The 2024 Cyber Trends That Will Shape 2025

Hack to the future.
Ryan Uliss
Contributing Writer
Cyber threats in 2024 continued to evolve, driven by an expanding enterprise attack surface, resilient cybercriminal networks, and state-sponsored actors exploiting advanced technologies.

The latest annual threat report from Insikt Group offers a comprehensive analysis of last year’s major cyber incidents, the shifting tactics of threat actors, and what businesses must be prepared for in 2025.

Among the most significant findings: the rapid adoption of SaaS applications has exacerbated identity-related security breaches, ransomware gangs have become more fragmented despite major law enforcement crackdowns, and adversarial nations have increasingly leveraged generative AI to run influence campaigns.

As cybersecurity executives digest these insights, it’s clear that traditional security approaches are being tested like never before.

SaaS Growth Fuels Credential-Based Attacks

One of the most impactful trends in 2024 was the increasing exploitation of stolen credentials due to the rapid growth of software-as-a-service (SaaS) applications.

The report found that the average enterprise now employs 371 SaaS products, a 39.4% increase from 2021. This growth has significantly expanded the attack surface, providing cybercriminals with more opportunities to exploit credential-based vulnerabilities.

Two major cyber incidents in 2024, the ALPHV and RansomHub ransomware attack on Change Healthcare and the UNC5537 breach of Snowflake, highlighted how attackers leveraged valid credentials to infiltrate corporate networks. In both cases, a lack of multi-factor authentication (MFA) played a critical role in enabling unauthorized access.

The Change Healthcare breach, for example, resulted in a $22 million ransom payment, with attackers exploiting a misconfigured Citrix gateway.

Another concerning trend was the rise of infostealer malware, which targeted personal and small-to-medium business devices. Many of the stolen credentials used in the Snowflake breach originated from infections dating as far back as 2020, demonstrating how long-term credential exposure continues to be a major security risk.

Ransomware Groups Adapt Despite Crackdowns

Law enforcement agencies disrupted major ransomware operations in 2024, yet cybercriminals demonstrated remarkable resilience.

Groups like LockBit and ALPHV were targeted in high-profile takedowns, resulting in arrests and the seizure of their infrastructure. However, despite these efforts, ransomware activity remained steady throughout the year.

Notably, the ransomware ecosystem became more fragmented, with new groups emerging to fill the void left by dismantled organizations. The report recorded 62 new ransomware variants between June and August alone.

Healthcare and manufacturing remained the most targeted industries due to their low tolerance for operational disruptions. The Ascension healthcare ransomware attack forced hospitals to divert ambulances and shut down pharmacies, demonstrating how cybercriminals continue to exploit the high stakes in these sectors.

State-Sponsored Threats Escalate

Geopolitical tensions in 2024 drove a surge in state-sponsored cyber activity, with China, Russia, and Iran leveraging generative AI to enhance influence operations.

As over 2 billion voters across 70+ countries participated in elections, adversaries deployed AI-generated misinformation campaigns to manipulate public opinion. China and Russia, in particular, used deepfake videos and AI-enhanced social media personas to promote divisive narratives and undermine trust in democratic institutions.

Beyond digital influence, state-backed cyber actors also escalated attacks on critical infrastructure, targeting water treatment facilities, telecommunications networks, and power grids.

The report highlighted the Volt Typhoon campaign, in which Chinese threat actors infiltrated U.S. critical infrastructure networks as part of long-term strategic positioning. Meanwhile, Russian-linked groups engaged in sabotage efforts across Europe, with incidents ranging from railroad disruptions to attacks on military supply chains.

One of the most alarming revelations was the Salt Typhoon telecom breach, where Chinese hackers gained access to U.S. telecommunications metadata and wiretap systems. This attack provided intelligence agencies with access to sensitive communications data.

2025 Cybersecurity Predictions

The report forecasts that AI-driven cyber threats will continue to evolve, posing new challenges for defenders. Among the key predictions:

  • AI-Powered Impersonation Will Drive New Attacks: The report predicts that threat actors will likely exploit AI-generated deepfake technology to bypass security controls and execute social engineering attacks at scale.
  • macOS and Mobile Attacks Will Surge: With more organizations adopting Mac and mobile-first workflows, these platforms are expected to become a bigger target for malware and ransomware.
  • A Major Crypto Fraud Incident Will Shake the Market: The report anticipates a market-destabilizing cryptocurrency scam, fueled by the sector’s rapid growth and increasing regulatory uncertainty.
  • Chinese Cyber Activity Will Expand: Additional disclosures of Chinese pre-positioning on critical infrastructure networks are expected, with new sectors beyond energy and telecommunications coming into focus.

The Wrap

The Insikt Group’s latest report paints a clear picture: cyber threats are not just persisting; they are evolving at an alarming pace.

One of the most significant takeaways is the urgent need for more effective identity security measures. As the widespread exploitation of SaaS credentials in attacks like those on Change Healthcare and Snowflake showed, even the most well-resourced enterprises can fall victim to relatively simple but devastating breaches.

Looking ahead to 2025, business and security leaders are beginning to view cybersecurity as a fundamental pillar of operational resilience. With adversaries leveraging AI, expanding attack surfaces, and geopolitical tensions adding new challenges, a reactive approach is no longer enough.
