GCP – Mandiant M-Trends 2025: 3 key insights for public sector agencies
The cyber defense and threat landscape demands continuous adaptation, as threat actors continue to refine their tactics to breach defenses. While some adversaries are using increasingly sophisticated approaches with custom malware, zero-day exploits, and advanced evasion techniques, it’s crucial to remember that not all successful attacks are complex or sophisticated. Many successful attacks exploit basic vulnerabilities, like stolen credentials via infostealers – now the second-highest initial infection vector – or unprotected data repositories.
In order to arm government agencies with the insights needed to combat this multifaceted threat landscape, we’ve just released the 16th edition of our annual report Mandiant M-Trends 2025. By digging deeper into the key trends, data, insights and analysis from the frontlines of our incident response engagements, we aim to help public sector organizations stay ahead of all types of attacks and arm them with critical insights around the latest cyber threats.
Here are three top findings from our annual M-Trends 2025 report and what they mean for public sector agencies.
Malicious exploits top the list
For the fifth consecutive year, exploits – malicious code targeting specific known vulnerabilities in software and networks – continue to be the most frequent source of attacks, or initial infection vector, accounting for one-third of security intrusions. Among Mandiant incident response investigations, the report details the year’s four most targeted vulnerabilities, affecting vendors like Palo Alto Networks, Ivanti, and Fortinet.
Given public sector agencies handle vast amounts of sensitive citizen data and critical infrastructure, this underscores the necessity for stringent cybersecurity hygiene, rapid patching protocols, and continuous threat intelligence to prevent severe operational disruptions and maintain public trust.
Increasing malware families and threat groups
According to the report, in 2024 Mandiant began tracking 632 net new malware families, bringing the total number of tracked malware families to over 5,500 unique families. Also tabulated were 737 newly tracked “threat groups” – clusters of consistent attacks – bringing the total to over 4,500 currently tracked groups. Many of these groups may indicate organized cybercrime campaigns – including financial theft and state-sponsored espionage – targeting both the public and private sectors.
For public sector agencies, this proliferation of new malware families demands enhanced vigilance, adaptive defense strategies, and intelligence-driven cybersecurity investments to safeguard critical government operations and sensitive citizen data from sophisticated attacks.
New York City Cyber Command, a centralized organization charged with protecting the city systems that deliver critical services New Yorkers rely on, leverages a highly secure, resilient, and scalable cloud infrastructure powered by Google Cloud that helps its cybersecurity experts detect and mitigate an estimated 90 billion cyberthreats every week. By applying Google’s Zero Trust framework to secure the smartphones and other devices used by police officers, and by leveraging Google Threat Intelligence, they are able to get the right information to the right teams at the right time in order to detect and respond to threats faster.
Ransomware on the rise
This year’s M-Trends 2025 report dives deeper into the global scope and consequences of ransomware – with ransomware-related events accounting for over one-fifth (21%) of all Mandiant incident response investigations in 2024. The most commonly observed initial infection vector for ransomware-related intrusions, when the vector could be identified, was brute-force attacks, followed by stolen credentials and exploits. This increasing risk facing organizations of all kinds – including public sector agencies – necessitates investment in resilient cybersecurity infrastructure, comprehensive employee training, and the adoption of defense tools.
Covered California leverages Assured Workloads and Google Security Operations (SecOps) to proactively scan all log information, signatures and threats in the landscape to eliminate security blind spots and proactively safeguard against attacks. In this framework, all solution network traffic is private and encrypted at all times. Together, these solutions help Covered California achieve its goals to reduce costs for residents and increase the number of Californians with access to healthcare, while also improving the employee and customer journey.
Arming public sector agencies in readiness and response
With this latest M-Trends 2025 report, we aim to equip security professionals across public sector agencies with frontline insights into the latest evolving cyberattacks, as well as practical and actionable learnings for better organizational security. Read the full M-Trends 2025 report here, and subscribe to our Google Public Sector Newsletter to stay informed and stay ahead with the latest updates, announcements, events and more.