The Food and Ag-ISAC paints a stark picture of a sector facing sustained and increasingly sophisticated cyber pressure, with 72 active threat actors identified from a pool of more than 330 monitored adversaries. The analysis, powered by the Predictive Adversary Scoring System (PASS), highlights that both nation-state groups and financially motivated cybercriminals are consistently targeting the farm-to-table supply chain, using a mix of persistence, technical sophistication, and clear strategic intent to exploit sector vulnerabilities.
The findings in ‘The 2025 Food and Agriculture Cyber Threat Report’ point to a threat landscape shaped heavily by geopolitical and economic interests, with Russia accounting for nearly 59.3% of observed adversary activity, followed by China at 25.4%, underscoring the dual role of ransomware ecosystems and state-backed operations in targeting the sector. Common attack techniques range from living-off-the-land tactics and modified malware to supply chain compromises and data extortion, reinforcing that attackers are persistent and highly adaptive, forcing organizations to rethink how they prioritize defenses and allocate limited cybersecurity resources.
PASS provides a comprehensive scoring system based on specific factors, including the adversary’s motivation, capabilities, and past actions, allowing organizations to assess their risk exposure and allocate resources accordingly. It evaluates adversarial risk using four core metrics. It assesses the level of activity by examining how recently an adversary has been active. It measures the frequency of sector targeting by tracking how often the adversary has targeted the sector. It evaluates sophistication and impact by analyzing the complexity of the adversary’s tactics, techniques, and procedures and the scale of their effects. It also considers motivation, identifying whether the adversary is driven by financial, geopolitical, ideological, or reputational objectives.
PASS employs a comprehensive set of metrics to assign adversaries a score ranging from 0 to 100, with 100 representing the highest level of threat, reached when a threat actor satisfies all predefined system criteria. Higher scores indicate a greater risk to organizations within the sector. Adversaries with elevated scores represent significant threats due to their frequent targeting of the sector and their demonstrated sophistication and impact in past operations. PASS is available to Food and Ag-ISAC members and is one tool in the suite of capabilities the ISAC uses to equip its members with actionable threat intelligence that advances their resilience and preparedness in an evolving threat landscape.
Among the top-scoring adversaries, Lazarus Group and Moonstone Sleet, both nation-state actors, tied for the highest PASS scores at 84, followed by APT41, another nation-state actor, at 79. Cybercriminal group Scattered Spider scored 77, while Qilin (Ransomware), LockBit 5.0 (Ransomware), Lapsus$ Hunters (Cybercriminal), and Dark Engine (Hacktivist) each received a score of 76.
APT18, a nation-state actor, scored 75, and Akira, a ransomware group, rounded out the top ten with a score of 73.
“Russia had the highest concentration of adversaries observed in the food and agriculture sector in 2025. This is largely due to a majority of ransomware operations occurring in the region, out of reach of Western law enforcement,” the Food and Ag-ISAC reported. “Indictments against a Russian adversary rarely lead to an arrest unless the individual travels to a country with a U.S. extradition treaty. Ransomware operators account for the majority of Russian-based activity observed in the sector, though Russia also maintains an active contingent of nation-state threat actors with a demonstrated presence within the food and agriculture sector.”
It added that China ranked second in terms of nations targeting the sector. “China has a long history of targeting food and agriculture largely because of its interest in the sector’s valuable intellectual property. The latest reports on long-term pre-positioning are ones that Food and Ag-ISAC analysts will continue to watch closely. While reports of just-in-case malware being found on food and agriculture sector networks are scarce, the sector would be a valuable target during geopolitical conflicts.”
The report's tally of techniques tracked across PASS-scored adversaries reveals that the most commonly observed behaviors are the use of readily available tools or living-off-the-land (LOTL) techniques, recorded across 72 adversaries, followed closely by the modification of existing malware and tools at 70. Lengthy persistence and defense evasion, as well as stealthy exfiltration techniques, were each observed across 68 adversaries. The development of custom malware and tools and targeted spearphishing attacks were each noted across 65 adversaries. Disruptive tactics appeared in 59 instances, while supply chain compromise was recorded across 58 adversaries.
Further down the list, leveraging extortion was observed across 46 adversaries, and data encrypted for impact across 44. Discovering and exploiting zero-days was counted 43 times, with destructive tactics at 35 and the leveraging of AI at 34. Receiving state-sponsored assistance was observed across 29 adversaries, while mass phishing campaigns and leveraging insiders were among the least common techniques, recorded at 18 and 16, respectively. Taken together, these findings underscore that adversaries targeting the sector most frequently rely on accessible and adaptive methods, such as LOTL techniques and tool modification, rather than more resource-intensive approaches like insider recruitment or mass phishing.
The 2025 Food and Agriculture Cyber Threat Report outlines a set of mitigations addressing tactics observed across the sector, noting that organizations should prioritize these measures based on their security maturity and threat exposure, as even incremental improvements can reduce risk. It emphasizes that multi-factor authentication should be enabled wherever possible across systems and services, as combining passwords with device-based verification significantly reduces the likelihood of unauthorized access, even when credentials are compromised.
The report further highlights the need for application whitelisting to prevent unauthorized code execution, supported by enhanced monitoring of native tool abuse, and recommends deploying behavior-based endpoint detection and response solutions to counter increasingly evasive threats. It stresses that adversaries often move from IT systems into operational technology environments, making network segmentation critical to protecting industrial assets.
It also underscores enforcing least privilege, conducting regular audits and credential reviews, and deploying data loss prevention capabilities alongside network traffic analysis to detect abnormal data flows. Continuous user training to identify phishing and social engineering attempts remains essential. Finally, the report calls for maintaining tested offline backups, developing robust incident response plans with cross-functional coordination, and ensuring organizations do not rely solely on ransom payments but on the ability to restore operations securely.
In February, data from the Food and Ag-ISAC identified that ransomware activity escalated in 2025, with Qilin, Akira, CL0P, Play, and Lynx leading attacks against the food and agriculture sector. In partnership with the IT-ISAC, the organization recorded approximately 6,377 ransomware incidents across sectors, an 82% increase from the 3,508 cases tracked in 2024. Since launching its monitoring effort in 2020, the joint initiative has documented more than 15,265 ransomware attacks using automated tools that collect data from public breach disclosures, RSS feeds, dark web leak sites, and internal threat intelligence sources.


