
Now in 2H 2025, the cybersecurity landscape is not just active; it’s industry-specialized and precision-targeted. Sophisticated threat actors no longer take a “spray-and-pray” approach.
Instead, they study your sector, exploit your business model, and even train their malware to mimic your workflows.
Chief Information Security and Strategy Officer, Concentric.ai.
To outpace attackers, CISOs must understand who is targeting their industry, how they’re doing it, and why – and then convert that knowledge into action through a robust threat intelligence program (TIP).
Without threat intelligence, your defenses are based on guesswork. Threat actors know your industry, your environment, and your users. Your defenses should know them too.
The Essential Threat Intelligence Program (TIP)
A mature threat intelligence capability isn’t just about collecting feeds—it’s about translating threat data into actionable defenses. With a modern program, you can:
– Identify threat actors and tactics, techniques, and procedures (TTPs) targeting your industry with high fidelity.
– Use frameworks like MITRE ATT&CK to reduce risk.
– Enhance detection and response via security information and event management (SIEM), security orchestration, automation, and response (SOAR), and endpoint detection and response (EDR).
– Customize awareness training to real attack scenarios.
– Provide executive-ready reports that inform decisions.
To unlock the value of threat intelligence, integrate it into your security fabric. For example:
Detection engineering – Map TTPs to MITRE, build detections, and enrich SIEM/extended detection and response (XDR) with relevant actor indicators of compromise (IoCs).
Automated response (SOAR) – Tag alerts by actor and sector and trigger playbooks aligned to threat profiles.
Vulnerability management – Prioritize patches tied to active threats.
Security awareness – Simulate actor-based phishing (e.g., QR-phishing from TA577) and train teams against deepfake voice attacks.
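The detection-engineering and SOAR integration described above, as an added example that is not part of the original article: alerts carrying MITRE ATT&CK technique IDs are scored against a per-sector actor profile, tagged by actor and sector, and routed to a playbook. The actor-to-technique mappings, playbook identifiers and sample alerts are constructed for illustration; only the actor names come from the article and the technique IDs are real ATT&CK identifiers.

```python
"""Added example: enrich SIEM-style alerts with sector threat-actor context and
choose a SOAR playbook. Profiles, playbook names and alerts are constructed for
illustration (actor names from the article; technique IDs are real ATT&CK IDs)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sector threat profiles: actor -> ATT&CK techniques attributed to it (constructed).
THREAT_PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "healthcare": {
        "Scattered Spider": {"T1566", "T1078", "T1021.001", "T1047", "T1569.002"},
        "Black Basta": {"T1566", "T1021.001", "T1569.002"},
    },
    "technology": {
        "Midnight Blizzard": {"T1528", "T1078"},
        "UNC5537": {"T1574.002", "T1078"},
    },
}
# Playbook per actor profile (hypothetical playbook identifiers).
PLAYBOOKS = {
    "Scattered Spider": "pb-helpdesk-identity-lockdown",
    "Black Basta": "pb-ransomware-containment",
    "Midnight Blizzard": "pb-oauth-token-revocation",
    "UNC5537": "pb-endpoint-isolate-and-triage",
}
DEFAULT_PLAYBOOK = "pb-standard-triage"

@dataclass
class Alert:
    alert_id: str
    techniques: List[str]                      # ATT&CK IDs fired by detection rules
    actor_tags: List[str] = field(default_factory=list)
    playbook: str = DEFAULT_PLAYBOOK
    priority: str = "low"

def enrich(alert: Alert, sector: str) -> Alert:
    """Score each actor in the sector profile by how many of the alert's techniques
    it is known to use, tag the alert, and route it to the best match's playbook.
    Overlap >= 2 is 'high', 1 is 'medium'; no overlap keeps the default triage."""
    profile = THREAT_PROFILES.get(sector, {})
    observed = set(alert.techniques)
    scores = {actor: len(observed & ttps) for actor, ttps in profile.items()}
    # Highest overlap first; ties broken by actor name for deterministic routing.
    matched = sorted((a for a, n in scores.items() if n), key=lambda a: (-scores[a], a))
    alert.actor_tags = [f"actor:{a}" for a in matched] + [f"sector:{sector}"]
    if matched:
        best = matched[0]
        alert.playbook = PLAYBOOKS.get(best, DEFAULT_PLAYBOOK)
        alert.priority = "high" if scores[best] >= 2 else "medium"
    return alert
```

Calling `enrich(Alert("A1", ["T1021.001", "T1569.002"]), "healthcare")` routes an RDP-plus-PsExec chain to the ransomware playbook at high priority, while the same OAuth token-theft technique that is high-signal in the technology profile stays at default triage in healthcare.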
CISOs should fold threat intelligence updates into their program’s regularly scheduled briefings to the board and executive team.
Those updates should cover industry threat trends and peer incidents, actor motives and evolving techniques, and risk outcomes and funding needs.
These insights frame cybersecurity as strategic and business-aligned—not just reactive.
Threat actors by industry
Each industry faces specialized threats. Here is a summary of some of the top threat actors, techniques, and trends by sector.
Threat Actors in Healthcare
Threat actors include Scattered Spider (UNC3944), Black Basta, RansomHub, and NoEscape. TTPs comprise SIM-swapping to bypass multi-factor authentication (MFA), compromise of cloud and SaaS-based platforms, lateral movement via Remote Desktop Protocol (RDP) and unmanaged endpoints, and abuse of third-party vendor access.
Actors impacting healthcare are (1) using social engineering like fake job offers to impersonate insiders or vendors; (2) bypassing MFA via help desk and recovery process abuse; and (3) leveraging advanced lateral movement, such as Living Off the Land Binaries (LOLBins), Windows Management Instrumentation (WMI), and PsExec, to persist across segmented networks.
The FBI has warned that Scattered Spider actors are targeting healthcare help desk software and bypassing two-factor authentication (2FA) via support call impersonation. Lifewire reports MFA bypass is becoming a common entry point across ransomware campaigns in healthcare.
Threat actors in financial services
Actors include APT38 (Lazarus), TA577, and Storm 1811. TTPs comprise deepfake-enabled voice fraud, QR-phishing targeting mobile banking apps, deployment of rogue investment and payment apps, and abuse of third-party payment processors.
In financial services, threat actors are (1) using deepfake voice scams to authorize fraudulent transfers; (2) launching QR-code phishing to steal financial credentials; and (3) spreading fake apps to harvest data and deploy malware—exploiting gaps in training, mobile security, and vendor risk.
The FBI has recently highlighted the rise of deepfake voice fraud schemes, resulting in multi-million-dollar wire fraud losses at financial institutions.
Cybersecurity firms report a surge in QR-code phishing campaigns impersonating major banks, leading to credential compromise and account takeovers. Industry alerts have noted the emergence of rogue mobile apps masquerading as legitimate fintech tools, which increases exposure to credential theft and mobile malware infections.
Threat actors in manufacturing & OT
Threat actors here include Volt Typhoon, Sandworm, LockBit 3.0, and Muddled Libra (Scattered Spider). TTPs comprise living-off-the-land techniques using WMI and PsExec, credential harvesting, industrial control systems (ICS) protocol manipulation, and exploitation of legacy and OT-specific protocols.
In this vertical, Volt Typhoon targets hybrid information technology (IT)/operational technology (OT) environments, exploiting weak segmentation and identity controls to maintain long-term access and enable future disruption. Multiple government agencies confirm that Volt Typhoon has been pre-positioning on IT networks to pivot into OT for potential sabotage (CISA Advisory).
Analysts report Volt Typhoon maintained covert access to a small U.S. utility’s OT network for nearly a year, demonstrating sophisticated persistence and stealth. Sandworm’s continued targeting of industrial control systems highlights the increasing risk to manufacturing and critical infrastructure sectors.
Threat actors in retail & eCommerce
Actors here include Magecart Group 6, Storm-0539 (aka ATLAS LION), and LAPSUS$. TTPs comprise checkout hijacking via browser plugins and JS skimmers, account takeover through credential or session theft, and insider-assisted attacks for direct system access.
Retail threat actors are exploiting compromised employee credentials and phishing campaigns—often via QR and SMS—to inject payment card skimmers, hijack checkout flows, and create fraudulent gift cards.
Increasingly, these operations combine AI-powered phishing and insider recruitment tactics to bypass MFA, stealthily compromise POS systems, and harvest customer payment data over prolonged periods. Magecart skimmers steal payment cards from ecommerce sites and are fueling a resurgence of JS-based checkout skimming.
Microsoft observes Storm-0539 spear phishing and smishing campaigns targeting gift card workflows at U.S. retailers, enabling MFA bypass via AI-aided phishing pages (Microsoft). CISA alerts and case studies reveal that LAPSUS$ is recruiting insiders and abusing valid accounts for non-ransom data extortion across retail entities (CISA).
Threat actors in technology & SaaS
Actors here include Midnight Blizzard (APT29), UNC5537, and UNC3886. TTPs comprise OAuth token exfiltration, CI/CD supply chain poisoning (e.g., GitHub Actions), and DLL sideloading.
Technology & SaaS APTs are targeting cloud-native pipelines, exploiting OAuth tokens and continuous integration (CI)/continuous delivery/deployment (CD) workflows, while using dynamic link library (DLL) sideloading for stealthy persistence and escalation.
APT29 continues to leverage OAuth token theft for deep infiltration of cloud services and SaaS environments (Microsoft). Recent supply chain attacks have focused on GitHub Actions workflows, poisoning build pipelines to insert backdoors (CISA Alert). UNC5537 and UNC3886 have been observed using DLL sideloading to bypass application whitelisting and execute malware under the guise of legitimate software (CrowdStrike).
Threat actors in energy & critical infrastructure
Actors include Volt Typhoon, ChamelGang, Xenotime, and DarkTortilla. TTPs comprise firmware implants, watering-hole attacks on vendor portals, and field engineer credential theft.
Threat actors targeting critical infrastructure use firmware implants, vendor watering-hole attacks, and stolen field engineer credentials—exploiting supply chain and identity weaknesses. Volt Typhoon continues to leverage OAuth token theft for deep infiltration of cloud services and SaaS environments (CISA).
Xenotime is noted for deploying malware targeting industrial control systems, leveraging stolen credentials from field personnel to escalate access (Dragos).
Final Word: Don’t Just Secure—Counter the Adversary
Without threat intelligence, your defenses are guesses. Threat actors know your industry, your software, and your systems. Your defenses should know them too, and you should be communicating this information to your board or executive team.
Organizations should build their cybersecurity programs around their adversaries—not assumptions. Threat actors are hyper-focused by industry, so building a centralized threat intelligence engine that feeds detection, response, and training is critical.
Finally, teams should use news-backed intelligence for reporting urgency, and conduct quarterly executive briefings.