CYFIRMA INDUSTRY REPORT : GOVERNMENT & CIVIC

Published On : 2025-12-15

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics on global industries, covering one sector each week for a quarter. This report focuses on government & civic organizations, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of government & civic organizations over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the government & civic sectors.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data sets from our platform. They are processed by AI and ML automation from both human research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

UNDERGROUND & DARK WEB CHATTER

  • Using freshly developed and dictionary-based tagging and processing of underground & dark web chatter logs, our DeCYFIR platform can now identify industry-based topics and multiple categories of context in which the industry is being discussed.
  • This feature is still in development, and the matching algorithms are actively fine-tuned. Some keywords/phrases that are essential for a specific industry are also very common in cybercrime chatter, typically generic IT terms. For the purpose of data gathering, we strike a balance between accurate identification and removal of keywords that trigger too many false-positive detections.

VULNERABILITIES

  • Using very similar tagging and processing, applied to reported CVE records rather than chatter logs, our DeCYFIR platform can now identify the industries and the vulnerability categories present in reported CVEs.
  • This feature is still in development, and the matching is actively fine-tuned. Some keywords that are essential for a specific industry are also very common in vulnerability descriptions, typically generic IT terms. We strike the same balance between accurate identification and removal of keywords that trigger too many false-positive detections.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
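The two tagging passages above (industry tagging of underground chatter, and the same approach applied to CVE descriptions) and the 30-day breakdowns used throughout the report describe one small pipeline: match posts against per-industry keyword dictionaries, keep generic IT terms out of those dictionaries so they do not fire on every post, bucket the hits into three 30-day windows, and compute each industry's share and rank. The following is an added illustration of that pipeline, not CYFIRMA's or DeCYFIR's code. The keyword dictionaries, the generic-term stoplist, the sample posts and their dates are all constructed for the example; the real dictionaries and matching rules are not published on the page.

```python
import re
from datetime import date

# Hypothetical industry dictionaries (constructed for this example). "portal"
# is included for "government & civic" on purpose: it is exactly the kind of
# generic IT term the methodology removes because it fires on almost any post.
INDUSTRY_TERMS = {
    "government & civic": ["ministry", "municipality", "city council", "gov",
                           "tax authority", "portal"],
    "finance": ["bank", "credit union", "fintech"],
    "healthcare": ["hospital", "clinic", "patient"],
}
# Generic terms that trigger too many false positives; dropped before matching.
GENERIC_TERMS = {"server", "portal", "admin", "database"}

AS_OF = date(2025, 12, 15)  # report date; windows are counted back from here

# Constructed sample chatter: (post date, text). None of these are real posts.
SAMPLE_POSTS = [
    (date(2025, 12, 10), "Full dump of Ministry of Health patient records"),
    (date(2025, 11, 20), "city council email server access for sale"),
    (date(2025, 11, 1), "Bank credentials, fresh logs"),
    (date(2025, 10, 5), "municipality.gov.example ransomware, negotiation failed"),
    (date(2025, 12, 1), "selling admin access to a customer portal"),  # no industry
    (date(2025, 9, 1), "hospital leak"),                                # older than 90 days
    (date(2025, 10, 20), "clinic patient database"),
]


def compile_dictionary(terms, stoplist):
    """Build one whole-word, case-insensitive regex per industry, minus stoplisted terms."""
    patterns = {}
    for industry, words in terms.items():
        kept = [w for w in words if w not in stoplist]
        alternation = "|".join(re.escape(w) for w in kept)
        patterns[industry] = re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE)
    return patterns


def tag_post(text, patterns):
    """Return the set of industries a single post mentions (a post can hit several)."""
    return {industry for industry, pat in patterns.items() if pat.search(text)}


def bucket_30d(posted, as_of):
    """0 = most recent 30 days, 1 = days 31-60, 2 = days 61-90; None if outside the 90-day window."""
    age = (as_of - posted).days
    if age < 0 or age >= 90:
        return None
    return age // 30


def industry_mentions(posts, patterns, as_of):
    """Count mentions per industry per 30-day window, oldest window first (chart order)."""
    counts = {industry: [0, 0, 0] for industry in patterns}
    for posted, text in posts:
        bucket = bucket_30d(posted, as_of)
        if bucket is None:
            continue
        for industry in tag_post(text, patterns):
            counts[industry][2 - bucket] += 1  # index 0 = oldest window, 2 = newest
    return counts


def share_and_rank(counts, industry):
    """Return (industry mentions, all industry mentions, share in %, rank) like the report's headline figures."""
    totals = {ind: sum(c) for ind, c in counts.items()}
    grand_total = sum(totals.values())
    ranked = sorted(totals, key=totals.get, reverse=True)
    share = round(100 * totals[industry] / grand_total, 1)
    return totals[industry], grand_total, share, ranked.index(industry) + 1


PATTERNS = compile_dictionary(INDUSTRY_TERMS, GENERIC_TERMS)

if __name__ == "__main__":
    counts = industry_mentions(SAMPLE_POSTS, PATTERNS, AS_OF)
    for industry, trend in counts.items():
        print(f"{industry:20s} {' -> '.join(map(str, trend))}")
    print(share_and_rank(counts, "government & civic"))
```

Two details matter in practice. The `\b` word boundaries keep "gov" from matching "government" while still matching the "gov" label inside a domain name, and the stoplist is applied when the dictionary is compiled rather than per post, so a term such as "portal" never counts even when it appears in a post that is otherwise unrelated to any industry. Because each post contributes at most one mention per industry, the share is a share of industry mentions, which is how the report's "8,260 out of 90,936 industry mentions" figure is framed.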

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Over the past 90 days, government & civic organizations featured in 18 out of the 18 observed campaigns, a presence in 100% of all campaigns. That is more than double the 8 campaigns in the previous 90 days, and a jump in overall share from 62% (8 out of 13).

OBSERVED CAMPAIGNS PER MONTH

The majority of observed campaigns were detected or updated during September; many continue into December.

SUSPECTED THREAT ACTORS

Activity has been dominated by PRC-aligned espionage actors (Volt Typhoon, Mustang Panda, APT27, etc.) focused on long-term access and strategic intelligence collection. Secondary activity includes persistent but lower-visibility operations from North Korean, Russian, Iranian, and Pakistani-linked groups, with a limited presence of financially motivated actors such as FIN7 appearing opportunistically.

GEOGRAPHICAL DISTRIBUTION

Japan is the most frequent target, closely followed by the US. South Korea, Australia, India, and the UK are in shared third place. Countries with multiple victims are mostly from Asia, with the Kingdom of Saudi Arabia and Germany mixed in.

TOP ATTACKED TECHNOLOGY

Web Applications are the most frequent primary attack vector. The second most exploited are operating system vulnerabilities. Additionally, various network, management, and remote access software were observed.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

Over the past 90 days, government & civic organizations have been significantly affected by advanced persistent threat (APT) campaigns.

All of the 18 observed APT campaigns targeted this sector, representing 100% of the observed campaigns. This is an increase from the previous 90-day period, during which 8 out of 13 campaigns targeted government or civic organizations.

Monthly Trends
12 out of 18 campaigns were observed or updated during September.

Key Threat Actors
Active threat actors originate from various regions worldwide. The majority were Chinese APTs such as the Typhoon clusters, APT27 and Stone Panda; others included Russian Gamaredon and FIN7, Turkish, Pakistani, Vietnamese and Iranian groups, English-speaking threat actors, and the North Korean Lazarus Group.

Geographical Impact
Overall, 32 countries recorded victims in observed campaigns. Japan and the US lead the chart. South Korea, Australia, India, and the UK share third place. Furthermore, we can see many Asian countries targeted by multiple campaigns alongside Saudi Arabia, and Germany.

Targeted Technologies
Most campaigns employed Web Applications as their primary attack vectors. Many campaigns also exploited operating system vulnerabilities. Furthermore, various network, management, infrastructure, and remote access software were observed.

UNDERGROUND & DARK WEB CHATTER ANALYSIS

Over the past three months, CYFIRMA’s telemetry has identified 8,260 mentions of government & civic organizations out of a total of 90,936 industry mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.

Government & civic organizations placed 5th out of 14 industries in the last 90 days, with a share of 9.1% of all detected industry-linked chatter.

Below is a breakdown by 30-day periods of all mentions.

GLOBAL CHATTER CATEGORIES

Data leaks and data breaches are the most frequently mentioned topics in recorded conversations, with a remarkably sustained interest over the past 90 days. In contrast, ransomware chatter has experienced a substantial decline over the last 30 days.

UNDERGROUND & DARK WEB EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

In total, government & civic organizations comprise 9.1% of all detected industry underground and dark web chatter in the last 90 days, ranking 5th out of 14 industries.

Below are observed key trends across 90 days:

Data Breach
1247 → 1162 → 1136, Very high but gradually declining. Government and civic entities continue to be heavily targeted, though the slight reduction suggests fewer large-scale breaches being surfaced or a shift toward quieter exploitation methods.

Data Leak
1134 → 1052 → 1081, Consistently elevated with minor fluctuation. Indicates ongoing circulation of government-related data, including citizen records, credentials, and internal documents, with no meaningful reduction in exposure.

Ransomware
424 → 466 → 227, High activity early on followed by a sharp drop in the latest period. Suggests a temporary reduction in ransomware campaigns or a strategic shift by threat actors toward data theft and access sales rather than overt encryption attacks.

Claimed Hacks
44 → 30 → 35, Dip in the middle period with a modest rebound. Points to continued, but limited, public claiming of intrusions—likely a mix of genuine incidents and exaggeration for reputation-building.

DDoS
57 → 36 → 9, Clear and sustained decline. Indicates reduced focus on disruptive attacks against government services, possibly due to improved mitigation or attacker preference for less visible tactics.

Hacktivism
29 → 21 → 18, Gradual decline across all periods. Ideologically motivated activity remains present but appears less intense, with fewer sustained campaigns.

Web Exploit
21 → 20 → 11, Stable initially, then dropping in the latest period. Suggests reduced exploitation of public-facing government portals, or a shift toward credential-based compromise and insider-style access.

VULNERABILITIES ANALYSIS

Over the past three months, CYFIRMA’s telemetry has identified 95 mentions of government & civic organizations out of a total of 2,803 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.

Government & civic organizations ranked 10th out of 14 industries in the last 90 days, with a share of 3.4% of all detected industry-linked vulnerabilities.

Below is a breakdown by 30-day periods of all mentions.

VULNERABILITY CATEGORIES

Remote & Arbitrary Code Execution (RCE & ACE) leads the chart, with a major spike during the middle 30-day period. Privilege Escalation & Access Control issues and Injection Attacks complete the top three. Most other categories recorded their highest counts in the first 30 days.

VULNERABILITIES EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

In total, government & civic organizations comprise 3.4% of all detected industry-linked vulnerabilities in the last 90 days, ranking 10th out of 14 industries.
Below are observed key trends across 90 days.

Remote & Arbitrary Code Execution (RCE & ACE)
9 → 27 → 16, A pronounced spike in the middle period followed by a reduction, though still elevated. This pattern suggests a concentrated wave of research and disclosure activity against widely used government platforms or infrastructure components.

Privilege Escalation & Access Control Issues
12 → 1 → 3, High initial reporting followed by a sharp drop and partial rebound. Indicates earlier focus on authentication and role-management flaws, with fewer recent discoveries being reported.

Injection Attacks
9 → 2 → 4, Noticeable decline after the first period with a small uptick in the latest window. Suggests reduced researcher focus on injection flaws in government systems compared to earlier periods.

Information Disclosure & Data Leakage
2 → 2 → 1, Low and stable. Indicates only limited reporting of exposure-related issues in government and civic software during this timeframe.

Cross-Site Scripting (XSS) & Clickjacking
2 → 1 → 1, Very low and tapering. Suggests fewer newly identified client-side vulnerabilities in public-facing government portals.

Denial of Service (DoS) & Resource Exhaustion
2 → 1 → 0, Gradual decline to zero. DoS vulnerabilities appear to be a decreasing focus in recent disclosures for this sector.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 102 verified ransomware victims in government & civic organizations. This accounts for 5.1% of the overall total of 1,990 ransomware victims during the same period, placing the government & civic sectors 8th out of 14 industries.

Furthermore, a quarterly comparison reveals a major increase in victims in government & civic organizations, a jump of 50% from 68 to 102 victims. The overall share of victims also grew from 4.5% to 5.1% of all victims.

INDUSTRY MONTHLY ACTIVITY CHART

Over the past 180 days, the number of victims has fluctuated significantly. July recorded a spike followed by a major dip in August. The activity grew towards the highest spike in October and declined again in November. December is poised for another spike so far.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of monthly activity per gang provides insights into which gangs were active each month. For example, by far the most active gang, Qilin, was active across all months and recorded a cluster of victims in October. On the other hand, the fourth most active gang, Sinobi, was active mostly in October, recording a large number of victims, and then disappeared after a few victims in November.

Out of the 69 gangs, 30 recorded victims in this industry in the last 90 days (43% participation). Qilin had the highest number of victims (27) with a low share (6.5%).

The share of victims for many gangs in this industry is relatively high. From the top 10, only 3 gangs recorded a share of around or below 10%.

Brotherhood (18%), LockBit5 (15%), and Devman (13%) had the highest shares of victims among gangs with more than 2 victims, implying a higher focus on this industry.

VICTIMS PER INDUSTRY SECTOR

Municipal & Local Governments are the most frequent victims of ransomware in this industry. Second place is Public Health & Social Services, and in third place is Religion & Cultural Institutions.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded in the last 90 days.

INDUSTRY VICTIMS PER COUNTRY

The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.

In the last 90 days, the USA recorded 53 victims (52% of all victims). France, Canada, and Colombia recorded major increases in victims; meanwhile, Germany saw its number cut in half.

Many countries recorded their first victims in the last 180 days.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate*

Government & civic organizations placed 8th out of 14 monitored industries, recording 102 victims in the last 90 days, a 50% increase from 68 victims in the previous 90-day period.

Overall share also grew from 4.5% to 5.1% of all ransomware victims.

Monthly Activity Trends
Monthly activity has been choppy, moving from 30 to 15, then 40, then 28 victims per month. December so far is poised to form another spike.

Ransomware Gangs
A total of 30 out of 69 active ransomware groups targeted this industry in the past 90 days, representing a 43% participation:

Qilin: The most active, with 27 victims and 6.5% (27 out of 416) of all their victims.

Incransom: Second most active with 11.3% (12 out of 106) share.

Brotherhood, LockBit5, and Devman: Highest shares of 18% (3 out of 17), 15% (3 out of 20), and 13% (8 out of 64) victims among the top gangs, suggesting a high focus on this industry.

Geographic Distribution
Ransomware victims are spread across many countries yet heavily concentrated in the USA, which accounts for 52% of all victims (*the USA warrants a higher risk rating). France, Canada, and Colombia also recorded a jump in victims. Furthermore, many countries recorded their first victims of the last 180 days in the most recent period.

In total, 27 countries recorded ransomware victims in this industry in the last 90 days, up from 19 in the previous period.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

APT Campaigns (High): Government and civic organizations were the most consistently targeted sector, with all 18 observed APT campaigns (100%) affecting this space – an increase from 8 of 13 campaigns in the previous period. Activity peaked in September, when two-thirds of campaigns were either launched or updated. The threat landscape was dominated by Chinese state-linked APTs (Typhoon clusters, APT27, Stone Panda), alongside Russian Gamaredon and FIN7, North Korean Lazarus, and multiple Turkish, Pakistani, Vietnamese, Iranian, and English-speaking threat actors. Victims were recorded across 32 countries, with Japan and the U.S. most frequently hit, followed by South Korea, Australia, India, and the UK. Web applications were the primary entry point, often paired with OS, remote access, and infrastructure software exploitation.

Underground & Dark Web Chatter (High): Government & civic entities accounted for 9.1% of all industry chatter, ranking 5th overall. Data breach and leak activity remained very high, despite a gradual decline, indicating continued exposure of citizen data, credentials, and internal documents. Ransomware chatter dropped sharply in the latest period, while DDoS, hacktivism, and web exploit discussions also declined, pointing to a shift away from visible disruption toward quieter access-based operations and data monetization.

Vulnerabilities (Low): The sector represented 3.4% of disclosed vulnerabilities, ranking 10th. RCE disclosures spiked mid-period before easing, suggesting a concentrated wave of research or vendor disclosure against widely deployed government platforms. Privilege escalation and injection flaws declined overall, while information disclosure and XSS remained low. The vulnerability landscape suggests fewer newly discovered issues, but not necessarily lower exploitation risk, given the heavy APT focus.

Ransomware (Moderate*): Ransomware activity rose sharply, with 102 victims – a 50% increase that pushed government & civic organizations to 8th place overall. Activity was volatile month to month, with December already shaping up as another spike. Qilin led in volume, while Incransom, Brotherhood, LockBit5, and Devman showed elevated proportional focus on the sector. The U.S. accounted for 52% of victims, but France, Canada, and Colombia all saw notable increases. The number of affected countries expanded to 27, underscoring a widening global attack surface.