Critical Infrastructure Under Siege: 2024-2025 Cybersecurity Landscape


The cybersecurity landscape of 2024-2025 has been marked by unprecedented attacks on critical infrastructure, sophisticated state-sponsored campaigns, and a rapid evolution of both offensive and defensive techniques. From Norwegian dams to cryptocurrency markets, threat actors are demonstrating increasing capability and audacity in targeting essential systems and services that underpin modern society.

Dam breach highlights industrial control vulnerabilities

In April 2024, unidentified hackers breached the control systems of Norway's Lake Risevatnet dam near Svelgen and opened its water valve at full capacity for four hours. The attack exploited a weak password for the valve's web-accessible control panel, causing water to pour 497 liters per second over the minimum flow requirement. While the incident didn't endanger lives—the river could handle up to 20,000 liters per second—it exposed critical vulnerabilities in industrial control systems (ICS) that manage essential infrastructure.

This incident underscores the growing cybersecurity threats to hydropower facilities and demonstrates how easily accessible industrial control systems can be compromised through basic security failures. The attack highlights the urgent need for stronger authentication and security measures for remotely accessible industrial control systems, particularly as critical infrastructure becomes increasingly connected to the internet.
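Stronger authentication is the first fix, but a control panel that can be opened by anyone with a weak password also needs process-level monitoring that notices when a valve is left fully open for hours. The following is an added example for this article, not code from the original post or from any dam operator: a small detector that reads a constructed telemetry log (one `<ISO timestamp> flow_l_s=<value>` line per sample), compares discharge against a configured minimum-flow setpoint, and raises an alert only when the excess is sustained, so a single sensor spike is ignored while a valve held at full capacity is not. The setpoint, tolerance and sample values are assumptions for the demonstration, not figures from the Risevatnet incident.

```python
"""Sustained excess-discharge detector for a valve telemetry feed.

Added example, not code from the original article. Assumes a plain-text
telemetry log ("<ISO timestamp> flow_l_s=<value>" per line) and a configured
minimum-flow setpoint; the log lines below are constructed, not recorded data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ExcessFlowAlert:
    start: datetime          # first sample above the tolerance band
    end: datetime            # last sample above it
    peak_excess_l_s: float   # largest discharge above the setpoint in the run


def parse_telemetry(text):
    """Parse log lines into (timestamp, flow in L/s) tuples."""
    samples = []
    for line in text.strip().splitlines():
        ts_str, kv = line.split()
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        samples.append((ts, float(kv.split("=", 1)[1])))
    return samples


def detect_sustained_excess(samples, setpoint_l_s, tolerance_l_s, min_duration):
    """Return one alert per run of samples in which discharge exceeds the
    setpoint by more than tolerance_l_s for at least min_duration."""
    alerts = []
    run = None  # (start, end, peak_excess) of the excess run in progress
    for ts, flow in sorted(samples):
        excess = flow - setpoint_l_s
        if excess > tolerance_l_s:
            run = (ts, ts, excess) if run is None else (run[0], ts, max(run[2], excess))
        elif run is not None:
            if run[1] - run[0] >= min_duration:
                alerts.append(ExcessFlowAlert(*run))
            run = None
    if run is not None and run[1] - run[0] >= min_duration:
        alerts.append(ExcessFlowAlert(*run))
    return alerts


def constructed_log():
    """Constructed telemetry: ~110 L/s baseline, one single-sample spike at
    09:00, then the valve held fully open (~600 L/s) from 10:00 to 14:00."""
    lines = []
    t0 = datetime(2024, 4, 7, 8, 0, tzinfo=timezone.utc)
    for i in range(40):  # ten hours of 15-minute samples
        ts = t0 + timedelta(minutes=15 * i)
        if ts == t0 + timedelta(hours=1):
            flow = 400.0  # transient spike: must not alert
        elif timedelta(hours=2) <= ts - t0 < timedelta(hours=6):
            flow = 600.0  # valve at full capacity for four hours
        else:
            flow = 110.0
        lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} flow_l_s={flow}")
    return "\n".join(lines)


def run_detector():
    """Run the detector over the constructed log with assumed thresholds:
    setpoint 100 L/s, tolerance 50 L/s, minimum duration 30 minutes."""
    samples = parse_telemetry(constructed_log())
    return detect_sustained_excess(samples, setpoint_l_s=100.0,
                                   tolerance_l_s=50.0,
                                   min_duration=timedelta(minutes=30))


if __name__ == "__main__":
    for alert in run_detector():
        print(f"ALERT {alert.start:%H:%M} to {alert.end:%H:%M}: "
              f"+{alert.peak_excess_l_s:.0f} L/s over setpoint")
```

In a real deployment the alert would also be correlated with the control panel's authentication and command logs, so that a flow change with no matching authorised operator action is escalated rather than filed as a process anomaly.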

Government policy shifts reshape cybersecurity landscape

Governments worldwide have implemented sweeping policy changes throughout 2024-2025, fundamentally altering how organizations approach cybersecurity. The US House of Representatives banned WhatsApp from all government-issued devices in June 2024, citing "lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks." This decision, which approved alternatives like Microsoft Teams, Wickr, and Signal, reflects growing concerns about data sovereignty and foreign influence in communication platforms.

Meanwhile, multiple US states enacted comprehensive Bitcoin ATM regulations following a surge in fraud losses. The FBI reported $247 million in Bitcoin ATM fraud losses in 2024—a 99% increase from 2023—with elderly Americans disproportionately targeted. States like Nebraska, Vermont, and Arizona established licensing systems, daily transaction limits, and mandatory fraud warnings, while Senator Dick Durbin introduced federal legislation requiring Treasury Department registration.

The European Union published its most comprehensive post-quantum cryptography roadmap in June 2025, establishing three critical milestones: national PQC strategies by December 2026, high-risk system implementation by December 2030, and complete transition by December 2035. This represents one of the world's most comprehensive governmental approaches to quantum-safe cryptography, potentially setting global standards for PQC adoption.

Russia continues developing its national IMEI database to combat financial fraud, originally proposed in 2018. The system would only allow devices with authorized IMEI numbers to register on communication networks, enabling authorities to block individual devices from mobile networks even after fraudsters change phone numbers.

The FDA released enhanced cybersecurity requirements for medical device manufacturers in June 2025, mandating adherence to NIST Federal Information Processing Standards (FIPS) and CISA guidelines. With 53% of networked medical devices having at least one known critical vulnerability and 22% of healthcare organizations experiencing cyberattacks directly impacting medical devices, the FDA now issues "refuse to accept" letters for submissions whose cybersecurity documentation is non-compliant.

International cooperation emerges through cyber fund

The UK and Canada jointly launched the Common Good Cyber Fund in June 2024, providing $5.7 million over five years to support cybersecurity nonprofits and civil society organizations. Managed by the Internet Society and Global Cyber Alliance, the fund addresses systemic underfunding of cybersecurity nonprofits that provide essential internet security services, representing the first international effort to fund cybersecurity for the "common good."

State-sponsored actors escalate operations

The release of four REvil ransomware members in Russia during 2024-2025 highlights the complex geopolitical dynamics affecting cybercrime prosecution. Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev were sentenced to five years but released immediately because their pre-trial detention counted toward their sentences. Notably, their charges focused on carding activities and malware distribution rather than ransomware attacks, reflecting deteriorated US-Russia cooperation after the Ukraine invasion.

Iranian cyber capabilities came into sharp focus following US airstrikes on Iranian nuclear facilities on June 21, 2025. The Department of Homeland Security issued a National Terrorism Advisory System bulletin warning of heightened Iranian cyber retaliation threats against US targets through September 2025. Historical precedent includes the 2012 Shamoon attacks on Saudi Aramco affecting 30,000 computers and 2014 Sands Casino attacks. Recent Iranian activities include the CyberAv3ngers group targeting US water systems using default passwords on programmable logic controllers.

Iranian-linked information operations conducted a significant breach of Saudi Games data in June 2025. The Cyber Fattah hacktivist group accessed phpMyAdmin backend systems, compromising thousands of athlete and visitor records including passport scans, medical certificates, and government official data. The attack demonstrates Iran's shift from Israel-centric to broader anti-Western operations, strategically timed to exploit regional tensions.

Criminal ecosystems demonstrate remarkable resilience

The shutdown of Huione Guarantee and Xinbi Guarantee marketplaces on Telegram in May 2025 revealed the remarkable resilience of criminal ecosystems. Following FinCEN's designation of Huione Group as a money laundering concern and Telegram's removal of channels that facilitated over $35 billion in illicit transactions, successor platforms immediately filled the void. Tudou Guarantee captured most displaced activity, processing over 300,000 transactions by mid-June 2025, with user numbers doubling and transaction volumes matching pre-shutdown levels.

The identification of Christian Nieves as the leader of a $4 million Coinbase customer theft operation demonstrates both the sophistication of modern social engineering attacks and the power of blockchain investigation. Operating under the aliases "Daytwo" and "PawsOnHips," Nieves managed a small call center impersonating Coinbase support, directing victims to create wallets using scammer-controlled seed phrases. Blockchain investigator ZachXBT's detailed analysis exposed poor operational security, making it a "rather easy case for law enforcement to pursue."

Sophisticated attack techniques target enterprise systems

Several sophisticated attack campaigns emerged throughout 2024-2025, demonstrating evolving threat actor capabilities. The fake SonicWall NetExtender campaign distributed trojanized VPN clients with modified components that bypassed digital certificate validation and stole credentials. The malware, digitally signed with fraudulent certificates, exfiltrated VPN configuration data to remote servers, giving attackers valid VPN access with no vulnerability exploitation required.

The EvilConwi campaign exploited ConnectWise ScreenConnect using "Authenticode stuffing" techniques, manipulating certificate tables to create validly signed remote access malware. Distributed through phishing emails with OneDrive links redirecting to Canva pages, the campaign achieved high success rates with most antivirus products failing to detect the malicious installers as of May 2025.
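Authenticode stuffing works because the Authenticode hash deliberately excludes the attribute certificate table, so bytes appended after the PKCS#7 SignedData blob leave the signature valid. A defender can therefore compare each WIN_CERTIFICATE entry's declared length with the DER-encoded length of the blob it carries. The code below is an added example for this article, not code from the original post, from ConnectWise, or from the campaign's analysts; the minimal PE image and the stand-in signature blob it builds are constructed fixtures, not a real signed binary, and the "configuration" string appended in the stuffed case is an assumed placeholder.

```python
"""Detect data stuffed into a PE file's Authenticode certificate table.

Added example, not code from the original article or from any vendor. The PE
header and the DER blob below are constructed fixtures, not a real binary.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def der_element_length(data):
    """Total encoded size (tag + length bytes + content) of the DER element at data[0]."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def locate_security_directory(pe):
    """Return (file_offset, size) of the attribute certificate table. Unlike the
    other data directories this entry holds a raw file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96   # data directories start 96 bytes into a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112  # and 112 bytes into a PE32+ optional header
    else:
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def analyze_certificate_table(pe):
    """One finding per WIN_CERTIFICATE entry: how many bytes sit past the DER
    blob and whether they look like deliberately appended data."""
    offset, size = locate_security_directory(pe)
    if size == 0:
        return []
    table = pe[offset:offset + size]
    findings, pos = [], 0
    while pos + 8 <= len(table):
        dw_length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("WIN_CERTIFICATE length exceeds the table")
        body = table[pos + 8:pos + dw_length]
        der_len = der_element_length(body)
        if der_len > len(body):
            raise ValueError("DER blob longer than its WIN_CERTIFICATE entry")
        extra = body[der_len:]
        # Entries are padded to 8 bytes, so up to 7 trailing zero bytes are normal;
        # a longer tail, or any non-zero byte, was appended on purpose.
        findings.append({
            "revision": revision,
            "cert_type": cert_type,
            "declared_length": dw_length,
            "der_length": der_len,
            "trailing_bytes": len(extra),
            "stuffed": len(extra) >= 8 or any(extra),
        })
        pos += (dw_length + 7) & ~7
    return findings


def build_fixture_pe(cert_table):
    """Constructed minimal PE32 header (no sections) whose security directory
    points at cert_table placed immediately after the headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)  # i386, 0 sections, 224-byte optional header
    opt = bytearray(224)                                       # PE32: 96 bytes + 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    table_offset = len(dos) + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     table_offset, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


def build_win_certificate(blob):
    """WIN_CERTIFICATE (revision 2.0, PKCS#7 SignedData) wrapping blob, zero-padded to 8 bytes."""
    length = (8 + len(blob) + 7) & ~7
    entry = struct.pack("<IHH", length, 0x0200, 0x0002) + blob
    return entry + b"\0" * (length - len(entry))


# Constructed stand-in for a PKCS#7 SignedData blob: a 304-byte DER SEQUENCE.
FAKE_SIGNED_DATA = b"\x30\x82\x01\x2c" + b"\x01" * 300
# Constructed, assumed placeholder for an appended configuration record.
STUFFED_PAYLOAD = b'{"server":"example.invalid","port":443,"tag":"demo"}'


def demo():
    """Analyse a clean fixture and one with data appended after the signature."""
    clean = build_fixture_pe(build_win_certificate(FAKE_SIGNED_DATA))
    stuffed = build_fixture_pe(build_win_certificate(FAKE_SIGNED_DATA + STUFFED_PAYLOAD))
    return analyze_certificate_table(clean), analyze_certificate_table(stuffed)


if __name__ == "__main__":
    for label, findings in zip(("clean", "stuffed"), demo()):
        print(label, findings)
```

Against a real binary the same `analyze_certificate_table` call can be pointed at the file's bytes; a signature that validates but carries a large non-zero tail is the signal to quarantine the installer and inspect the tail rather than trust the signer.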

New WinRAR vulnerabilities continue to pose significant risks, with CVE-2025-6218 representing a critical directory traversal vulnerability enabling remote code execution. The legacy CVE-2023-38831 remains actively exploited by APT29 and APT28 in targeted campaigns, while CVE-2025-31334 bypasses Windows security warnings through symbolic links in archive files.
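Directory traversal in an archive extractor comes down to trusting the entry name as a path, and the symbolic-link variant comes down to following a link the archive itself planted. The following is an added example for this article, not WinRAR code or a fix for the CVEs above: an extractor that validates every entry name before writing anything, rejects symlink entries outright, and re-checks the resolved destination at write time so links already on disk cannot redirect a write. It uses Python's zipfile only as a convenient container format, and the archives (including the hostile entry names) are constructed in memory.

```python
"""Archive extraction that refuses path traversal and symlink entries.

Added example, not code from the original article or from any archiver.
The zip archives below are constructed in memory for the demonstration.
"""
import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeArchiveEntry(ValueError):
    pass


def entry_problem(info):
    """Return a reason if a zip entry is unsafe to extract, else None."""
    name = info.filename.replace("\\", "/")
    if (info.external_attr >> 16) & 0o170000 == 0o120000:  # S_IFLNK in the Unix mode bits
        return "symbolic link entry"
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        return "path traversal"
    return None


def safe_extract(zip_bytes, dest_dir):
    """Extract into dest_dir. Every entry is checked before the first write,
    and each target is resolved and confined to dest_dir again at write time."""
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            problem = entry_problem(info)
            if problem:
                raise UnsafeArchiveEntry(f"{info.filename!r}: {problem}")
        for info in zf.infolist():
            parts = posixpath.normpath(info.filename.replace("\\", "/")).split("/")
            target = os.path.realpath(os.path.join(root, *parts))
            # Second line of defence: a symlink already on disk must not lead outside root.
            if os.path.commonpath([root, target]) != root:
                raise UnsafeArchiveEntry(f"{info.filename!r}: resolves outside destination")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_archive(entries):
    """Build a zip in memory from (name, data, is_symlink) tuples (constructed fixtures)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = 0o120777 << 16  # S_IFLNK | 0777, as Unix archivers store it
            zf.writestr(info, data)
    return buf.getvalue()


SAFE_ARCHIVE = build_archive([("docs/readme.txt", b"hello", False)])
TRAVERSAL_ARCHIVE = build_archive([("docs/readme.txt", b"hello", False),
                                   ("../../outside/dropped.txt", b"x", False)])
SYMLINK_ARCHIVE = build_archive([("link", b"/etc", True)])


def run_demo():
    """Extract the safe archive into a temporary directory and record how each
    hostile archive is rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["safe"] = safe_extract(SAFE_ARCHIVE, tmp)
        for label, archive in (("traversal", TRAVERSAL_ARCHIVE), ("symlink", SYMLINK_ARCHIVE)):
            try:
                safe_extract(archive, tmp)
                results[label] = "extracted"
            except UnsafeArchiveEntry as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The two-stage check matters: validating names up front means a hostile entry late in the listing cannot leave earlier files half-extracted, and the realpath confinement at write time covers the case the name check cannot see, a link that already exists under the destination.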

Artificial intelligence faces novel attack vectors

The Echo Chamber LLM attack, discovered by Ahmad Alobaid of NeuralTrust in 2025, represents a sophisticated jailbreak technique using context poisoning and multi-turn reasoning. The attack exploits LLM context management through "poisonous seeds" and "steering seeds" to manipulate model responses without explicit dangerous prompts. Controlled testing achieved success rates exceeding 90% for generating sexism, violence, hate speech, and pornographic content across major models including GPT-4o, Gemini-2.0-flash-lite, and Gemini-2.5-flash.

Advanced persistent threats intensify targeting

APT36 (Transparent Tribe) demonstrated significant evolution in 2024-2025 through enhanced ElizaRAT campaigns targeting Indian defense, government, and diplomatic missions. The group deployed Circle ElizaRAT with improved evasion capabilities alongside ApoloStealer for targeted file collection, abusing cloud services including Google Drive, Telegram, and Slack for infrastructure. Recent campaigns exploited the April 2025 Pahalgam terror attack for spear-phishing and implemented ClickFix techniques through fake error messages.

The LapDogs botnet represents a sophisticated China-nexus operation that uses over 1,000 compromised SOHO routers and IoT devices as an Operational Relay Box (ORB) network. The campaign deployed variants of the ShortLeash custom backdoor on Linux and Windows systems, using spoofed TLS certificates impersonating the LA Police Department to misdirect investigators. About 90% of the infected devices are located in the US, Japan, South Korea, Taiwan, and Hong Kong, and targeting concentrates on the real estate, IT, networking, and media sectors.

Mobile malware evolution targets cryptocurrency users

SparkKitty mobile malware emerged as a significant threat to cryptocurrency users throughout 2024-2025, targeting both iOS and Android platforms to steal wallet seed phrases through photo gallery exfiltration. Distributed via official app stores and unofficial channels, the malware requests gallery access permissions before harvesting all images for OCR processing to identify sensitive text. Notable samples included the "SOEX" Android app with over 10,000 downloads and the "币coin" iOS crypto tracker before removal from official stores.

Industry infrastructure faces policy disruptions

Microsoft Windows 11 implemented a significant policy change in June 2025, reducing System Restore point retention from 90 days to 60 days for version 24H2. The change standardizes previously inconsistent retention periods but reduces the recovery window for system administrators and affects incident response timelines, forcing more proactive backup strategies.

The libxml2 project announced a major security disclosure policy shift in June 2025, moving to immediate public disclosure of security vulnerabilities rather than coordinated disclosure with embargoes. Sole volunteer maintainer Nick Wellnhofer cited unsustainable workload for the policy change, potentially creating zero-day exploitation windows for the billions of devices using libxml2. This highlights the broader open-source sustainability crisis affecting critical infrastructure components.

Innovative defense techniques emerge

Akamai researchers developed innovative botnet disruption techniques using "Bad Shares" methods for cryptocurrency mining botnets. The XMRogue proof-of-concept tool connects to malicious mining proxies as legitimate miners, submitting invalid mining results to trigger pool-level bans of attacker infrastructure. Demonstrated effectiveness includes reducing botnet revenue from $50,000 to $12,000 annually (76% reduction) and eliminating $26,000 annual revenue from single proxies, representing near-instantaneous disruption compared to lengthy traditional takedown processes.

Conclusion

The cybersecurity landscape of 2024-2025 demonstrates unprecedented sophistication in both offensive and defensive capabilities. Critical infrastructure faces mounting threats from basic security failures to state-sponsored operations, while governments implement comprehensive policy frameworks addressing emerging technologies from post-quantum cryptography to cryptocurrency regulation. The resilience of criminal ecosystems, evolution of artificial intelligence attacks, and continued APT sophistication underscore the need for proactive, internationally coordinated cybersecurity strategies.

The convergence of geopolitical tensions, technological advancement, and criminal innovation creates a complex threat environment requiring adaptive defense strategies. Organizations must prioritize supply chain security, implement comprehensive mobile device management, enhance monitoring for state-sponsored espionage, and develop frameworks for handling immediate vulnerability disclosure policies. The emergence of innovative defense techniques like Akamai's botnet disruption methods suggests promising directions for proactive cybersecurity, while policy initiatives like the Common Good Cyber Fund address systemic funding gaps in critical cybersecurity infrastructure.

As threat actors continue evolving their techniques across traditional boundaries of cybercrime, espionage, and warfare, the cybersecurity community must maintain vigilance and adapt defensive strategies to protect the interconnected systems that underpin modern society.


By Breached Company