What the Data Tell Us About IT/OT Security Risks
By Cam Sivesind
Fri | Aug 29, 2025 | 10:09 AM PDT

When Mandiant releases its M-Trends report, the industry pays attention. The 2025 edition, presented at the SecureWorld Critical Infrastructure Virtual Conference on August 28th, sheds light on the tactics, techniques, and campaigns that shaped the past year—and the implications for defenders tasked with protecting IT and OT systems.

In the report, Mandiant drew insights from 450,000-plus hours of incident response engagements across 73 countries. The data reveal a cyber threat landscape where attackers exploit every available opportunity:

  • Exploits were the #1 initial intrusion vector, accounting for 33% of intrusions—consistent with prior years.

  • Stolen credentials (16%) surpassed email phishing (14%) as the second most common entry point, fueled by infostealer malware and underground credential markets.

  • Median dwell time—the number of days attackers remain undetected—rose slightly to 11 days (up from 10 in 2023), though still far below the 205 days seen a decade ago.

  • 57% of organizations first learned of a breach from external sources, including law enforcement and adversaries themselves (via ransom notes).

The report was detailed during the opening keynote of the SecureWorld Critical Infrastructure virtual conference, co-presented by Chris Plesiuk and James Young, senior consultants at Mandiant, part of Google Cloud. For those who missed the live event, it is available on-demand through November 28. It's free and earns attendees 6 CPE credits. Use the link above to register and see the full agenda.

According to the report, the financial sector was the most targeted industry, representing 17.4% of incidents, followed by business services, high tech, government, and healthcare.

For operators of critical infrastructure, the findings are especially concerning:

  • Energy, transportation, and utilities all ranked among the top targeted sectors.

  • Mandiant highlighted Russian APT44 (Sandworm) and North Korean APT45 as persistent threats to infrastructure, both leveraging zero-day exploits and ransomware for disruption.

This aligns with the keynote theme at SecureWorld: attackers are finding success at the IT/OT boundary, where legacy systems meet modern connectivity.

Ransomware accounted for 21% of all incidents, with brute-force attacks (VPN and RDP password spraying) serving as the most common entry vector.

Two groups dominated the ransomware landscape in 2024:

  • RANSOMHUB, which overtook LockBit as the most prolific data leak site (DLS)

  • REDBIKE (aka Akira), equally widespread and responsible for intrusions across Windows and ESXi environments

Notably, 56.5% of ransomware intrusions were detected within one week, highlighting attackers' incentive to monetize quickly through extortion.

Cloud attacks surged, with email phishing (39%) and stolen credentials (35%) as leading causes. Two notable threat actors emerged:

  • UNC5537, linked to the Snowflake customer data theft campaign

  • UNC3944, notorious for social engineering service desks to reset MFA, then abusing SSO to spin up new cloud VMs

Other growing risks include:

In the SecureWorld keynote, Young discussed myths versus reality when it comes to OT security.

The myth is that OT systems are secure because they are not connected directly to the internet; the reality is that Google dorks, Shodan, and scanning large ranges all show OT equipment exposed. Another myth is that an IT/OT firewall is enough to protect OT; the reality is "what's the latest critical vulnerability on a firewall?"

In the presentation, Plesiuk talked about "the seven deadly sins" that we commonly see in OT environments. "So we just looked at the adversary's playbook—how they get from a simple phish to a physical blackout," he said. "The scary part is their success doesn't rely on some exotic, billion-dollar zero-day exploit. It relies on a pattern of fundamental failures that we see time and time again at the IT/OT bucket."

"We've distilled these recurring failures into what we call the seven deadly sins of IT/OT integration," Plesiuk continued. "We call them sins for a reason. Like their counterparts, they're often born from taking shortcuts, choosing the path of convenience or inertia over the path of diligence. They're tempting in the short term, but they lead to disastrous consequences."

Here are the seven deadly sins of IT/OT integration, per Young and Plesiuk:

  1. Flawed firewall rules: Overly permissive or poorly configured firewalls that fail to properly segment networks

  2. Insecure jump hosts: Unhardened or poorly managed jump hosts providing an easy pathway for attackers

  3. Shared credentials: The use of the same credentials across both IT and OT environments

  4. Unmonitored protocol usage: Lack of visibility and control over the communication protocols used at the IT/OT boundary

  5. Weak authentication & access control: Inadequate authentication methods and lax access controls within OT networks

  6. Lack of network segmentation: Flat network architectures that allow for easy lateral movement once an attacker gains a foothold

  7. Outdated and unpatched systems: The prevalence of legacy systems in OT environments with known, unpatched vulnerabilities
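As an added illustration (not from the article, the keynote or Mandiant), a short Python audit over a constructed boundary firewall ruleset flags several of the sins above: any-source, any-port allows into OT (sins 1 and 6), common OT protocol ports (Modbus/TCP, S7comm, DNP3, EtherNet/IP on their standard ports) reachable from anything other than a designated jump host (sins 2 and 4), and allow rules into OT that are not logged (sin 4). Rule names, zones and addresses are made up for the example.

```python
# Audit a boundary firewall ruleset for the IT/OT "deadly sins"; every rule, zone and jump-host address here is constructed sample data.
from dataclasses import dataclass

# Standard ports of common OT protocols; traffic to these should only come
# from hardened, monitored jump hosts, never from general IT address space.
OT_PROTOCOL_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

@dataclass
class Rule:
    name: str
    dst_zone: str
    src: str       # "any", a CIDR, or a single host address
    ports: str     # "any" or a comma-separated list of TCP ports
    action: str    # "allow" or "deny"
    logging: bool  # whether matches are logged (visibility at the boundary)

def rule_ports(rule):
    """Return the set of destination ports a rule covers, or None for 'any'."""
    return None if rule.ports == "any" else {int(p) for p in rule.ports.split(",")}

def audit(rules, jump_hosts):
    """Return (rule name, finding) pairs for allow rules that reach the OT zone."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != "OT":
            continue
        ports = rule_ports(r)
        # Sins 1 and 6: an any-source, any-port allow into OT is a flat network.
        if r.src == "any" and ports is None:
            findings.append((r.name, "sin 1/6: any-source any-port allow into OT"))
        # Sins 2 and 4: OT protocols reachable from something other than a jump host.
        hit = set(OT_PROTOCOL_PORTS) if ports is None else ports & set(OT_PROTOCOL_PORTS)
        if hit and r.src not in jump_hosts:
            protos = ", ".join(OT_PROTOCOL_PORTS[p] for p in sorted(hit))
            findings.append((r.name, f"sin 4: {protos} reachable from non-jump-host {r.src}"))
        # Sin 4: boundary traffic that is not logged cannot be monitored.
        if not r.logging:
            findings.append((r.name, "sin 4: allow rule into OT without logging"))
    return findings

SAMPLE_JUMP_HOSTS = {"10.1.5.10"}  # constructed: the one sanctioned jump host
SAMPLE_RULES = [  # constructed ruleset, in evaluation order
    Rule("it-to-ot-catchall", "OT", "any", "any", "allow", False),
    Rule("jump-to-plc-modbus", "OT", "10.1.5.10", "502", "allow", True),
    Rule("eng-ws-to-plc-s7", "OT", "10.1.8.0/24", "102,22", "allow", True),
    Rule("default-deny", "OT", "any", "any", "deny", False),
]
```

Running `audit(SAMPLE_RULES, SAMPLE_JUMP_HOSTS)` reports three findings for the catch-all rule and one for the engineering-workstation rule, while the logged jump-host rule passes clean.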

Per usual, the report offers key takeaways for cybersecurity leaders:

  1. Prioritize edge security: With vulnerabilities in VPNs, firewalls, and endpoint management servers topping the exploited list, security teams must treat perimeter devices as critical assets for patching and monitoring.

  2. Elevate SaaS and cloud governance: As the Snowflake and SSO campaigns show, attackers are abusing cloud identity and trust relationships at scale.

  3. Treat insider threats as nation-state vectors: The use of disguised North Korean IT workers to gain privileged access elevates insider risk from nuisance to geopolitical weapon.

  4. Prepare for IT/OT boundary breaches: Critical infrastructure operators must harden the interfaces between operational systems and IT, with segmentation, anomaly detection, and zero-trust enforcement.

The M-Trends 2025 report confirms what many defenders already sense: adversaries are faster, more opportunistic, and increasingly targeting the weakest trust boundaries—whether at the IT/OT edge, in the cloud, or inside vendor supply chains.

As highlighted in the SecureWorld keynote by Mandiant senior consultants Chris Plesiuk and James Young, the trust model itself is under siege. To defend critical infrastructure, cybersecurity leaders must embrace rigorous visibility, cross-domain monitoring, and resilience planning—or risk being the next statistic in Mandiant's 2026 report.
