
Government Cyber Attacks: 10+ Examples, Trends & Tips for Prevention

December 04, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Dylan Miller

Partner Manager, Audit and Technology

Governments are facing an unprecedented surge in cyber attacks due to increased activity of nation-state groups, AI-powered tooling, and vulnerabilities hidden in sprawling supply chains, among other factors. 

The impact is not limited to government agencies; it is felt by any organization connected to these agencies or systems, servicing critical infrastructure, or simply handling sensitive data. In IO’s State of Information Security Report 2025, 88% of cybersecurity and information security leaders surveyed at UK and US organizations said they’re worried about state-sponsored cyber attacks.

From ransomware locking down emergency alert systems to AI-generated deepfakes impersonating military officials, recent cyber attacks show that federal agencies and contractors around the world are struggling to keep pace with the sophistication and frequency of today’s cybersecurity threats.

This article breaks down the most significant government cyber attacks so far this year, the trends behind them, and what public-sector organizations and their vendors can do to reduce risk and improve resilience.

Recent government cyber attacks

Below are five of the most notable government cyber attacks so far this year and what organizations can learn from them. 

These examples illustrate how wide-ranging and disruptive government-related incidents have become—whether government agencies are hit directly, compromised through suppliers, or forced to respond to major private-sector breaches that affect national security or public welfare.

Image: government cyber attack statistics from 2025 reports by IBM, IO, and Media Trust

1. US Congressional Budget Office cyber incident

Date: November 2025

Impact: Cyber incident on the US Congressional Budget Office prompts new security measures and warnings of potential targeted phishing attacks

On November 6, 2025, the US Congressional Budget Office (CBO) said it had identified a security incident and took immediate action to contain the breach, including implementing new security controls and additional monitoring. Officials in the Senate Sergeant at Arms office also notified multiple congressional offices of the cyber incident, warning them that email communication between the CBO and Senate offices may have been exposed to hackers and that the compromised data could be used to craft highly targeted phishing emails.

The Washington Post initially reported the breach against the nonpartisan agency tasked with providing economic and budgetary information to Congress may have been perpetrated by a suspected foreign actor. The CBO did not confirm this nor did it say whether government data was potentially disclosed to malicious actors.

Key learning

This incident took place during the government shutdown, which began on October 1 and ended on November 13. Researchers at the Media Trust observed a spike of activity on the very first day of the shutdown and estimated that it would spark an 85% increase in US government cyber attacks that month. That would mean federal agencies experiencing more than 555 million cyber attacks by the end of October, with the Department of Veterans Affairs (VA) and the Department of Justice (DOJ) bearing the brunt of them.

Ilona Cohen, former general counsel for the US Office of Management and Budget (OMB), emphasized that the most serious consequences of this surge in attacks won't come in the form of immediate breaches, but longer-term consequences such as paused projects, delayed modernization of legacy systems, and vulnerabilities going unaddressed.

As US federal agencies continue to face cyber attacks that are unprecedented in number and impact, they are increasingly enforcing strong cybersecurity standards across their supply chains.

Contractors and subcontractors that already meet these requirements and can demonstrate they’re capable of safeguarding sensitive information will be better positioned to maintain eligibility for new and existing contracts.

Looking to strengthen your security before an incident like this puts your data or contracts at risk? Download our Federal Compliance Checklist to start putting the right controls and processes in place.

Recommended reading

What’s Next in Data Protection: 6 Must-Know Trends for 2026 and Beyond

2. Ransomware attack affecting dozens of US local governments

Date: November 2025

Impact: Ransomware attack disrupts local emergency alert system across US

Allegedly starting on November 1, the Inc Ransom ransomware group gained access to the OnSolve CodeRED platform and deployed file-encrypting ransomware on November 10. As a result, the CodeRED system experienced operational disruptions, leaving cities, counties, and law enforcement in many US states unable to send emergency notifications about public safety events such as floods, gas leaks, chemical spills, fires, missing persons, and bomb threats.

It also resulted in a data breach of CodeRED users, including names, email addresses, physical addresses, phone numbers, and user profile passwords associated with a legacy platform, which Inc Ransom claims to have put up for sale.

Due to the impact of the cybersecurity incident, some customers—including Colorado law enforcement agencies—are reportedly attempting to cancel CodeRED contracts.

Key learning

This incident highlights how ransomware attacks on government contractors can have devastating impacts on critical infrastructure and pose significant risks to public safety. As a result, these contractors often suffer severe consequences, including reputational harm, costly outages and downtime, and lost contracts and revenue. 

Having strong cybersecurity controls like disaster recovery processes and plans in place can reduce these risks, which is why compliance with frameworks such as CMMC and FedRAMP is increasingly being enforced through federal contracts and procurement processes. 

Recommended reading

Disaster Recovery Plan Template, Examples & Why You Need One for 2026

3. Cyber attack on South Korea retail giant Coupang

Date: November 2025

Impact: Data breach of South Korea's largest online retailer affects 65% of country’s population

South Korea's largest online retailer, Coupang, announced a data breach affecting 33.7 million customer accounts on November 29, 2025. On-site inspections by the Ministry of Science and ICT verified that threat actors leveraged authentication flaws in the company’s systems to illicitly extract customer data from the more than 30 million customer accounts—indicating that the attackers exploited server vulnerabilities to bypass standard login protocols. 

Currently, the Chairperson of the Personal Information Protection Commission (PIPC) is focused on determining if Coupang neglected its mandatory security obligations, such as proper access control and encryption, which may lead to fines or other sanctions for non-compliance.

While this attack wasn’t directly on the government, the South Korean government did declare an emergency as a result of the data breach since it affected approximately 65% of the country’s population. The government-run Korea Internet & Security Agency also issued a public advisory for those affected by the breach, warning them about phishing scams.

Key learning

The attack on Coupang is the latest in a string of cybersecurity incidents in South Korea this year affecting credit card companies, telecoms, tech startups, and government agencies. The often slow and uncoordinated responses of government ministries and agencies have revealed persistent challenges and gaps in the country’s cyber defenses.

For example, Brian Pak, the chief executive of Seoul-based cybersecurity firm Theori, said a major issue is that the government continues to treat cybersecurity as a crisis management issue rather than as critical national infrastructure, which has also exacerbated the issue of a severe shortage of skilled cybersecurity experts. 

South Korea is a warning to all countries increasingly targeted by hackers and nation-state groups: cybersecurity must be prioritized as a national security imperative in order to improve the resilience of their digital infrastructure and develop their cyber workforce.

Recommended reading

Cybersecurity Explained: What It Is & 13 Reasons Cybersecurity is Important

4. Phishing attack campaign targeting the Russian government

Date: Early 2025

Impact: Sophisticated phishing campaign targets government officials and organizations primarily in Russia

Cyber attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia and several other countries in Central Asia, beginning in early 2025, have been attributed to the threat actor known as Tomiris.

According to analysis by Kaspersky, this latest campaign of spear-phishing emails highlights an evolution in Tomiris’s tactics. The threat actor is increasingly using implants that leverage public services such as Telegram and Discord as command-and-control (C2) servers, likely with the goal of blending malicious traffic with legitimate service activity to better evade detection by security tools. The implants Kaspersky discovered were also written in multiple programming languages, which increases operational flexibility and further complicates detection.

This shift in tactics underscores the threat actor's continued focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations, according to Kaspersky.

Key learning

In IBM’s Cost of a Data Breach Report 2025, phishing was the initial attack vector in 16% of all data breaches and the third costliest vector, costing an average of $4.8 million per attack. 

As threat actors continue to evolve their tactics, government agencies globally must remain vigilant against this costly type of social engineering attack and prioritize phishing awareness training and simulated phishing campaigns in their employee training programs to reduce the threat to diplomatic infrastructure. 

Recommended reading

60+ Phishing Attack Statistics: The Facts You Need To Know for 2026

5. AI deepfake cyber attacks on South Korean government

Date: July 2025

Impact: Spear-phishing attack targets a South Korean defense-related organization using AI deepfake images

A hacking group allegedly linked to North Korea carried out a cyber attack on South Korean organizations, including a defense-related institution, using AI-generated deepfake images.

According to a recent report by South Korean security institute Genians Security Center (GSC), the state-affiliated hacking group attempted a spear-phishing attack on a military-related organization in July using fake South Korean military agency ID card images created with ChatGPT. 

Image: fake South Korean military agency ID card images created with ChatGPT, used in the phishing attack on the South Korean government

Image source: Genians Security Center’s Threat Intelligence Blog

These images were designed to make the emails appear more legitimate and convince victims to click the malicious link in the email, which was disguised as correspondence about ID issuance for military-affiliated officials. The sender’s email address was also designed to closely mimic the official domain of a South Korean military institution to enhance the effectiveness of the social engineering attack. 
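The lookalike sender domain described above is the kind of signal a mail gateway or SOC triage script can check mechanically. The following is an added example, not code from the original article or from Genians Security Center: it pulls the domain out of a From: header, accepts exact and subdomain matches against a trusted-domain list, folds a small table of visually confusable characters before computing edit distance, and also flags a trusted name that has been embedded as a label inside an unrelated domain. The trusted list (agency.example), the sample headers and the confusables table are all constructed placeholders.

```python
"""Flag sender domains that closely resemble a trusted domain.

Added example, not code from the original article or from Genians Security
Center. The trusted-domain list, From: headers and confusables table below are
constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Small illustrative table of character swaps that read alike in many fonts.
# Multi-character keys are applied first so "rn" -> "m" runs before single-character rules.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Domain part of the address at the end of a From: header, with an optional closing '>'.
_FROM_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def normalize(domain: str) -> str:
    """Lower-case the domain and fold confusable characters into canonical ones."""
    d = domain.lower().strip(".")
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str | None:
    """Return the lower-cased domain of the address in a From: header, or None."""
    m = _FROM_DOMAIN.search(from_header)
    return m.group(1).lower() if m else None


@dataclass
class Verdict:
    domain: str | None
    suspicious: bool
    reason: str


def check_sender(from_header: str, trusted: list[str], max_distance: int = 2) -> Verdict:
    """Classify the From: domain against a trusted-domain list.

    Order matters: an exact or subdomain match is accepted first, so legitimate
    mail from mail.agency.example is never caught by the fuzzy rules below.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return Verdict(None, True, "no parseable sender domain")
    trusted = [t.lower() for t in trusted]
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return Verdict(domain, False, "trusted domain")
    norm = normalize(domain)
    for t in trusted:
        dist = levenshtein(norm, normalize(t))
        if dist <= max_distance:
            return Verdict(domain, True, f"lookalike of {t} (edit distance {dist} after folding confusables)")
    # A trusted name reused as a label deeper inside an untrusted domain,
    # e.g. agency.example.verify-login.example
    labels = set(domain.split("."))
    for t in trusted:
        name = t.split(".")[0]
        if name in labels:
            return Verdict(domain, True, f"trusted name '{name}' embedded in untrusted domain")
    return Verdict(domain, False, "unrelated domain")


# Constructed sample data (hypothetical domains, not real organizations).
TRUSTED = ["agency.example"]
SAMPLE_HEADERS = [
    "ID Office <id-issuance@agency.example>",                       # legitimate
    "ID Office <id-issuance@mail.agency.example>",                  # legitimate subdomain
    "ID Office <id-issuance@agancy.example>",                       # one-character typo squat
    "ID Office <id-issuance@agency.examp1e>",                       # digit 1 standing in for l
    "ID Office <id-issuance@agency.example.verify-login.example>",  # trusted name as a label
    "Newsletter <news@unrelated.example>",                          # unrelated sender
]


def triage(headers: list[str] = SAMPLE_HEADERS, trusted: list[str] = TRUSTED) -> list[Verdict]:
    """Run check_sender over a batch of headers and return one Verdict per header."""
    return [check_sender(h, trusted) for h in headers]


if __name__ == "__main__":
    for v in triage():
        print(("FLAG " if v.suspicious else "ok   ") + f"{v.domain}: {v.reason}")
```

The confusables table here is deliberately tiny; a production filter would use the Unicode confusables data, handle IDNA/punycode domains, and compare against the registrable domain rather than the full host name. The ordering of rules is the important design choice: trusted matches are accepted before any fuzzy comparison, and a header with no parseable sender is treated as suspicious rather than silently passed.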

While the goal was to compromise target systems with malware, no data breach has been reported publicly.

Key learning

State-sponsored groups and other malicious users are increasingly leveraging generative AI to make social engineering attacks more convincing and increase the chance of engagement. 

In June 2025, OpenAI published a report on how hacking groups have been using its large language model (LLM) and generative AI systems to support their offensive operations, including social engineering, cyber espionage, deceptive employment schemes, covert influence operations, and scams.

Organizations must proactively prepare for this possibility of AI misuse by improving AI governance and maintaining continuous security monitoring across their operations and business processes. Adopting an AI framework like NIST AI RMF or ISO 42001 is one of the best ways to establish robust AI governance and implement security best practices.

Recommended reading

Why You Need an AI Policy in 2025 & How to Write One [+ Template]

Recommended reading

2025’s Biggest Cybersecurity Threats: Analyzing Recent Attacks, Emerging Threats + How to Defend Against Them

How to prevent government cyber attacks

The rise in government cyber attacks and threats demands a more proactive approach to cybersecurity that’s driven by intelligence and aligned with compliance requirements. 

Below are four proven strategies to prevent government cyber attacks that are rooted in both private-sector security best practices and the regulatory frameworks shaping public-sector cybersecurity requirements.

1. Comply with government cybersecurity regulations

Meeting mandatory or recommended cybersecurity requirements is one of the most effective ways to strengthen government cybersecurity. This may include:

  • FedRAMP for US federal cloud services
  • CMMC for the Defense Industrial Base (DIB) 
  • TISAX for the automotive sector
  • The EU AI Act for AI providers and deployers that are part of the EU market
  • The NIS2 Directive for operators of critical infrastructure and essential services in the EU

These frameworks are designed to ensure a consistent baseline of security across the entire government supply chain, including strong access controls, incident response planning, continuous monitoring, and much more.

Compliance not only prevents lost contracts or delays and legal liability with laws like the False Claims Act—it also improves the private and public sector’s collective ability to protect sensitive information from unauthorized access or compromise and national security as a whole. 

2. Implement secure-by-design principles

Government systems are especially vulnerable when security is added after deployment rather than built in from the start. 

Secure by design is an initiative created by the US Cybersecurity and Infrastructure Security Agency (CISA) along with other government agencies inside and outside the US to help reduce the attack surface and prevent exploitation of systemic weaknesses by making security a fundamental consideration from the start rather than layered on top.

It calls on technology providers to adhere to cybersecurity best practices across the software development life cycle, including:

  • Enforcing least-privilege access
  • Building authentication and authorization directly into systems
  • Conducting continuous code scanning and threat modeling
  • Using cryptographic controls by default
  • Following NIST secure software development guidance

This shift from reactive cybersecurity to proactive prevention is increasingly embraced by governments worldwide—although they’re taking different approaches. For example, while the United States pursues a pledge-based model for implementing secure by design principles, Australia mandates secure-by-default principles for certain products, like smart devices, through legislation.

3. Enhance cybersecurity information sharing between the public and private sectors

No single agency or contractor sees the full threat landscape. Improving information sharing—voluntarily and through expanded authorities—gives defenders earlier warning about:

  • Active nation-state campaigns
  • Zero-day exploit trends
  • Targeted phishing operations
  • APT infrastructure and behavior patterns
  • Sector-specific vulnerabilities

Improved visibility reduces blind spots and helps organizations respond faster and more collaboratively. Recognizing that cyber resilience is a shared mission, many governments are now strengthening public-private threat intelligence partnerships and launching initiatives. For example, this year, the European Union Agency for Cybersecurity developed the European Vulnerability Database in cooperation with different EU and international organisations to help both private and public sector stakeholders across the EU market improve vulnerability management.

Federal Compliance Checklist

Download our Federal Compliance Checklist for more steps you can take to meet cybersecurity requirements often mandated in federal contracts and designed to safeguard sensitive information systems and information that are critical to essential services, public safety, or economic stability.

How Secureframe can help prevent government cyber attacks

Improving government cybersecurity and resilience requires a multi-pronged approach that combines automation, clear documentation, ongoing assessments, and real-time visibility and data.

Secureframe helps federal agencies, contractors, and critical infrastructure providers simplify and strengthen their security and compliance programs in several key ways:

  • Automated compliance with federal frameworks: Secureframe accelerates readiness with mandatory and voluntary federal frameworks, including CMMC, FedRAMP 20x, NIST 800-53, NIST 800-171, and NIST RMF by automating key compliance tasks, including evidence collection, control mapping, documentation generation and management, continuous control monitoring, and more.
  • Automated continuous monitoring and remediation: Secureframe continuously monitors your infrastructure, applications, and vendor ecosystem to detect misconfigurations and vulnerabilities in real time and streamlines remediation of these issues with easy task management and step-by-step guidance or infrastructure-as-code fixes generated by Comply AI—before they escalate into security incidents or audit failures.
  • Secure cloud configuration: For federal agencies looking to expand their cloud environment or contractors supporting federal workloads, Secureframe automatically provisions secure federal cloud environments, including Azure Government, GCC High, Google Workspace, Intune, and AWS GovCloud.
  • Asset, vendor, and risk management: Secureframe integrates with your infrastructure to automatically discover in-scope assets and link them to framework requirements. You can also inventory and track vendors—especially those storing or transmitting sensitive information like CUI or providing security functions—to ensure they meet contractual requirements. And you can assess, manage, and remediate risk to those assets and vendors using Secureframe’s automation and AI workflows. 

Private- and public-sector organizations like the energy startup ElectricFish and defense contractor Adyton use Secureframe to modernize their security programs, meet increasing and evolving compliance requirements, and become more resilient against the sophisticated cyber threats targeting governments and businesses worldwide.

Talk to an expert to learn how Secureframe can help you achieve these goals. 


FAQs

How does the government prevent cyber attacks?

To improve the cybersecurity posture and resilience of the nation and prevent cyber attacks on government agencies as well as contractors and private-sector businesses, governments use a two-pronged approach:

  • Cybersecurity regulations, policies, and enforcement actions are used to mandate certain security practices
  • Voluntary frameworks, initiatives, playbooks, and other resources created in collaboration with local government, private-sector, and international partners to foster a culture of security 

How does the government address cyber attacks when they occur?

When a cyber attack happens, the government typically activates coordinated incident response procedures that may involve multiple agencies, like CISA, the FBI, the NSA, and the Department of Homeland Security in the US or equivalent national agencies in other countries. These procedures involve containment, forensic investigation, public disclosure (when required), and remediation.

Is the US currently under a cyber attack?

Like most countries, the US is constantly under attack, with federal agencies likely facing millions of attempted intrusions and persistent cyber threats daily. During the government shutdown in 2025, Media Trust projected over 555 million cyber attacks could occur against federal systems within the month of October alone, which would translate to around 18.5 million attacks per day. To help the public stay up-to-date, CISA, the FBI, and other agencies regularly report news and alerts about elevated cyber activity from nation-state groups or other malicious users targeting government systems, contractors, critical infrastructure, or the private sector.

What government agencies have been hacked?

It might be easier to answer what government agencies have not been hacked. To help show how widespread cyber attacks have been across the public sector globally, take a look at some recent examples from the Significant Cyber Incidents timeline maintained by the Center for Strategic and International Studies:

  • Canada’s House of Commons was attacked in August 2025, exposing employee data and details of government-managed devices.
  • Curaçao’s Tax and Customs Administration as well as other Caribbean governments that are part of the Kingdom of the Netherlands were hit by cyberattacks in August as well.
  • US government agencies, including the National Nuclear Security Administration, were breached in July 2025 by Chinese state-linked hackers that exploited critical flaws in Microsoft’s SharePoint software.
  • Kurdish and Iraqi government networks were hacked by an Iranian-linked espionage group, which maintained persistent access for eight years, as reported in June 2025.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Dylan Miller

Partner Manager, Audit and Technology

Dylan Miller is the Partner Manager of Audit & Technology at Secureframe, where he bridges the gap between audit, security, and technology to help organizations streamline and scale their compliance programs. With deep hands-on experience across frameworks like SOC 1, SOC 2, ISO 27001, and HIPAA—and a Finance degree from Temple University’s Fox School of Business—Dylan brings a unique mix of business acumen and technical fluency. He’s passionate about building transparent, value-driven partnerships and helping teams adopt smarter, more automated approaches to cybersecurity compliance.