
Fewer Attacks, Greater Threats: The New Playbook Targeting Governments in 2025

The public sector is always under significant threat from nefarious actors seeking to undermine the systems that we collectively rely on for safety, security and our daily lives. As a former CISO in the healthcare sector, I witnessed firsthand the effects of cyberthreat activity on public infrastructure and the downstream implications to public goods and services. Staying on top of the changing landscape is a challenge for every cyber defender - even more so for those who serve the public sector.

In our latest Mind of the CISO survey, public sector respondents felt even more strongly than respondents from other sectors such as manufacturing, finance, or healthcare that their strategy and budget are strongly influenced by geopolitical tensions and nation state threats. Public sector respondents reported that:

  • 90% of their organizations’ cybersecurity strategy is influenced by geopolitical tensions
  • 94% of their cybersecurity budget is influenced by the volume of nation state threats

These responses clearly show that CISOs in the public sector are highly cognizant of the macro trends that shape their cybersecurity reality. At the same time, 44% of the participants in our survey indicated that they struggle to keep pace with the evolving threat landscape. So what changed over the course of the first half of 2025? Let’s take a look at the data from the Trellix Advanced Research Center (ARC) team.

Threat actor activity observed in 1H 2025

As tracked by our ARC team of researchers, Trellix global telemetry indicates a rapidly changing profile from Q1 to Q2 of this year, with a number of notable elements:

Changes in attack volume and sophistication:

  • Significant decrease in overall attack volume from Q1 to Q2
  • Shift from high-volume to more sophisticated, targeted attacks
  • Emergence of more diverse and balanced attack methods

Changes in infrastructure targets:

In Q1, threat actors focused on email security systems and federal-level targets.

In Q2, threat actors expanded their targets to include:

  • Municipal infrastructure
  • Government GitLab instances
  • Cloud infrastructure
  • Supply chain components

These indicators show a tactical evolution of threat actors from Q1 to Q2, with a marked shift from mass attacks to precise targeting. Additionally, the ARC team observed an increase in the sophistication of supply chain attacks, a growing focus on development infrastructure (GitLab), and greater emphasis on municipal and state-level targets.

Threat actors also changed their access methods to include more insider recruitment (particularly in tax and migration services), alongside increased supply chain compromises, zero-day exploitation, and compromises of GitLab instances.

Most active threat actor groups targeting public sector in 1H 2025

Who were the threat actors that emerged most prominently in Q1 and Q2? The first half of 2025 saw a diversification of threat actors, who represented a mix of state-sponsored and financially motivated groups using more organized access-as-a-service offerings and increased coordination in targeting efforts.

The seven most active threat actors targeting government entities in Q1 and Q2 2025 were:

  • APT29
  • APT36
  • Mustang Panda
  • Lazarus
  • APT28
  • Andariel
  • Kimsuky

Critical concerns for public sector

Public sector security architects, SOC analysts and CISOs should note a distinct shift in attacker targets between the first and second quarters of the year. Threat actors expanded their scope significantly:

  • In Q1, attackers primarily went after email systems, tax authority data, and financial systems.
  • By Q2, their scope widened to include government databases, software development platforms, and critical municipal service infrastructure.

These activities highlight the need to review architectures, defensive technologies, and techniques. Public sector security leaders should also adjust their reporting to make visible the expansion of the attack surface caused by decentralization, the growing risk that comes with interconnectivity, the greater likelihood of contractor and third-party vulnerabilities, and the ever-present budget constraints that are common in the public sector.

How public sector security leaders can respond to changing attack vectors and techniques

In light of the data from the first half of 2025, we recommend that cybersecurity professionals in the public sector take the following measures to respond to changing attack vectors and techniques.

First, focus on strategic measures that bring together teams and programs to achieve common security defense outcomes such as:

  • Develop or enhance supply chain security programs
  • Enhance municipal/state-level security capabilities
  • Establish cross-department security coordination

Second, enhance risk mitigation procedures so that they minimize upfront effort and exposure while concentrating on critical assets:

  • Perform regular security assessments of third-party providers
  • Increase monitoring of critical infrastructure and databases
  • Implement or enhance a zero-trust architecture

The bottom line

This analysis reveals a significant shift in the threat landscape targeting the public sector, with actors moving from high-volume, less sophisticated attacks to more targeted, sophisticated operations. The expansion of targeting to include state and municipal levels, along with the increased focus on development infrastructure, suggests a maturing threat landscape requiring enhanced security measures across all government levels.
