10 Major Cyberattacks And Data Breaches In 2025
Data theft, ransomware and AI-powered attacks drove major disruption, even as nation-state attacks from China and North Korea surged during 2025.
Biggest Cyberattacks And Breaches
A common thread running through many of the biggest cyberattacks and data breaches in 2025 was a lack of visibility by organizations into their own IT systems—a weakness that attackers exploited again and again. The year began ominously with the disclosure that China-linked attacks targeting telecommunications firms were significantly wider than previously understood. The attacks from a group commonly tracked as Salt Typhoon and Operator Panda (by Microsoft and CrowdStrike, respectively) were just the first sign that 2025 was unlikely to be an easier year for cyber defense than the challenging years prior.
In the case of the China-linked attacks against telcos, these are “some of the best defended systems in the world—and [attackers] were able to operate undetected,” said Adam Meyers, senior vice president for counter adversary operations at CrowdStrike. From this incident and countless others during 2025, “I’d say we have a clear issue with technical visibility that we need to get on top of,” Meyers told CRN.
The continued intensification of nation-state attacks from countries including China and North Korea was another, related theme of the cyber threat landscape in 2025. When it comes to China, for instance, adversaries increasingly targeted unmanaged devices that organizations lack visibility into—helping to fuel the wave of network device vulnerabilities that have been exploited over the past year, according to Meyers.
Meanwhile, financially motivated cybercriminals were behind many of the other biggest attacks of the year, such as the ransomware attack that led to massive disruption at IT distribution giant Ingram Micro and the widespread data-theft attacks from Salesforce systems, which were enabled by a breach of the Salesloft Drift application.
Additionally, toward the end of the year, the cybersecurity industry grappled with another troubling sign of things to come, as Anthropic disclosed an AI-powered attack that it says was almost entirely an autonomous operation.
What follows are the key details on 10 major cyberattacks and data breaches in 2025.
‘Salt Typhoon’ Telco Attacks Widen
In January, three more U.S. telecommunications providers impacted by the attacks of the China-linked espionage group tracked as Salt Typhoon were disclosed, according to the Wall Street Journal. In addition to the monthslong compromise of major carriers including Verizon and AT&T, the Salt Typhoon hacks also affected Charter Communications, Windstream and Consolidated Communications, the Journal reported. That same month, Verizon said it had “contained” the Salt Typhoon attack, and the Federal Communications Commission (FCC) issued an order requiring U.S. telcos to immediately implement stronger cybersecurity measures. The spate of recent attacks by “state-sponsored cyber actors from the People’s Republic of China” prompted the action, according to the FCC. Some U.S. government officials also saw their communications compromised in connection with the attacks, which Sen. Mark R. Warner described as the worst telecom hack in U.S. history.
Ivanti VPN Attacks
Ivanti disclosed in January that a critical-severity, zero-day vulnerability impacting its widely used Connect Secure VPN had been exploited in attacks. The vulnerability, which can be exploited to execute code remotely without authentication, impacted customers including Nominet, a U.K.-based domain registry provider. “The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely,” Nominet said in an email to customers. Exploitation of the critical vulnerability in Ivanti Connect Secure began at least as far back as December 2024, researchers at Mandiant wrote in a post Jan. 9. Malware used during the attacks shows possible links to a China-based threat actor, the Mandiant researchers disclosed.
SonicWall SMA Attacks
SonicWall said in January that exploitation of a “critical” zero-day vulnerability in the Secure Mobile Access (SMA) 1000 Appliance Management Console and Central Management Console had been reported by Microsoft threat researchers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) later confirmed exploitation of the SMA 1000 vulnerability. The vulnerability can be exploited by a malicious actor to remotely execute code without authentication, according to SonicWall. Then in mid-July, the Google Threat Intelligence Group disclosed that a cybercriminal group tracked as UNC6148 had been observed exploiting SonicWall SMA 100 appliances, likely using known vulnerabilities. Attacks targeting the systems continued to impact SonicWall customers until the end of the year, with the company disclosing exploitation of a new zero-day SMA 1000 vulnerability in December.
United Natural Foods Attack
In June, a cyberattack that struck food distributor United Natural Foods led to shortages at retailers including Whole Foods. In a regulatory filing, United Natural Foods said that it “became aware of unauthorized activity on certain” IT systems on June 5. The company’s containment measures, including taking systems offline, “temporarily impacted the company’s ability to fulfill and distribute customer orders,” United Natural Foods said in the filing. “The incident has caused, and is expected to continue to cause, temporary disruptions to the company’s business operations.” United Natural Foods has been described as the primary distributor for Whole Foods.
Ingram Micro Ransomware Attack
Following media reports on July 4 indicating that IT distribution giant Ingram Micro was experiencing an outage, the company confirmed that it had been impacted by a ransomware attack and was working on restoring its systems. The attack led Ingram Micro to take key systems offline, which disrupted the company’s online ordering systems for nearly a week. On July 10, the company said it had restored all business operations around the globe. The SafePay ransomware organization was responsible for the attack, according to a BleepingComputer report. SafePay’s unusual approach to cyberattacks — shunning the prevalent ransomware-as-a-service model — makes the hacker group more formidable to defend against, security experts have told CRN.
Microsoft SharePoint Attacks
In July, a wave of widespread cyberattacks struck customers that use on-premises Microsoft SharePoint servers, through exploitation of zero-day vulnerabilities in the systems. More than 400 systems were compromised in the “ToolShell” attacks, according to researchers at Eye Security. Reports indicated that the victims included U.S. agencies, and the Department of Energy confirmed it was “minimally impacted” in the attacks. Researchers at Google Cloud-owned Mandiant and Microsoft have pointed to at least some of the attacks originating from China-based threat actors. Microsoft researchers said they observed exploitation activity from a pair of Chinese nation-state threat groups, tracked as Linen Typhoon and Violet Typhoon, as well as from a China-linked threat actor tracked as Storm-2603. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft researchers wrote in the post.
Salesloft Drift Attacks
In September, numerous companies disclosed they were impacted by the breach of a third-party Salesforce application, Salesloft Drift. The companies posted advisories reporting that customer data stored in their Salesforce CRM instances was compromised in connection with the breach of Salesloft-owned Drift. The victims included a number of cybersecurity vendors such as Palo Alto Networks, Zscaler, Cloudflare, Proofpoint, Tenable, Tanium, Rubrik, Cato Networks, CyberArk and BeyondTrust. The attacks involved stolen authentication tokens for Drift, Salesloft’s workflow automation app, which threat actors used to steal data from Salesforce CRM systems.
China-Linked Attacks Accelerate
Surging attacks originating from China have been behind many of the rising threats impacting organizations, including a spike in cloud attacks. Cloud intrusions surged by 136 percent during the first half of 2025 compared to all of 2024, and China-linked attackers are believed to be behind 40 percent of the increase in cloud threats, according to CrowdStrike’s 2025 Threat Hunting Report. In the case of attacks targeting the telecommunications industry, the report found a 130-percent increase in such attacks from nation-state threat actors, driven by dramatically increased operations from China-nexus groups. Along with the Microsoft SharePoint attacks in July, major campaigns tied to China-based attackers in 2025 included a wave of espionage attacks targeting VMware vSphere systems, which was disclosed in December. The attacks—utilizing a sophisticated backdoor known as “Brickstorm”—led to “multiple intrusions” against U.S. customers of Broadcom-owned VMware throughout the course of 2025, according to CrowdStrike’s Counter Adversary Operations team.
North Korea Infiltrations Ramp Up
Throughout 2025, individuals working on behalf of North Korea increasingly sought to dupe U.S. companies into hiring them—through a scheme made possible by laptop farms and false identities—mainly as a way of generating revenue for the heavily sanctioned country. Recently, North Korea has even begun “purchasing” identities from willing participants in the U.S. as part of the scheme, according to Amazon Chief Security Officer Steve Schmidt.
Among other tactics used in the efforts, the North Korea-linked threat actor tracked as Famous Chollima has fabricated resumes with GenAI and conducted interviews using deepfakes for its campaign of gaining fraudulent employment for North Korean workers. Famous Chollima infiltrated more than 320 companies in 12 months, a 220-percent spike, with the help of AI, according to CrowdStrike’s 2025 Threat Hunting Report released in August.
Anthropic Reports ‘AI-Orchestrated’ Attack
In November, Anthropic disclosed what it called “the first reported AI-orchestrated cyber espionage campaign.” The China-linked attack involved a manipulation of an Anthropic coding tool, Claude Code, according to a report posted by the company. The manipulation enabled the attackers to perform AI-powered “reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously,” Anthropic said. In all, the company estimates that “the AI executed approximately 80 to 90 percent of all tactical work independently, with humans serving in strategic supervisory roles.” Anthropic believes the campaign targeted about 30 organizations, and its investigation “validated a handful of successful intrusions,” the company said—though further specifics were not provided on the impacts to customers from the operation.