2025 Cyber Incident Trends What Your Business Needs to Know

Malicious actors continue to exploit our connected digital ecosystem, disrupting organizations across all sectors. Some of the most significant evolutions in the cyber threat landscape stem from artificial intelligence ("AI")-enhanced intrusions and a surge in nation-state activity tied to rising geopolitical tensions. When cyber incidents do occur, organizations must manage not only the immediate demands of incident response, but the prolonged aftermath -- including ongoing engagement with law enforcement, regulatory bodies, and affected customers or stakeholders.

In this Legal Update, we highlight key trends shaping the cybersecurity landscape and offer practical recommendations to help mitigate the associated risks.

Over the past year, an estimated 16% of reported cyber incidents involved attackers leveraging AI tools, such as image and language generation models, to carry out sophisticated social engineering attacks. Generative AI ("GenAI") has increased the effectiveness of these attacks by making them more convincing and enabling automation of intrusion tools.

Threat actors are using GenAI in various ways to gain unauthorized access to a target organization's systems, including the following examples:

2. Ransomware

Ransomware remains a major threat to organizations across all sectors. Recent industry reports show a 12% year-over-year increase in ransomware-related breaches, with attackers adopting more aggressive extortion techniques and using more sophisticated tools. Threat actors now combine data encryption with more disruptive tactics, such as harassing employees and threatening critical operations, resulting in prolonged downtime and higher recovery costs. Notable ransomware groups include:

In response to the ongoing ransomware threat, companies appear to be shifting their approach. According to a recent industry report, approximately 63% of surveyed organizations declined to pay a ransom in the past year, an increase from 59% in 2024.

3. Nation State Threats in the Geopolitical Landscape

Nation-state threat actors have intensified their operations, targeting telecommunications, critical infrastructure, and strategic third-party service providers. These campaigns commonly employ cyber espionage and sophisticated deception tactics to steal user credentials and gain unauthorized access.

For example, China-based threat actor groups have dramatically increased their activities over the past year, with certain targeted industries suffering a 200% to 300% surge in attacks compared to the previous year. Two high-profile intrusions captured attention across the globe: Salt Typhoon and Volt Typhoon. The Salt Typhoon campaign successfully infiltrated major telecommunications networks in a wide-reaching cyber espionage operation. Meanwhile, Volt Typhoon involved the prepositioning of malicious code within critical infrastructure systems, raising serious concerns about the potential for escalation into physical harm or disruption.

In addition to technical intrusions, threat actors affiliated with nation-states have also exploited social engineering tactics such as pretexting and recruitment fraud to obtain privileged access. For example, North Korea-affiliated threat actors infiltrated US companies by fabricating documentation and creating highly convincing candidate profiles to secure employment in IT support roles -- positions they leveraged to harvest user credentials or execute fraudulent financial transactions.

Additionally, Iran-linked actors have been notable for their use of GenAI tools over the past year. In July 2025, an Iran-associated threat actor group reportedly amplified leaked information through AI chatbots following a hack-and-leak campaign targeting sensitive data of journalists. This emerging use of AI tools to magnify the impact of cyberattacks adds a new layer of complexity to incident response efforts.

4. Third-Party Attacks

A third-party attack occurs when a threat actor compromises a supply-chain partner, vendor, or software provider, and leverages that access to gain a foothold in the target organization's network. These attacks often cascade across interconnected systems, impacting multiple downstream entities and customers who rely on the compromised software or services.

Recent threat-intelligence reporting highlights a rise in financially motivated cybercrime that targets software providers as the initial entry point into broader corporate ecosystems. By breaching third-party vendors, threat actors can bypass traditional perimeter defenses and gain privileged access to sensitive business environments.

These threat actors frequently exploit hosted environments, such as cloud platforms and SaaS ecosystems, by moving laterally across customer instances, harvesting credentials, and exfiltrating proprietary data at scale. This tactic allows for a widespread impact, particularly when vendors serve multiple clients across industries.

Third-party supply chain compromises have become one of the most costly and persistent cyber threat vectors. According to recent data, these breaches incur an average cost of $4.91 million and take longer to identify and contain than any other form of cyber intrusion. The complexity of vendor relationships and the extended dwell times can contribute to delayed response times and increased exposure for affected organizations.

Recommendations

Maintaining a comprehensive, risk-based cybersecurity program remains the most effective defense against today's evolving cyber threats. As cyber threat activity grows more sophisticated and attacks become more frequent, organizations can take proactive steps to mitigate the risks outlined above. Although organizations vary in policy and technical maturity, each should strive for continuous improvement across all recommended areas.

Be Prepared for High-Stakes and Fast-moving Incidents: Organizations should consider:

Keep Policies and Procedures Up to Date and Top of Mind: Policies should reflect current threats and be accessible to key stakeholders. Organizations should consider:

Take Steps to Mitigate Against Third-Party Risks: To reduce the risk of attacks through third parties, organizations should review vendor due diligence and contractual safeguards to ensure the terms remain robust. The National Institute of Standards and Technology ("NIST") emphasizes that supply chain risk should be treated as an enterprise-wide concern and integrated into existing governance, acquisition, and risk-management processes. NIST's guidance outlines a comprehensive approach, including steps such as requiring vendors to attest to their secure software development practices and conducting criticality analyses to identify systems and components whose compromise would pose the greatest operational or mission impact.

The National Security Agency, separately and jointly with the Cybersecurity and Infrastructure Security Agency, published a series of best practices for cloud security and third-party risk. Key recommendations include:

Ensure that Infosec Has a Solid Process for Vulnerability Management: Given that vulnerability alerts and patches are issued frequently, businesses must promptly identify and remediate vulnerabilities before threat actors are able to exploit them. In addition, organizations should consider:

Engage with Industry Groups and Stay Informed on Regulatory and Law Enforcement Updates: The Cybersecurity Information Sharing Act of 2015 expired at the end of its effective period in September, without reauthorization by Congress, introducing legal uncertainty around cybersecurity information sharing. Despite this, timely and coordinated information sharing remains vital to strengthening an organization's security posture. Organizations should consider:

* * * * *

These examples highlight key trends and challenges that organizations have faced this year. While it is impossible to eliminate cyber risk entirely, prioritizing incident response readiness and regulatory compliance helps build technical resilience and places organizations in a much stronger legal position when they become the target of cyberattacks.