
Government Sector Hit Hardest as Cyberattacks Escalate

Summary

– Government agencies were the most targeted sector in 2025, facing 274 of the 1,186 tracked cyberattack campaigns.
– Attackers increasingly used AI, automation, and platforms like Telegram to make attacks faster and more impactful, including for deepfakes and real-time data theft.
– Ransomware was the most common type of attack, accounting for 22% of all campaign types observed during the year.
– Researchers identified a vast infrastructure supporting these attacks, including hundreds of thousands of malicious domains, URLs, files, and IP addresses.
– Attack patterns heavily focused on exploiting known vulnerabilities in devices like routers, DVRs, and Docker APIs.

A new report analyzing global cyber threats reveals that government entities endured the highest number of targeted attack campaigns throughout 2025, underscoring a critical vulnerability in public sector digital infrastructure. The findings, which tracked over a thousand distinct campaigns, illustrate a dangerous escalation in both the frequency and sophistication of cyber assaults, with nation-states and critical services bearing the brunt of the offensive.

The data places government agencies at the top of the list, having been the focus of 274 separate campaigns. The financial services sector followed as the second-most targeted, facing 211 campaigns, while technology firms experienced 179. Other heavily impacted industries included defense with 98 campaigns, manufacturing with 75, and telecommunications and healthcare each with 63. Sectors like education and transportation were also significant targets, each recording 61 campaigns. This pattern highlights a deliberate focus on organizations that manage sensitive citizen data, national security interests, and essential operational networks.

The evolution of attack methodologies has been stark, with adversaries leveraging automation and artificial intelligence to increase their effectiveness. Threat actors are now employing automated, assembly-line processes to exfiltrate stolen data in real time, often coordinating these efforts through encrypted messaging platforms. More alarmingly, generative AI has become a tool for social engineering, enabling the creation of convincing synthetic voices and deepfake videos. These are deployed in sophisticated vishing attacks and scams that impersonate corporate executives. In a notable example, one extortion group conducted detailed market research on virtual private network weaknesses to better tailor its intrusion strategies.

When examining the types of threats observed, ransomware was the most prevalent, constituting 22% of all campaign activity. Infostealer operations, designed to harvest credentials and data, followed closely at 19%, while phishing campaigns accounted for 17%. Remote Access Trojans (RATs) made up 11% of the activity, and other forms of malware represented 9%. The scale of the malicious infrastructure supporting these attacks was immense, with researchers identifying nearly 150,000 malicious domains, over 65,000 harmful URLs, 58,000 malicious files, and tens of thousands of suspicious IP addresses. Throughout the year, attackers successfully exploited 549 distinct software vulnerabilities.

Network telemetry provides a clear view of the relentless probing by hackers. A global deception network logged an astonishing 44.5 million connection attempts from hundreds of thousands of unique source IP addresses. A significant portion of this traffic targeted known weaknesses in internet-connected devices and services. Attack patterns showed a heavy focus on exploiting exposed services, with Digital Video Recorder (DVR) remote code execution attempts appearing 4,700 times. Exploits against Huawei routers were observed 3,490 times, and abuses of Docker APIs occurred 3,400 times. Other frequently targeted vulnerabilities included those in PHP units, TP-Link devices, and network printers. The most commonly exploited specific vulnerabilities were older flaws like CVE-2017-17215 and CVE-2014-8361, alongside newer entries such as CVE-2023-1389, demonstrating that unpatched systems across all vintages remain a primary attack vector.

(Source: NewsAPI Cybersecurity & Enterprise)
