Threat Intelligence Report: Summer 2025 Cyber Threat Landscape


The Summer 2025 threat landscape is characterized by a continued and significant escalation in the frequency, scale, and sophistication of global cyber threats. Adversaries, ranging from state-sponsored espionage groups to financially motivated cybercriminals, are refining their tactics with greater efficiency and impact. This section provides a high-level statistical baseline derived from observed activity, highlighting the key trends that inform the detailed campaign analyses and mitigation guidance that follow.

1.1 Global Attack Volume and Geopolitical Influence

The year-over-year increase in global cyber-attack frequency is substantial, driven largely by geopolitical tensions that are increasingly fought on digital battlegrounds. State-sponsored operations targeting critical infrastructure and government entities have become a primary method of geopolitical confrontation, accounting for a record number of confirmed incidents.

  • Global Cost of Cyber Warfare: The estimated global cost of damages related to cyber warfare in 2025 is $13.1 billion, a 21% increase from the previous year.
  • State-Sponsored Attribution: 39% of all major cyber-attacks in 2025 were attributed to state-sponsored actors.
  • Critical Infrastructure Attacks: Attacks targeting critical infrastructure sectors saw a 34% increase in 2025.
  • Primary State Actors: The United States, China, and Russia collectively accounted for 61% of all observed cyber warfare activity.

Geopolitical tensions are a primary driver of these trends, with observed attacks on critical infrastructure increasing by 30% since 2022. This environment of heightened conflict directly fuels the targeted campaigns analyzed in this report.

1.2 The Dominance of Ransomware and Extortion

The first quarter of 2025 was a record-breaking period for ransomware activity, characterized by a fragmented but highly active ecosystem of threat groups employing double-extortion tactics, a landscape shaped in part by recent law enforcement takedowns of major players. Ransomware and extortion-based attacks remain a dominant and escalating threat to organizations of all sizes.

Q1-Q2 2025 Ransomware Metrics

Metric                  | Finding
------------------------|-------------------------------------------------------------------------
Y-o-Y Attack Increase   | Approximately 25% increase in ransomware attacks in 2024.
New Threat Actors       | 33 new or rebranded threat actors emerged in 2024.
Top Targeted Industries | 1. Manufacturing; 2. Healthcare
Primary Loss Driver     | Business Interruption (BI), accounting for 51% of ransomware loss costs.
Data Exfiltration Rate  | 95% of ransomware incidents in Q1 2025 involved data exfiltration.

This dramatic surge underscores the persistent evolution of ransomware groups, whose tactics and operational models are detailed in the following sections.

2.0 Analysis of Prominent Threat Actor Campaigns

Understanding the distinct Tactics, Techniques, and Procedures (TTPs) of key adversary groups is essential for developing effective, threat-informed defenses. This section deconstructs the operational playbooks of prominent state-sponsored, ransomware, and social engineering campaigns observed during Summer 2025, providing insight into their objectives, initial access vectors, and post-compromise behaviors.

2.1 State-Sponsored Campaign: PRC Actors Targeting Network Infrastructure

People's Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) actors (tracked commercially as Salt Typhoon, OPERATOR PANDA, and others) have been conducting a widespread campaign targeting global network infrastructure.

  • Objective: The primary objective of this campaign is global espionage. The actors target telecommunications providers, government entities, and transportation infrastructure to collect intelligence and gain persistent, long-term access to feed China’s intelligence services.
  • Initial Access: The actors' primary initial access method is the exploitation of publicly known vulnerabilities in internet-facing network edge devices. A key vulnerability leveraged in this campaign is CVE-2023-20198, a web UI authentication bypass in Cisco IOS XE software. This flaw allows attackers to create unauthorized administrative accounts on vulnerable routers.
  • Post-Exploitation TTPs: Once access is gained, the actors demonstrate a sophisticated understanding of network device operations to maintain persistence and evade detection.
    • Persistence: Actors modify router configurations to ensure continued access. This includes adding permissive Access Control Lists (ACLs), often named "access-list 20," opening non-standard SSH or HTTP ports (e.g., in 22x22 or xxx22 patterns), and deploying on-box Linux containers like Cisco's Guest Shell to stage tools and operate from within the device.
    • Lateral Movement & Collection: From compromised edge devices, the actors pivot into the networks of trusted partners and customers. A key collection technique involves capturing network traffic (PCAP) directly on the router to harvest credentials. They specifically target unencrypted TACACS+ authentication traffic (TCP port 49) to steal administrator credentials, enabling further lateral movement across network devices.
    • Defense Evasion: The actors are meticulous about covering their tracks. They frequently clear or delete logs on compromised routers to hide their activity. The use of the Guest Shell container also serves as an evasion technique, as activity within the container is often not closely monitored by standard security tools.

The sophisticated, network-focused TTPs of these state actors stand in contrast to the financially motivated, high-volume operations of modern ransomware groups.

2.2 Ransomware & Extortion Operations: Akira and Qilin

The ransomware ecosystem continues to be highly active, with the Akira and Qilin groups emerging as prominent threats following the disruption of larger players like LockBit.

Akira Ransomware Group

Akira has demonstrated a sharp rise in activity, significantly increasing its victim count since its launch in 2023. The group operates a Ransomware-as-a-Service (RaaS) model and employs a standard double-extortion methodology, exfiltrating sensitive data before deploying encryption across Windows, Linux, and ESXi systems. Its primary observed initial access vector is the exploitation of VPNs that lack multi-factor authentication, which lets the group enter networks using compromised credentials.

Qilin Ransomware Group

Qilin has maintained a consistent operational tempo, gaining notoriety for its deliberate targeting of the healthcare sector. The attack on Synnovis, a critical pathology service provider, exemplifies the group's willingness to cause significant real-world disruption. Operating as a RaaS, Qilin also uses the double-extortion model. Their initial access often relies on well-crafted spear-phishing emails to deliver malware and gain a foothold in the target's environment.

The disruption of major ransomware brands has led to a more fragmented but no less dangerous landscape. Experienced affiliates migrate between RaaS platforms, ensuring the continuity and evolution of ransomware TTPs, while new groups constantly emerge to fill perceived voids.

2.3 Social Engineering Campaigns Targeting Cloud Platforms

In August 2025, a highly coordinated and effective social engineering campaign targeted the Salesforce CRM instances of numerous high-profile organizations.

  • Threat Actor & Objective: The campaign is attributed to the financially motivated group ShinyHunters, with potential collaboration from Scattered Spider. Their objective was to gain access to cloud-based CRM platforms to exfiltrate large volumes of sensitive customer and corporate data for extortion.
  • Attack Vector: The attackers used a sophisticated, multi-stage social engineering attack that bypassed technical controls by targeting the human element. The process involved:
    1. Voice Phishing (Vishing): Attackers made phone calls or sent text messages to employees, impersonating members of the company's IT or HR departments.
    2. OAuth Token Abuse: Through social engineering, they coerced employees into navigating to a malicious site and granting a threat-actor-controlled OAuth application permissions to access their Salesforce account.
    3. Data Exfiltration: With the authorized permissions from the malicious OAuth token, the attackers then used APIs to perform bulk exports of CRM data.
  • Impacted Organizations: This campaign successfully breached a notable list of global brands, including Adidas, Qantas, Dior, Chanel, Google, Air France-KLM, and Cisco.

This campaign exemplifies the growing trend of sophisticated social engineering attacks targeting enterprise SaaS platforms, highlighting the critical importance of user awareness and robust identity verification protocols.

3.0 Attacker TTPs Mapped to MITRE ATT&CK®

This section provides a consolidated mapping of observed adversary behaviors to the MITRE ATT&CK® for Enterprise framework. This mapping serves as a valuable tool for defenders, helping to contextualize individual techniques within the broader attack lifecycle and align defensive controls and threat hunting efforts against specific, real-world adversary actions.

Consolidated MITRE ATT&CK® Mapping - Summer 2025 Campaigns

Tactic               | Technique ID | Technique Name                                          | Observed Activity / Use Case
---------------------|--------------|---------------------------------------------------------|-----------------------------------------------------------------------------
Initial Access       | T1190        | Exploit Public-Facing Application                       | PRC actors exploiting CVE-2023-20198 in Cisco IOS XE devices.
Initial Access       | T1566.004    | Spearphishing via Service                               | ShinyHunters/Scattered Spider using vishing and social engineering to gain initial access for Salesforce compromises.
Execution            | T1059.008    | Command and Scripting Interpreter: Network Device CLI   | PRC actors executing native commands on compromised routers to modify configurations and capture traffic.
Persistence          | T1610        | Deploy Container                                        | PRC actors deploying and using Cisco Guest Shell containers to stage tools and evade host-based monitoring.
Privilege Escalation | T1068        | Exploitation for Privilege Escalation                   | PRC actors chaining CVE-2023-20198 with CVE-2023-20273 to achieve root-level execution on Cisco devices.
Defense Evasion      | T1070        | Indicator Removal                                       | PRC actors deleting or clearing logs on compromised routers to hide their activity.
Defense Evasion      | T1562.004    | Impair Defenses: Disable or Modify System Firewall      | PRC actors modifying Access Control Lists (ACLs) on routers to permit traffic from their infrastructure.
Credential Access    | T1040        | Network Sniffing                                        | PRC actors configuring on-box packet capture (monitor capture) on Cisco devices to collect TACACS+ credentials.
Lateral Movement     | T1021.004    | Remote Services: SSH                                    | PRC actors enabling SSH on non-standard ports on compromised network devices to maintain access.
Collection           | T1213        | Data from Information Repositories                      | Scattered Spider/ShinyHunters exfiltrating data from Salesforce CRM systems via compromised OAuth tokens.
Exfiltration         | T1567        | Exfiltration Over Web Service                           | Threat actors, including ransomware groups and the ShinyHunters collective, exfiltrate stolen data to cloud storage services before deploying encryption or completing their extortion scheme.

This mapping of adversary tradecraft provides the tactical foundation for the specific threat hunting and mitigation guidance that follows.

4.0 Actionable Threat Hunting and Mitigation Guidance

This section provides actionable guidance for Security Operations teams derived directly from the preceding analysis of threat actor campaigns and TTPs. The recommendations are designed to enable proactive threat hunting, enhance detection capabilities, and strengthen strategic defenses against the threats discussed in this report.

4.1 Threat Hunting and Detection

Security analysts should use the following guidance to proactively hunt for evidence of compromise related to the campaigns detailed in this report.

  • Network Infrastructure Compromise:
    • Actively hunt for signs of exploitation of the Cisco IOS XE vulnerability CVE-2023-20198. The following Snort rule can help detect exploit attempts targeting the Web Services Management Agent (WSMA) endpoint:
    • Monitor for SSH services enabled on non-standard high ports. Be particularly suspicious of ports following patterns like 22x22 or xxx22.
    • Audit network devices for unusual packet capture (PCAP) files stored locally, especially in directories like bootflash:. Look for suspicious filenames such as mycap.pcap or tac.pcap.
  • Ransomware and Precursor Activity:
    • Hunt for the anomalous use of built-in Windows tools commonly misused by ransomware to inhibit system recovery. Monitor for suspicious execution of the following: bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy).
    • Monitor for signs of credential dumping activity. Look for the execution of tools like Mimikatz, Sysinternals ProcDump, or native utilities such as NTDSutil.exe.
    • Check for the presence and execution of common data exfiltration tools used by ransomware actors, including Rclone and Rsync.
  • Cloud and SaaS Compromise:
    • Utilize automation to detect and generate alerts for modifications to Identity and Access Management (IAM), network security, and data protection resources within cloud environments.
    • Continuously monitor for the creation of new firewall rules that permit open ingress traffic from any source (e.g., 0.0.0.0/0), as this is a common misconfiguration exploited by attackers.
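As an added hunting example (not part of the original report), the following Python applies the three network-infrastructure checks above (SSH on 22x22 / xxx22 ports, permissive "access-list 20"-style ACLs, and .pcap files in bootflash:) to constructed sample IOS XE configuration and directory output. The sample text and the function names are assumptions made for illustration, not captured from any real device.

```python
import re
# Constructed sample output modelled on Cisco IOS XE "show running-config" and
# "dir bootflash:" listings; illustrative values, not from a real device.
SAMPLE_CONFIG = """\
ip http server
ip ssh port 32222 rotary 1
access-list 20 permit any
access-list 10 permit 10.0.0.0 0.255.255.255
"""
SAMPLE_DIR = """\
Directory of bootflash:/
 12  -rw-  1048576  Aug 14 2025 09:12:01 +00:00  mycap.pcap
 13  -rw-   262144  Aug 15 2025 07:30:45 +00:00  capture1.pcap
 14  -rw-  4194304  Jul  1 2025 11:00:00 +00:00  packages.conf
"""

# Port patterns called out in the report: 22x22, and xxx22 (five digits ending in 22).
PORT_22X22 = re.compile(r"^22\d22$")
PORT_XXX22 = re.compile(r"^\d{3}22$")
# Capture filenames the report lists as seen on compromised devices.
KNOWN_PCAP_NAMES = {"mycap.pcap", "tac.pcap"}

def ssh_port_findings(config):
    """(port, pattern) for 'ip ssh port N' lines whose port matches 22x22 or xxx22."""
    hits = []
    for m in re.finditer(r"^ip ssh port (\d+)", config, re.MULTILINE):
        port = m.group(1)
        if PORT_22X22.match(port):
            hits.append((int(port), "22x22"))
        elif PORT_XXX22.match(port):
            hits.append((int(port), "xxx22"))
    return hits

def permissive_acl_findings(config):
    """ACL entries that permit any source ('access-list 20' is the name seen in the campaign)."""
    return [ln.strip() for ln in config.splitlines()
            if re.match(r"^access-list \d+ permit any$", ln.strip())]

def pcap_findings(dir_listing):
    """(filename, known_campaign_name) for every .pcap file in a bootflash: listing."""
    names = re.findall(r"(\S+\.pcap)\s*$", dir_listing, re.MULTILINE)
    return [(n, n in KNOWN_PCAP_NAMES) for n in names]

def hunt(config, dir_listing):
    """Run all three checks; any non-empty list is a lead worth triaging."""
    return {"ssh_ports": ssh_port_findings(config),
            "acls": permissive_acl_findings(config),
            "pcaps": pcap_findings(dir_listing)}
```

Feed it the real `show running-config` and `dir bootflash:` output collected from each device; an unknown .pcap name still warrants review, since the known names are only the ones this campaign happened to use.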

4.2 Strategic Mitigations and Hardening

The following strategic initiatives are recommended to build long-term resilience against the observed threats.

  • Adopt a Zero Trust Architecture: Minimize cyber risk by operating under the assumption that the network is already compromised. A Zero Trust model enforces granular, least-privilege access for every request, regardless of its origin, and continuously verifies user and device identity before granting access to resources.
  • Enforce Phishing-Resistant Multi-Factor Authentication (MFA): The widespread compromise of credentials via phishing and social engineering underscores the necessity of strong MFA. Implement phishing-resistant MFA across all services, prioritizing email, VPNs, remote access solutions, and cloud platforms.
  • Implement Network Segmentation: Contain the impact of intrusions by logically or physically segmenting networks. Isolate critical IT, Operational Technology (OT), and Internet of Things (IoT) devices from general corporate networks to prevent attackers from moving laterally from a less-secure device to a high-value asset.
  • Prioritize Vulnerability and Patch Management: Maintain a rigorous program for regular vulnerability scanning and timely patch application. Prioritize internet-facing systems, network edge devices (e.g., Cisco routers), and software with known exploited vulnerabilities (e.g., Microsoft SharePoint) to reduce the attack surface.
  • Strengthen Supply Chain and Third-Party Risk Management: An organization's security is dependent on its partners. Assess the cyber hygiene of all third-party vendors and Managed Service Providers (MSPs). As mandated by emerging regulations like NIS2, embed specific security requirements, controls, and incident notification timelines directly into vendor contracts.
