CYFIRMA INDUSTRIES REPORT – INFORMATION TECHNOLOGY

Published On : 2025-08-04

EXECUTIVE SUMMARY

The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the information technology industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the information technology industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting information technology organizations.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. This data is processed by AI and ML automation based on both human research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

UNDERGROUND & DARKWEB CHATTER

  • Using freshly developed, dictionary-based tagging and processing of underground & darkweb chatter logs, our DeCYFIR platform can now identify industry-based topics and multiple categories of context in which the industry is being discussed.
  • This feature is still in development and the matching algorithms are actively fine-tuned. Some keywords/phrases that are essential for a specific industry are very common in cybercrime chatter, typically many IT terms. For the purpose of data gathering, we attempt a fine balance between accurate identification and removal of some keywords that trigger too many false-positive detections.

VULNERABILITIES

  • Using very similar freshly developed tagging and processing, applied to reported CVE descriptions instead of chatter logs, our DeCYFIR platform can now identify the industry and multiple categories of vulnerabilities in which the industry is present in reported CVEs.
  • This feature is still in development and the matching is actively fine-tuned. Some keywords that are essential for a specific industry are very common in vulnerability descriptions, typically many IT terms. We attempt the same fine balance between accurate identification and removal of some keywords that trigger too many false-positive detections.
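To make the dictionary-tagging trade-off described in the two bullets above concrete, here is an added illustration (not DeCYFIR code and not CYFIRMA's keyword list): a weighted industry dictionary where very common IT terms carry too little weight to tag a post on their own, plus a noise list of terms dropped entirely. The keywords, weights, threshold and sample posts are all constructed for the example.

```python
"""Weighted dictionary tagging of chatter/CVE text for one industry.

Added example, not CYFIRMA's DeCYFIR implementation. The dictionary, noise
list, threshold and sample posts below are constructed assumptions.
"""
import re

# Hypothetical industry dictionary: term -> weight. Strong, industry-specific
# phrases get weight 3; generic IT terms get weight 1 so that a single
# mention of "server" or "database" cannot tag a post by itself.
IT_KEYWORDS = {
    "managed service provider": 3, "msp": 3, "saas": 3, "it consulting": 3,
    "software vendor": 3, "hosting provider": 2,
    "server": 1, "database": 1, "api": 1, "cloud": 1,   # noisy IT terms
}
# Terms removed entirely because they appear in almost every cybercrime post.
NOISE_TERMS = {"ip", "admin", "login", "password"}
TAG_THRESHOLD = 3


def score_post(text, keywords=IT_KEYWORDS, noise=NOISE_TERMS):
    """Return (score, matched_terms) using whole-word, case-insensitive matching."""
    lowered = text.lower()
    score, hits = 0, []
    for term, weight in keywords.items():
        if term in noise:
            continue  # removed keyword: never contributes evidence
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            score += weight
            hits.append(term)
    return score, hits


def tag_industry(text, threshold=TAG_THRESHOLD):
    """Return (tagged, score, hits); a post is tagged only above the threshold."""
    score, hits = score_post(text)
    return score >= threshold, score, hits


def count_tagged(posts):
    """Number of posts in one period that would count as industry mentions."""
    return sum(1 for p in posts if tag_industry(p)[0])


# Constructed sample posts: two genuine IT-industry mentions, two that only
# contain generic IT vocabulary and should not be counted.
SAMPLE_POSTS = [
    "Selling access to a managed service provider with 40 downstream clients",
    "Cloud API keys of a SaaS vendor for sale",
    "Leaked admin password database from a casino",
    "Fresh RDP server list for sale, 2k hosts",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(tag_industry(post), "<-", post)
    print("industry mentions in period:", count_tagged(SAMPLE_POSTS))
```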

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

The information technology industry featured in 8 out of the 18 campaigns observed over the past 90 days, a presence in 44% of all campaigns. That is an increase from 4 in the previous 90 days, but a decline in overall share from 67% (4 out of 6).

OBSERVED CAMPAIGNS PER MONTH

July witnessed most of the campaigns, preceded by sustained activity in May and June.

SUSPECTED THREAT ACTORS

Active threat actors come from many corners of the world: Chinese Volt Typhoon and Stone Panda, Russian TA505 and FIN11, Vietnamese and Thai cybercriminals, or Pakistani Transparent Tribe.

GEOGRAPHICAL DISTRIBUTION

Japan leads the chart with presence in 8 out of 8 observed campaigns. Thailand, the USA and India share second place; South Korea and the UK share third place.

TOP ATTACKED TECHNOLOGY

8 out of 8 campaigns used web applications as the primary attack vector. 5 exploited operating system vulnerabilities. Additionally, various network, management and infrastructure software was observed.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

Over the past 90 days, the information technology industry has been significantly affected by advanced persistent threat (APT) campaigns.

Out of the 18 observed APT campaigns, 8 targeted this industry, representing 44% of the observed campaigns. This is an increase from the previous 90-day period, during which 4 out of 6 campaigns targeted this industry.

Monthly Trends

  • July saw the majority of the campaigns.
  • May and June observed sustained activity, signalling persistent risks.

Key Threat Actors
Active threat actors originate from various regions worldwide. Examples include Chinese Volt Typhoon and Stone Panda, Russian TA505 and FIN11, Vietnamese and Thai cybercriminals, and Pakistani Transparent Tribe.

Geographical Impact
Overall, 24 countries recorded victims in observed campaigns. Japan leads the chart with its presence in eight out of eight observed campaigns. Thailand, the US and India share second place, while South Korea and the UK share third place.

Targeted Technologies
Eight out of eight campaigns employed web applications as their primary attack vector. Five of these campaigns exploited operating system vulnerabilities. Furthermore, various network, management, and infrastructure software was observed.

UNDERGROUND & DARKWEB CHATTER ANALYSIS

Over the past three months, CYFIRMA’s telemetry has identified 10,823 mentions of the information technology industry out of a total of 59,236 industry mentions. These come from a total of 300k+ posts across various underground and dark web channels and forums.

The information technology industry placed 1st out of 14 industries in the last 90 days with an 18.3% share of all detected industry-linked chatter.

Below is a breakdown of all mentions by 30-day periods.

GLOBAL CHATTER CATEGORIES

Data Leaks and Data Breaches are by far the most common category of recorded chatter for this industry, gradually growing and showing high sustained interest. Ransomware chatter has mildly surged in the last 30 days.

UNDERGROUND & DARKWEB EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

In total, the information technology industry comprised 18.3% of all detected industry-linked underground and dark web chatter in the last 90 days, ranking 1st out of 14 industries.

Below are observed key trends across 90 days:

Data Breach
1245 → 1450 → 1587. Consistently high and rising — IT firms remain a prime target for credential theft, code leaks, and customer data compromise.

Data Leak
1278 → 1399 → 1575. Parallels the breach trend, suggesting not only breaches but widespread exfiltration or reselling of data. Likely impacts cloud providers, software vendors, and MSPs.

Ransomware
283 → 295 → 445. Sharp spike in the last 30 days. Indicates a wave of ransomware campaigns targeting IT infrastructure and SaaS providers, possibly leveraging third-party access to downstream clients.

DDoS
222 → 149 → 83. Steady decline, though still notable. May reflect more targeted extortion tactics over broad denial attacks.

Web Exploit
153 → 146 → 147. Stable volume suggests continued exploitation of public-facing IT services, apps, and web infrastructure. Consistent with frequent CVEs in this area.

Claimed Hacks
102 → 69 → 53. Downtrend may indicate fewer public disclosures or quiet, high-value intrusions (e.g., supply chain compromises or stealth access-for-sale listings).

Hacktivism
49 → 65 → 28. Recent drop may signal a shift from ideological attacks to profit-driven activity, or fewer campaign targets in the IT space currently.

VULNERABILITIES ANALYSIS

Over the past three months, CYFIRMA’s telemetry has identified 894 mentions of the information technology industry out of a total of 2,499 industry mentions. These come from over 10k CVEs reported and updated in the last 90 days.

The information technology industry ranked 1st out of 14 industries in the last 90 days with a 35.8% share of all detected industry-linked vulnerabilities.

Below is a breakdown of all mentions by 30-day periods.

VULNERABILITY CATEGORIES

Remote & Arbitrary Code Execution (RCE & ACE), Injection Attacks and XSS & Clickjacking lead the chart. Most categories recorded a significant uptick in the last 30 days.

VULNERABILITIES EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

In total, the information technology industry comprised 35.8% of all detected industry-linked vulnerabilities in the last 90 days, ranking 1st out of 14 industries.

Below are observed key trends across 90 days.

Remote & Arbitrary Code Execution (RCE & ACE)
88 → 82 → 127. A sharp rise in the latest period suggests increased weaponization of code execution flaws.

Injection Attacks
37 → 53 → 63. Indicates an uptick in SQL, command, and template injection vectors, pointing to improperly sanitized inputs across APIs and applications.

Cross-Site Scripting (XSS) & Clickjacking
73 → 34 → 42. The rebound may reflect renewed focus on client-side vulnerabilities.

Denial of Service (DoS) & Resource Exhaustion
39 → 27 → 47. Surge likely tied to newly discovered flaws in infrastructure services.

Privilege Escalation & Access Control Issues
27 → 22 → 16. Drop may suggest either fewer new privilege bugs disclosed or less visibility into privilege management flaws during this window.

Memory & Buffer Vulnerabilities
14 → 20 → 22. Continued presence of memory-related flaws, likely in native codebases, drivers, or low-level services, though not dominant.

Information Disclosure & Data Leakage
16 → 7 → 20. Jump suggests increased risk of data exposure via misconfigurations, logging issues, or unintended system behaviours.

Directory Traversal & Path Manipulation
6 → 3 → 6. Modest volume but persistent — typically associated with file access vulnerabilities in web applications and storage systems.

Security Misconfigurations & Insecure Defaults
2 → 0 → 1. Remains infrequent in CVE reporting but is likely underrepresented. Real-world exploitation may still be significant, particularly in cloud environments.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 140 verified ransomware victims in the information technology industry. This accounts for 9.9% of the overall total of 1,417 ransomware victims during the same period, placing the IT industry 4th out of 14 industries.

Furthermore, a quarterly comparison reveals a drastic drop in victims in the IT industry, a 48% reduction from 268 to 140 victims. The overall share of victims also dropped from 13% to 9.6% of all victims.

INDUSTRY MONTHLY ACTIVITY CHART

Over the past 180 days, the number of victims dropped from January to April and then remained remarkably stable at around 50 victims each month until the end of July.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of monthly activity per gang shows which gangs were active each month. For example, by far the most active gang, Qilin, was active evenly across the months. The third most active gang, Incransom, recorded most of its victims in July, while the fourth most active gang, Play, contributed mostly in May.

This illustrates that even with remarkably even victim numbers over time, different groups are active in different months.

Out of the 73 gangs, 34 recorded victims in this industry in the last 90 days (47% participation). Qilin had the highest number of victims (20) with a high share (10.1%).

The share of victims for most gangs in this industry is relatively high. From the top 10, only one gang recorded a share below 10% – Akira (4.7%).

Incransom (14.8%, 13 out of 99), Nova (33%), and Arcusmedia (31%) had the highest shares of victims, implying a high focus on this industry.

VICTIMS PER INDUSTRY SECTOR

IT Consulting & Managed Services companies are the most frequent ransomware victims in this industry, with Software Development & Engineering companies a distant second.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded in last 90 days.

INDUSTRY VICTIMS PER COUNTRY

The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.

In the last 90 days, the USA recorded 63 victims (45% of all victims). Canada and Germany follow in second and third place. Germany, Italy, India and Taiwan recorded significant drops from the previous 90-day period.

Many countries from previous 90 days did not record new victims at all.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate*

The information technology industry placed 4th out of 14 monitored industries, recording 140 victims in the last 90 days, a drastic 48% decrease from 268 victims in the previous 90-day period.

Overall share also declined from 13% to 9.6% of all ransomware victims.

Monthly Activity Trends
Monthly activity trends show a sharp drop from 118 in February to 85 in March and 53 in April. From then until July we saw a remarkably stable number of victims (51, 50, 50).

Ransomware Gangs
A total of 34 out of 73 active ransomware groups targeted this industry in the past 90 days, representing 47% participation:

Qilin: The most active, with 20 victims, representing 10.1% (20 out of 199) of all its victims.

Incransom: Third most active, with a 13.1% (13 out of 99) share.

Nova, Arcusmedial: Highest shares among the top gangs, at 33% (5 out of 15) and 31% (5 out of 16) of their victims, suggesting a high focus on this industry.

Geographic Distribution
The geographic distribution of ransomware victims is relatively wide yet quite concentrated in the USA*, which accounts for 45% of all victims.

Notably, previously heavily hit countries such as Germany, Italy, India and Taiwan recorded a significant decline in victims.

In total, 36 countries recorded ransomware victims in this industry in the last 90 days, thirteen fewer than the 49 in the previous period.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

APT Campaigns (Moderate): 8 of 18 APT campaigns (44%) targeted the IT industry—up from 4 of 6 previously. Activity was sustained across May–July, peaking in July. Key actors included Chinese (Volt Typhoon, Stone Panda), Russian (TA505, FIN11), and Southeast Asian groups (Vietnamese, Thai, Pakistani). Japan was affected in every campaign, followed by Thailand, the U.S., India, South Korea, and the UK. All campaigns targeted web applications, with five also exploiting OS vulnerabilities and broader infrastructure software.

Underground & Dark Web Chatter (High): The IT sector generated 18.3% of all dark web chatter—ranking 1st. Data breaches (↑27%) and leaks (↑23%) rose sharply, reflecting sustained interest in cloud platforms, software vendors, and MSPs. Ransomware chatter spiked to 445 mentions (↑51%), while DDoS dropped steadily. Web exploit chatter remained steady. Claimed hacks fell, possibly reflecting more covert breaches. Hacktivism dropped, pointing to a shift toward financially driven targeting.

Vulnerabilities (High): The IT industry accounted for 35.8% of all reported CVEs—by far the highest. RCEs surged (127), and injection attacks climbed (63), indicating escalating application-layer threats. DoS (47) and XSS (42) also rose. Memory flaws (22) persisted, while privilege escalation dropped. Directory traversal, disclosure bugs, and misconfigurations remained low but relevant—especially in cloud or multi-tenant environments.

Ransomware (Moderate*): 140 ransomware victims were recorded (↓48%), placing IT 4th overall. Sector share declined from 13% to 9.6%. After a steep drop from February, activity stabilized between May–July. Qilin (20 victims) led activity; Incransom, Nova, and Arcusmedial showed high proportional focus. U.S. accounted for 45% of all victims. A total of 36 countries were affected, down from 49 in the prior period.