The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the information technology industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the information technology industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the Information Technology industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform: data processed by AI and ML automation, drawing on both human research input and automated ingestion.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Information technology organizations featured in 8 out of the 17 observed campaigns, a presence in 47% of all observed campaigns.
In the last 90 days, we observed a significant spike of activity targeting the information technology sector in July.
The 8 observed campaigns were carried out by a wide variety of threat actors, from Ulture in the Philippines to US17IRGCorp in Iran.
Recorded victims of the observed attack campaigns span 23 different countries. There does not appear to be a clear geographic pattern. Considering the suspected TAs, this suggests opportunistic targeting and, in most cases, financial rather than geopolitical motivation.
Web applications continue to be the most targeted technology across industries, followed by Operating System and Cloud technologies.
Risk Level Indicator: Moderate
In the past 90 days, the information technology industry has been significantly impacted by advanced persistent threat (APT) campaigns. 47% (8 out of 17) of observed APT campaigns recorded victims in this industry.
Monthly Trends
Within the last 90 days, after a period of relative calm, we observed a surge in July.
Key Threat Actors
No single threat actor has stood out in the past 90 days. Nearly all observed campaigns were evenly distributed, with one threat actor per campaign. The one exception is Ulture, a threat actor from the Philippines with 2 campaigns. The actors also come from different countries: CoralRaider from Vietnam, FIN11 from Russia, US17IRGCorp from Iran and an unknown Thai-speaking group, among others.
Geographical Impact
Observed geographies align with the interests of the threat actors. Nation-state groups have an interest in rival countries, while regional cybercrime looks for victims at home and in its region.
Targeted Technologies
Web applications, operating systems and cloud services are the top attacked technologies.
Over the past 3 months, CYFIRMA’s telemetry detected 42,338 phishing campaigns themed around information technology brands out of a total of 251,575.
The chart below illustrates the global distribution of observed themes. Combined, the Online/Cloud Services and Email Provider themes account for 16.82% of all captured phishing.
Office 365 is the most commonly used theme, mainly because it serves as a vessel for other phishing themes and techniques. It is followed by Netflix, Telegram and Outlook. In total, 53 brands were impersonated.
The geographical sources of observed phishing campaigns show that most of them originate from the US.
Risk Level Indicator: Moderate
The information technology sector remains a popular phishing theme, since various IT services are used to facilitate many other phishing themes and also allow direct monetization.
Office 365 stands out as the most frequently exploited service for phishing. Following this, Netflix, Telegram, Outlook and various webmail providers are also significantly targeted.
Overall, the list includes 53 organizations from 73 countries. Many international and regional platforms are being impersonated.
ASN-origin data reveals that the United States is the leading source of phishing emails impersonating information technology organizations, reflecting the sheer size of the market in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in the Netherlands, Germany, Hong Kong and India.
Southeast Asia, Latin America and even Africa are steadily growing as sources and targets of phishing.
The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Malawi or Turkmenistan show expanding attacker reach.
In the past 90 days, CYFIRMA has identified 115 verified ransomware victims in the information technology industry. This accounts for 8.8% of the overall total of 1,306 ransomware victims during the same period.
IT services, consulting and software development are the most frequent victims of ransomware in the IT industry.
The monthly activity chart shows sustained interest by threat actors, with a mild spike in June activity.
A breakdown of the monthly activity provides insights into which gangs were active each month. For example, RansomHub became very active during June, driving the observed spike. LockBit3 returned after its law enforcement disruption and contributed to the numbers in May.
In total, 34 out of 59 active groups recorded victims among IT organizations in the past 90 days. Notably, victims in this industry are distributed across a large number of groups.
Comparing the IT industry to all recorded victims, RansomHub stands out as a group with high interest in this industry with 31 out of 61 (50.8%) victims. Next is Cactus with 7 out of 48 (14.5%) victims.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
In total, 27 countries recorded ransomware victims, with the US alone accounting for 50% of all victims with identified geography.
Risk Level Indicator: High
The information technology industry ranked 4th out of 14 industry categories. With a share of 8.8% of all ransomware victims, it faces a significant ransomware risk.
Organizations from IT services, IT consulting and software development sectors were the most frequent victims.
Monthly Activity Trends
Ransomware activity in this industry has shown sustained numbers of victims each month, with a spike in June.
The June spike was driven by RansomHub's heightened activity and its focus on IT organizations.
Ransomware Gangs
A total of 34 out of 59 active ransomware groups targeted the Information Technology industry in the past 90 days:
RansomHub: This growing affiliate-based RaaS recorded the most victims in this industry (31 out of a total of 115 victims). It also showed a high focus on this industry, with 50.8% of all its victims (31 out of 61) being from IT sectors.
LockBit3: Due to its large affiliate base and sheer volume, it presents a high risk (15 out of 209 victims).
Cactus: It has the next highest share of victims in this industry. 14.5% (7 out of 48) of all their victims were IT organizations.
Geographic Distribution
50% of all victims are located in the US, underscoring US dominance in the information technology industry. Next is Israel, currently facing frequent attacks by the Handala group. Italy, Brazil and Spain also recorded higher numbers of victims.
In total, 27 countries recorded ransomware victims in this industry.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.
In the past 90 days, Information Technology organizations have faced medium to high risks across monitored categories.
APT campaigns: The risk is moderate to high, with 47% of observed APT campaigns targeting the IT sector. Key actors included Ulture (Philippines), CoralRaider (Vietnam), FIN11 (Russia), US17IRGCorp (Iran), and an unknown Thai-speaking group. These campaigns mainly exploited web applications, operating systems, and cloud services. Activity surged in July after a period of calm, impacting geographies aligned with the interests of these threat actors.
Phishing: The risk remains moderate, with IT services being a popular vessel for other phishing themes. Office 365 was the most frequently exploited service, followed by Netflix, Telegram, Outlook, and various webmail providers. Phishing campaigns targeted 53 organizations across 73 countries, with the US being the leading source. Significant activity was also noted in the Netherlands, Germany, Hong Kong, and India, with growing sources and targets in Southeast Asia, Latin America, and Africa.
Ransomware: The IT industry faces a high ransomware risk, ranking 4th out of 14 industry categories and accounting for 8.8% of all ransomware victims. IT services, IT consulting, and software development sectors were the most frequent targets. Monthly activity remained steady, with a spike in June driven by RansomHub. In the past 90 days, 34 ransomware groups targeted the industry, with RansomHub, LockBit3, and Cactus posing significant risks. Victims were widespread, with 50% in the US and significant activity in Israel, Italy, Brazil, and Spain, affecting 27 countries overall.