Cyber Threats 2025: France’s ANSSI Warns of the Reconfiguration of Critical Infrastructure

ANSSI is not downplaying the overall picture. While ransomware incidents edged down slightly (128 cases handled in 2025, compared with 141 the year before), France's National Agency for Information Systems Security (ANSSI) is careful not to read this as a lull.

The threat is reconfiguring rather than retreating: attackers increasingly exfiltrate data without encrypting the victim's systems, and the stolen data is used for blackmail or sold on dark markets. Pressure on victims remains intense, even when systems aren’t blocked.

The 2025 edition of its “Panorama of the Cyber Threat” confirms a long-standing trend: state actors, notably North Korean and Chinese groups, are now adopting cybercriminal tools for purely lucrative purposes. The traditional dichotomy between state espionage and organized cybercrime is fading, making attribution of attacks and the corresponding institutional response far more complex.

Espionage, sabotage: states still in action

On the strategic espionage front, groups reputedly tied to Russia—Callisto, Laundry Bear—and to China—Salt Typhoon, APT31—continue a sustained effort to compromise diplomatic networks and critical infrastructure in the telecommunications and energy sectors. It’s a covert yet persistent background activity aimed at long-term objectives.

Sabotage, meanwhile, takes more visible forms. In late 2025, coordinated operations targeted Poland’s electrical infrastructure. Hacktivist groups have also attacked smaller industrial facilities (renewable energy, water networks) to generate high-profile media impact. The aim is no longer solely to paralyze, but also to create a shock effect in public opinion.

The technical arsenal is diversifying and industrializing

Tactically, 2025 confirms several structural evolutions. Attackers increasingly rely on legitimate tools to cover their tracks: remote-access software like AnyDesk or TeamViewer, cloud storage services such as Google Drive or MEGA. By blending into normal enterprise traffic, they considerably complicate detection.

Generative artificial intelligence is emerging as a threat accelerator. It enhances the quality and credibility of phishing attempts, enables large-scale creation of malicious sites that look legitimate, and gradually integrates into organizational operational flows to exploit vulnerabilities.

Social engineering, for its part, is becoming more refined. SIM-swapping, MFA fatigue (the practice of overwhelming a user with authentication requests until they approve out of fatigue), and the so-called “ClickFix,” which nudges the victim to execute a malicious command themselves, are all on the rise.

These methods rely on human fallibility rather than technical vulnerabilities, making them particularly hard to counter with tools alone.

The attack surface is expanding: edge, cloud, mobile

Edge devices—firewalls, VPNs, proxies—remain favored entry points. In 2025, vulnerabilities affecting major solutions such as Ivanti, Fortinet, Citrix, or Microsoft SharePoint were heavily exploited. These critical nodes, directly exposed on the Internet, are prime targets for attackers seeking initial footholds.

The digital supply chain is also in the crosshairs: compromising a service provider or a cloud host allows attackers to reach a large number of end customers at once.

Many incidents in 2025 involved the encryption of cloud-hosted resources, illustrating the vulnerability of shared, multi-tenant environments.

Finally, mobile endpoints are not spared. Spyware like Pegasus or Triangulation, exploiting zero-click flaws in popular apps such as WhatsApp, continues to target both personal and corporate devices.

The four most exposed sectors

Education and research lead the list of affected sectors with 34% of incidents handled, followed by ministries and local authorities (24%), health (10%), and telecommunications (9%). These sectors are often characterized by limited cybersecurity resources, heterogeneous IT systems, and a high exposure of sensitive data.

Dawn Liphardt
