Reviewing 2025 Cyber Threat Trends

Beyond a surge in AI and critical infrastructure attacks, 2025 showcased many shifts in the attack landscape.


2025 was a defining year for cybersecurity. The volume, diversity, and impact of cyber incidents continued to grow, but more importantly, clear patterns emerged in how attackers operate, which sectors they prioritize, and where defensive strategies continue to fall short. 

From the rise of AI-powered cyber operations to sustained pressure on critical infrastructure, the year offered important signals about how the threat landscape is evolving.

The Rise of AI-Powered Cyber Attacks

There is no doubt that AI was the defining story of 2025. However, its role in enabling real-world cyberattacks unfolded gradually in the first half of the year before accelerating rapidly in the second half. The first major story of AI abuse emerged in May, when reports revealed that hundreds of North Korean IT operatives had successfully infiltrated Fortune 500 companies by posing as remote workers.

What distinguished this campaign was the operational use of AI and deepfake technology, not merely as supporting tools but as core components of the intrusion strategy. Operatives relied on AI-generated responses to pass technical interviews and used deepfake video and manipulated identity documents to bypass hiring and identity verification controls.

Critical Infrastructure Under Sustained Pressure

A July report from Cyble highlighted a growing trend in hacktivist operations targeting industrial control systems and access-based infrastructure. These campaigns accounted for 31 percent of all attacks in Q2 2025, up from 29 percent in Q1. While often ideologically motivated, hacktivist groups increasingly adopted more coordinated and impactful techniques, raising concerns about potential physical consequences.

This trend persisted throughout the year. In December, a multinational advisory warned that hacktivist groups were actively targeting water utilities, energy providers, and food and agriculture systems. Although these actors typically lack advanced tooling, they frequently exploit exposed remote access services, particularly VNC, along with weak authentication and poor network segmentation. 

In several cases, these relatively simple techniques resulted in real operational disruption, demonstrating how even low-skill actors can generate meaningful impact in poorly secured OT environments.

The advisory reinforced a consistent theme: insecure remote access remains one of the most common and avoidable sources of risk in critical infrastructure. Legacy access solutions introduce unnecessary exposure and make credential abuse and lateral movement far easier than they should be. As a result, critical infrastructure operators are increasingly encouraged to move away from these systems and adopt Zero Trust approaches that tightly control access and limit blast radius.
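The exposure pattern the advisory describes (remote-access services such as VNC reachable from the internet, protected only by weak authentication) is easy to audit from an asset inventory and firewall policy. The following is an added example, not code from the advisory or this article; the inventory and rule formats, the port-to-protocol mapping and the sample data are all constructed assumptions.

```python
from ipaddress import ip_network

# Legacy remote-access services worth flagging in an OT inventory (assumed mapping).
REMOTE_ACCESS_PORTS = {5900: "VNC", 3389: "RDP", 23: "Telnet"}
# Anything short of MFA or certificate-based auth is treated as weak.
WEAK_AUTH = {"none", "password"}
# RFC 1918 ranges count as internal; everything else is treated as public.
INTERNAL = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(src_cidr):
    """True only if the source range lies entirely inside an internal range."""
    src = ip_network(src_cidr)
    return any(src.subnet_of(net) for net in INTERNAL)

def reachable_from_internet(rules, zone, port):
    """True if an allow rule lets a non-internal source reach this zone/port."""
    for rule in rules:
        if rule["action"] != "allow" or rule["dst_zone"] != zone:
            continue
        if port in rule["ports"] and not is_internal(rule["src"]):
            return True
    return False

def find_exposed_remote_access(assets, rules):
    """Return one finding per remote-access service that is exposed or weakly authenticated."""
    findings = []
    for asset in assets:
        for svc in asset["services"]:
            proto = REMOTE_ACCESS_PORTS.get(svc["port"])
            if proto is None:
                continue  # e.g. Modbus/502 is an ICS protocol, not remote access
            exposed = reachable_from_internet(rules, asset["zone"], svc["port"])
            weak = svc["auth"] in WEAK_AUTH
            if exposed or weak:
                findings.append({"asset": asset["name"], "proto": proto,
                                 "internet_exposed": exposed, "weak_auth": weak})
    return findings

# Constructed sample inventory and firewall policy (not real systems).
ASSETS = [
    {"name": "pump-hmi-01", "zone": "ot-level2", "services": [{"port": 5900, "auth": "password"}]},
    {"name": "plc-gw-02", "zone": "ot-level1", "services": [{"port": 502, "auth": "none"}]},
    {"name": "eng-ws-03", "zone": "ot-dmz", "services": [{"port": 3389, "auth": "mfa"}]},
]
RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst_zone": "ot-level2", "ports": [5900]},
    {"action": "allow", "src": "10.0.0.0/8", "dst_zone": "ot-dmz", "ports": [3389]},
]

if __name__ == "__main__":
    for f in find_exposed_remote_access(ASSETS, RULES):
        print(f)
```

Only the HMI with password-only VNC behind an any-source allow rule is reported; the MFA-protected RDP host reachable solely from internal ranges is not.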

Similar findings appeared in November, when the Canadian Centre for Cyber Security released anonymized reporting on recent OT intrusions affecting power generation, water utilities, manufacturing, and transportation. Many incidents stemmed from internet-accessible OT assets, weak authentication mechanisms, and inadequate segmentation, highlighting systemic challenges across aging industrial environments.

As remote access tools, IIoT devices, and cloud-connected industrial equipment continue to proliferate, the identity and access attack surface has expanded beyond the reach of traditional IT security controls. Hacktivists are no longer confined to web defacements or denial-of-service activity. They are increasingly abusing exposed ICS environments, making publicly reachable OT systems a viable target for a much broader range of threat actors.

The financial incentives driving these attacks remain significant. A joint Dragos and Marsh McLennan report estimated that a catastrophic OT-focused cyber event could cost $330 billion annually, with $172 billion attributed to business interruption alone.

In July, reporting also revealed that the Iranian-linked ransomware group Pay2Key.I2P offered affiliates up to 80 percent of ransom proceeds for attacks targeting U.S. and Israeli organizations, generating approximately $4 million since February. These developments reflect a growing alignment between financially motivated actors and state-linked interests, increasing both scale and impact.

Logistics Sector Disruptions

According to a report from Proofpoint, logistics and transportation organizations saw a surge in cyber-enabled cargo theft, with losses estimated at more than $35 billion annually. Threat actors infiltrated logistics platforms, compromised fleet management systems, and manipulated digital freight marketplaces to redirect shipments and conduct double-brokering scams. 

Organized theft groups increasingly blended cyber intrusion, social engineering, and physical supply chain manipulation, operating at global scale. In September, a ransomware attack on Collins Aerospace’s check-in systems forced major airports, including Brussels and London Heathrow, to cancel dozens of flights and delay many others while reverting to manual processes. The incident illustrated how third-party system failures can quickly cascade across transportation infrastructure.

Energy Infrastructure Faces Expanding Risk

The energy sector also saw heightened activity. In Pakistan, state-owned Pakistan Petroleum reported an attempted breach linked to the emerging Blue Locker ransomware strain. More broadly, ransomware targeting oil and gas surged by 935 percent year over year, driven by digital transformation and expanding connectivity.

A scan of 21 major U.S. energy providers identified more than 5,750 vulnerabilities, nearly 380 of which were already under active exploitation. For OT devices, patching is often impractical, leaving organizations exposed for extended periods without compensating controls.

Investigations into U.S. solar infrastructure uncovered undocumented “kill switches” in Chinese-made power inverters widely deployed across solar farms. These embedded cellular radios raised concerns about potential remote disruption and highlighted the risks introduced by opaque supply chains within energy infrastructure.

Taken together, the incidents and trends of 2025 point to a common theme: cyber risk is no longer defined by isolated exploits or individual breaches, but by systemic weaknesses in how access, identity, and connectivity are managed. Attackers are increasingly patient, adaptive, and efficient, favoring techniques that exploit trust, reuse legitimate access, and target environments where downtime carries real-world consequences.

Across sectors, familiar patterns repeated themselves. AI lowered the barrier to entry for sophisticated attacks. Legacy VPNs and perimeter defenses struggled to contain modern threats. And critical infrastructure continued to feel the impact when digital incidents crossed into physical operations.

At the same time, 2025 also showed progress. Governments moved more decisively on regulation and standards. Vendors tightened controls and acknowledged emerging risks. Organizations increasingly recognized that resilience depends on architecture, not reaction. Security strategies that emphasize least privilege, continuous verification, segmentation, and identity-aware access proved far more effective than patch-driven or perimeter-based approaches alone.

As organizations look ahead, the lesson from 2025 is not that threats are unprecedented, but that the way they succeed is increasingly predictable. Addressing that reality requires moving beyond incremental fixes and toward security models designed for dynamic, interconnected environments. In the years to come, those that prioritize secure access by design will be better positioned to limit disruption, contain incidents, and operate with confidence in an evolving threat landscape.

This feature is a portion of the full blog, which can be found here.
