
Examining the 2025 Food and Agriculture Cyber Threat Landscape: Insights from Food and Ag-ISAC’s Newest Threat Report

The food and agriculture sector is increasingly managed by digital systems, creating a complex web of interconnected technology that sustains global populations. While this technology has streamlined the journey from farm to table, it has also invited a sophisticated breed of cyber threat onto the field. The Food and Ag-ISAC has recently released its 2025 Food and Agriculture Sector Cyber Threat Report. Its findings indicate that the sector is no longer a peripheral target but is becoming a focus for some of the world’s most sophisticated cyber adversaries.


To help the industry navigate these murky waters, the ISAC utilizes the Predictive Adversary Scoring System (PASS). Developed in collaboration with member organizations, this framework quantifies risk through four specific factors: how recently an actor has been seen, how often they strike the food and agriculture sector, the complexity of their methods, and their motivation. By scoring adversaries on a scale of 0 to 100, organizations can identify actors that pose the most credible threat to their operations.


The Food and Agriculture Sector’s Most Wanted


The 2025 data identifies 72 distinct threat actors targeting the food and agriculture sector. At the top of the list are the Lazarus Group and Moonstone Sleet, both nation-state entities with high PASS scores that indicate a persistent and high-impact presence. Following these are versatile actors like APT41 and Scattered Spider, which blend sophisticated technical skills with social engineering.


These actors possess a mix of motives. While nation-state groups such as APT18 might hunt for proprietary agricultural research or intellectual property, ransomware groups such as Qilin, LockBit 5.0, and Akira view the sector’s time-sensitive operations as leverage for extortion. Even hacktivist groups, such as Dark Engine, have entered the fray, showing that the motivation to disrupt the food supply can be ideological as well as financial.


Geopolitics on the Dinner Plate


Russia stands as the primary source of risk for the food and agriculture sector, accounting for nearly 60% of the adversaries observed in 2025. This dominance is largely fueled by the region's ransomware ecosystem. While these criminals are mostly after a payout, the presence of Russian state-affiliated actors suggests that the food supply is also viewed as a strategic lever for geopolitical tension.


China represents the second-largest threat source at roughly 25%. Historically, Chinese actors have been interested in the valuable intellectual property behind seeds, chemicals, and processing techniques. However, there is a growing concern regarding "pre-positioning," where malware is placed within networks not to steal data today, but to serve as a disruptor during future global conflicts. Smaller, but still potent, pockets of activity originate from North Korea, Iran, and the United Kingdom, each bringing unique risks ranging from cryptocurrency theft to regional espionage.


Modern Threat Tactics


All threat actors identified this year utilized living-off-the-land (LOTL) techniques. These techniques use the computer's own administrative tools to carry out attacks, making the activity nearly invisible to traditional security software. Furthermore, over 97% of actors modify existing tools to bypass security signatures, and roughly 94% utilize "low and slow" persistence, remaining inside a network for months without being detected.


Data exfiltration and supply chain compromises have also become standard procedures. By the time an organization realizes its data is being encrypted for ransom, the attackers have often already spent weeks stealing sensitive information or compromising third-party vendors to gain broader access. This shift toward stealth and longevity means that former approaches to security are no longer enough to protect the silos and processing plants of the modern world.


Cultivating a Collective Defense


Resilience in the face of these threats requires a multi-layered approach that prioritizes visibility and containment. The most effective starting point is the implementation of multi-factor authentication (MFA). Even the simplest form of MFA can create a significant hurdle for attackers who have stolen a password.


Additionally, companies must bridge the gap between their office IT and their plant-floor operational technology (OT). Implementing network segmentation is essential; it ensures that a compromised email account in the front office doesn't lead to a total shutdown of a grain elevator or a processing line.


Beyond technology, the human element remains a critical vulnerability. Continuous training to spot spearphishing and other social engineering tactics can stop an intrusion before it starts. Organizations are also urged to maintain tested, offline backups and comprehensive incident response plans that involve legal and communications teams.


Ultimately, the 2025 landscape shows that no single farm or manufacturer can stand alone. By participating in a shared intelligence community like the Food and Ag-ISAC, companies can turn individual insights into collective strength to combat these evolving threats.


Want to read the full analysis? Check out our public version on our Resources Page. Food and Ag-ISAC members can access the extended member report via Notion or by contacting our team at membership@foodandag-isac.org.

 
 
 


© 2026 by Food and Agriculture - Information Sharing and Analysis Center
