Cyber-Attacks Now Target Tech More Than Finance
▼ Summary
– The high-tech sector was the most targeted industry for cyber-attacks in 2025, representing 17% of Mandiant investigations.
– The global median dwell time, or time attackers go undetected, increased from 11 days in 2024 to 14 days in 2025.
– A key global event was the widespread adoption of the ClickFix social engineering technique, which tricks users into running malicious commands.
– Vulnerability exploits remained the top initial infection vector, while voice phishing (vishing) surged to become the second most common method.
– Mandiant began tracking 661 new threat clusters and 714 new malware families in 2025, increasing its total tracked totals.
The cybersecurity landscape has shifted significantly, with the high-tech sector now bearing the brunt of malicious activity. According to the latest M-Trends report from Google Cloud’s Mandiant, technology companies accounted for 17% of all incident response investigations in 2025. This figure places the industry at the top of the target list, surpassing the financial services sector, which had led in previous years. Finance represented 14.6% of investigations over the past year, while business services and healthcare followed at 13.3% and 11.9%, respectively.
A concerning trend highlighted in the data is the increase in global median dwell time, which rose from 11 days in 2024 to 14 days in 2025. Dwell time measures the period an attacker remains undetected within a compromised network. Researchers attribute this rise primarily to prolonged campaigns linked to North Korean cyber espionage and IT worker scams, both of which exhibited median dwell times of 122 days.
The report details 91 significant cyber incidents from 2025, comprising 83 distinct campaigns and eight global cyber events that impacted organizations across 73 countries. Among the most active events was the widespread adoption of the ClickFix social engineering technique. This method deceives users into executing system commands, often via phishing pages, by pretending to resolve issues like software updates or meeting verifications. Dozens of threat clusters employed this tactic last year to gain initial access.
Mandiant and the Google Threat Intelligence Group began tracking 661 new threat clusters and 714 new malware families in 2025. This brings their total tracking to over 5,000 clusters and 6,000 malware families. While the number of encountered threat groups decreased from the previous year, the diversity of malware used in attacks increased, with 224 families identified in investigations.
For the sixth consecutive year, vulnerability exploits remained the leading initial infection vector, identified in 32% of relevant investigations. A notable shift occurred with voice phishing (vishing), which surged to become the second most common vector at 11%, indicating a move toward more interactive social engineering. Conversely, email phishing continued to decline as a primary method of access.
Threat actors increasingly abused native system functionalities and legitimate administrative tools to evade detection. Furthermore, Mandiant observed a strategic pivot among ransomware operators, whose primary objective is now deliberate recovery denial. This involves systematically targeting backup systems, identity services, and virtualization management to cripple an organization’s ability to restore operations without paying a ransom.
(Source: Infosecurity Magazine)
