The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on government & civic organizations, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of government & civic organizations over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting government & civic organizations.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Government & civic organizations featured in 7 of the 7 observed campaigns, a presence in 100% of campaigns. This is the same as in the previous period (2 out of 2), which was also a presence in 100% of campaigns.
Observed campaigns were distributed across all months of the last 90-day period.
Besides the usual suspects in the form of Chinese Pandas and Volts with Russian syndicates FIN11 and TA505, we observed a diverse range of emerging threat actors from Algeria, Thailand, Vietnam, and what appears to be an international English-speaking group.
Out of 7 campaigns, the most affected countries were Japan and Thailand, each targeted in 5 campaigns. The US, the UK, South Korea, Taiwan, Australia, and India recorded victims in 4 out of 7 campaigns. China itself is now also facing cyber threats from the emerging groups as geopolitical and economic waters heat up.
The observed campaigns targeted web applications, operating systems, routers, network monitoring tools, application infrastructure, and database management software.
In the past 90 days, government & civic organizations have been highly affected by advanced persistent threat (APT) campaigns. 7 out of 7 observed APT campaigns targeted this industry, representing a 100% presence.
This is the same as the previous 90-day period, when 2 out of 2 campaigns targeted government & civic organizations.
Monthly Trends
The observed campaigns occurred during all months of the last 90-day period, mostly in February (3) and April (2).
Key Threat Actors
The campaigns are attributed to a wide range of threat actors. Beyond the well-known Chinese and Russian APTs, we observed a diverse range of emerging threat actors (TAs) from Algeria, Thailand, and Vietnam.
Geographical Impact
The campaigns have affected a total of 22 countries, with Japan and Thailand being the most affected, recording victims in 5 out of 7 campaigns.
Targeted Technologies
Web applications and operating systems remain the most frequently targeted technologies. Additionally, routers and network monitoring tools, app infrastructure, and database management software have been compromised.
Over the past three months, CYFIRMA’s telemetry has identified 6,489 mentions of government & civic organizations out of a total of 64,103 industry mentions. This is from a total of 314,514 posts across various underground and dark web channels and forums.
Government & civic organizations placed 5th out of 14 industries in the last 90 days with a share of 10.12% of all detected industry-linked chatter.
Below is a breakdown by 30-day periods of all mentions.
Data Leaks and Data Breaches are the most common categories of recorded chatter for this industry. Ransomware chatter was high in the first 30 days and declined sharply during the last 60 days.
In total, government & civic organizations account for 10.12% of all detected industry underground and dark web chatter in the last 90 days, ranking 5th out of 14 industries.
Below are the observed key trends across 90 days:
Decline Across Most Threat Categories
Data Breach: 797 → 826 → 546 (↓34% from peak)
Data Leak: 815 → 875 → 619 (↓29%)
Ransomware: 581 → 344 → 217 (↓63% since initial period)
Web Hack Activity Still Elevated
97 → 161 → 133
Despite a slight decline, mentions remain higher than at the start, indicating ongoing probing of web-facing assets.
Web Exploits Dropped and Stabilized
67 → 22 → 17
Suggests improved patching or reduced success of previous exploit vectors.
DDoS Attacks Trending Down
109 → 96 → 63
Gradual decline, but still a notable risk for service disruption in critical infrastructure.
Hacktivism Slightly Rebounding
45 → 27 → 32
While not at original levels, its resurgence may reflect renewed activism around specific causes or geopolitical events.
Over the past three months, CYFIRMA’s telemetry has identified 94 mentions of government & civic organizations out of a total of 4,940 industry mentions. This is from a total of 11,000 CVEs published in 90 days.
Government & civic organizations ranked 12th out of 14 industries in the last 90 days with a share of 1.90% of all detected industry-linked vulnerabilities.
Below is a breakdown by 30-day periods of all mentions.
Remote & Arbitrary Code Execution (RCE, ACE) are leading the chart. Cross-Site Scripting (XSS) & Clickjacking, and Injection Attacks are nearly equal in second and third place, respectively.
In total, government & civic organizations account for 1.90% of all detected industry vulnerabilities in the last 90 days, ranking 12th out of 14 industries.
Below are observed key trends across 90 days.
Overall Decline in Reported Vulnerabilities
Every major CVE category has declined steadily from the first 30 days to the most recent.
This indicates either effective patching or reduced vulnerability disclosures in this sector.
Remote Code Execution (RCE) Still Leads
18 → 14 → 8
Though dropping, RCE remains the top vulnerability class, and is still a critical threat due to the potential for full system compromise.
Web-Based Vulnerabilities Down Sharply
Cross-Site Scripting (XSS): 11 → 8 → 3
Injection Attacks: 10 → 6 → 2
This reflects either improved web app security or a shift in attacker focus.
Other CVEs Remain Low-Level
Privilege Escalation: 4 → 2 → 1
Information Disclosure: Low and inconsistent
Memory Issues & DoS: Stable at 1 or fewer mentions
In the past 90 days, CYFIRMA has identified 117 verified ransomware victims in the government & civic organizations. This accounts for 5.6% of the overall total of 2,106 ransomware victims during the same period, placing government & civic organizations 8th out of 14 industries.
Furthermore, a quarterly comparison reveals a major increase in interest in government & civic organizations of 62.5% from 72 to 111 victims. The overall share increased from 4.3% to 5.6% of all victims.
Over the past 180 days, we have observed sustained activity across months. March recorded a major spike, nearly tripling the monthly average.
A breakdown of monthly activity per gang provides insights into which gangs were active each month. For example, the most active gang, Babuk2, was behind the sharp spike during March, when they listed a large number of government & civic organizations as alleged victims.
This dump was old data from previous leaks, obtained by the group before the launch of their own ransomware group, in an attempt to gain credibility on forums.
Out of the 74 gangs, 36 recorded victims in this sector in the last 90 days. The Babuk2 gang had the highest number of victims (24), followed by RansomHub (14) and Qilin (11).
The share of victims for some gangs in this industry is relatively high. Five out of the top 10 gangs recorded 10% or more of the victims in this industry.
Among the top 5 gangs, Babuk2 (32%), IncRansom (14%), and Medusa (12%) recorded significant shares in this industry.
In contrast, Cl0p’s rampage resulted in only 0.3% of their victims being in this industry.
Municipal & local governments are the most frequent victims of ransomware in this sector in the past 90 days. Religion & cultural institutions and national government & executive bodies follow in second and third place, respectively.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.
The USA recorded 47 victims in the last 90 days, an increase from 35, and represents 41% of all victims. Canada, France, Indonesia, the UK, and Germany follow at the top of the list. Notably, Thailand also ranked high, due to Babuk2’s focus on the SEA region.
Government & civic organizations placed 8th out of 14 monitored industries, recording 117 victims in the last 90 days, a major increase of 62.5% from 72 victims in the previous 90-day period.
The overall share increased from 4.3% to 5.6% of all ransomware victims.
Monthly Activity Trends
Monthly activity was steady and sustained across the last 180 days, with a major spike in March, nearly tripling the monthly average.
Babuk2 was the most active gang overall and responsible for the March spike.
Ransomware Gangs
A total of 36 out of 77 active ransomware groups targeted this industry in the past 90 days:
Babuk2: The most active with 24 victims and 32% of their victims from the government & civic sectors (24 out of 75 victims).
IncRansom, Medusa: The highest shares among the top 10 gangs, with 14% and 12% of their victims in this industry (9 out of 63 and 7 out of 57) respectively, suggesting a higher interest in this industry.
Geographic Distribution
The geographic distribution of ransomware victims is relatively high compared to other industries, with the USA (47) accounting for 41% of all victims, followed by Canada and France.
Due to Babuk2’s focus on Southeast Asia, Indonesia and Thailand also recorded a high number of victims.
In total, 34 countries recorded ransomware victims in this industry in the last 90 days, a major increase from 23 in the previous period.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series.
APT Campaigns: Government & civic organizations were the sole target of all seven observed APT campaigns over the past 90 days (100% hit rate), continuing the trend from the previous quarter. Activity was spread across all months, peaking in February and April. While Chinese and Russian APTs remain prominent, this period saw new players from Algeria, Thailand, and Vietnam. Attacks impacted 22 countries, with Japan and Thailand hit in five of the seven campaigns. Web applications and operating systems were consistently targeted, along with routers, monitoring tools, databases, and application infrastructure.
Underground & Dark Web Chatter: Government entities accounted for 10.1% of dark web activity, ranking 5th overall. Mentions of data breaches, leaks, and ransomware all declined, yet volume remained substantial. Ransomware dropped 63% since the start of the period. Web hack activity stayed elevated, while web exploit mentions stabilized at lower levels. DDoS activity declined steadily. Hacktivism showed a mild rebound, likely linked to emerging geopolitical events.
Vulnerabilities: Government & Civic CVE exposure remained low, accounting for just 1.9% of total vulnerabilities (12th out of 14). Most CVE categories declined across the quarter, possibly due to improved patching. RCE remained the top threat, though counts fell. Web-based vulnerabilities (XSS and injection) saw sharp drops. Other issues like privilege escalation, DoS, and memory flaws stayed minimal.
Ransomware: With 117 victims, the Government & Civic sector ranked 8th but rose 62.5% from the previous period. Share increased from 4.3% to 5.6% of global cases. March saw a major spike, largely due to Babuk2. Of 77 active gangs, 36 hit this sector. Babuk2 alone accounted for 24 attacks (32% of its victims). IncRansom and Medusa also showed strong focus. The U.S. saw 41% of cases, followed by Canada, France, Indonesia, and Thailand. Attacks occurred in 34 countries—up from 23 previously—underscoring the sector’s growing global exposure.