32% of exploited vulnerabilities are now zero-days or 1-days

Russian and Iranian threat activity rises: The security industry attributes only some of the newly discovered exploits to known attacker groups, and only some of those groups have known countries of origin. As a result, statistics on the origin of attacks are not perfect.

During the first half of 2025, 181 of the CVEs added to the KEV database by VulnCheck were reported as being attributed to 92 known threat actors based on industry reports. Of those groups, only 56 had a country of origin attributed to them.

“If we look at the threat actors by attributed country, we quickly see that the usual suspects, China (20), Russia (11), North Korea (9), and Iran (6), have the largest number of active threat actor groups,” the VulnCheck researchers concluded. “These countries are known for their cyber espionage and cyber activities, often being referred to as the four horsemen.”

Although China still leads in the number of individual groups that exploit KEVs, its cumulative KEV attributions during 2025 decreased compared to 2024, based on VulnCheck’s data. Meanwhile, activity from Russian groups has increased. And while North Korea’s KEV attributions also dropped compared to last year, Iran’s have risen. These shifts, however, can be influenced by the timing of industry reports.

For example, the 2025 increase in Iranian attribution seems to be tied to a June report from security firm Tenable, which attributed 29 KEVs to Iranian threat actors. Similarly, the spike in North Korean KEV attribution in 2024 could be tied to a joint report released by government agencies from the US, UK, and South Korea, in which 44 new KEVs were attributed to a North Korean state-sponsored group tracked as Silent Chollima or Andariel.

“The spike in Russian attribution isn’t tied to specific reports and attribution is broadly distributed across sources, which re-emphasizes Russia continues to be a major force behind threat activity and vulnerability exploitation,” VulnCheck said.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4031603/32-of-exploited-vulnerabilities-are-now-zero-days-or-1-days.html
