Executive Summary
We see five major emerging trends reshaping the threat landscape.
- First, threat actors are augmenting traditional ransomware and extortion with attacks designed to intentionally disrupt operations. In 2024, 86% of incidents that Unit 42 responded to involved business disruption — spanning operational downtime, reputational damage or both.
- Second, software supply chain and cloud attacks are growing in both frequency and sophistication. In the cloud, threat actors often embed within misconfigured environments to scan vast networks for valuable data. In one campaign, attackers scanned more than 230 million unique targets for sensitive information.
- Third, the increasing speed of intrusions — amplified by automation and streamlined hacker toolkits — gives defenders minimal time to detect and respond. In nearly one in five cases, data exfiltration took place within the first hour of compromise.
- Fourth, organizations face an elevated risk of insider threats, as nation-states like North Korea target organizations to steal information and fund national initiatives. Insider threat cases tied to North Korea tripled in 2024.
- Fifth, early observations of AI-assisted attacks show how AI can amplify the scale and speed of intrusions.
Amid these trends, we're also seeing a multi-pronged approach in attacks, as threat actors target multiple areas of the attack surface. In fact, 70% of the incidents Unit 42 responded to happened on three or more fronts, underscoring the need to protect endpoints, networks, cloud environments and the human factor in tandem. And on the human element — nearly half of the security incidents (44%) we investigated involved a web browser, including phishing attacks, malicious redirects and malware downloads.
Drawing from thousands of incident responses over years of experience, we've identified three core enablers that allow adversaries to succeed: complexity, gaps in visibility and excessive trust. Fragmented security architectures, unmanaged assets and overly permissive accounts all give attackers the space they need to succeed.
To confront these challenges, security leaders must accelerate their journey to Zero Trust, reducing implicit trust across the ecosystem. Equally crucial is securing applications and cloud environments from development to runtime, ensuring that misconfigurations and vulnerabilities are swiftly addressed. Finally, it's essential to empower security operations to see more and respond faster — with consolidated visibility across on-premises, cloud and endpoint logs, as well as automation-driven threat detection and remediation.
1. Introduction
Over my two-decade career as an incident responder, I've witnessed countless shifts in the threat landscape and attacker tactics.
When ransomware first appeared, file encryption became the tactic of choice for cybercriminals. Locking up files, getting paid for an encryption key, and moving on. Backups got better, and double extortion became more popular. Cybercriminals leveraged harassment (and still do) to tell companies “pay, or we will leak sensitive data.” But even that is losing its luster.
Almost every month, I receive notice of a data breach. Occasionally, I open and read these letters; admittedly other times, they go directly into the trash. Like many people, I've invested in identity theft protection software and adhere to best practices in cyber hygiene. With the onslaught of these notifications, it's hard not to imagine the everyday person thinking: My data has been leaked again, so what? This desensitized mindset is unsettling. And yet, despite this public apathy, a data breach can still cause substantial damage to a company.
The past year has marked yet another shift in attacker focus to intentional operational disruption. This new phase in financially motivated extortion prioritizes sabotage — where attackers are intentionally destroying systems, locking customers out of their environments, and forcing prolonged downtime — so threat actors can maintain their ability to have maximum impact with their attacks and command payment from organizations.
In 2024, Unit 42 responded to over 500 major cyberattacks. These incidents involved large organizations grappling with extortion, network intrusions, data theft, advanced persistent threats and more. The targets of these attacks spanned all major industry verticals and 38 countries.
We've responded to breaches occurring at unprecedented speed, causing severe operational disruption and cascading impacts — from downtime and service outages to costs reaching billions of dollars. In every case, the situation had escalated to the point where the security operations center (SOC) called for backup.
When Unit 42 is called, our Incident Response team works swiftly to contain threats, investigate incidents, and restore operations. After the crisis, we partner with clients to strengthen their security posture against future attacks.
The Unit 42 mission is clear: protecting the digital world from cyberthreats. Operating 24/7 across the globe, our team is united by the purpose of stopping threat actors, hunting evolving threats and helping organizations prepare for and recover from even the most sophisticated attacks.
This report is organized to guide you through our key findings and actionable insights:
- Emerging Threats and Trends: A look at what's coming, including the rise of disruption-driven extortion, AI-assisted attacks, cloud and software supply chain-based attacks, nation-state insider threats, and speed.
- Threat Actors Succeed: Analysis of the most common effective tactics, techniques and procedures, from initial access to impact.
- Recommendations for Defenders: Practical guidance for executives, CISOs and security teams to fortify their defenses, build resilience and stay ahead of the threat.
As you read, consider not just what's happening, but what's next and how your organization can prepare to meet the challenges of an increasingly complex threat environment.

SAM RUBIN
SVP of Consulting and Threat Intelligence at Unit 42
2. Emerging Threats and Trends
In 2025, organizations face a complex mix of threats from financially driven cybercriminals, well-resourced nation-states, insider schemes and ideologically motivated hacktivists. While extortion attacks remain dominant among criminal groups, sophisticated nation-state adversaries target critical infrastructure, supply chains and key industries. Insider risks intensify as contractors and employees with privileged access can bypass external defenses, and hacktivists exploit social media networks to coordinate large-scale disruptions.
Against this backdrop, Unit 42 has identified five key trends where we see the most significant and immediate impact on organizations: intentionally disruptive extortion attacks, software supply chain and cloud exploitation, the increasing speed of attacks, North Korean insider threats and AI-assisted threats.
Trend 1. Disrupting Business Operations: The Third Wave of Extortion Attacks
As defenses improve and cyber hygiene matures, backups have become more common and more likely to succeed. Attackers have been forced to innovate their approaches to ensure they can command consistent — and higher — payments.
Extortion attacks have evolved over the past decade: from encryption, to exfiltration and multi-extortion techniques, to intentional disruption. Though ransomware remains a headline threat, attackers have shifted from solely encrypting data to more disruptive tactics, such as harassing stakeholders and threatening critical operations, resulting in long periods of downtime.
In 2024, 86% of incidents that Unit 42 responded to had some sort of impact-related loss. This includes:
- Outright business disruption
- Asset and fraud-related losses
- Brand and market damage as a result of publicized attacks
- Increased operating costs, legal and regulatory costs, and more
We can define the evolution of extortion attacks in terms of three waves.
Wave 1: In the Beginning, There Was Encryption
The rise of cryptocurrency enabled larger-scale crime with smaller-scale risk to the criminal. Threat actors quickly adopted ransomware as a profitable attack method, locking up critical files, holding them for ransom and demanding a cryptocurrency payment to unlock them. Cryptocurrency has since become a critical enabler of ransomware attacks:
- Reducing the attacker's risk of being identified
- Lowering the barrier to entry for cybercriminals
- Helping the attacker evade law enforcement and international sanctions
In those early ransomware cases, the playbook was simple. Get in, encrypt the files and get out. Unit 42 investigations from this period rarely uncovered signs of data exfiltration.
Attackers are now more sophisticated, often combining encryption with data theft and double extortion threats, but encryption itself is still a go-to tactic. In fact, Unit 42's latest incident response data shows that encryption remains the most common tactic used in extortion cases, holding relatively steady over the past four years.
Over time, as organizations have improved their data backup practices, encryption as the sole extortion tactic has become less effective. Backups have helped more organizations recover faster — nearly half (49.5%) of impacted victims were able to restore from backup in 2024. As seen in Figure 1, this is about five times as many as in 2022, when only 11% of victims were able to restore from backup.
Figure 1: The percentage of victims who successfully restored encrypted files from backup rose 360% between 2022 and 2024.
However, these defensive measures do little to counter the risk of attackers publishing or selling stolen data.
Wave 2: Upping the Ante With Data Exfiltration
As focusing solely on encryption became less effective, attackers pivoted to a new extortion tactic: data exfiltration and subsequent harassment. In addition to using exfiltrated data to pressure victims through blackmail and harassment, financially motivated actors gained additional revenue streams, such as auctioning data on dark-web marketplaces.
Attackers threatened to leak sensitive information publicly, often hosting leak sites touting their alleged victims. Some bombarded employees and customers with malicious messages.
However, while data theft remains a popular tactic, its effectiveness has started to decline for several reasons. Data breach fatigue has made dark web leaks less impactful in pressuring victims to pay.
According to the Identity Theft Resource Center's 2023 Data Breach Report, 353 million victims had their data leaked in 2023 alone. Additionally, while attackers do keep their promises more often than not, organizations are increasingly concerned about the times when they don't.
In fact, in fewer than two-thirds of cases with data theft in 2024 did attackers provide any proof of data deletion (only 58%). In some cases, Unit 42 became aware that despite providing such alleged “proof,” the threat actor had retained at least some of the data. While two-thirds of the time is still most of the time, that's far from the level of certainty most would expect when paying an (often exorbitant) fee for something.
Public leak site data supports this trend. After a 50% increase in leak site victims from 2022-2023, the number rose by only 2% in 2024. This may indicate that threat actors are finding leak site extortion less effective in compelling payments.
Extortion tactics rely on instilling fear and keeping the victim's full attention. To achieve this, threat actors will continue to evolve their methods to remain at the forefront of disruption.
This doesn't mean that attackers are abandoning exfiltration. As seen in Table 1, threat actors continue to steal data more than half the time, and their use of harassment is steadily rising. However, threat actors are piling on additional tactics to ensure they get their payouts.
Extortion Tactic | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|
Encryption | 96% | 90% | 89% | 92% |
Data Theft | 53% | 59% | 53% | 60% |
Harassment | 5% | 9% | 8% | 13% |
Table 1: Prevalence of extortion tactics in extortion-related cases.
Deliberate disruption is the next phase in the evolution of financially motivated attacks as threat actors continue to turn up the volume to get their victims' attention.
Wave 3: Intentional Operational Disruption
Attackers are increasing the pressure by focusing on a third tactic: intentional disruption. In 2024, 86% of incidents that Unit 42 responded to involved some sort of loss that disrupted the business either operationally, reputationally or otherwise.
Unit 42 observed attackers combining encryption techniques with data theft and then going even further with other tactics to visibly disrupt organizations. They damaged victims' brand reputation or harassed their customers and partners. Attackers also deleted virtual machines and destroyed data (section 5.1 offers a full breakdown of MITRE ATT&CK Techniques attackers used for this type of impact).
We have seen attackers disrupt victims who have deep partner networks that they rely on to conduct business. When an organization has to lock down parts of its network to contain the threat actor and remediate the attack before resuming operations, their partners are forced to disconnect. Once back online, the recertification process creates further disruption as partners reconnect to the network.
Sophisticated attackers have targeted enterprises leveraging these tactics — including in healthcare, hospitality, manufacturing and critical infrastructure — with the goal of causing widespread disruption not only to the business but their partners and customers as well.
As businesses grapple with extended downtime, strain on partner and customer relationships and bottom-line impacts, threat actors are taking advantage and demanding increased payments. Businesses looking to get their systems back online and minimize the financial impact (which can stretch to the millions and sometimes even billions) are being extorted for higher payments. The median initial extortion demand increased nearly 80% to $1.25 million in 2024 from $695,000 in 2023.
We also examined demands in terms of how much a threat actor perceives an organization can pay. (We based this on what the threat actor would find by searching for public sources of information about an organization.) The median initial demand in 2024 is 2% of the victim organization's perceived annual revenue. Half of the initial demands fell between half a percent (0.5%) and 5% of the victim's perceived annual revenue. On the high end, we have seen attackers attempt to extort amounts that are more than a victim organization's perceived annual revenue.
However, whereas demands have increased, Unit 42 continues to find success when negotiating the ultimate payment (for clients who pay). As a result, the median ransom payment has risen only $30,000 to $267,500 in 2024. When organizations pay, the median amount is less than 1% of their perceived revenue (0.6%). The median percent reduction negotiated by Unit 42 is therefore more than a 50% decrease from the initial demand.
Countermeasures: Remaining Resilient in the Face of Increasing Disruption
An important factor to consider when facing disruption-minded threat actors is operational resilience: Can you continue to function if critical systems go down or sensitive data is locked out of reach? Which business operations are essential to maintain? What are your disaster recovery and backup strategies? Are critical partners prepared to shift to new systems in the face of an attack?
The best way to find out is through regular testing and incident simulations, which validate your technical controls, train your response teams, and gauge your capacity to maintain essential services. By focusing on resilience, you not only mitigate the immediate financial impact of an attack, but also protect your long-term reputation and stakeholder trust — key assets in an increasingly volatile cyber landscape.
Extortion attacks and all that comes with them — encryption, data theft, harassment and intentional disruption — are no passing trend. Cybersecurity strategies must continuously evolve to counter the shifting technical tactics of attackers — while also recognizing that threat actors will continuously adapt to overcome stronger defenses.
Trend 2. Increasing Impact in Software Supply Chain and Cloud Attacks
As organizations increasingly rely on cloud resources for both operations and the storage of valuable data, incidents related to the cloud or SaaS applications are some of the most impactful we see.
A little less than one third of cases (29%) in 2024 were cloud-related. This means that our investigation involved collecting logs and images from a cloud environment or touched on externally hosted assets such as SaaS applications.
Those cases don't necessarily represent the situations in which threat actors are doing damage to cloud assets. We see this in about one in five cases in 2024 (21%), where threat actors adversely impacted cloud environments or assets.
Trend 3. Speed: Attacks are Getting Faster, Giving Defenders Less Time to Respond
Unit 42 has observed a notable acceleration in cyberattacks as threat actors increasingly adopt automation, ransomware-as-a-service (RaaS) models and generative AI (GenAI) to streamline their campaigns. These tools allow attackers to rapidly identify vulnerabilities, craft convincing social engineering lures and ultimately execute attacks at scale, faster.
The speed of attacks forces global organizations to reassess their response capabilities and prioritize early detection. In many cases, just a few hours can determine whether an attacker succeeds in completing their mission, including data theft, encryption or operational disruption. As attackers continue to refine their methods and accelerate their timelines, the need for proactive security measures and rapid incident response is critical.
One of the ways Unit 42 gauges attack speed is by measuring time to exfiltration — how quickly an attacker exfiltrates stolen data following initial compromise.
In 2024, the median time to exfiltration in attacks that Unit 42 responded to was about two days. This time frame is notable because organizations often take several days to detect and remediate a compromise.
Examining the subset of cases where exfiltration happened most quickly, the speed of exfiltration is even more concerning.
- In a quarter of cases, the time from compromise to exfiltration was less than five hours. This is three times faster than in 2021, when exfiltration in the fastest quartile of cases took place in less than 15 hours.
- For a large proportion of incidents, attackers are even faster: in one in five cases (19%), the time from compromise to exfiltration was less than one hour.
In three recent cases that Unit 42 responded to, we observed attacker speed in action:
- RansomHub (tracked by Unit 42 as Spoiled Scorpius) accessed a municipal government's network through a VPN that lacked multi-factor authentication. Within seven hours of gaining a foothold, the threat actor exfiltrated 500 GB of data from the network.
- A threat actor brute-forced a VPN account to gain access to a university. After identifying a system without XDR protection, they deployed ransomware and exfiltrated data within 18 hours.
- Muddled Libra (also known as Scattered Spider) successfully social-engineered a service provider's helpdesk to gain access to a privileged access manager (PAM) account. Using this access, they retrieved stored credentials and compromised a domain-privileged account — all within just 40 minutes. With domain access secured, the threat actor breached a password management vault and added a compromised account to the client's cloud environment, escalating permissions to enable data exfiltration.
Defenders have less time than ever to identify, respond to and contain an attack. In some cases, they have less than an hour to respond.
However, we are making progress in reducing dwell time, which is measured as the number of days an attacker is present in a victim environment before an organization discovers or detects the attacker. Dwell time in 2024 decreased 46% to 7 days from 13 days in 2023. This continues a trend of decreasing dwell time that we have observed since 2021, when dwell time was 26.5 days.
Countermeasures: Defending Against Faster Attacks
To improve your defense against ever faster attacks, consider the following tactics:
- Measure detection and response times: Track mean time to detect (MTTD) and mean time to respond (MTTR), and drive continuous improvement in both so your SOC gets faster.
- Leverage AI-driven analytics: Centralize data sources and identify anomalies in real time, surfacing critical alerts faster than manual methods.
- Use automated playbooks: Predefine containment actions to isolate compromised endpoints or lock down user accounts within minutes.
- Test continuously: Conduct regular tabletop and red-team exercises to ensure your SecOps team can pivot seamlessly from detection to response.
- Prioritize high-risk assets: Focus swift-response capabilities on your most critical systems, where downtime or data loss would be most damaging.
By integrating real-time visibility, AI insights and automated workflows, you can outpace even the fastest-moving adversaries.
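To make the speed metrics in this section concrete, here is an added example (not Unit 42's tooling or case data) that computes time to exfiltration with its first quartile and the share under one hour, dwell time in days, and the MTTD/MTTR figures the countermeasures refer to, over a constructed set of incident timelines in an assumed record format.

```python
from datetime import datetime
from statistics import mean, median, quantiles

# Constructed incident timelines (assumed record format, not Unit 42 case data).
# Each record holds the timestamps an investigation establishes; `exfiltrated`
# is None when no data theft was confirmed.
INCIDENTS = [
    {"id": "INC-1", "compromised": datetime(2024, 3, 1, 8, 0),
     "exfiltrated": datetime(2024, 3, 1, 8, 30),
     "detected": datetime(2024, 3, 3, 8, 0), "contained": datetime(2024, 3, 3, 14, 0)},
    {"id": "INC-2", "compromised": datetime(2024, 3, 10, 9, 0),
     "exfiltrated": datetime(2024, 3, 10, 12, 0),
     "detected": datetime(2024, 3, 17, 9, 0), "contained": datetime(2024, 3, 17, 21, 0)},
    {"id": "INC-3", "compromised": datetime(2024, 4, 2, 0, 0),
     "exfiltrated": datetime(2024, 4, 2, 20, 0),
     "detected": datetime(2024, 4, 5, 0, 0), "contained": datetime(2024, 4, 5, 4, 0)},
    {"id": "INC-4", "compromised": datetime(2024, 4, 20, 6, 0),
     "exfiltrated": datetime(2024, 4, 22, 6, 0),
     "detected": datetime(2024, 5, 4, 6, 0), "contained": datetime(2024, 5, 5, 6, 0)},
    {"id": "INC-5", "compromised": datetime(2024, 5, 1, 10, 0),
     "exfiltrated": datetime(2024, 5, 6, 10, 0),
     "detected": datetime(2024, 5, 30, 10, 0), "contained": datetime(2024, 5, 31, 10, 0)},
    {"id": "INC-6", "compromised": datetime(2024, 5, 15, 12, 0),
     "exfiltrated": None,
     "detected": datetime(2024, 5, 16, 12, 0), "contained": datetime(2024, 5, 16, 14, 0)},
]


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def time_to_exfiltration(incidents):
    """Hours from initial compromise to first confirmed exfiltration, per incident
    (incidents without confirmed data theft are excluded, as the metric requires)."""
    return [hours_between(i["compromised"], i["exfiltrated"])
            for i in incidents if i["exfiltrated"] is not None]


def speed_metrics(incidents):
    """Attack-speed and SOC-speed metrics over a set of incident timelines."""
    tte = time_to_exfiltration(incidents)
    detect = [hours_between(i["compromised"], i["detected"]) for i in incidents]
    respond = [hours_between(i["detected"], i["contained"]) for i in incidents]
    return {
        "median_tte_hours": median(tte),
        "q1_tte_hours": quantiles(tte, n=4)[0],       # the fastest quarter of cases
        "share_tte_under_1h": sum(t < 1 for t in tte) / len(tte),
        "median_dwell_days": median(h / 24 for h in detect),  # compromise -> detection
        "mttd_hours": mean(detect),                   # mean time to detect
        "mttr_hours": mean(respond),                  # mean time to respond (detect -> contain)
    }


if __name__ == "__main__":
    for name, value in speed_metrics(INCIDENTS).items():
        print(f"{name}: {value:.2f}")
```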
Trend 4. The Rise of Insider Threats: North Korea's Insider Threat Spree
Insider threats pose some of the most elusive risks for any organization, as they exploit the privileged access and trusted relationships that businesses depend on to operate. The ability to sidestep many external defenses makes these threats exceptionally challenging to detect.
North Korean nation-state threat groups have recently engaged in even more disruptive insider threat attacks by placing operatives in technical positions in international organizations. The campaign we track as Wagemole (also known as “IT Workers”) has transformed engineering roles themselves into another attack surface. This generates hundreds of millions of USD and other hard currencies for the North Korean regime in the process.
North Korean threat actors exploit traditional hiring processes with stolen or synthetic identities backed by detailed technical portfolios. These portfolios can include legitimate references obtained through identity manipulation and previous real work histories that pass basic verification.
About 5% of our incident response cases in 2024 related to insider threats, and the number of those tied to North Korea tripled compared to the previous year. While greater awareness of the threat may have led to more clients looking for it, it is significant that these threat actors continue to operate.
No sector is immune from this threat. In 2024, these actors expanded their reach to include financial services, media, retail, logistics, entertainment, telecommunications, IT services and government defense contractors. Large technology companies remained primary targets.
These campaigns typically target organizations utilizing contract-based technical roles. Staffing firms become unwitting facilitators for North Korean IT worker schemes due to:
- Abbreviated verification processes to meet rapid staffing demands
- Limited identity verification mechanisms
- Poor visibility into subcontracted workforce providers
- Pressure to quickly fill positions in a competitive market
While North Korean operatives have successfully obtained full-time positions, the contract workforce remains their most utilized vector of infiltration.
The technical sophistication of these operatives has evolved. Where they once relied heavily on commercial remote management tools, they've recently shifted toward more subtle approaches.
Most concerning is the increasing use of hardware-based KVM-over-IP solutions — small devices that connect directly to a target system's video and USB ports, providing remote control capabilities that can bypass most endpoint monitoring tools. These devices are attached to computers that the target organization itself issued to the operative, so company-provided hardware is turned to the threat actors' aims.
Visual Studio Code tunneling features, originally designed for legitimate remote development, now serve as covert channels for maintaining access.
The nature of these operations presents detection challenges because many operatives possess genuine technical skills. Their access appears legitimate because it is. They perform their assigned work while simultaneously serving their true objectives.
Once embedded within a company, in addition to illegally collecting salaries that help support the regime, these insiders engage in a range of malicious activities:
- Data exfiltration: Systematic exfiltration of sensitive business data and internal documentation — using security policies, vulnerability reports and interviewing guides to better evade detection while targeting client data, source code and intellectual property.
- Unauthorized tool deployment: Introducing remote management and other unauthorized tools to maintain access or prepare for further exploitation.
- Altering source code: With access to a source code repository, the threat actor may insert backdoor code, potentially enabling unauthorized system access across broader organizations or tampering with financial transactions.
- Extortion: In some cases, operatives leverage stolen data to demand ransoms, threatening to leak proprietary information. In some cases, they followed through on these threats.
- Fake referrals: Threat actors may refer their associates to the organization, leading to the hiring of additional fake IT workers. In some cases, the referred hires are merely clones of the original referrer, using different fake identities to pose as multiple individuals.
The North Korean IT worker scheme has shifted from simply collecting revenue to a more evasive insider threat strategy, targeting a wide range of organizations globally. The regime's strategic investment in these operations is a long-term commitment to this approach.
Defending against this threat requires a shift in how organizations approach both workforce management and security.
Addressing insider threats requires more than just technical controls. It demands a culture of security awareness and active monitoring of user activities, particularly among individuals with elevated privileges.
Measures such as implementing least privilege policies and acting on the results of thorough background checks can help minimize the potential for abuse. Additionally, organizations should pay close attention to behavioral indicators, such as unusual data transfers or last-minute system access by employees nearing their departure date. As part of this, it's important to have the ability to put together indicators from various data sources. A behavior may seem innocuous on its own but, in combination with other signals, may indicate the need for an investigation.
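The point above, that a single behavioral indicator is usually innocuous but several together warrant investigation, is illustrated by this added example (not Unit 42's tooling): it correlates a constructed HR departure feed, a proxy/DLP egress log and a VPN authentication log per user and per day, and flags only users with at least two signals. All log formats, thresholds and sample values are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed sample data in assumed formats (not Unit 42 case data).
# HR feed: user -> scheduled last working day, or None.
HR_RECORDS = {
    "alice": None,
    "bob": date(2024, 6, 14),
    "carol": date(2024, 6, 28),
}
# Proxy/DLP egress log: (timestamp, user, destination, bytes uploaded).
EGRESS_LOG = [
    (datetime(2024, 6, 3, 10, 5), "alice", "crm.example.com", 12_000_000),
    (datetime(2024, 6, 4, 11, 20), "alice", "crm.example.com", 15_000_000),
    (datetime(2024, 6, 10, 9, 40), "alice", "crm.example.com", 14_000_000),
    (datetime(2024, 6, 3, 9, 15), "bob", "git.example.com", 4_000_000),
    (datetime(2024, 6, 5, 14, 2), "bob", "git.example.com", 6_000_000),
    (datetime(2024, 6, 10, 23, 41), "bob", "drive.example.net", 900_000_000),
    (datetime(2024, 6, 4, 16, 0), "carol", "wiki.example.com", 2_000_000),
    (datetime(2024, 6, 10, 12, 30), "carol", "wiki.example.com", 3_000_000),
]
# VPN authentication log: (timestamp, user, result).
VPN_LOG = [
    (datetime(2024, 6, 10, 8, 55), "alice", "success"),
    (datetime(2024, 6, 10, 23, 30), "bob", "success"),
    (datetime(2024, 6, 10, 9, 5), "carol", "success"),
]

# Thresholds are illustrative assumptions; tune them to your own baselines.
EGRESS_SPIKE_FACTOR = 5          # today's upload volume vs. the user's trailing daily mean
EGRESS_MIN_BYTES = 100_000_000   # ignore spikes that are small in absolute terms
DEPARTURE_WINDOW_DAYS = 14
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))


def egress_spike(log, user, day):
    """True if the user's uploads on `day` dwarf their own earlier daily volumes."""
    per_day = defaultdict(int)
    for ts, u, _dest, nbytes in log:
        if u == user:
            per_day[ts.date()] += nbytes
    today = per_day.get(day, 0)
    baseline = [b for d, b in per_day.items() if d < day]
    if today < EGRESS_MIN_BYTES:
        return False
    # With no history at all, a large absolute upload is itself the anomaly.
    return not baseline or today > EGRESS_SPIKE_FACTOR * mean(baseline)


def off_hours_login(log, user, day):
    """True if the user successfully authenticated to the VPN outside working hours."""
    return any(u == user and r == "success" and ts.date() == day and ts.hour in OFF_HOURS
               for ts, u, r in log)


def imminent_departure(hr, user, day):
    """True if the user's scheduled last working day is within the window."""
    last_day = hr.get(user)
    return last_day is not None and 0 <= (last_day - day).days <= DEPARTURE_WINDOW_DAYS


def review_day(day_iso, hr=HR_RECORDS, egress=EGRESS_LOG, vpn=VPN_LOG):
    """Correlate the three sources for one day (ISO date string) and return
    {user: [signals]} for users with at least two signals; one signal alone
    is left as benign noise."""
    day = date.fromisoformat(day_iso)
    findings = {}
    for user in hr:
        signals = []
        if egress_spike(egress, user, day):
            signals.append("egress spike vs. own baseline")
        if off_hours_login(vpn, user, day):
            signals.append("off-hours VPN login")
        if imminent_departure(hr, user, day):
            signals.append("departure within 14 days")
        if len(signals) >= 2:
            findings[user] = signals
    return findings


if __name__ == "__main__":
    for user, why in review_day("2024-06-10").items():
        print(f"investigate {user}: {', '.join(why)}")
```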
Ultimately, trust must be balanced with verification. A single insider incident can undermine years of organizational progress, threaten intellectual property and inflict reputational harm. By fortifying internal processes, monitoring privileged access and emphasizing security at every level, businesses can significantly reduce the likelihood of a damaging insider event.
Trend 5. The Emergence of AI-assisted Attacks
Although still in early stages, malicious use of GenAI is already transforming the cyberthreat landscape. Attackers use AI-driven methods to enable more convincing phishing campaigns, automate malware development and accelerate progression through the attack chain, making cyberattacks both harder to detect and faster to execute. While adversarial GenAI use is more evolutionary than revolutionary at this point, make no mistake: GenAI is already transforming offensive attack capabilities.
GenAI tools, particularly LLMs, are being harnessed by both nation-state APTs and financially motivated cybercriminals to streamline and amplify attacks. These technologies automate complex tasks that previously required significant manual effort, accelerating the entire attack lifecycle.
For example, LLMs can craft highly convincing phishing emails that mimic legitimate corporate communications with unprecedented accuracy, increasing the success rate of phishing campaigns and making them harder to detect with traditional signature-based defenses. Malicious groups are already selling tools that can make convincing deepfakes (these range from free offerings to “enterprise plans” that offer deepfakes for as little as $249/month).
In malware development, LLMs assist in generating and obfuscating malicious code, enabling attackers to create polymorphic malware that can evade standard detection mechanisms. By automating the creation of exploit scripts and refining malware payloads, adversarial AI lowers the technical barriers for less-skilled threat actors, broadening the pool of potential attackers. Additionally, AI-driven tools enhance the capability to identify and exploit vulnerabilities.
One of the most profound impacts of AI-assisted attacks is the increase in the speed and efficiency of cyberattacks. Tasks that traditionally took days or weeks can now be completed in minutes.
To test this, Unit 42 researchers simulated a ransomware attack integrating GenAI at each stage of the attack. Figure 3 below demonstrates the speed of an attack before the use of GenAI — as benchmarked by the median time actually observed in our IR investigations — compared with the time when using GenAI.
Figure 3: Speed differences in a simulated attack, before and after using AI-assisted techniques (panels: With AI, Without AI).
Our testing took the time to exfiltration from the median of two days down to 25 minutes — about 100 times faster. While these are lab-based results, it's easy to see how this rapid progression from reconnaissance to exploitation significantly shortens the “time-to-impact,” making it challenging for organizations to respond in time to mitigate the damage.
These tactics can help you defend against AI-assisted attacks:
- Deploy AI-driven detection to spot malicious patterns at machine speed, correlating data from multiple sources.
- Train staff to recognize AI-generated phishing, deepfakes and targeted social engineering attempts.
- Incorporate adversarial simulations using AI-based tactics in tabletop exercises to prepare for rapid, large-scale attacks.
- Develop automated workflows so your SOC can contain threats before they pivot or exfiltrate data.
3. How Threat Actors Succeed: Common Effective Tactics, Techniques and Procedures
Threat actors continue to increase the speed, scale and sophistication of their attacks. This enables them to do widespread damage in a short time, making it difficult for organizations to detect their activity and mitigate it efficiently.
In our case data, we noted two key trends:
Threat actors frequently attack organizations on multiple fronts.
When we looked into how threat actors pursued their objectives, they pivoted from social engineering to attacking endpoints, cloud resources and others, as shown in Table 2.
Fronts of Attack | Percentage of Cases |
---|---|
Endpoints | 72% |
Human | 65% |
Identity | 63% |
Network | 58% |
 | 28% |
Cloud | 27% |
Application | 21% |
SecOps | 14% |
Database | 1% |
Table 2: Fronts of attack where we saw threat actors operating.
In 84% of incidents, threat actors attacked their intended victim across multiple fronts (70% of the time, across three or more). In some incidents we responded to, threat actors attacked across as many as eight fronts.
The growing complexity of attacks demands a unified view across all data sources. In 85% of cases, Unit 42 incident responders had to access multiple types of data sources to complete their investigation. Defenders should prepare to access and efficiently process information from these various sources across an organization.
The browser is a key conduit for threats.
Nearly half of the security incidents we investigated (44%) involved malicious activity launched or facilitated through employees' browsers. This included phishing, abuse of URL redirects and malware downloads, each exploiting the browser session without adequate detection or blocking.
The user's interaction with malicious links, domains or files, combined with insufficient security controls led to compromise. Organizations must improve visibility and implement robust controls at the browser level to detect, block and respond to these threats before they spread.
The sections that follow cover our observations about intrusion, as well as insights about common attack techniques that we've gleaned from Unit 42 case data.
3.1. Intrusion: Growing Social Engineering, Both Widespread and Targeted
In 2024, phishing reclaimed its spot as the most common initial access vector in Unit 42 cases, accounting for about a quarter of our incidents (23%), as shown in Figure 4.
Figure 4: Initial access vectors observed in incidents Unit 42 responded to over the years. Other social engineering includes SEO poisoning, malvertising, smishing, MFA bombing and compromising the help desk. Other initial access vectors include abuse of trusted relationships or tools, as well as insider threats.
The initial access vectors alone don't tell the whole story. Different initial access vectors often corresponded to different threat actor profiles and objectives. For example, when threat actors gained access through phishing, the associated incident type was most often business email compromise (76% of cases), followed distantly by extortion, specifically ransomware (nearly 9%).
Nation-state actors, which account for a small but impactful percentage of incidents, favor software/API vulnerabilities as the initial access vector.
Defenders should be aware of how commonly threat actors use previously compromised credentials, which they often purchase from initial access brokers. Searches of the deep and dark web can often reveal previously compromised credentials.
Some less common initial access vectors can lead to significant compromises. For example, Unit 42 continues to observe the cybercrime group Muddled Libra gaining access to organizations by social engineering the help desk. However, other threat actors are also leveraging the technique, such as a financially motivated actor based in Nigeria.
Actors using this type of technique perpetrate fraud without the use of malware, armed with forged identity documents or VoIP phone numbers geo-located in the city where their intended victims are based. The percentage of targeted attacks in our data has risen from 6% of incidents in 2022 to 13% in 2024.
Countermeasures: Defending Against Social Engineering Attacks
Defenders should continue to use defense-in-depth strategies to prepare for common initial access vectors and minimize the impact of threat actors who do gain access to systems.
Security training is a must to help prepare employees to resist social engineering attacks. It should go beyond phishing and spear phishing to also cover:
- Strategies for improving physical security (such as preventing badge tailgating)
- Best practices against device loss
- What to do if devices are stolen or left unattended
- Insider threat indicators
- Red flags to be aware of in help desk calls
- Signs of deepfakes
3.2. Attack Technique Insights From Unit 42 Case Data
Based on the tactics and techniques we observed the most sophisticated attackers using in 2024, our threat intelligence analysts identified three key insights for defenders:
- Any sort of access can help attackers. Even if a threat group seems focused on other targets, it's still important to be prepared to defend your organization against them.
- Advanced threat actors don't always use complex attacks. If a simpler approach will work, they will use it.
- Despite the prevalence of extortion, not all threat actors announce their presence. Nation-state threat actors, for example, often specialize in remaining in a compromised network quietly, especially through “living off the land” techniques.
The following sections go into more detail about techniques used by nation-state threat groups and other motivated actors.
Organizations often deprioritize defending against specific actors, believing those groups are focused on other targets. However, many actors have repeatedly shown us that persistent groups tend to impact many organizations along the path to achieving their final objectives.
Throughout 2024, Unit 42 has tracked many organizations breached by nation-state actors. These actors aren't always directly satisfying espionage objectives. Sometimes, they are commandeering devices to support their future activity (T1584 - Compromise Infrastructure).
For example, Insidious Taurus, aka Volt Typhoon, has been known to abuse these opportunistically compromised devices (often internet-facing network routers and internet-of-things assets) to create botnets that proxy command and control network traffic delivered to or from additional victims.
Actors have also been observed targeting and compromising technology vendors to collect specific sensitive customer information or even to exploit interconnected access to downstream victims (T1199 - Trusted Relationship).
Your network may still be at risk of compromise by threat actors, even if you are not their direct target.
The term “advanced persistent threat” has created an illusion that all these adversaries' activities will be novel and complex. In reality, even well-resourced actors often take the path of least resistance. This includes exploiting known (and even old) vulnerabilities (T1190 - Exploit Public-Facing Application), simply abusing legitimate remote access features (T1133 - External Remote Services), or stealing information using popular existing online services (T1567 - Exfiltration Over Web Service).
We see systemic issues and mistakes commonly repeated across networks, such as misconfigurations and exposed internet-facing devices. This lowers the barrier for malicious actors.
The majority of incidents involved financially motivated threat actors, many of whom move quickly and announce their presence for the purpose of extortion. However, we also see incidents in which adversaries avoid triggering alerts and make an effort to evade defensive mechanisms, for purposes such as espionage.
Attackers sometimes further exploit the complexity of networks by hiding within the “noise” of expected user activity. They abuse otherwise legitimate features of a compromised environment, an approach known as “living off the land.” The success attackers can garner with this approach highlights the often unmanageable challenge for defenders to categorize benign versus malicious activity.
As a very common real-world example, can you immediately tell the difference between administrators and an APT when observing the following actions?
- Executed commands
- System configuration changes
- Logins
- Network traffic
Technique | 2024 Trends
--- | ---
T1078 - Valid Accounts | This was one of the top techniques observed as an Initial Access vector, representing more than 40% of the kinds of grouped techniques observed in association with this tactic. It is likely enabled by weaknesses in identity and access management and attack surface management (ASM) such as:
T1059 - Command and Scripting Interpreter | This was the top Execution technique (for example, more than 61% of cases associated with the Execution tactic abused PowerShell in this way). Other commonly abused interpreters include native Windows shells, Unix shells, network device shells and application-specific shells used to perform various tasks.
T1021 - Remote Services | Abuse of these services was overwhelmingly the most observed technique for Lateral Movement (of the kinds of grouped techniques observed in association with this tactic, over 86% involved remote services). This further extends the trend highlighting reuse of legitimate credentials. Instead of more traditional uses of these credentials, here we see them used to authenticate through internal network protocols such as RDP (over 48% of cases), SMB (over 27% of cases) and SSH (over 9% of cases).
Table 3: Most prominent living off the land techniques from Unit 42 IR cases.
In addition to living off the land, we have observed a number of actors — particularly involved with ransomware — attempting to use EDR disabling tools to “modify the land” as part of their operations. Nearly 30% of the kinds of grouped techniques observed associated with Defense Evasion involved T1562 - Impair Defenses. This includes sub-techniques such as:
While there are many tricks, we are seeing more breaches involving threat actors abusing bring your own vulnerable driver (BYOVD) tradecraft. They use this technique to gain the permissions required to bypass, and even attack, EDR and other defensive protections installed on a compromised host. Related techniques include:
Countermeasures: Defending Against Common Effective TTPs
Defenders should maintain a clear understanding of the organization's internal and external attack surface. Periodically evaluate what data or devices are accessible or exposed on the public-facing internet, and minimize dangerous remote access settings and misconfigurations. Remove systems running on operating systems that are no longer supported with regular security updates, and be aware of vulnerabilities in your systems, including older ones — especially those with published PoC code.
Maintain an actionable baseline of your environment, including accounts, software/applications, and other activity that is approved for use. Implement robust logging and take advantage of analytic tools that can help quickly make connections between multiple data sources to detect unusual behavioral patterns.
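As an added example of the baseline-and-analytics countermeasure just described (this is not tooling from Unit 42 or from the report), the Python script below compares constructed logon and PowerShell telemetry against an assumed approved baseline, so that the Table 3 techniques (valid accounts, scripting interpreters, RDP/SMB) used by an intruder can be separated from the same features used by administrators. The account names, host names, log format and the baseline itself are all constructed for this example; the Windows event IDs and logon types are real, but the pipe-delimited layout is the example's own.

```python
"""Baseline-driven triage of living-off-the-land activity (added example).

Compares logon and PowerShell telemetry against an approved baseline so that
legitimate features (valid accounts, scripting interpreters, RDP/SMB) abused
by an intruder stand out from the same features used by administrators.
Every account, host, log line and baseline entry here is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed baseline of approved activity (an assumption, not a real org).
BASELINE = {
    "admin_accounts": {"svc_backup", "jsmith_adm"},
    # account -> hosts it is expected to reach over RDP/SMB
    "remote_paths": {
        "jsmith_adm": {"FS01", "DC01"},
        "svc_backup": {"FS01"},
    },
    "business_hours": range(7, 20),  # 07:00-19:59, local time
}

# Constructed telemetry: "timestamp|event|account|src_host|dst_host|detail".
# 4624 = successful logon (type=10 RemoteInteractive/RDP, type=3 network/SMB);
# 4104 = PowerShell script block. The field layout is this example's own.
SAMPLE_LOG = """\
2024-05-14T09:12:03|4624|jsmith_adm|ADMIN-WS|FS01|type=10
2024-05-14T09:40:51|4104|jsmith_adm|FS01|FS01|Get-Service -Name Spooler
2024-05-14T21:03:17|4624|jsmith_adm|HR-LAPTOP-07|FIN-DB02|type=10
2024-05-14T21:05:44|4104|jsmith_adm|FIN-DB02|FIN-DB02|powershell -enc SQBFAFgAIAAo
2024-05-14T21:09:02|4624|jsmith_adm|FIN-DB02|FS01|type=3
2024-05-14T10:15:00|4624|svc_backup|BACKUP01|FS01|type=3
2024-05-14T22:30:11|4624|mwong|HR-LAPTOP-07|FS01|type=10
"""


@dataclass
class Finding:
    ts: str
    account: str
    reasons: list = field(default_factory=list)


def parse(line):
    ts, event, account, src, dst, detail = line.split("|", 5)
    return {"ts": ts, "event": event, "account": account,
            "src": src, "dst": dst, "detail": detail}


def score_event(ev, remote_logons):
    """Return the baseline deviations for one event (empty list if none)."""
    reasons = []
    hour = int(ev["ts"][11:13])
    acct = ev["account"]
    if ev["event"] == "4624" and ev["detail"] in ("type=10", "type=3"):
        if ev["dst"] not in BASELINE["remote_paths"].get(acct, set()):
            reasons.append(f"remote access to {ev['dst']} not in baseline")
        if hour not in BASELINE["business_hours"]:
            reasons.append("remote access outside business hours")
        if acct not in BASELINE["admin_accounts"] and ev["detail"] == "type=10":
            reasons.append("RDP by non-admin account")
        remote_logons[acct] += 1
    if ev["event"] == "4104":
        # Encoded commands are a minimal marker; a real baseline would list
        # sanctioned scripts and flag anything outside it.
        if re.search(r"\s-enc(odedcommand)?\b", ev["detail"], re.I):
            reasons.append("encoded PowerShell command")
    return reasons


def triage(log_text):
    """Return (findings, deviations per account, remote logons per account).

    One deviation is weak evidence (admins work late sometimes); several
    independent deviations on one account within a short window are not.
    """
    findings, remote_logons = [], Counter()
    for line in log_text.strip().splitlines():
        ev = parse(line)
        reasons = score_event(ev, remote_logons)
        if reasons:
            findings.append(Finding(ev["ts"], ev["account"], reasons))
    by_account = Counter(f.account for f in findings)
    return findings, by_account, remote_logons


if __name__ == "__main__":
    found, per_account, _ = triage(SAMPLE_LOG)
    for f in found:
        print(f.ts, f.account, "; ".join(f.reasons))
    print("deviations per account:", dict(per_account))
```

Run on the constructed log, the administrator's daytime RDP to a baselined file server and the backup account's scheduled SMB access produce no findings, while the same administrator account reaching a database host at night and then running an encoded PowerShell command accumulates three findings, which is the pattern the multi-source correlation described above is meant to surface.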
4. Recommendations for Defenders
This section takes a closer look at systemic issues most frequently exploited by attackers and the targeted strategies to counter them. By proactively addressing these factors, organizations can significantly reduce cyber risk, strengthen resilience, and maintain a decisive edge against current and emerging threats.
4.1. Common Contributing Factors
Common contributing factors are systemic issues that enable threat actors to succeed time and again. By addressing these issues proactively, organizations reduce both the likelihood and impact of cyberattacks.
Drawing from thousands of incidents, we've identified three main enablers: complexity, gaps in visibility and excessive trust. These factors enable initial access, allow threats to escalate unchecked and amplify overall damage. Confronting them head-on will significantly strengthen defenses and improve resilience.
Today's IT and security environments often resemble a patchwork of legacy applications, bolt-on infrastructure, and incomplete transformation initiatives. This leads many organizations to rely on 50 or more disparate security tools. Acquired piecemeal to address individual threats, these tools typically lack integration, creating data silos and preventing teams from maintaining a unified view of their environments.
In 75% of incidents we investigated, critical evidence of the initial intrusion was present in the logs. Yet, due to complex, disjointed systems, that information wasn't readily accessible or effectively operationalized, allowing attackers to exploit the gaps undetected.
At the same time, multiple data sources are essential to detect and respond effectively. About 85% of incidents required correlating data from multiple sources to fully understand the scope and impact. Nearly half (46%) required correlating data from four or more sources. When these systems don't communicate — or the telemetry is incomplete — essential clues remain buried until it's too late.
Case in Point:
In one ransomware attack, the endpoint detection and response (EDR) system captured lateral movement, while the initial compromise was buried in unmonitored network logs. This fractured visibility delayed detection for an extended period of time, granting attackers ample time to exfiltrate data and deploy ransomware payloads.
Enterprise-wide visibility is the backbone of effective security operations, yet gaps remain common. Cloud services, in particular, present a significant challenge. Unit 42 found that organizations spin up an average of 300 new cloud services each month. Without proper runtime visibility, SecOps teams are unaware of both exposures and attacks. Unmanaged and unmonitored assets — whether they're endpoints, applications or shadow IT — provide attackers with easy entry points into an organization's environment.
In fact, issues with security tools and management were a contributing factor in nearly 40% of cases. These gaps allowed attackers to establish a foothold, move laterally and escalate privileges without being detected.
Case in Point:
In one incident, Muddled Libra used a privileged user account to elevate permissions in the client's AWS environment, granting it permissions for data exfiltration. Because the cloud service was not integrated with the organization's SOC or SIEM, the suspicious activity initially went undetected.
Overly permissive access is a dangerous liability. In the incidents we respond to, attackers consistently exploit overly permissive accounts and inadequate access controls to escalate their attacks.
In fact, in 41% of incidents, there was at least one contributing factor related to issues with identity and access management, including overly permissioned accounts and roles. This leads to lateral movement, access to sensitive information and applications, and ultimately enables attackers to succeed.
Here too, cloud environments are especially vulnerable: Unit 42 researchers found that in nearly half of cloud-related incidents, there was at least one contributing factor related to issues with identity and access management, including overly permissioned accounts and roles.
In many cases, attackers gained far more access than they should have given the types of roles they compromised. Once initial access is gained — through phishing, credential theft or exploiting vulnerabilities — this excessive trust allows attackers to rapidly escalate privileges, exfiltrate data and disrupt operations.
Case in Point:
In the case of an IT services company, attackers exploited overly permissive admin accounts to move laterally and escalate privileges after brute-forcing a VPN without multi-factor authentication. This excessive trust allowed the attackers to deploy ransomware across 700 ESXi servers, ultimately disrupting the company's main business operations and impacting over 9,000 systems.
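To make the excessive-trust factor concrete, here is an added Python check (not from the report or from Unit 42) that audits an IAM-style policy document for the overly permissive grants this section describes: wildcard actions or resources, and high-impact permissions allowed on every resource without a condition. The two policies and the list of sensitive actions are constructed for illustration; the statement format follows AWS IAM policy syntax, but the script makes no cloud calls and the "sensitive" list is an assumption a real team would curate for its own environment.

```python
"""Least-privilege check for IAM-style policy documents (added example).

Flags the kind of overly permissive role described in the text: wildcard
actions or resources, and high-impact permissions granted on every resource
without a Condition. The policies and the sensitive-action list are
constructed; the statement format follows AWS IAM syntax but nothing here
talks to AWS.
"""
import fnmatch
import json

# Constructed (assumption): actions that let a compromised principal widen
# its own access or pull data out. A real list is curated per environment.
SENSITIVE_ACTIONS = [
    "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "sts:AssumeRole", "s3:GetObject", "s3:ListAllMyBuckets",
]


def _as_list(v):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return v if isinstance(v, list) else [v]


def audit_policy(policy):
    """Return a list of (severity, statement_index, message) findings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not findings
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        star_action = any(a == "*" for a in actions)
        star_resource = any(r == "*" for r in resources)
        if star_action and star_resource:
            findings.append(("high", i, "full administrative access (Action:* on Resource:*)"))
            continue
        if star_action:
            findings.append(("high", i, "all actions allowed on " + ", ".join(resources)))
        for a in actions:
            if a.endswith(":*"):
                findings.append(("medium", i, f"service-wide wildcard {a}"))
            # fnmatch expands patterns such as s3:Get* against the sensitive list
            hits = [s for s in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(s, a)]
            if hits and star_resource and not has_condition:
                findings.append(("high", i,
                                 f"{a} grants {', '.join(hits)} on every resource without a Condition"))
    return findings


# Constructed policy resembling the overly permissive roles seen in incidents.
PERMISSIVE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::payroll/*"}
  ]
}""")

# Constructed: the same job's needs scoped to one bucket and gated on MFA.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-assets/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol) or "no findings")
```

The permissive policy yields three findings (read access to every bucket, a service-wide `iam:*` wildcard, and the identity-management actions that wildcard includes), while the scoped version yields none; a check like this run on every role at creation time is one practical way to keep the gap between a compromised role's access and its job's needs from growing.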
4.2. Recommendations for Defenders
By tackling complexity, gaps in visibility and excessive trust, organizations can materially reduce the risk and impact of cyberattacks. This not only avoids extended downtime and expensive breach remediation but also preserves operational continuity and stakeholder confidence. The following recommendations include strategies to address these systemic issues head-on.
5. Appendix: MITRE ATT&CK® Techniques by Tactic, Investigation Types and Other Case Data
5.1 Overview of Observed MITRE ATT&CK Techniques by Tactic
The following series of charts (Figures 5-16) show the MITRE ATT&CK® techniques we observed in association with specific tactics. Note that the percentages shown represent the prevalence of each technique when compared across the other kinds of techniques identified for each respective tactic. These percentages don't represent how often the techniques showed up in cases.
Figures 5-16 cover, in order, the Initial Access, Discovery, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration and Impact tactics.
Figure 5: Relative Prevalence of Techniques Observed in Association With the Initial Access Tactic
5.2. Data by Region and Industry
The most common type of investigation we performed in 2024 was network intrusion (roughly 25% of cases). Seeing so much of this investigation type is good news, since we use this classification when intrusion into the network is the only malicious activity we observe. We believe that the rise in this investigation type means that, in at least some cases, clients are calling us earlier in the attack chain, which can lead to stopping attackers before they have a chance to succeed at their other objectives.
While defenders in all industries and regions share many of the same concerns, we saw some variation by region and industry.
In North America, business email compromise was a close second to network intrusion (19% of cases versus 23%). In EMEA, if all extortion types are considered (with and without encryption), extortion slightly surpasses network intrusion in our data (31% of cases versus 30%).
It is clear how significant a concern extortion is when looking at our industry data. In the high technology industry, extortion with and without encryption was also the top investigation type (22%). This is also the case in manufacturing, the industry most commonly represented on ransomware groups' dark web leak sites (25%).
Business email compromise remains a substantial threat, particularly for financial services (25% of cases), professional and legal services (23%), and wholesale and retail (21%).
Aside from the substantial proportion of cases that involve or impact organizations' cloud services, we see a small but growing trend of cases primarily focused on cloud control plane or data plane compromises. This includes 4% of cases overall, but it's higher in industries such as high technology and professional and legal services (9% of cases for both). These specifically cloud-focused attacks have the potential for significant impact. In the case of attacks on the cloud control plane, attackers can gain access to an organization's entire cloud infrastructure. Attacks on the data plane have the potential to harvest a large amount of sensitive data, given the type and scope of data typically stored in the cloud.
Investigation Type by Region (panels: North America; Europe, the Middle East and Africa)
Figure 17: Investigation Type by Region - North America
Investigation Type by Industry
Figures 19-24 below show a breakdown of the top investigation types associated with the six industries most represented in our incident response data: High Technology, Professional & Legal Services, Manufacturing, Wholesale & Retail, Financial Services and Healthcare.
Figure 19: Investigation Type by Industry - High Technology
6. Data and Methodology
We sourced data for this report from more than 500 cases Unit 42 responded to between October 2023 and December 2024, as well as from other case data going back as far as 2021.
Our clients range from small organizations with fewer than 50 personnel to Fortune 500 and Global 2000 companies and government organizations with more than 100,000 employees.
The affected organizations were headquartered in 38 unique countries. About 80% of the targeted organizations in these cases were located in the U.S. Cases related to organizations based in Europe, the Middle East and Asia-Pacific form the other 20% of the work. Attacks frequently have impact beyond the locations where organizations are headquartered.
We combine this case data with insights from our threat research, which is based on product telemetry as well as on observations of dark web leak sites and other open-source data.
Incident responders have also shared their observations of key trends based on working directly with clients.
Several factors may impact the nature of our data, including a trend toward working with larger organizations with more mature security postures. We have also chosen to emphasize cases that we believe reveal emerging trends, which for some topics means focusing on smaller segments of the dataset.
For some topics, we chose to filter our data to remove factors that could skew our results. For example, we offered our incident response services to help our customers investigate potential impacts of CVE-2024-3400, which caused that vulnerability to be overrepresented in our dataset. In places, we corrected the data to remove this overrepresentation.
Our guiding principle throughout has been to provide the reader with insights into the present and future threat landscape, enabling improved defense.