From cloud computing to worldwide food supply chains, no industry is safe from the constantly changing nature of cyber threats. The 2025 sector cyber threat reports recently published by IT-ISAC and Food and Ag-ISAC highlight a clear truth: organizations in every field are up against determined adversaries, including both state-backed hacking groups and organized cybercriminal networks. These reports also shed light on how adversaries are shifting their techniques and how rising global tensions are making the threat landscape more complicated for all organizations, no matter the industry.
Understanding Risk Through the PASS Framework
To get a clearer picture of the threat landscape and identify the most dangerous threat actors, both ISACs rely on the Predictive Adversary Scoring System (PASS). Built in partnership with ISAC members and industry collaborators, PASS turns raw data about threats into a prioritized ranking. It assesses adversaries based on several factors—how recently they were active, how often they target particular industries, how technically advanced their methods are, and what drives them—then gives each one a score between 0 and 100. This fact-based system helps organizations zero in on the actors that present the most credible danger to their specific operations.
A Snapshot of the 2025 Threat Environment
As expected, the 2025 data confirms that threat actors are active across a wide range of sectors. Analysts tracked 77 distinct adversaries in the IT sector and 72 in the food and agriculture sector. There is some overlap between the two, but each group’s impact and PASS score can vary significantly depending on their motivations, attack frequency, and the particular products and services they choose to exploit.
At the top of the threat rankings are highly capable nation-state actors, particularly the Lazarus Group, which came in first in both sectors with scores of 89.0 (IT) and 84.0 (food and agriculture). This group maintains a long-running presence, working on behalf of a nation-state to steal funds and generate cryptocurrency revenue.
While the IT sector frequently deals with groups such as Sandworm (84.0), whose main focus is geopolitical disruption, the food and agriculture sector is seeing more frequent attacks from ransomware-driven groups like Qilin and Akira. Beyond that, hacktivist collectives such as Dark Engine (76.0) have also emerged in the agricultural space, suggesting that global food supply chains are becoming a new arena for ideologically motivated conflict.
Geopolitics Playing Out in Cyberspace
Where these threats originate paints a picture of worldwide rivalry and tension. Threat actors linked to Russia account for 48.4% of IT-sector threats and a striking 59.3% of food and agriculture threats. This ecosystem combines state-aligned espionage campaigns with opportunistic ransomware operators who exploit critical industries to extort payments.
China is the second-largest source of observed threat actors, responsible for 29% of IT threats and 25.4% of food and agriculture threats. Chinese actors have noticeably shifted their playbook toward pre-positioning—rather than carrying out immediate data theft, they embed themselves within telecommunications systems, cloud infrastructure, and research networks, building long-term footholds that can be leveraged during future geopolitical conflicts.
While Iran (11.3% in IT, 5.1% in food and agriculture) and North Korea (6.5% in IT, 6.8% in food and agriculture) account for smaller shares of the observed threat landscape, the groups based there are highly skilled and inventive. Iranian operators relentlessly pursue the objectives of the Iranian regime, while North Korean actors—already well-known for using fake remote-worker identities to sidestep traditional security measures and funnel money back to their government—also field an array of capable state-sponsored hacking teams.
Evolving Tactics: The Spread of Living-off-the-Land (LOTL)
One point that both reports make unmistakably clear is the widespread embrace of “living-off-the-land” (LOTL) techniques by threat actors across the board.
- 100% of identified adversaries in both sectors leveraged built-in system tools such as PowerShell and WMI.
- More than 96% of observed actors in both industries altered existing malware to evade signature-based antivirus defenses.
By using tools that are already part of a computer’s normal operations, attackers can disguise their activities to look like routine traffic. This emphasis on stealth is further reflected in how many groups focus on long-term persistence and evasion—84.4% in IT and 94.4% in food and agriculture. Rather than causing immediate disruption, adversaries now prioritize staying hidden for as long as possible, often gaining initial access through third-party vendors—a method seen in about 80% of the attacks across both sectors before any ransom demand is ever made.
Building a Unified Defense Strategy
Facing a threat landscape defined by skillful, stealthy, and persistent adversaries, organizations need to make the most of their limited security budgets and resources. One of the most impactful countermeasures remains multi-factor authentication (MFA), which creates a major obstacle for attackers attempting to exploit stolen login credentials.
Additionally, given how often attacks spread from corporate IT networks into operational environments, it is wise to segment IT and operational technology (OT) networks from each other. Integrating IT and OT brings real business advantages, but keeping them separate at the network level helps ensure that a corporate security breach cannot spill over into critical industrial control systems or production equipment. Every organization should weigh whether the operational benefits are worth the added security risk.
Because attackers are now hiding inside legitimate system tools, companies should also ramp up monitoring for unusual behavior. This doesn’t mean abandoning traditional file-based detection entirely—those approaches are still necessary—but relying on them alone is no longer sufficient.
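To make the distinction concrete, the following added example (not from either ISAC report) triages a few constructed Windows process-creation events two ways: a file-based allowlist verdict, which passes every event because powershell.exe and cmd.exe are legitimate signed binaries, and a small set of behavioural rules that flag the unusual ways those same tools are invoked. The event fields, sample command lines, and rule names are all hypothetical.

```python
"""Behaviour-based triage of constructed Windows process-creation events.

Hypothetical example: the event fields, sample command lines and rule names are
constructed for illustration and are not taken from either ISAC report.
"""
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    host: str
    parent: str              # parent image name
    image: str               # launched image name
    cmdline: str
    known_good_image: bool   # result of a file/hash allowlist check (constructed)

# Constructed sample events: one routine admin script, two LOTL-style patterns.
EVENTS = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1", True),
    ProcEvent("ws02", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc AAAAAAAAAAAA", True),  # placeholder base64
    ProcEvent("srv03", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c whoami", True),
]

# Behavioural indicators: (rule name, predicate over the event).
RULES = [
    ("encoded_powershell", lambda e: e.image.lower() == "powershell.exe"
     and re.search(r"(?i)(^|\s)-(e|enc|encodedcommand)\b", e.cmdline) is not None),
    ("hidden_window_powershell", lambda e: e.image.lower() == "powershell.exe"
     and re.search(r"(?i)-w(indowstyle)?\s+hidden", e.cmdline) is not None),
    ("office_spawns_shell", lambda e: e.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}
     and e.image.lower() in {"powershell.exe", "cmd.exe", "wscript.exe"}),
    ("wmi_spawns_shell", lambda e: e.parent.lower() == "wmiprvse.exe"
     and e.image.lower() in {"powershell.exe", "cmd.exe"}),
]

def file_based_verdict(e: ProcEvent) -> str:
    """What a pure file/hash allowlist says: built-in tools are always 'clean'."""
    return "clean" if e.known_good_image else "suspicious"

def behaviour_verdict(e: ProcEvent) -> list[str]:
    """Names of the behavioural rules the event trips (empty list = nothing unusual)."""
    return [name for name, pred in RULES if pred(e)]

def triage(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Per event: (host, file-based verdict, behavioural rule hits)."""
    return [(e.host, file_based_verdict(e), behaviour_verdict(e)) for e in events]

if __name__ == "__main__":
    for host, verdict, hits in triage(EVENTS):
        print(f"{host}: file-based={verdict:10} behavioural={hits or 'none'}")
```

The file-based check returns "clean" for all three events; only the behavioural rules separate the routine inventory script from the hidden encoded launch and the WMI-spawned shell.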
Organizations should also maintain backups that can be reliably restored and put in place a well-tested incident response plan. No company is completely safe, so every business should be ready for the possibility of being compromised. The way a company responds to a breach can be the difference between surviving the incident and shutting down for good.
Looking ahead to 2026, the threat landscape shows that the complexity of cyber risks is too great for any single organization to handle on its own. By joining a shared intelligence network, companies can pool their individual insights into collective strength and smarter strategic decisions, building a more resilient global cyber infrastructure. Voluntary collaboration with peers in the same industry is a cost-effective way to supplement internal security efforts, and it strengthens the entire sector.
About the Author
Scott C. Algeier serves as Founder, President, and CEO of cybersecurity consulting firm Conrad, Inc. He also holds the role of Executive Director at both the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and the Food and Agriculture – Information Sharing and Analysis Center. Over the past twenty years, Scott has worked at the crossroads of cybersecurity policy and hands-on operations. Earlier in his career, he was Manager for Homeland Security at the U.S. Chamber of Commerce, where he led the Chamber’s public policy efforts on critical infrastructure protection, cybersecurity, and disaster management. Scott holds a Master’s degree in International Relations and European Studies from the University of Kent (England) and graduated with honors from Gettysburg College.