Unified Security ◦ Threat Analysis ◦ Security Insight
03-24-2026

Fully Equipped, Yet Still Breached: Inside Major Incidents of 2025

2025: The Year of “Digital Disasters”

2025 saw a record-high number of reported cyber breach incidents. At Dubai-based cryptocurrency exchange Bybit, approximately $1.5 billion worth of assets were stolen in a single incident. Japan's Asahi Group was infected with ransomware, bringing 30 factories to a simultaneous halt. In Korea, a single telecommunications company suffered the leak of 26.96 million USIM records, and a major retailer leaked personal data of 33.7 million customers—equivalent to approximately two-thirds of South Korea's population. Breach incidents reported to KISA (Korea Internet & Security Agency) alone reached 2,383 cases, a 26% increase year-over-year and the highest ever recorded. It was a year that could rightly be called a "digital disaster."


Yet amid this disaster, one common finding emerged across all incidents. The affected organizations already had security solutions fully in place. So why were they still unable to prevent the breaches? This article examines the causes and countermeasures through major breach cases in 2025.



Major Changes in the 2025 Threat Landscape

1. Ransomware Ecosystem Fragmentation

In 2025, the ransomware ecosystem saw the existing order, centered on a few large groups, collapse into a fragmented landscape. As major ransomware groups such as LockBit were disrupted by international law enforcement operations, small and mid-sized RaaS (Ransomware-as-a-Service) groups quickly moved in to fill the void. The threat did not diminish; rather, the landscape shifted to one with a far greater number of competing groups.

This structural shift made threat detection more challenging. Attack patterns from major ransomware groups had been analyzed over long periods, allowing defense expertise to accumulate. But newly emerging variants from smaller groups increased the complexity of threat analysis. At the same time, ransomware tactics became increasingly aggressive. The ‘triple extortion’ model — encrypting files, threatening to leak stolen data, and launching DDoS attacks simultaneously — became increasingly common, intensifying pressure on victim organizations.

The most active ransomware groups of 2025 were as follows.


Figure 1. Major Ransomware Groups and Impact in 2025


1. Akira (622 cases)

Akira ranked first in ransomware activity in 2025. Incidents increased 120% compared to the prior year, with attacks expanding primarily against small and medium-sized businesses and the service sector by exploiting vulnerabilities in legacy Cisco VPN devices.


2. Qilin (589 cases)

Qilin recorded its highest-ever activity volume, operating a white-label RaaS model that paid approximately 80% of profits to attack executors. It even offered a 'Call Lawyer' service that analyzed the legal liabilities arising from data publication to support extortion strategies. The group is presumed to be a former Soviet or Russia-based organization, as its ransomware is designed not to execute on systems configured in Russian.


3. LockBit (315 cases)

LockBit was significantly disrupted by international law enforcement operations, with activity dropping 45% compared to the prior year. Despite losing affiliates due to reputational damage, the group remained a significant threat actor, continuing to target multiple sectors including manufacturing.


4. Play (245 cases)

Play used proprietary intrusion tools and maintained a closed operational model. The group primarily targeted the public sector and transportation industry.



2. Surge in Linux-Targeted Attacks

Another defining characteristic of the 2025 cyber threat landscape was the rise in attacks targeting Linux environments. Linux serves as the backbone of enterprise servers, cloud infrastructure, and container environments. It has often been deprioritized in security planning due to the perception that it is relatively safer than Windows — and attackers exploited exactly this gap.

In fact, in 2025, total detected attacks surged 78% compared to the prior year, with the increase in Linux-targeted attacks being particularly pronounced. Linux environments, where security monitoring tends to be less rigorous, provided favorable conditions for long-term persistence following initial compromise.



3. Increasing Sophistication of APT Attacks

In 2025, APT attacks demonstrated more stealthy and long-term intrusion patterns. A prime example is Salt Typhoon. This group, believed to be backed by China, infiltrated the networks of all nine major U.S. telecommunications companies and took control of CALEA (Communications Assistance for Law Enforcement Act) systems used by law enforcement for wiretapping. A legitimate backdoor intended for investigative purposes was instead exploited as an attack vector. The group remained undetected for over a year, eavesdropping on communications of government officials and key figures. It has also been reported that communications related to U.S. presidential election figures were included among the targets.


Volt Typhoon, also believed to be China-backed, infiltrated critical infrastructure in the United States, including power and water systems, quietly preparing a “digital pre-positioning” strategy to disrupt key infrastructure in the event of geopolitical conflict. These two cases, which prioritize stealthy infiltration and long-term persistence over immediate impact, demonstrate that national critical infrastructure—such as telecommunications and energy—has become a primary target of APT attacks.



Security Solutions Were in Place. Yet the Breaches Still Happened — Why?

Most organizations impacted by major cyber incidents in 2025 were not negligent in their security posture or investment. The majority had invested substantial resources in a variety of security measures over many years and already had multi-layered defense architectures in place. According to Gartner, organizations operate an average of 45 security solutions, with some deploying more than 130. Yet the damage from breach incidents in 2025 reached an all-time high. They had more than enough security solutions — so why couldn't they stop the attacks? The core of the problem was not a lack of security solutions, but the absence of 'integrated security operations.'

Three structural root causes were consistently observed across the major incidents of 2025.


Figure 2. Key Structural Causes of Major Cyber Incidents in 2025



Cause 1. Increasing Complexity in Security Operations

As the number of security solutions grew, tool overload itself became a new risk. Solutions introduced for compliance purposes across different domains accumulated without integration, and many remained on outdated versions from the time of initial deployment. The excessive alerts and false positives generated by each solution exceeded the management capacity of security teams, and critical threat signals were buried in the noise. This phenomenon of siloed security solutions accumulating without coordination — known as Tool Sprawl — significantly increased the complexity of security operations.



Cause 2. Lack of Visibility and Context

In fragmented, multi-tool security environments, achieving comprehensive visibility and establishing event correlation across data sources presents a significant challenge. Logs generated by each solution accumulate in individual silos without being connected to one another, making it difficult to trace the flow of how an attacker infiltrated and through what path they moved laterally. As a result, detection blind spots emerged, and Shadow IT assets provided an environment where APT threats could remain dormant for extended periods.



Cause 3. Fragmented Security Operations

The siloed separation of IT operations and security teams frequently resulted in ambiguous roles and responsibilities (R&R) at the time of incident response. Without clear ownership, critical response windows were missed amid a flood of unprioritized alerts. Manual response processes and lack of coordination between teams further extended the mean time to respond (MTTR).



Security Depends on Connectivity and Integration

The lesson of 2025 is clear: security effectiveness is not determined by the number of tools, but by the quality of connectivity and operations. In response, AhnLab introduces a three-stage security framework built on connectivity and integration.


Figure 3. AhnLab's Three-Stage Unified Security Response Framework


Stage 1. Proactive Defense: ZTNA

Traditional perimeter security was designed on the premise that the internal network can be trusted. However, this architecture — where breaching the perimeter exposes the entire interior — is no longer viable. ZTNA minimizes the attack surface by controlling access based on identity rather than IP, under the principle of 'never trust, always verify.'


AhnLab's firewall solution AhnLab XTG is designed around three core ZTNA principles. First, least privilege access blocks unauthorized access and bypass connections. Second, microsegmentation prevents lateral movement within the network. Third, continuous authentication detects anomalous behavior in real time during active sessions. Even a Salt Typhoon-type attack that remained dormant inside the network for over a year would have been blocked at the lateral movement stage following perimeter breach, had ZTNA been in place.


Stage 2. Detection and Response: EDR

If ZTNA minimizes the risk of initial compromise, EDR is the stage that detects and responds to attacker activity after infiltration. Traditional signature-based antivirus solutions show limitations against living-off-the-land techniques, fileless attacks, and new or variant threats.


AhnLab EDR addresses these limitations through behavior-based detection. It identifies malicious activities such as abnormal process execution and privilege escalation in real time, and enables rapid understanding of the attack entry point and propagation flow through attack chain visualization. In the event of a ransomware infection, the rollback feature allows recovery of files to their pre-encryption state. Even ransomware such as Akira and Qilin, which employ AV evasion techniques, could have been blocked at the encryption stage by EDR’s behavior-based detection engine. 


Stage 3. Unified Operations: XDR

If ZTNA blocks initial compromise and EDR detects threats, the final stage is to connect all of this data to manage threats across the entire organization in a unified manner. No matter how capable individual solutions are, an organization remains vulnerable if they are not connected to one another. XDR is what enables this connection and integration.


AhnLab XDR consolidates data generated across security solutions into a single platform and analyzes correlations between events to visualize the full attack chain. Behaviors that appear normal in isolation reveal hidden threats when placed in full context. Identified risks are automatically prioritized by severity, and repetitive response tasks are handled by playbooks. As a result, security teams can move beyond processing routine alerts and focus on the threats that truly matter.
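To make the visibility and correlation point concrete (Cause 2 above and this XDR stage), here is an added example that is not AhnLab's code or the article's own: three constructed log sources, a VPN gateway, a directory service and an EDR agent, are joined by user within a time window and scored by the distinct attack stages the chain covers. The stage names, weights, thresholds and sample events are assumptions for illustration; each silo on its own stays below the alert threshold, while the joined chain crosses it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three siloed sources (not real logs).
# Fields: src = log source, ts = ISO-8601 timestamp, user, host, type.
EVENTS = [
    {"src": "vpn", "ts": "2025-03-01T02:14:00", "user": "jdoe", "host": "vpn-gw", "type": "vpn_login"},
    {"src": "ad", "ts": "2025-03-01T02:20:00", "user": "jdoe", "host": "dc01", "type": "group_add"},
    {"src": "edr", "ts": "2025-03-01T02:31:00", "user": "jdoe", "host": "fs02", "type": "remote_exec"},
    {"src": "edr", "ts": "2025-03-01T02:40:00", "user": "jdoe", "host": "fs02", "type": "mass_rename"},
    {"src": "vpn", "ts": "2025-03-01T09:00:00", "user": "asmith", "host": "vpn-gw", "type": "vpn_login"},
    {"src": "edr", "ts": "2025-03-02T10:00:00", "user": "jdoe", "host": "ws11", "type": "remote_exec"},
]

# Hypothetical mapping of event type -> (attack stage, weight); assumed for this example.
STAGE = {"vpn_login": ("initial_access", 1), "group_add": ("privilege_escalation", 3),
         "remote_exec": ("lateral_movement", 3), "mass_rename": ("impact", 4)}

def score(user, chain):
    """Summarise one chain: sources/hosts touched, distinct stages covered, total weight."""
    stages = {STAGE[e["type"]] for e in chain}          # set dedups repeated stages
    return {"user": user, "start": chain[0]["ts"], "end": chain[-1]["ts"],
            "hosts": sorted({e["host"] for e in chain}), "sources": sorted({e["src"] for e in chain}),
            "stages": sorted(s for s, _ in stages), "score": sum(w for _, w in stages)}

def correlate(events, window_hours=2, threshold=8):
    """Join events from all sources by user; consecutive events less than
    window_hours apart form one chain. Return chains scoring >= threshold."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    chains = []
    for user, evs in by_user.items():
        chain = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if gap > timedelta(hours=window_hours):     # too far apart: close the chain
                chains.append(score(user, chain))
                chain = []
            chain.append(cur)
        chains.append(score(user, chain))
    return [c for c in chains if c["score"] >= threshold]

def per_silo_max(events):
    """Best score any single log source reaches on its own (the siloed view)."""
    return {src: max(c["score"] for c in correlate([e for e in events if e["src"] == src], threshold=0))
            for src in sorted({e["src"] for e in events})}
```

Running `per_silo_max(EVENTS)` gives each source's best isolated score (all below 8), while `correlate(EVENTS)` returns the single cross-source chain for `jdoe` spanning VPN login, group change, remote execution and mass file renaming within 26 minutes.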



The Lesson of 2025: Security Is About Speed, Not Perfection

Security expert Bruce Schneier said in 2000: "Security is not a product, but a process." 

It may have sounded theoretical at the time, but in 2025, it became reality. In the past, deploying security products alone was enough to block a significant number of threats. Today, blocking 100% of attacks is nearly impossible.


But the scale of damage is inversely proportional to response speed (MTTR). The difference in damage between an organization that detected an intrusion within days and one that took months to realize it is incomparable. The recovery cost between an organization that isolated a ransomware infection immediately and one that responded only after it had spread enterprise-wide can differ by as much as tens of times.


Ultimately, security effectiveness depends not on perfect defense, but on how quickly threats are detected and responded to. And what determines that speed is not the performance of individual solutions, but a connected, integrated operations framework. 2025 was the year that proved it.



