a lucrative target for cybercriminals and fraudsters. Phony processing applications were used in 2022 to steal customer data, including payment card information, as the use of contactless payments grew. Threat actors also used customer credentials to access their retail accounts for fraudulent purchases and return tactics. Ransomware attacks were a significant issue, with the retail sector accounting for 8% of all leaked organisations. Cyber espionage was also a concern as retailers and developers compete, risking the security of proprietary and customer information.

Transport and logistics

The global supply chain's critical transportation and distribution of goods face increased risks due to the connection of more systems through operational technology (OT) and industrial control systems (ICS). Threats to transport and logistics grew and became more sophisticated, with one attack shutting down an entire country's railway system. The interconnectedness of supply chains and sectors in 2022 increased the likelihood of incidents affecting not only breached companies but also their customers and third parties. Ransomware actors seized on this likelihood, targeting transport and logistics firms in aggressive attacks.

PwC classifies cyber threats by the attackers' motivations:

  • Espionage threat actors (often referred to as “Advanced Persistent Threats”, or APTs) seek to steal valuable information for economic or political gain, often originating from competitors or state-sponsored actors.
  • Cyber criminals are largely indiscriminate in who they attack as they simply seek to make money through a range of methods and target individuals or organisations.
  • Hacktivists disrupt services to raise awareness for their cause, sometimes targeting specific organisations or individuals. They are sometimes influenced by real-world events, meaning the risk of such attacks is subject to change.
  • Saboteurs seek to damage or destroy data and systems, sometimes using sabotage as a diversion tactic. As with espionage and hacktivist attacks, saboteurs tend to be influenced by real-world events.

Seven (non-rhetorical) questions for boardroom discussion

Boards want to know: What is our risk exposure to these developments? Which of our strategic and business initiatives increase this risk exposure? Do they push us beyond our risk appetite? Is management, including the CISO and the CIO, moving swiftly enough to mitigate the risks?

We recommend that CISOs and other C-suite executives be prepared with answers to these questions:

Do we have our basics covered? Have we implemented defense-in-depth security — that is, do we have layers of defense so that if one mechanism fails, another steps up to thwart the attack? Does it include strong identity and access management, continuous monitoring, and zero trust? Is our remote desktop protocol internet-facing? If so, have we properly secured it?

Are we resilient? Do we thoroughly understand our critical dependencies? Have we mapped our systems? Do we back up our systems and data, and can we gain access to them quickly?

Have we tested our crisis management, disaster recovery, business continuity and disaster management plans? Do we have a designated executive empowered to lead these efforts organization-wide?

Have we anticipated the decisions we’ll need to make quickly in the event of an attack? Under what circumstances would we pay a ransom, if any? Do we have the information on potential damages — operational, financial, legal, reputational — to make a good decision? Is our process in line with our corporate values?

Have we tested our communication plan in the event of an attack? How do we inform the board and CEO? How and when would we communicate an attack within the organization and to our shareholders?

Do we have cyber insurance and is it adequate to cover our losses? What does it pay for? Does it cover ransom payments? How does it work? If we do not have cyber insurance, what is our plan to cover the cost?

Have we thought through potential new geopolitical conflicts? Do we view data protection, privacy, and cybersecurity rules in a larger context — for instance, that nations might be using them to improve their own economic competitiveness? When confronted with a proposed data protection law or economic sanctions, do we want to continue doing business in that market at our current level, or at all? Is it a risk worth taking? Do we want to reorganize our portfolio, shifting some of or all our focus to other markets? Are we concerned that our IP may be vulnerable? If so, how can we protect it?

Threat Intelligence

PwC Cybersecurity solutions are intelligence-driven and informed by these insights, ensuring we are addressing the most pressing security and risk challenges our clients face as the cyber threat landscape grows more complex with technological advancements and supply chain evolutions. We bring together a global team of specialists with expertise in security management, threat detection and monitoring, threat intelligence, security architecture and consulting, behavioural change and regulatory and legal advice in our efforts to help our clients protect what matters most to them.

Cyber Threats 2022: A Year in Retrospect

Get the latest insights on threat actors, trends, tools and motivations throughout the cyber threat landscape.

Building trust to succeed

Trust in a team that truly helps your organisation transform by designing, implementing, and continuously monitoring the right cybersecurity solutions. Together, we create sustainable value and trust – now and in the future.

Contact us

Urs Küderli

Urs Küderli

Partner and Leader Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 42 21

Johannes Dohren

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 22 20

Yan Borboën

Yan Borboën

Partner, Leader Digital Assurance and Cybersecurity & Privacy, PwC Switzerland

Tel: +41 58 792 84 59