High tech is the most targeted industry of 2025, Mandiant says


Cyber-criminals are shifting their priorities, as the high tech sector emerges as the most targeted industry of 2025, knocking finance out of the top spot, according to research from Mandiant.

The Google Cloud Threat researchers released their latest cyber trends report, based on 500,000 hours of incident investigations, looking at the tactics, techniques, and procedures cyber-criminals are using to breach barriers, exploit data, and destabilise defenses.

Cyber adversaries are shifting their tactics, Mandiant found, with increased specialisation.

Researchers found that cyber-criminals are now collaborating, with some threat actors using low-impact techniques to gain initial access to systems before handing this off to secondary groups, which then go on to execute high-impact attacks.

Despite the hand-off, the median time between an initial access event and the hand-off to a secondary group was just 22 seconds in 2025, with initial access partners increasingly pre-staging a secondary group’s malware during the initial breach, allowing secondary groups to act even faster.

This is reflected in the most common infection vectors, with ransomware operations now relying on prior compromise 30% of the time. Prior compromise was the third-most prevalent initial infection vector (10%) for intrusions overall.

Exploits, however, were the most common initial infection vector, accounting for 32% of all intrusions.

Advances in voice phishing, however, are making that tactic more attractive to attackers, accounting for 11% of all initial attack vectors. Email phishing, once a staple, dropped to just 6% of intrusions in 2025.

Further, global median dwell time is on the rise, according to the research, up to 14 days from 11 last year. Sophistication in detection evasion is likely contributing to this, with some cyber espionage groups capable of long, undetected stints.

Still, organisations are improving, with organisations being the first to detect evidence of malicious activity 52% of the time, up from 43% of the time in 2024.

Once ransomware groups are able to gain access to data and exfiltrate it, they continue to transform their tactics. Ransomware groups are now actively destroying their victims' ability to recover data as they routinely target backup infrastructure, management planes, and identity services.

The researchers also identified a split between cyber-criminals and espionage groups, as cyber-criminals opt for speed, and espionage groups aim for persistence.

Exploitation is routinely occurring before a patch is released, as the mean time to exploit vulnerabilities sank to -7 days and persistent groups leverage zero-days and deploy custom malware directly onto network appliances to bypass standard system reboots and defense efforts.




When it comes to AI, researchers find that threat actors consistently use the emerging tech to accelerate attacks, but Mandiant researchers “do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures.”

And this seems to be working. Instead of replacing tactics with AI, cyber-criminals are leveraging the tech to increase efficiency and efficacy – maybe enterprises should take note on their own AI deployments?




