Cyber intrusions have become an unfortunate reality for organisations across all sectors. In the rapidly evolving currents of cyber security, the constant threat of the unexpected can be hard to ignore. In taking stock of the year that was, understanding the direction many of the trends have taken, we can begin to head off much of this uncertainty, preparing resilience to the changing winds of the threat landscape.
2024 was a year of emboldened cyber threat actor activity. The reality of cyber criminal threats remained ever-present, with a record number of ransomware victims reported in a year also marked by heightened law enforcement efforts. While a swell of less sophisticated threats arose on the back of increasing availability of code and tooling in open source, established threat actors maintained their focus and further operationalised their approaches, setting a course for a more challenging future.
And in 2024, a resurgence of mis- and disinformation on a global scale found purchase in a year of elections.
Our report “Cyber Threats 2024: A Year in Retrospect” examines the threat actors, trends, and motivations that captured the cyber threat landscape last year. It includes an overview of the factors influencing an overall increase in threat actor activity across all motivations, the evolving tools, techniques, and procedures (TTPs) of the world’s most sophisticated intrusion sets, and the impact wider geopolitics had on targeting during the year.
Dive into our report for knowledge that can help you navigate the shifting tides of cyber threats in 2025 and beyond.
Threat actors vary in motivation and sophistication, tailoring operations and opportunistic attacks in different sectors. Following is a view of sector-specific motivations summarized by PwC Threat Intelligence from 2024 case studies and in-house analytics.
Source: PwC Threat Intelligence, based on threat actors tracked and their activities.
The aerospace and defence sector, considered critical national infrastructure in most countries, has been persistently targeted by threat actors for sensitive data concerning military operations, plans, and capabilities. Further, technological innovation (such as the adoption of AI), increased interconnectivity, and the continued growth of defence contracting and spending have expanded this sector’s attack surface, including for cyber crime. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating.
The asset and wealth management (AWM) sector plays a vital role in managing the world’s financial capital, dealing in significant transactions across many industries – with levels of wealth garnering much attention from threat actors of multiple motivations, particularly cyber criminals. The significant funds managed by the AWM sector, including in cryptocurrency, are likely to attract attempts at high-value fraud, such as through business email compromise (BEC), as well as ransomware attacks. As the sector innovates and leans into emerging technologies, including those powering fintech, the attack surface impacting AWM organisations will continue to expand.
The automotive sector continues to evolve with tech transformation and innovation permeating organisations and increasing competition for consumer demands. Operational technology (OT) environments and manufacturers have emerged as a particularly lucrative target for financially motivated threat actors, including those conducting ransomware attacks. As companies continue to invest in electric, artificial intelligence (AI), and autonomous vehicle technologies, espionage motivated threat actors will increasingly target this sector for intellectual property theft and surveillance operations.
Financially motivated threat actors, particularly those engaging in ransomware and BEC attacks, have capitalised on opportunities to target organisations in the construction sector, which maintains sensitive information, including the application of emerging technologies, financial and business information, infrastructure plans, and project schematics. Construction projects with links to government or other public interest entities, including critical national infrastructure or other strategic projects, make this sector attractive for espionage motivated threat actors as well, including those seeking to pre-position for future possible malicious activity, including sabotage attacks, or to address intelligence requirements.
The education sector continues to digitise its operations as academic institutions require a constant flow of digital communication and readily accessible information, typically achieved through large networks with thousands of connected devices across users, including administration, researchers, and students. With an ever-expanding attack surface and a philosophy of openness and ease of access, this sector has increasingly faced targeted and opportunistic cyber attacks. Espionage motivated threat actors target education organisations for access to sensitive data about academics and research projects, and financially motivated threat actors impacted school systems and operations, particularly through ransomware attacks.
The energy sector continues to evolve its operational technology (OT) and invest in renewable energy sources, driving innovation, investments, and the adoption of new technologies around the world, whilst cyber attacks targeting this sector are often aligned with evolving geopolitical tensions and intelligence requirements. Espionage motivated threat actors have taken an interest in the intellectual property and security implications of energy issues and technologies, whilst some threat actors have resorted to sabotage attacks and hacktivism to disrupt operations. Financially motivated threat actors and ransomware attacks remain a major concern to energy sector organisations around the world.
The financial services sector continues to face challenges from financially motivated threat actors seeking to steal customer credentials and conduct attacks, such as ransomware and business email compromise (BEC), to extort and steal from institutions. These attacks are growing in sophistication and prevalence due to threat actor adoption of AI to generate deepfakes and phishing lures. Threat actors of other motivations continue to target financial services organisations as the sector increasingly innovates, digitises its operations, and embraces fintech.
The food and agriculture sector has faced more advanced cyber threats, as well as an increasing number of ransomware threat actors specifically, as organisations continue to integrate historically isolated operational technology (OT) environments into increasingly connected systems and pursue technological innovation. Traditional information technology (IT) systems are also critical to business operations, as food and agriculture organisations routinely intersect with other sectors for manufacturing, retail, and distribution operations. Cyber incidents involving food and agricultural organisations have broad-ranging effects across other sectors, exacerbating supply chain, pricing, sustainability, and food safety and security challenges.
Government sector entities, ranging from federal agencies to local levels and municipalities, continue to be a prime target for a range of threat actors seeking to fulfil intelligence requirements, respond to geopolitical shifts, and launch attacks alongside geopolitical tensions and conflict. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating. Threat actors also used AI to generate content for information operations targeting a range of government entities and political parties around the world.
The healthcare sector plays a vital role in society and is often focused on cutting edge innovation, which propagates across new equipment and treatments, making the attack surface increasingly populated with Internet of Things (IoT) devices and other emerging technologies. This sector is also impacted by rigorous regulatory standards and handles highly sensitive personal data, which is of interest to a range of threat actors. Ransomware attacks were significant in 2024 for their disruptions to healthcare operations.
The hospitality and leisure sector has experienced significant growth in recent years as travel continues to expand around the world and organisations increasingly embrace digitisation and technological innovation. Espionage motivated threat actors have targeted the sector for sensitive information and intelligence collection, whilst financially motivated threat actors have conducted attacks against the sector to disrupt operations and extort companies for data theft, service degradation, and harming brand reputations.
The legal sector continues to face a variety of cyber threats, in part due to its increasing reliance on technology, but also due to the inherent nature of dealing with sensitive legal information for a wide range of third parties. As the legal sector has transitioned to digital platforms for storing, managing, and transmitting confidential data, it has become more vulnerable to various cyber risks. Many of those risks are defined by likely threat scenarios which include compromising client confidentiality, jeopardising case integrity, stealing intellectual property, and incurring financial losses or reputational damages from data extortion attempts by cyber threats.
The manufacturing sector continues to face an increasing number of cyber attacks, particularly by ransomware threat actors and other cyber criminals employing schemes such as business email compromise (BEC), as organisations continue to integrate historically isolated operational technology (OT) environments into increasingly connected systems. Further, this sector underpins a wide tranche of other industries, and incidents involving manufacturing organisations have broad ranging effects across other sectors, exacerbating supply chain challenges and affecting industries reliant upon manufacturing operations.
The media and entertainment sector faces a unique threat landscape consisting of a range of threat actors targeting reporters, artists, content creators, publishers, distributors, production studios and staff, consumers, and others. Espionage motivated threat actors in particular have targeted media and entertainment organisations and individuals, such as investigative journalists and entertainment studios, for intelligence collection against corporate networks as well as through the deployment of commercial spyware against mobile devices. Media and entertainment organisations have also been targeted by cyber criminals as well as hacktivism and sabotage motivated threat actors, particularly in the context of heightened geopolitical tensions seen around the world. Intellectual property and sensitive communications and data associated with media and entertainment organisations have been targeted by threat actors of multiple motivations. With technological developments, such as Generative AI (GenAI), threat actors are exploiting these tools to generate malicious content for information operations and other attacks (such as deepfakes for cyber criminal schemes) targeting or exploiting media and entertainment sector entities.
Pharmaceuticals and life sciences organisations experience particular security challenges due to the nature of the sector, such as research into lifesaving treatments, the production of medications, patented methods and data, cutting edge innovation, and intellectual property. The application of emerging technologies (such as artificial intelligence) and this sector's growing reliance on third-party suppliers, increased digitisation, and a shift toward hybrid and multi-cloud environments, mean its cyber attack surface will also continue to expand. A range of threat actors have targeted this sector for intelligence collection, as well as for financial motivations through ransomware and extortion.
The professional services sector continues to integrate new technologies, such as cloud solutions and GenAI, as threat actors increasingly employ supply chain attacks, social engineering, and other tactics to circumvent identity and privileged access management and gain access to victim networks directly or through third parties. Certain industries within this sector face stricter requirements and regulations for data privacy and protection, making this sector a lucrative target for financially motivated threat actors. With vast amounts of commercially confidential data traversing professional services networks, espionage motivated threat actors have targeted these organisations for intelligence and intellectual property theft.
The resources and mining sector remains critical to a number of industries, particularly manufacturing and key technologies such as semiconductors, and is of interest to a range of threat actors. The attack surface continues to expand for this sector as systems are increasingly interconnected and operational technology (OT) bridges historically isolated systems. Espionage motivated threat actors have targeted the sector for intelligence collection and informing investments and trade concerning critical minerals. Financially motivated threat actors have targeted organisations in this sector as part of wider opportunistic campaigns that have had an outsized impact on manufacturing entities and their operations connected to resources and mining.
Numerous threat actors, varying in sophistication and motivation, have targeted the retail sector to gather customer data, including financial information, and cyber criminals continue to use credential stuffing attacks and account takeovers (ATO) for fraud and theft. E-commerce remains a highly competitive space, requiring retailers to innovate and deploy new technologies at speed. To stay competitive, many retailers have developed and patented their own software and technologies. This type of intellectual property, as well as the data (including advertising data) gathered from customers, can be the target of espionage motivated threat actors to facilitate intellectual property theft or fingerprint users and their digital footprints and behaviours.
The technology sector remains a high value target for both financially and espionage motivated threat actors, as organisations within this sector drive cutting edge innovation (including advancements in GenAI) and maintain sensitive user data and intellectual property. Whilst sensitive data is targeted for a number of motivations, intellectual property is valuable to those seeking to replicate products and services in a competitive market, or attempting to exploit common vulnerabilities in emerging technologies, such as those powering the growth of mobile applications. The technology sector also powers many industries and intersecting organisations, making it a strategic target for threat actors attempting to compromise supply chains and gain access to technology clientele and downstream environments. With more organisations adopting various technologies, such as cloud services and infrastructure, and more companies developing these solutions, the attack surface of the technology sector is expanding. Threat actors of all motivations are increasingly targeting the sector to compromise supply chains, target high value organisations and individuals, scale their access operations, and exploit AI tools.
The telecommunications sector includes companies involved with the long-distance transmission of information across various media, enabling communication services such as telephony and the internet. As such, the sector includes organisations providing broadband and mobile services through a physical medium which includes cables, telephone wires, satellites, and mobile networks such as the latest fifth-generation (5G) networks. Financially motivated attacks against this sector continue to be prevalent in the form of ransomware and data extortion attacks. Considered a key component of critical infrastructure, this sector is also a high value target for espionage motivated threat actors due to its unique, intelligence-rich data and telemetry, which can provide attackers with copious amounts of data and enable surveillance operations.
The transport and logistics sector continues to be a crucial component of the global supply chain and economy. Industries and organisations within this sector leverage operational technology (OT) and industrial control systems (ICS), leading to a broader attack surface across environments and increasing the potential for higher impact incidents to occur. Financially motivated threat actors have sought to compromise and monetize customer information or disrupt operations impacting client deliveries, such as rail and cargo transport. Other threat actors have capitalised on geopolitical tensions and conflict in their targeting and attacks against this sector.