
Apr 04 2025
Security

Government Must Secure Identities as Social Engineering Attacks Increase

CrowdStrike’s new Global Threat Report finds voice phishing is up, China and North Korea are making their way into the cloud, and more.

Social engineering attacks are on the rise. State and local agencies should respond by investing in user awareness training and endpoint detection and response (EDR) tools, then focusing on securing identities and establishing visibility across domains rather than monitoring endpoints in isolation.

Voice phishing attacks in particular rose 442% between the first and second half of 2024, in part because widespread EDR deployment has pushed threat actors away from traditional malware-based intrusions (such as deploying malware via malicious documents) and toward targeting help desks, according to CrowdStrike’s 2025 Global Threat Report.

China’s cyberactivity increased an average of 150% year over year across all sectors, and 200% to 300% in the financial services, media and manufacturing sectors. Decades of investment have given the nation-state fully functional offensive cyber capabilities on par with those of other world powers, driven by the goal of becoming the global hegemon.

“As we see the geopolitical landscape shifting, we see China becoming more belligerent toward Taiwan,” said Adam Meyers, senior vice president and head of counter adversary operations at CrowdStrike, during a report briefing in late February. “This is going to come to a head in the next 12 to 24 months.”


The Rise of Social Engineering Attacks

China has adopted an operational relay box (ORB) network model that routes its traffic through botnets of compromised routers located in the U.S. Attacks that appear to be “coming from inside the house” are easier to pass off as normal network activity, and they defeat defenses that rely on blocking foreign source addresses.

Salt Typhoon, a Chinese advanced persistent threat actor, has become adept at targeting U.S. telecommunications companies, Meyers said.

Hands-on-keyboard attacks, in which the threat actor forgoes scripted commands and malware in favor of manually operating inside the environment, accounted for 79% of the attacks CrowdStrike observed in 2024, according to the report.


Attackers using this method log in to a network with compromised user credentials and then move across it using legitimate applications or a browser, so there is no malware for EDR to flag. They often obtain these credentials in one of two ways: impersonating the user and calling the help desk for a password reset, or the reverse, flooding the user with spam and then calling while impersonating the help desk, using the “cleanup” pretext to send the person a link that bypasses multifactor authentication.


Generative artificial intelligence is making it easier to harvest credentials. Phishing emails written by generative AI had a click-through rate of 54%, compared with 12% for those written manually, per the report.

In one instance, a company made a $25.6 million wire transfer in response to a deepfake video. Companies are also unwittingly hiring North Korean operatives who build fake LinkedIn profiles with generative AI, appear as deepfake video during interviews and generate their answers to interview questions with generative AI.

“Not only are these adversaries using different techniques, different capabilities, they’re also doing it faster,” Meyers said.

The average breakout time, the time it takes an adversary to move laterally from the first compromised host to another host in the network, was 48 minutes in 2024, down from 62 minutes the year before. The fastest breakout recorded was just 51 seconds, according to the report. Breakout time is the window a defender has to detect and contain an intrusion before it spreads.
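Breakout time can be measured from a defender's own telemetry, not only reported by vendors. The following is an added example, not code from the article or from CrowdStrike: it reads constructed logon events (timestamp, user, source host, destination host, logon type; the format, host names and users are assumptions) and alerts on any identity whose credential reaches a second host within a chosen window of its first observed logon. The constructed data contains one credential that breaks out in 28 seconds, faster than the 51-second record in the report, and one whose second host appears hours later.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src: str    # host the logon request came from
    dst: str    # host that accepted the credential
    kind: str   # interactive / network, as the identity provider labels it


# Constructed sample events (not real telemetry): ISO timestamp, user,
# source host, destination host, logon type. Host and user names are made up.
SAMPLE_LOG = """\
2024-06-03T09:00:12Z jdoe WS-117 WS-117 interactive
2024-06-03T09:00:40Z jdoe WS-117 FS-02 network
2024-06-03T09:01:03Z jdoe WS-117 DC-01 network
2024-06-03T09:02:15Z asmith WS-204 WS-204 interactive
2024-06-03T11:20:00Z asmith WS-204 PRINT-01 network
"""


def parse_logons(text: str) -> list[Logon]:
    """Parse the whitespace-separated format above into Logon records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, kind = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Logon(when, user, src, dst, kind))
    return events


def breakout_alerts(events: list[Logon], window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Return one alert per identity whose credential was accepted by a second
    host within `window` of its first observed logon.

    breakout_seconds is the elapsed time from the first logon to the first
    logon on a different host, i.e. breakout time measured per credential.
    """
    by_user: dict[str, list[Logon]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        first = evs[0]
        for e in evs[1:]:
            if e.dst == first.dst:
                continue                      # still on the initial host
            breakout = e.ts - first.ts
            if breakout <= window:
                hosts = sorted({x.dst for x in evs if x.ts - first.ts <= window})
                alerts.append({
                    "user": user,
                    "breakout_seconds": int(breakout.total_seconds()),
                    "hosts": hosts,           # every host reached inside the window
                })
            break                             # the first new host defines breakout time
    return alerts


if __name__ == "__main__":
    for alert in breakout_alerts(parse_logons(SAMPLE_LOG)):
        print(alert)
```

Administrators and service accounts legitimately touch many hosts quickly, so in practice the window and the host count are baselined per identity, and the alert is only useful if the response that follows it (session revocation, host isolation) can run inside the measured breakout time.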

Some threat actors, known as access brokers, gain access to a target and then sell it to the highest bidder. This activity jumped 50% in 2024, per the report.


Don’t Underestimate Cloud-Conscious Adversaries

CrowdStrike further found a 26% increase in cloud intrusions, and abuse of valid accounts has become the primary method attackers use to get into the cloud, accounting for 35% of cloud incidents in the first half of 2024. Because a valid account raises no exploit alert, this signals that adversaries are improving their ability to target and operate in such environments.

Once inside the cloud, adversaries are targeting generative AI models, which is one reason China and North Korea are increasing their cloud-focused collection operations, Meyers said.

Salt Typhoon often gains its initial foothold by exploiting vulnerabilities in internet-facing edge devices, then pivots toward cloud and internal resources from there.

“You can gain access to an older VPN concentrator or network router and then pivot from there, deeper into the environment,” Meyers said. “And because those things don’t run modern security tools, they’re softer targets.”

Organizations need to prioritize what they patch based on intelligence assessments of what adversaries are actually exploiting, rather than on raw severity scores alone, especially as threat actors increasingly chain vulnerabilities together, he said.
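As an added example, not from the article or from CrowdStrike, the following shows the kind of intel-driven ranking Meyers describes: a small constructed inventory is scored by whether each flaw is reported as exploited in the wild, whether two exploited flaws on the same device chain into unauthenticated code execution, whether the device is internet-facing, and whether it can run an EDR agent. The CVE identifiers (CVE-0000-000x), the weights and the asset names are placeholders chosen for the example, not real vulnerabilities or a vendor's scoring scheme.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_facing: bool
    has_edr: bool
    cves: list[str]


# Constructed intelligence feed keyed by placeholder IDs; CVE-0000-000x are not
# real CVEs. 'exploited' is whether the intel source reports in-the-wild use,
# 'effect' is what a working exploit yields on the device.
INTEL = {
    "CVE-0000-0001": {"cvss": 9.8, "exploited": True,  "effect": "auth-bypass"},
    "CVE-0000-0002": {"cvss": 7.2, "exploited": True,  "effect": "rce"},
    "CVE-0000-0003": {"cvss": 9.1, "exploited": False, "effect": "rce"},
    "CVE-0000-0004": {"cvss": 5.3, "exploited": False, "effect": "info-leak"},
}

# Constructed inventory; names are made up. The VPN concentrator is the
# 'older edge device that cannot run modern security tools' case.
ASSETS = [
    Asset("vpn-concentrator-1", True,  False, ["CVE-0000-0001", "CVE-0000-0002"]),
    Asset("app-server-7",       False, True,  ["CVE-0000-0003"]),
    Asset("branch-router-12",   True,  False, ["CVE-0000-0004"]),
    Asset("laptop-fleet",       False, True,  ["CVE-0000-0002"]),
]


def score_asset(asset: Asset, intel: dict = INTEL) -> float:
    """Higher score = patch sooner. Exploitation evidence and exposure
    dominate; CVSS only breaks ties among flaws nobody is using."""
    score = 0.0
    exploited_effects = set()
    for cve in asset.cves:
        info = intel[cve]
        base = info["cvss"]
        if info["exploited"]:
            base *= 2                 # in-the-wild exploitation outweighs raw severity
            exploited_effects.add(info["effect"])
        score += base
    if {"auth-bypass", "rce"} <= exploited_effects:
        score += 20                   # exploited chain: unauthenticated code execution
    if asset.internet_facing:
        score *= 1.5                  # reachable by the adversary directly
    if not asset.has_edr:
        score *= 1.5                  # no agent to catch post-exploitation activity
    return round(score, 1)


def patch_order(assets: list[Asset], intel: dict = INTEL) -> list[Asset]:
    """Inventory sorted into the order in which it should be patched."""
    return sorted(assets, key=lambda a: score_asset(a, intel), reverse=True)


if __name__ == "__main__":
    for a in patch_order(ASSETS):
        print(f"{score_asset(a):6.1f}  {a.name}")
```

Note the outcome: the app server carrying a CVSS 9.1 flaw that nobody is exploiting ranks last, while the unmonitored VPN concentrator with two exploited, chainable flaws ranks first by a wide margin. A CVSS-only ranking would invert that order.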

Plenty of adversaries do their homework, scouring public research, disclosures and blogs for new exploits aimed at narrow components of the identity stack, such as a single authentication flow or token type.

“If you're not looking across all of those domains, then you’re going to miss all of these attacks,” Meyers said.
