2025 CrowdStrike Global Threat Report: Cybercriminals Are Shifting Tactics – Are You Ready?
CrowdStrike (Nasdaq: CRWD) today announced the findings of the 2025 CrowdStrike Global Threat Report, revealing a dramatic shift in cyber adversary tactics, with attackers leveraging stolen identity credentials, AI-generated social engineering, and hands-on keyboard intrusions to bypass traditional security measures. The report details a surge in identity-based attacks, the growing exploitation of cloud environments and an increase in nation-state cyber activity, particularly from China, which has intensified its targeting of critical industries such as finance, media and manufacturing. Now in its 11th annual edition, CrowdStrike’s definitive threat intelligence report provides an in-depth look at cybercriminal and nation-state adversary behavior.
Key Findings in the 2025 Report
The global cyber threat landscape has evolved rapidly, with adversaries becoming faster, stealthier and more sophisticated. A surge in Chinese cyber activity, the rise of hands-on keyboard attacks, and the widespread use of generative AI to enhance phishing and social engineering tactics have forced security teams to rethink their defense strategies.
According to CrowdStrike’s latest threat report, China’s cyber operations escalated significantly, with a 150% increase in attacks across all sectors in 2024 compared to the previous year. Certain industries, including financial services, media and manufacturing, saw spikes of 200-300%, marking a shift in China’s cyber strategy. CrowdStrike also identified seven new China-nexus adversaries, further contributing to the surge in espionage and cyber operations.
After years of investment, China’s offensive cyber capabilities are now on par with other world powers, transitioning from indiscriminate smash-and-grab tactics to long-term persistent access and highly specialized targeting. The report highlights a growing emphasis on stealth, with adversaries leveraging compromised routers in the U.S. to disguise their activity and bypass traditional defenses.
Identity-Based Attacks on the Rise
One of the most notable trends in the past year has been the shift from malware-based attacks to hands-on keyboard intrusions, where attackers directly manipulate compromised systems. In 79% of observed cases, adversaries used stolen credentials to impersonate legitimate users, bypassing endpoint detection tools altogether.
“Bringing malware into an enterprise today is like trying to sneak a water bottle past airport security,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “They’ll stop you. But if you just log in like a normal user, you blend in.”
This trend has led to an increase in social engineering attacks, particularly targeting IT help desks. Attackers often impersonate employees to request password resets or pose as IT support staff to trick employees into revealing credentials. A staggering 442% increase in voice phishing (vishing) attacks underscores the growing role of generative AI in fueling social engineering campaigns.
To combat this, organizations are urged to adopt stricter identity verification measures, including requiring video verification for password resets, a step that, while inconvenient, could prevent many impersonation-based attacks.
Generative AI Supercharges Phishing and Deepfake Scams
Artificial intelligence has become a game-changer for both attackers and defenders. While security firms use AI to automate threat detection and response, adversaries have weaponized generative AI to create more convincing phishing emails, social engineering scripts and deepfake content.
According to CrowdStrike, AI-generated phishing emails have a 54% success rate, compared to 12% for human-written ones. Attackers are also using deepfake technology for business email compromise (BEC) scams, including a high-profile $25.6 million fraudulent wire transfer that leveraged deepfake video.
North Korean threat actors have gone a step further, using AI-generated profiles and deepfake interviews to secure employment in U.S. tech firms, allowing them insider access to sensitive corporate data. Insider threats from DPRK-nexus adversaries, such as FAMOUS CHOLLIMA, were behind 304 incidents in 2024, with 40% involving insider operations.
Cloud and SaaS Under Siege
Cloud environments and software-as-a-service (SaaS) platforms have become primary targets for cyberattacks, with 26% YoY growth in cloud intrusions. China, North Korea and cybercriminal groups have increased their focus on cloud infrastructure, using stolen single sign-on (SSO) credentials to enable widespread compromise. Attackers are also exploiting unsecured cloud databases and chaining multiple low-severity vulnerabilities to gain high-level access.
To mitigate these risks, organizations are advised to treat cloud security as critical infrastructure and implement stronger multi-factor authentication (MFA), preferably using hardware-based security keys rather than SMS codes, which are increasingly vulnerable to interception.
China’s Specialization and Future Threats
The CrowdStrike report highlights China’s move toward specialized cyber operations, with different teams focusing on specific industries and technologies. In the telecommunications sector, for example, Chinese hackers have mastered protocol manipulation techniques that allow them to exfiltrate data undetected.
This specialization signals a broader shift: China is no longer just stealing intellectual property; it is embedding itself into critical industries, ensuring it has persistent, long-term access to key global infrastructure.
Despite these challenges, security experts believe that adversary-driven defense strategies — focused on understanding attacker motivations, techniques and priorities — will be key to staying ahead of emerging threats.
“In the past, the focus was on blocking malware and patching high-severity vulnerabilities,” Meyers said. “But adversaries have evolved. If we don’t approach security with the same level of intelligence, we’ll always be one step behind.”
Actionable Steps for Organizations
To combat these evolving threats, CrowdStrike advises security professionals to prioritize the following measures:
- Strengthen Identity Security – Implement advanced MFA, monitor API and session key access, and adopt zero-trust principles.
- Secure SaaS Environments – Treat SaaS applications with the same security rigor as on-prem infrastructure.
- Monitor for Social Engineering – Train employees to recognize and resist social engineering tactics.
- Know Your Adversary – Leverage threat intelligence to understand and anticipate attack strategies.
- Improve Visibility – Invest in solutions that provide holistic cross-domain visibility and endpoint monitoring.
With adversaries constantly adapting, organizations must remain proactive by securing identities, addressing SaaS vulnerabilities and leveraging advanced threat intelligence to understand and mitigate risks in real time. Cybersecurity is a continuous battle, and staying ahead requires a strategic, informed, and comprehensive approach.
Additional Resources:
- Download the 2025 CrowdStrike Global Threat Report!
- Visit CrowdStrike’s Adversary Universe for the internet’s definitive source on adversaries.
- Listen to the Adversary Universe podcast to glean insights into threat actors and recommendations to amplify security practices.