Tuesday, November 5, 2024

DHS warns of escalating threats to US critical infrastructure in 2025 Homeland Threat Assessment


The U.S. Department of Homeland Security (DHS) highlighted in its 2025 Homeland Threat Assessment (HTA) that domestic and foreign adversaries are almost certain to continue posing threats to the integrity of the nation’s critical infrastructure over the next year. This is partly because they believe that targeting these sectors could have widespread effects on U.S. industries and the standard of living. There is particular concern regarding the credible threat from nation-state cyber actors to U.S. critical infrastructure.

The People’s Republic of China (PRC), Russia, and Iran are expected to remain the most pressing foreign threats to U.S. critical infrastructure. Nation-states, criminal hacktivists, and financially motivated criminals will likely hone their techniques to disrupt U.S. services or to conduct espionage focused on gaining access to U.S. networks and critical infrastructure entities. The DHS assesses that domestic and foreign violent extremists will continue to call for physical attacks on critical infrastructure in furtherance of their ideological goals and in response to international conflicts and crises.

“The Homeland Security Assessment provides an important overview of the dynamic and evolving threat landscape, illustrating just how varied and challenging the threats we confront are,” Alejandro N. Mayorkas, Secretary of Homeland Security, said in a media statement. “It is because of the remarkable DHS workforce, and our close collaboration with our federal, state, local, tribal, territorial, and private sector partners, that we are able to meet the challenges and keep the American people safe and secure.”

The DHS threat assessment evaluates that the threat landscape includes sophisticated nation-state cyber actors, criminal hacktivists conducting nuisance-level attacks, and financially motivated cyber criminals pursuing profits. Adversarial state cyber actors are expected to seek access to U.S. critical infrastructure networks. PRC state-sponsored actors might exploit this access for cyber attacks during conflicts or heightened tensions, potentially disrupting critical functions, including government continuity. 

Also, cyber actors opposing U.S. support to international partners have sporadically attacked U.S. infrastructure, with ongoing conflicts in Ukraine and Gaza spurring ideologically motivated hacktivists and state-affiliated actors targeting U.S. infrastructure.

The DHS document noted that PRC state-sponsored cyber actors have pre-positioned cyber exploitation and attack capabilities for disruptive or destructive cyber attacks against U.S. critical infrastructure in the event of a major crisis or conflict with the nation. “One PRC state-sponsored cyber campaign, publicly known as Volt Typhoon, gained access to the IT environments of multiple critical infrastructure organizations over the last several years and continues to target U.S. critical infrastructure. These compromises have been primarily lifeline sectors, including the communications, energy, transportation, and water and wastewater sectors, in the Homeland and U.S. territories.” 

The Cybersecurity and Infrastructure Security Agency and other government agencies assess that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to operational technology (OT) assets to disrupt functions. Volt Typhoon’s use of victims’ legitimate built-in network administration tools allows it to evade detection by blending in with normal network traffic—known as ‘living off the land’—which hampers detection and attribution of their activities.

The DHS threat assessment identified that the Iranian government and other cyber actors sympathetic to Tehran’s interests will continue to target U.S. critical infrastructure, among other targets, in retaliation for U.S. support to Israel during the Gaza conflict. Iran will use various opportunistic tactics, including exploiting publicly known software and hardware vulnerabilities, social engineering techniques, and publicly available cybersecurity tools. After HAMAS’s October 2023 attack on Israel, dozens of pro-Iran criminal hacktivist groups conducted primarily low-level cyber attacks—such as distributed denial-of-service attacks—against Israeli, Palestinian, and US networks and websites. 

Last November, Iranian IRGC-affiliated cyber actors—ostensibly posing as a criminal hacktivist group—used default credentials to successfully compromise and deface Israeli-manufactured OT devices used by U.S. critical infrastructure sector entities.

The homeland security assessment identified that Russian state-sponsored cyber actors continue to seek ways to improve their sophisticated ability to stealthily execute cyber operations and identify new vulnerabilities they could leverage against a variety of critical infrastructure targets. In late 2023, these actors gained access to a large IT firm’s internal emails, including those of its cybersecurity teams, which could provide them with unique insights for future campaigns and make it more difficult for victims to detect their activity. In January this year, pro-Russia criminal hacktivists disrupted multiple U.S. municipality water distribution systems, demonstrating criminal hacktivist intent and capability to disrupt U.S. critical infrastructure entities.

“Financially motivated cyber criminals and state-affiliated actors will continue to employ ransomware and other schemes that will disrupt targeted U.S. critical infrastructure entities and impose significant financial costs on their victims,” according to the DHS assessment. “Financially motivated cyber criminals, similar to other malicious cyber threat actors, consistently evolve and adapt to take advantage of software vulnerabilities, poor network security configurations, and social engineering tactics to gain systems access. Ransomware actors likely will continue to opportunistically target victims they believe will provide the largest payouts.”

Ransomware actors in 2023—the most recent annual data available—attacked entities in most U.S. critical infrastructure sectors in their efforts to financially extort victims; the DHS expects the healthcare and public health (HPH), critical manufacturing, IT, financial services, and government services and facilities sectors to remain the most affected targets.

The HPH sector, for example, experienced an 18 percent increase in reported ransomware attacks in calendar year 2023. In FY 2024, ransomware attacks against this sector caused local- and national-level disruptions to patient care and services. In late calendar year 2023, a ransomware attack on the IT network of a large national hospital provider caused disruptions to subsidiary healthcare providers in multiple states. A 2024 ransomware attack against the U.S.’s largest payment exchange platform for prescription drugs led to nationwide disruptions to pharmacy and hospital services for at least two weeks and cost over $20 million in ransom payments.

Furthermore, North Korean cyber actors almost certainly will continue to target U.S. financial entities, including individuals, venture capital firms, exchanges, and especially cryptocurrency-related users and entities, to finance Pyongyang’s strategic priorities and weapons programs and to reduce the impact of international sanctions. These actors have stolen hundreds of millions of dollars in cryptocurrency over the last several years. 

Apart from targeting U.S. critical infrastructure for destructive and disruptive attacks, adversaries also target the entities that make up critical infrastructure sectors for foreign intelligence collection. Adversarial nation-states continue to use cyber tactics to access and steal sensitive information from U.S. networks, including those of entities that are part of critical infrastructure, for broader espionage purposes to advance their military, diplomatic, and economic goals.

The DHS threat assessment report disclosed that PRC state-sponsored cyber activity continues to represent the largest and most dynamic espionage threat to the U.S. The PRC’s pre-positioning efforts on U.S. critical infrastructure probably also provide its cyber actors with broad access and insight into sensitive and proprietary data across an array of U.S. critical infrastructure networks. PRC cyber actors, including a group associated with the Ministry of State Security, also exploit known vulnerabilities and publicly available tools, which complicates the detection and attribution of their espionage activities.

Russian government-affiliated cyber actors will continue to seek access to U.S. federal, state, and local government and private sector networks for espionage purposes. These cyber actors persistently prioritize compromising U.S. entities in the software supply chain to improve their capabilities and decrease victims’ ability to protect against and detect such activity. 

Moreover, compromises of U.S. firms within key elements of U.S. software supply chains can be used as springboards for access to other U.S. entities, which store data that Russia can use to advance its cyber espionage goals. For example, in late 2023, Russian Foreign Intelligence Service actors compromised a software development platform that would have enabled them to affect software supply chain operations.

North Korea has virtually deployed thousands of highly skilled IT workers to work around the world, earning revenue to alleviate the impact of financial sanctions and to fund regime priorities. These IT workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at U.S. and foreign companies. North Korea’s malicious cyber program could use these workers’ activities to gain privileged access to U.S. systems and proprietary information and bolster North Korea’s economic, diplomatic, and military modernization efforts.

The DHS threat assessment said it continues to observe unmanned aircraft system (UAS) activity over sensitive critical infrastructure sites, which could interfere with regular facility operations, disrupt emergency response or authorized flight operations, and provide intelligence to malign actors. “Many unauthorized UAS belong to unknown operators, challenging our ability to characterize whether the intent is benign or malicious. We currently have no information suggesting violent extremists are using drones in attack planning, but in some instances, DVEs and FTOs have considered using UAS to conduct intelligence collection, to drop explosives and other items on US critical infrastructure for disruption purposes, and to endanger takeoffs and landings at airports via the mere presence of UAS,” it added.

Members of the International Counter Ransomware Initiative (CRI) gathered this week in Washington, D.C. for their fourth meeting. They reinforced their commitments to resilience, cooperation, and disruption through the Policy Pillar, Diplomacy and Capacity Building Pillar, and the International Counter Ransomware Task Force (ICRTF). Additionally, the Initiative introduced a new Public-Private Sector Advisory Panel, led by Canada, creating a reliable network of private sector partners for CRI members to collaborate with in response to ransomware attacks.
