Navigating the 2025 Cybersecurity Challenges: Insights from IT and Food & Agriculture Industries

From cloud infrastructure to the global food chain, no industry is safe from the advancing complexity of cyber threats. The latest reports from both the IT-ISAC and Food and Ag-ISAC shed light on the 2025 cyber threat landscape, revealing a harsh reality where all companies face persistent adversaries, ranging from state-sponsored groups to organized cybercriminals. These reports also emphasize how adversaries’ technical tactics and global tensions create a challenging threat environment for organizations across all sectors.

Assessing Risk: The PASS Framework

To gain a comprehensive understanding of the threat landscape and identify high-risk threat actors, both ISACs leverage the Predictive Adversary Scoring System (PASS). Developed collaboratively with ISAC members and partners, PASS translates raw intelligence into a prioritized list. It assesses adversaries based on their recent activity, sector targeting frequency, technical complexity, and motivations, assigning them a score from 0 to 100. This data-driven approach enables organizations to pinpoint and prioritize the actors most likely to pose a credible threat to their specific operations.

The 2025 Cyber Threat Overview

The 2025 data highlights the widespread activity of threat actors across various sectors. Analysts identified 77 active adversaries in the IT industry and 72 in the food and agriculture sector. While these actors may overlap between sectors, their impact and scores differ due to varying motivations, attack frequency, and focus on exploiting specific vulnerabilities in products and services.

Leading the threat landscape are high-capability nation-state actors, notably the Lazarus Group, which ranks first in both sectors with scores of 89.0 (IT) and 84.0 (food and agriculture). This group maintains a persistent presence to carry out state-sponsored theft and generate cryptocurrency revenue.


While the IT sector faces groups like Sandworm (84.0) focusing on geopolitical disruption, the food and agriculture sector sees an increase in ransomware-focused entities like Qilin and Akira. Additionally, the emergence of hacktivist groups like Dark Engine (76.0) in the agricultural sector highlights how the global food supply has become a battleground for ideological conflicts.

Geopolitical Implications on the Digital Front Line

The origins of these threats reflect global competition and conflicts. Threat actors based in Russia account for 48.4% of IT threats and a staggering 59.3% of food and agriculture threats. This ecosystem blends state-affiliated espionage with ransomware gangs that target critical sectors for extortion.

China hosts the second-largest share of observed threat actors, representing 29% of IT threats and 25.4% of food and agriculture threats. The tactics of China-based actors have shifted towards pre-positioning: embedding themselves in telecommunications, cloud environments, and research networks for long-term reconnaissance.

Although Iran (11.3% in IT, 5.1% in food and agriculture) and North Korea (6.5% in IT, 6.8% in food and agriculture) host fewer observed threat actors, these actors exhibit high capability and creativity. Iranian actors promote the goals of the Iranian regime relentlessly, while North Korean actors are known for using fraudulent identities to bypass security measures and fund the regime.

Modern Strategies: The Rise of LOTL

A significant trend highlighted in both reports is the widespread adoption of “living-off-the-land” (LOTL) techniques by threat actors.

  • Every identified adversary in both sectors utilizes native system tools like PowerShell or WMI.
  • Over 96% of observed actors across industries modify existing malware to evade traditional antivirus tools.

By leveraging a computer's legitimate administrative tools, attackers blend in with genuine administrative activity and traffic, prioritizing stealth. This trend is reflected in the high percentage of groups employing extended persistence and defense evasion (84.4% in IT and 94.4% in food and agriculture), prioritizing longevity over immediate disruption. Notably, adversaries compromise third-party vendors in approximately 80% of attacks in both sectors before demanding ransom.

Fostering Collective Defense

In response to a threat environment characterized by skill, stealth, and persistence, organizations must strategically allocate their security resources for maximum impact. Based on adversary behavior, implementing multi-factor authentication (MFA) remains a crucial mitigation measure, creating a significant barrier for attackers using stolen credentials.

Furthermore, considering the spread of attacks from corporate to operational environments, segregating IT and operational technology (OT) environments can mitigate risks. While integrating IT and OT may offer business benefits, segmenting networks ensures that a security breach in the corporate environment does not extend to disrupt critical industrial control systems or production machinery. Companies should assess the security risk against the business benefits.

Given that attackers leverage legitimate tools, enhancing monitoring for anomalous activities is essential. While traditional file-based detection methods are necessary, they are no longer sufficient in the face of evolving threats.
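Added example (not from the ISAC reports or the author): a small Python detector that illustrates the behavioural monitoring the LOTL section and the paragraph above call for. It runs over constructed process-creation log lines, flags native-tool use (PowerShell, WMI, cmd) whenever the parent/child process pair was never seen during a known-good baseline period, and separately flags encoded or hidden-window PowerShell invocations. The tool list, sample events, field layout and heuristics are assumptions for illustration.

```python
"""Flag anomalous native-tool (LOTL) activity in process-creation logs."""
import re

# Constructed sample data (not from the ISAC reports). Each line holds:
# parent_image<TAB>child_image<TAB>command_line
BASELINE_WEEK = """\
explorer.exe\tpowershell.exe\tpowershell.exe -File C:\\Scripts\\backup.ps1
svchost.exe\tpowershell.exe\tpowershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1
services.exe\twmiprvse.exe\twmiprvse.exe -secured -Embedding
explorer.exe\tnotepad.exe\tnotepad.exe
"""
TODAY = """\
explorer.exe\tpowershell.exe\tpowershell.exe -File C:\\Scripts\\backup.ps1
winword.exe\tpowershell.exe\tpowershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA
wmiprvse.exe\tcmd.exe\tcmd.exe /c ipconfig /all
services.exe\twmiprvse.exe\twmiprvse.exe -secured -Embedding
"""

# Assumed set of native administrative tools worth baselining (illustrative).
NATIVE_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "wmiprvse.exe", "cmd.exe"}
# Command-line traits that are rare in legitimate administration.
SUSPICIOUS_ARGS = re.compile(r"-(?:EncodedCommand|enc|e)\b|-WindowStyle\s+Hidden|-w\s+hidden", re.I)


def parse(text):
    """Turn the tab-separated sample into (parent, child, command_line) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, child, cmd = line.split("\t", 2)
        rows.append((parent.lower(), child.lower(), cmd))
    return rows


def build_baseline(rows):
    """Parent/child pairs observed during a known-good period."""
    return {(parent, child) for parent, child, _ in rows}


def detect(rows, baseline):
    """Return (parent, child, reasons) for events that deviate from the baseline."""
    alerts = []
    for parent, child, cmd in rows:
        reasons = []
        if (child in NATIVE_TOOLS or parent in NATIVE_TOOLS) and (parent, child) not in baseline:
            reasons.append(f"unseen parent/child pair {parent} -> {child}")
        if SUSPICIOUS_ARGS.search(cmd):
            reasons.append("encoded or hidden-window PowerShell invocation")
        if reasons:
            alerts.append((parent, child, reasons))
    return alerts
```

In the sample, the scheduled backup script and the normal WMI provider host match the baseline and stay silent, while a Word document spawning hidden, encoded PowerShell and the WMI provider host spawning cmd.exe are surfaced even though every binary involved is a legitimate Windows tool.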

Organizations are advised to maintain recoverable backups and establish, maintain, and practice incident response plans. No organization is immune to cyber threats, necessitating preparedness to effectively respond to breaches and mitigate potential damages.

The 2026 landscape underscores the necessity for collaborative defense strategies. By participating in shared intelligence networks, companies can leverage collective insights for informed decision-making and bolster the global infrastructure’s resilience against evolving threats. Engaging with industry peers through voluntary information sharing complements internal security efforts and enhances the sector’s overall security posture.

Scott C. Algeier, the Founder, President, and CEO of cybersecurity consulting firm Conrad, Inc., also serves as the Executive Director of the IT-ISAC and Food and Agriculture-ISAC. With two decades of experience in cybersecurity policy and operations, Scott’s expertise is instrumental in addressing complex cyber threats. Previously, he managed Homeland Security initiatives at the U.S. Chamber of Commerce, focusing on critical infrastructure protection, cybersecurity, and disaster management public policy. Scott holds a Master’s degree in International Relations and European Studies from the University of Kent and is an honors graduate of Gettysburg College.
