
Most Active Threat Actors by Industry: Who Is Targeting Your Sector Right Now?

Cyber threats are escalating rapidly, with ransomware groups multiplying and attacks becoming faster and more targeted than ever. This blog profiles four of the most active threat actors currently targeting key industries: IntelBroker, APT44 (Sandworm), Volt Typhoon, and APT45. From financially motivated cybercrime to state-sponsored espionage and infrastructure disruption, each group presents unique risks across sectors including technology, energy, government, and finance. Understanding who is targeting your sector is critical to strengthening your security posture and staying ahead of evolving threats.

March 17, 2026
Shail Yadav
Marketing Executive

Introduction

Threat actors are individuals or groups who deliberately target digital systems, networks, and devices to cause harm, whether for financial gain, geopolitical leverage, or ideological reasons. They exploit vulnerabilities across the digital ecosystem to carry out attacks, including phishing, ransomware, data theft, and destructive cyber operations.

The scale of the problem is growing fast. Global cybercrime losses are projected to exceed $15 trillion annually by 2029, and in 2024 alone, the FBI received over 859,000 cybercrime complaints, a 33% year-on-year increase. Active ransomware groups doubled between 2023 and 2024, and nearly 50% of attacks now conclude within seven days.

Understanding who is behind these attacks, and who they're targeting, is no longer optional. Below, CYJAX profiles four of the most active threat actors your sector should know about right now.

IntelBroker

IntelBroker is a prolific initial access broker and database seller operating primarily on BreachForums, active since late 2022. The actor targets large, profitable organisations across the United States and Europe, with a particular focus on the technology, healthcare, financial, military, and manufacturing sectors. IntelBroker is also associated with the development of Endurance ransomware, distributed under a Malware-as-a-Service model.

Sectors at risk: Technology · Healthcare · Financial Services · Defence · Manufacturing

APT44 (Sandworm)

APT44, commonly known as Sandworm, is a Russian state-sponsored threat group attributed to GRU Unit 74455, active since approximately 2009. The group is best known for its disruptive attacks on critical infrastructure, including Ukraine's power grid, and has significantly escalated operations since Russia's 2022 invasion. APT44 maintains a broad and evolving toolkit, including custom malware, destructive wipers, and Living off the Land (LotL) techniques.

Sectors at risk: Government · Energy · Defence · Transport · Media

Volt Typhoon

Volt Typhoon is a Chinese state-sponsored APT group active since around 2021, focused on cyberespionage and believed to be pre-positioning within critical infrastructure networks for potential future disruption. The group heavily favours LotL techniques to avoid detection, making it exceptionally difficult to identify and remove. Targeting is heavily weighted toward the US, Taiwan, and European allies — closely tracking China's geopolitical priorities.

Sectors at risk: Energy · Telecoms · Government · Manufacturing · Military

APT45

APT45 is a North Korean state-sponsored threat group active since approximately 2009, operating with a dual mandate: traditional espionage and financially motivated attacks. The group targets government, defence, energy, and financial organisations across the US, South Korea, India, and wider Europe. Notable incidents include the targeting of India's Kudankulam Nuclear Power Plant. Some researchers link APT45 to the broader Lazarus Group cluster.

Sectors at risk: Government · Defence · Financial Services · Energy · Critical Infrastructure

Stay Ahead with CYJAX

The actors above are just a snapshot. CYJAX monitors hundreds of threat groups continuously, across the open, deep, and dark web, translating intelligence into action your security team can use.

Want to know who's targeting your sector? Book a CYJAX demo and see real-time threat intelligence built around your industry.


Get Started with CYJAX CTI

Empower Your Team. Strengthen Your Defences. CYJAX gives you the intelligence advantage: clear, validated insights that let your team act fast without being buried in noise.
