According to the global report by Kaspersky Security Services ‘Anatomy of a Cyber World’, the government sector has emerged as the most targeted sector for the second consecutive year, accounting for 19% of all high-severity incidents in 2025. The industrial sector closely followed at 17%, while the IT sector rose to third place with 15%, displacing finance from the top three targeted industries.
The ‘Anatomy of a Cyber World’ is a comprehensive global report drawing on incident statistics from Kaspersky Managed Detection and Response, Kaspersky Incident Response, Kaspersky Compromise Assessment and Kaspersky SOC Consulting. This report sheds light on the most prevalent attacker tactics, techniques and tools, as well as the characteristics of detected incidents and their distribution across regions and industry sectors.
Building on these findings, the report reveals that the government bodies continued to be the most targeted sector in 2025. A deeper examination of the root causes of attacks within this sector uncovers that Advanced Persistent Threats (APTs) were the most common, accounting for 33.3% of incidents. This trend highlights the increasing sophistication of adversaries who persistently evolve their tactics to bypass automated protection. Additionally 18,9% of government organizations experienced social engineering attacks, underscoring that employees remain a critical entry point for cyber threats.
This dual vulnerability, from both advanced persistent attackers and social engineering campaigns, underscores the need to strengthen not only technology but also organizational resilience. Implementing measures such as role-based access control and limiting privileges can significantly reduce the impact of compromised accounts, particularly in large, distributed government environments.
The industrial sector presents a different but equally concerning profile. Threats in industrial environments are distributed with striking uniformity: APT-driven incidents constitute 17.8%, malware 14.9% and social engineering 13.9%. This pattern suggests that industrial organizations attract a broad range of adversaries with different capabilities and objectives, rather than being primarily targeted by a single type of threat actor. Notably, confirmed cyber exercises like red teaming accounts for 22.8% of incidents in the sector, the highest share among the top three industries, reflecting growing investment in proactive security validation among industrial organizations.
In contrast, the IT sector shows a markedly different pattern. With 41% of incidents attributed to human-driven APT attacks, the highest rate across all sectors, IT organizations are clearly a priority target for sophisticated threat actors seeking to exploit trusted relationships and scale their impact through supply chains. APT traces, which are artifacts from previous advanced persistent threat activity, were identified in an additional 17% of cases, while social engineering accounted for 11%. In contrast, red teaming represents only 9% of IT incidents, suggesting that proactive security testing remains underutilized relative to the sector’s actual threat exposure.
Interestingly, the finance sector was displaced from the top three targeted industries. According to the report, red teaming accounts for 36.1% of incidents, reflecting a mature, compliance-driven approach to proactive defense, while confirmed APT activity remains comparatively low at 11.5%. This pattern indicates that sustained investment in security assessment can effectively enhance a company’s ability to identify vulnerabilities early, avoiding costly breaches and reducing the risk of significant damage to reputation and operations.
"Government, industrial and IT organizations consistently attract sophisticated adversaries because of the strategic value of what they hold, operate and connect to geopolitical intelligence, critical infrastructure and global supply chains respectively. The 2025 data confirms that these attacks are not opportunistic: they are targeted and often aimed at establishing persistent access. Each of these sectors needs to operate on the assumption that determined attackers will find a way in, and focus their defenses on early detection, rapid containment and minimizing the window of exposure. So, proactive threat hunting, continuous monitoring and regular compromise assessments are no longer optional for organizations of any size across these industries," comments Sergey Soldatov, Head of Security Operations at Kaspersky.
To strengthen protection against human-driven attacks, Kaspersky recommends the following:
- Augment your existing security controls with human-led detection from Kaspersky Managed Detection and Response (MDR) and receive comprehensive and detailed analysis of security incidents with Kaspersky Incident Response. These services offer 24/7 monitoring and cover the entire incident management cycle – from threat identification to continuous protection and remediation.
- Align your internal processes and technologies with today’s evolving threat landscape through Kaspersky SOC Consulting. This service helps you build an in-house SOC from scratch, assess the maturity of an existing SOC or enhance specific capabilities such as detection and response procedures.
- Use centralized and automated solutions such as Kaspersky Next XDR Expert to enable comprehensive protection of all your assets. By aggregating and correlating data from multiple sources in one place and using machine-learning technologies, this solution provides effective threat detection and fast automated response.
To learn more about attacker tactics and techniques, the characteristics of detected incidents and their distribution across regions and industry sectors, read the full report.
