Top 10 Cybersecurity Incidents Of 2025

It’s the wrap-up time for 2025, including the top cyber incidents of the year. This year, we witnessed record-breaking attacks and economic consequences we have never seen before — from the £1.9 billion hit to the UK economy to the 29.7 Tbps DDoS attack. We saw major compromises of supply chains, critical cloud infrastructure, and core browser technology.

Here are 10 of the most notable cybersecurity incidents of 2025, categorized into supply chain attacks, cloud services disruption, volumetric attacks, zero-day attacks, and government breaches.


Supply Chain Attacks

1. Jaguar Land Rover (JLR) Cyberattack

The incident: In late August, Jaguar Land Rover experienced a breach that halted its operations and production across multiple factories and corporate offices for weeks (limited production only resumed in October). The ripple effects were immediate and severe, and it was not just JLR that suffered.

Analysts estimated that the incident caused a £1.9 billion economic hit to the UK, with more than 5,000 suppliers affected and hundreds of staff laid off. Parts deliveries failed, and production lines had to shut down in what is now known as the costliest cyberattack in British history.

How it happened: The cyber incident was first detected when an employee reported anomalous activity on a peripheral network, leading to the discovery of an unauthorized intrusion.

While JLR has not released a full technical report, security researchers and leaked information from the attackers revealed that the breach was caused by well-established tactics, notably social engineering (i.e., a vishing [voice phishing] campaign conducted weeks earlier) and credential abuse.

2. Collins Aerospace Cyberattack

The incident: In September, a cyberattack targeted Collins Aerospace and caused disruption to European air travel. Collins provides check-in solutions for the aviation industry, so the breach affected the check-in and boarding systems used by multiple major European airports. For days, passengers faced long lines, flight delays, and cancellations. Airlines had to resort to manual check-in procedures, which slowed operations to a crawl.

How it happened: The incident has been attributed to a HardBit ransomware attack — with the threat actor expecting the impact to be severe because Collins Aerospace is a key vendor in the aviation supply chain. The attack targeted the check-in/boarding system, encrypted data, and locked the workstations used by airline staff.

Cloud Services Disruption

3. Amazon Web Services (AWS) Global Outage

The incident: On October 20, 2025, a massive AWS outage disrupted thousands of services that depend on it. The failure centered on the Virginia-based US-EAST-1 data center region, which is a critical hub for cloud infrastructure.

Industry experts estimated financial losses to have reached up to $75 million per hour, with hundreds of businesses that rely on these cloud services for daily operations going offline and unable to process transactions. Millions of end-users were unable to access major platforms, such as:

  • Amazon Alexa
  • Duolingo
  • Canva
  • Fortnite
  • Snapchat
  • Vodafone
  • Zoom

How it happened: The outage was not due to a malicious attack but to a Domain Name System (DNS) configuration error. An automated update triggered a latent bug in the DNS management automation, causing a cascading failure of network devices. The system became unable to process API calls or route traffic correctly within the region.

4. Cloudflare Multi-Service Outages

The incident: The internet experienced two significant disruptions caused by Cloudflare in 2025. On November 18, 2025, major services such as X, ChatGPT, Spotify, and a host of mobile applications became inaccessible for several hours. This was followed on December 5, 2025, by a second, 26-minute service disruption.

Millions of websites rely on Cloudflare for security and performance. When it went down, so did many of the world’s popular services, including Spotify, ChatGPT, and Fortnite. The outage affected APIs that power mobile apps and backend systems for countless businesses.

How it happened: Cloudflare attributed the November 18 outage to a routine database permissions change, which unexpectedly caused the system that generates the configuration file for the bot management service to return duplicate entries. The resulting configuration file exceeded a hard-coded size limit in the core proxy software, which subsequently triggered a crash across Cloudflare’s global fleet.

The December outage, by contrast, was caused by a flawed firewall rule deployment. The engineering team pushed a change to the global network intended to mitigate a critical vulnerability (CVE-2025-55182). However, the rule contained a logic error that caused the firewall to consume excessive CPU resources across the entire fleet. This effectively created a self-inflicted denial-of-service (DoS) condition.

Volumetric Attacks

5. Aisuru Botnet DDoS Attacks

The incident: The Aisuru botnet launched some of the largest attacks ever recorded in 2025. One campaign peaked at a record-breaking 29.7 Terabits per second (Tbps) with a packet rate of 14.1 billion packets per second (Bpps). These numbers were previously thought to be impossible.

The attacks stressed the global internet infrastructure to its breaking point, with Internet Service Providers (ISPs) and backbone carriers struggling to scrub the sheer volume of malicious traffic. The Aisuru botnet did not just target a single victim. It caused collateral damage that slowed down internet speeds for entire regions.

How it happened: The Aisuru botnet leveraged millions of compromised IoT devices and home routers. It utilized UDP carpet bombing, a method that targets a wide range of destination ports simultaneously rather than a single IP address.

The malware masks its signature to bypass static filters by randomizing packet attributes. This made it hard for traditional scrubbing centers to distinguish attack traffic from legitimate requests.

6. Cloudflare-Mitigated DDoS attack

The incident: Cloudflare blocked a massive multi-vector DDoS attack targeting an unnamed hosting provider in May. The 7.3 Tbps attack delivered 37.4 TB of traffic in only 45 seconds.

The attack originated from over 122,145 source IP addresses across 5,433 Autonomous Systems (AS) and 161 countries, primarily using UDP floods, but also incorporating reflection attacks. This set a new volume record for Cloudflare’s platform at the time.

How it happened: The attack traffic was primarily generated by compromised IoT devices, consistent with known Mirai-variant botnets. A UDP flood bombarded the target’s single IP address across an average of 21,925 destination ports per second.

Zero-Day Attacks

7. Microsoft SharePoint Zero-Day Compromise

The incident: An attack exploiting a vulnerability in Microsoft SharePoint servers happened in July and was allegedly carried out by one or more state-sponsored espionage groups. The attackers used a zero-day exploit to breach around 100 organizations in the finance, government, and industrial sectors, mainly in the U.S. and Germany.

The goal was not destruction but deep infiltration. Attackers gained persistent access to sensitive document repositories and internal communications. They remained undetected for weeks and exfiltrated terabytes of confidential data.

How it happened: The attackers exploited two vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that were bypasses of the fixes for two earlier vulnerabilities in on-premises SharePoint servers: the spoofing vulnerability CVE-2025-49706 and the remote code execution vulnerability CVE-2025-49704. Microsoft had already patched the latter two, but the threat actors were apparently able to bypass those patches.

This allowed them to send specially crafted web requests to the server and execute arbitrary commands with the SharePoint application’s privileges. As a result, they were able to drop web shells and harvest credentials from memory to move laterally across the network.

8. Chrome Zero-Day Exploitations

The incident: In early December, Google issued a security advisory for billions of Chrome users worldwide, confirming yet another actively exploited zero-day vulnerability for the year. It joins the other Chrome zero-days exploited in attacks during 2025:

  • CVE-2025-13223
  • CVE-2025-10585
  • CVE-2025-6558
  • CVE-2025-4664
  • CVE-2025-5419
  • CVE-2025-2783

All these vulnerabilities were exploited in attacks in 2025, before fixes were made available.

How it happened: The newly fixed zero-day vulnerability, which had not been assigned a CVE ID at the time of writing, was a buffer overflow that specifically affected the Metal renderer on Mac and Windows systems.

Attackers exploited this flaw by creating malicious web pages that tricked the library into improperly sizing a data buffer. This allowed them to escape the browser’s security protection and run unauthorized code on the victim’s computer.

Government Breaches

9. Paraguay Government Ransomware Incident

The incident: The hacker group known as Brigada Cyber PMC struck the Paraguayan government in June, claiming to have breached the networks of several government agencies. The group claimed to have encrypted critical databases and demanded a ransom of US$7.4 million to restore access.

The incident was a national-level crisis, with the personally identifiable information (PII) of 7.4 million citizens stolen and posted for sale.

How it happened: The Government of Paraguay did not offer detailed information about how the attack happened, but cybersecurity analysts say that the threat actor’s tactics mirrored those of LockBit 3.0, particularly the release of a torrent file alongside ZIP files containing the stolen PII. There is also a possibility that the compromise actually started in 2024.

10. St. Paul, Minnesota Municipal Cyberattack

The incident: The city of St. Paul, Minnesota, declared a state of emergency in July 2025 following a severe cyberattack. The breach disabled multiple city systems and shut down payment portals, public Wi-Fi networks, and internal communication tools.

The disruption was so severe that the National Guard was called in to assist with cyber defense and recovery efforts. City residents could not pay water bills or access online permits. Police and fire departments had to rely on backup radio systems for dispatch.

How it happened: The mayor disclosed that the attack was carried out by a sophisticated, money-driven organization known for stealing and selling sensitive information, which had been previously flagged in a CISA advisory.

The city confirmed that the group demanded a ransom, which the officials refused to pay. Following this refusal, the group claimed to have posted 43 gigabytes of stolen data online, most of which was from a shared network drive.

How To Be Better Prepared In 2026

1. Strengthen Visibility with Network Security Monitoring (NSM)

Network Security Monitoring (NSM) provides the deep insight required to detect early intrusion signals long before they escalate into catastrophic breaches. Security teams need to move past simple signature matching. Focus on monitoring for behavioral anomalies like abnormal data traffic patterns, lateral movement across servers, or Command and Control (C2) beaconing.

NSM is effective because it catches the action of the attacker, not just the tool they use. If a database server starts sending gigabytes of data to an unfamiliar external IP, NSM flags it immediately. This allows your team to intervene during the initial staging phase of a ransomware deployment or data exfiltration.
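The two behaviors described above, bulk egress from an internal server to an unfamiliar external address and regular-interval C2 beaconing, as an added detection example written for this article (not code from any NSM product). The flow records, the internal range, the allowlist, and the thresholds are all constructed assumptions.

```python
# Added example: flag bulk egress to unfamiliar external IPs and periodic
# beaconing in a set of flow records. All data and thresholds are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8")]      # assumed corporate range
KNOWN_EXTERNAL = {"203.0.113.10"}          # assumed allowlist of partner/cloud IPs
EGRESS_LIMIT = 1 * 1024**3                 # 1 GiB per (source, destination) pair

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, bytes_sent)
FLOWS = [
    (0,    "10.0.5.20", "203.0.113.10", 50_000_000),   # backup to allowlisted host
    (60,   "10.0.5.20", "198.51.100.7", 900_000_000),  # db server to unknown IP
    (120,  "10.0.5.20", "198.51.100.7", 400_000_000),
    (0,    "10.0.9.4",  "192.0.2.44",   512),          # tiny, every ~300 s
    (300,  "10.0.9.4",  "192.0.2.44",   512),
    (601,  "10.0.9.4",  "192.0.2.44",   512),
    (899,  "10.0.9.4",  "192.0.2.44",   512),
    (1200, "10.0.9.4",  "192.0.2.44",   512),
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def bulk_egress_alerts(flows, limit=EGRESS_LIMIT):
    """Sum bytes per (src, dst); flag internal->unfamiliar-external pairs over limit."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            totals[(src, dst)] += nbytes
    return sorted(pair for pair, total in totals.items() if total > limit)

def beacon_alerts(flows, min_events=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant,
    i.e. the coefficient of variation of the gaps is at or below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    alerts = []
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(pair)
    return sorted(alerts)
```

Both functions return the offending (source, destination) pairs, so the same logic can be fed from real flow exports once the internal range and allowlist are replaced with your own.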

2. Apply Strict Zero-Trust Principles

2025 proved yet again that once an organization’s external defenses are breached, attackers can move through internal networks silently and quickly. Organizations must move towards zero trust maturity, implementing strict controls such as:

  • Continuously verify every connection. Treat all users and devices, whether inside or outside your network, as untrusted until proven otherwise.
  • Enforce least privilege access across the organization. A compromised laptop in the corporate network should not grant access to critical industrial systems.
  • Segment critical systems. Isolate operational technology (OT), such as the systems in JLR’s factories and the critical airport infrastructure at Collins Aerospace, from the general corporate IT network.

Combined, these strategies help limit the blast radius. They confine attackers to their initial point of entry, providing security teams time to detect and mitigate the threat before it turns into a business-crippling incident.

3. Maintain Aggressive Patching And Attack Surface Management

Threat actors are exploiting vulnerabilities within hours of disclosure. Organizations must implement an aggressive patching schedule that prioritizes critical vulnerabilities in public-facing assets.

However, you can’t patch what you don’t see, so you need to continuously discover and map your digital footprint and look out for exposed servers, forgotten cloud services, and shadow IT assets.

4. Reduce Dependency Risk Through Supply-Chain Controls

Your security posture is inherently tied to your weakest vendor. The major incidents of 2025 showed that supply-chain compromise is a dominant threat vector, so you must actively monitor the security posture of every third-party system connected to your network.

Start by formally scoring vendor security based on objective criteria and audits. For any purchased software, you should ask for a Software Bill of Materials (SBOM), an inventory of components that allows you to assess your risk if a vulnerability is found in an underlying component.

Additionally, isolate third-party systems. A vendor’s maintenance connection should never have unrestricted access to your critical data. Monitor contractor access for anomalies, and make sure you can instantly revoke access if a vendor reports a breach.

5. Implement Redundancy And Fallback Systems

The major cloud and infrastructure outages proved that system failure is inevitable, making cyber resilience a priority. Organizations must assume their primary services will fail and plan for continuity. Below are some tactics to be included in your backup plan:

  • Implement a multi-region or multi-cloud setup. Traffic must automatically failover to a working region if a primary one goes down.
  • Create offline operational backups and manual overrides so that operations can continue.

6. Harden Access Points And Identity Systems

Attackers can bypass traditional defenses by logging in with stolen credentials, but if Multi-Factor Authentication (MFA) is enforced, that creates a roadblock for them.

Remote access appliances are high-value targets, so ensure they are securely configured and patched. Continuously monitor for authentication anomalies, too. If a user’s access behavior suddenly changes, or if suspicious login attempts are detected, the system should block access and alert the security team.

7. Adopt Disciplined Configuration And Change Management

Some of the year’s outages were self-inflicted wounds, caused by configuration errors. Preventing these stability failures requires disciplined change management. You cannot simply push new firewall rules, DNS updates, or CDN changes to production without testing.

Every configuration change must be thoroughly vetted in a staged environment. Use phased or “canary” rollouts. Deploy the change to a small segment of servers or users first to monitor for errors. If the change performs as expected, you can then expand the deployment.

You must also make sure that you can quickly roll back if a new configuration breaks a critical system.
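The staged rollout and rollback described above, as an added example written for this article (not code from Cloudflare or any other vendor). It combines a pre-flight validator that collapses duplicate entries and enforces a size limit, which is the kind of check that would have caught an oversized generated config, with a canary deployment that restores the previous config on the first unhealthy host. The rule format, the limit, the fleet and the health check are all constructed assumptions.

```python
# Added example: validate a generated config, then roll it out in stages and
# roll back automatically. Config format, limit and health check are assumed.
MAX_RULES = 100  # assumed hard limit the consuming service can load

def validate_config(rules, max_rules=MAX_RULES):
    """Return (ok, reason, cleaned_rules). Duplicates are collapsed and a
    config that still exceeds the limit is rejected before any deployment."""
    cleaned = list(dict.fromkeys(rules))          # drop repeats, keep order
    if len(cleaned) > max_rules:
        return False, f"{len(cleaned)} rules exceeds limit {max_rules}", []
    return True, "ok", cleaned

def staged_rollout(fleet, new_rules, health_check, stages=(0.05, 0.25, 1.0)):
    """Apply new_rules to a growing fraction of hosts; on any unhealthy host,
    restore every touched host to its previous config and stop."""
    ok, reason, cleaned = validate_config(new_rules)
    if not ok:
        return {"status": "rejected", "reason": reason, "deployed": 0}
    previous = {h["name"]: h["rules"] for h in fleet}
    touched, seen = [], set()
    for fraction in stages:
        count = max(1, int(len(fleet) * fraction))   # canary first, then widen
        for host in fleet[:count]:
            if host["name"] not in seen:
                host["rules"] = cleaned
                touched.append(host)
                seen.add(host["name"])
        if not all(health_check(h) for h in touched):
            for h in touched:                         # restore last-known-good
                h["rules"] = previous[h["name"]]
            return {"status": "rolled_back", "failed_stage": fraction, "deployed": 0}
    return {"status": "complete", "deployed": len(touched)}

def make_fleet(size=20, rules=("allow tcp/443",)):
    """Constructed fleet of hosts carrying a known-good config."""
    return [{"name": f"edge-{i:02d}", "rules": list(rules)} for i in range(size)]

def cpu_health(host):
    """Constructed health check: a rule with a catastrophically backtracking
    pattern stands in for the CPU-exhausting rule described in the text."""
    return not any("(a+)+" in r for r in host["rules"])
```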


