FLORIDA CRITICAL INFRASTRUCTURE:


Randy Borum, PsyD
“Scuba” Steve Gary, PhD, CISSP
Kaden Fernandes
Florida Critical Infrastructure: 2025 Cybersecurity Intelligence Assessment
Randy Borum, Steve Gary, Kaden Fernandes & Luke Pontius
Florida’s critical infrastructure (CI) is facing escalating cyber threats that jeopardize essential services and public safety. To protect important assets in the cyber domain, it is important to understand the capabilities, intentions, and activities of the cyber threat actors seeking “to disrupt, destroy, or threaten the delivery of essential services.”1 This report analyzes recent Florida-specific CI cyber incidents alongside national and global trends to identify the most urgent cyber threats and the cyber threat actors behind them. These trends mirror last year’s, and the number and severity of cyberattacks continue to increase, especially AI-assisted cyberattacks.
Key Findings:
• The healthcare and public health sector is the most frequently targeted CI sector in Florida and nationwide because it is a lucrative target.
• Ransomware remains the dominant cyberattack method, often enabled by phishing and weak access controls.
• Cybercriminals conduct the majority of cyberattacks and pose the greatest tactical threat because of their volume and interest in financial gain via ransomware and scams.
• Nation-state actors, particularly China and Russia, pose the greatest strategic threat because of their advanced capabilities and the use of proxies and false flag operations.
• AI-driven attacks have emerged as critical threats, enabling more convincing phishing campaigns and AI-designed malware.
Implications:
Based on these trends, Florida CI owners and operators must strengthen cyber hygiene, implement CISA-recommended controls, and prepare for AI-assisted threats. Proactive measures can reduce the likelihood and impact of future disruptions.
This report provides a detailed threat analysis and practical recommendations to help decision makers prioritize resources, develop an intelligence-driven approach to secure Florida’s CI, and enhance cyber resilience across the state.
CISA defines critical infrastructure (CI) as “the assets, systems, and networks, whether physical or virtual, that are so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, the economy, public health, safety, or any combination of those matters.”2 CI is composed of 16 sectors, including healthcare and public health, and government services and facilities. These sectors are highly interconnected, so a major disruption in even one can have potentially catastrophic cascading consequences. Protecting CI is ultimately about safeguarding the American public, which requires a clear understanding of the evolving cyber threats that these sectors face.
Since the last report, we identified and analyzed 26 new cyberattacks across all CI sectors in Florida. We conducted a systematic search for cyber events and incidents against CI occurring within the state of Florida or targeting Florida victims within the past year (October 2024 to September 2025). Data points from each identified event, such as the target, date, and sector, were added to the event database. Further details are available in the cyber-incident identification methodology (see Appendix I).
The overwhelming majority of reported incidents involved ransomware, most often against the healthcare and public health sector. Most of the reported ransomware attacks are attributed to unknown attackers. The results suggest that ransomware groups such as RansomHub still pose a significant threat. These groups operate under a ransomware-as-a-service (RaaS) model: the developers maintain the ransomware strain and leak site, and affiliates pay for, or share the proceeds of, using it against targets of their choosing.3
Healthcare and public health is the sector most frequently targeted in Florida, which aligns with national and global targeting trends. Healthcare and public health entities are often perceived as easy targets for money or political action.4 Hospitals and their critical life-support systems generally lack adequate security, which allows cyber threats to cause direct physical, often life-threatening, harm. One case in the U.K., for example, resulted in the death of a patient from delayed access to care.5 One of the most significant Florida incidents targeted the Department of Health and affected its vital statistics systems. The ransomware group RansomHub claimed responsibility for stealing, and allegedly leaking, approximately 100 gigabytes of sensitive data (e.g., names, birth dates, Social Security numbers) when the ransom was not paid; Florida law prohibits state agencies and local governments from paying ransomware demands. The attack disrupted the ability of funeral homes, healthcare offices, and residents to obtain birth and death certificates, causing significant operational and public-service delays across the state.6 Implementing zero-trust architectures and taking active measures to help employees recognize and avoid phishing attacks are critical to keeping healthcare safe and operational and protecting lives.
Critical manufacturing and commercial facilities were the next most frequently targeted sectors. Ransomware is the primary cyberattack method, and RansomHub is the most-attributed cyber threat actor in the Florida cases we examined. Organizations should focus on ransomware prevention and follow the defense enhancement and mitigation recommendations for their specific sectors.
Cyber threat actors (CTAs) targeting US critical infrastructure (CI) can be divided into four main groups: nation-state actors (i.e., China, Russia, Iran, and North Korea), cybercriminals (e.g., ransomware groups), insider threats, and hacktivists. Each group poses unique threats that CI entities must monitor closely. The identity of many CTAs is unknown, or they are loosely linked criminal organizations that spread malware, such as RansomHub.7
China (People’s Republic of China/PRC state-linked actors) is assessed by US and allied agencies to be pre-positioning in US CI, using living-off-the-land techniques and valid accounts so that it can disrupt services during a crisis.8 Campaigns by China’s Salt Typhoon and Volt Typhoon, which have included targets in the communications, energy, transportation, and water sectors, have been among the most active and could signal a shift in how Chinese-affiliated CTAs conduct operations.9 A significant number of Chinese academic research articles on weaknesses in the US electrical grid have also been identified, raising concern about whether Beijing could conduct significant disruption campaigns in the energy sector.10 For Florida, pre-positioning against energy, water, telecom, and maritime logistics could delay hurricane recovery, disrupt port resupply, and increase the risk of IT-to-OT pivots in electric and water utilities.
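Living-off-the-land activity is hard to spot precisely because the commands are legitimate administrative tools; what distinguishes it is which commands run, on which hosts, and whether that combination is expected there. The following detector is added here as an illustration (it is not from the report, CISA, or any vendor product): it runs a handful of rules drawn from publicly documented Volt Typhoon tradecraft (netsh portproxy tunnels, ntdsutil domain-database dumps, wmic remote execution, SAM hive saves, shadow copies) over constructed process-creation events. The event format, host names, user names, and the expected-host baseline are assumptions.

```python
"""Hunt for living-off-the-land (LOTL) command lines of the kind documented for Volt Typhoon.

Added example: not from the report, CISA, or any vendor product. The event
format, host names, and the expected-host baseline are constructed assumptions.
"""
import json
import re

# Each rule: (name, pattern over the command line, severity). Patterns follow
# publicly documented Volt Typhoon tradecraft; tune them to your environment.
RULES = [
    ("portproxy_tunnel", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), "high"),
    ("ntds_dump", re.compile(r"ntdsutil.*(\bifm\b|\bac\s+i\s+ntds\b)", re.I), "critical"),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*process\s+call\s+create", re.I), "high"),
    ("sam_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I), "high"),
    ("shadow_copy", re.compile(r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", re.I), "medium"),
]

# Baseline: (host, rule) pairs that are expected, e.g., a backup server that
# legitimately takes shadow copies and AD backups. Host names are assumed.
EXPECTED = {("BACKUP01", "ntds_dump"), ("BACKUP01", "shadow_copy")}

# Constructed process-creation events (JSON lines). Sysmon Event ID 1 or
# Windows Security 4688 carry the same fields under different names.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-02T01:14:09Z", "host": "DC01", "user": "CORP\\svc_admin", "cmd": "cmd /c netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=198.51.100.4"}
{"ts": "2025-03-02T01:20:00Z", "host": "BACKUP01", "user": "CORP\\svc_backup", "cmd": "vssadmin create shadow /for=C:"}
{"ts": "2025-03-02T01:31:42Z", "host": "DC01", "user": "CORP\\svc_admin", "cmd": "wmic process call create \"ntdsutil \\\"ac i ntds\\\" ifm \\\"create full C:\\Windows\\Temp\\pro\\\"\""}
{"ts": "2025-03-02T01:40:11Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmd": "reg save hklm\\sam C:\\Users\\Public\\sam.save"}
{"ts": "2025-03-02T01:41:00Z", "host": "WS-0042", "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
"""


def hunt(text=SAMPLE_EVENTS):
    """Return one finding per (event, rule) hit that is not baselined as expected."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, pattern, severity in RULES:
            # A hit on a host where that activity is expected is noise, not a finding.
            if pattern.search(ev["cmd"]) and (ev["host"], name) not in EXPECTED:
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                                 "rule": name, "severity": severity, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"{f['severity']:<8} {f['rule']:<17} {f['host']} {f['user']}: {f['cmd']}")
```

Run as a script, the sample yields four findings: the portproxy tunnel and the wmic-launched ntdsutil dump on the domain controller (the latter hits two rules), and the SAM hive save on the workstation; the backup server's shadow copy is suppressed by the baseline. In practice the baseline is the hard part: the rules are cheap, but without per-host expectations every backup job looks like Volt Typhoon.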
APT10
Cyber Threat Actor Smart Card
Name (Aliases) APT10 (menuPass / Cloud Hopper)11
Country of Origin China
Targets MSPs, Downstream CI, Tech sector
Intention Espionage
TTPs Supply chain insertion, server exploitation
Recent Activity Supply-chain targeting for downstream CI access
APT10 conducts cyber espionage worldwide. It was last observed in 2022, exploiting unpatched Microsoft Exchange servers and using a “multipurpose” tool known as SodaMaster.12
APT31
Cyber Threat Actor Smart Card
Name (Aliases) APT31 (Zirconium / Judgement Panda)13
Country of Origin China
Targets Telecom, Travel, PII repositories
Intentions Espionage, political surveillance
TTPs Credential theft; phishing; cloud abuse
Recent Activity US indicted members
APT31 was tied to hacks targeting “US maritime claims in the South China Sea” and anti-government protests in 2019.14 The operation used ten thousand emails across multiple continents, targeting many US institutions. In 2024, the US Department of Justice indicted seven individuals involved in the operation, the Treasury imposed sanctions against two of them, and the State Department offered up to $10 million for information on these individuals.15
APT40
Cyber Threat Actor Smart Card
Name (Alias) APT40 (Leviathan)16
Country of Origin China
Targets Maritime, Defense contractors, Shipbuilding, Energy
Intention Espionage
TTPs Web app exploits; credential harvesting; spear-phishing
Recent Activity Phishing campaign in Papua New Guinea
APT40, also known as Leviathan, conducts cyber espionage against maritime and defense contractors in the West.17 The last confirmed activity was in 2023, when the group conducted a phishing campaign in Papua New Guinea.18 It exploited CVE-2023-38831, a WinRAR vulnerability that executes arbitrary code when a victim opens a benign-looking file inside a ZIP archive.19 In 2021, the US Department of Justice indicted four individuals tied to the group’s activities.20
APT41
Cyber Threat Actor Smart Card
Name (Aliases) APT41 (Double Dragon / Barium; overlaps reported with Salt Typhoon / UNC2286)21
Country of Origin China
Targets Healthcare, Telecom, Government, IT, CI suppliers
Intentions Espionage, financial gain, pre-positioning
TTPs Supply-chain compromise; VPN appliance exploits; dual-use campaigns
Recent Activity Telecom lawful-intercept intrusions
APT41 is one of the most prominent Chinese cyber espionage groups; researchers have reported infrastructure and tooling overlaps between APT41 and the Salt Typhoon (UNC2286) telecom intrusion cluster, although the two are tracked separately.22 APT41 uniquely combines state espionage with financially motivated crime, using espionage-grade malware for personal gain. Since 2014, it has targeted sectors such as healthcare, communications, education, and especially gaming, engaging in source code theft, ransomware, and supply chain attacks. With technically sophisticated capabilities, the group exploits both Windows and Linux, deploys 46+ malware families, and adapts rapidly after remediation, making it particularly dangerous. In addition to governmental targets, APT41 has targeted shipping companies worldwide. This “dual campaign” strategy pairs selected victims with broader espionage and financial targeting across various sectors and countries.23
UNC3886
Cyber Threat Actor Smart Card
Name UNC3886 24
Country of Origin China
Targets Telecom, Defense, Cloud/virtualization
Intentions Espionage, persistence
TTPs Exploiting firewalls/hypervisors; appliance persistence
Recent Activity Fortinet/VMware exploitation
UNC3886 is a suspected China-nexus cyber espionage group that specializes in long-term, stealthy persistence on virtualization hosts and network edge appliances after compromising them.25 In 2025, Singapore publicly identified the group as attacking the country’s critical infrastructure.26 It has also recently been linked to another espionage campaign, known as Fire Ant, which targets virtualization and network software such as VMware ESXi and vCenter.27
UNC4841
Cyber Threat Actor Smart Card
Name UNC4841 28
Country of Origin China
Targets Email security gateways
Intention Espionage
TTPs Appliance compromise; post-exploitation persistence
Recent Activity Barracuda ESG exploitation
UNC4841 is a Chinese CTA that exploited CVE-2023-7101, an arbitrary-code-execution flaw in the Spreadsheet::ParseExcel library that Barracuda Email Security Gateway (ESG) appliances use to scan Excel email attachments, to gain access to ESG devices.29 In 2025, threat intelligence researchers at Silent Push discovered additional domains belonging to UNC4841 through infrastructure overlaps with APT41.30
Volt Typhoon
Cyber Threat Actor Smart Card
Name (Aliases) Volt Typhoon (UNC3236 / Bronze Silhouette)31
Country of Origin China
Targets Communications, Energy, Transportation, Water/Wastewater, Government
Intentions Pre-positioning for disruption, Espionage
TTPs Living-off-the-land; hands-on-keyboard; edge/SOHO device exploitation
Recent Activity Access/staging within US CI, including Guam-region utilities
Volt Typhoon, or UNC3236,32 has a different focus than Salt Typhoon: rather than collecting telecom intelligence, it breaks into CI networks and quietly maintains access. In 2025, it conducted a campaign against US CI, most notably targeting cargo systems in Guam. CISA has confirmed that the group maintained access within these systems; no disruptive effect has been observed, and the assessed purpose is pre-positioning for use in a future crisis.33
Russia (state-based units and proxies) is a major CI threat, with advanced, persistent, and sometimes destructive cyber capabilities oriented toward operational disruption and strategic coercion. Recently, Russian military intelligence (GRU) has been engaged in a sustained campaign targeting Western logistics entities and technology companies.34 Russian-affiliated hackers (APT29) have also found ways to bypass multifactor authentication (MFA) and have used their access to impersonate US State Department personnel in sophisticated phishing campaigns, using large language models (LLMs) to craft highly credible emails and other communications. Russian state actors have also targeted Florida healthcare providers and local government entities, including a 2025 ransomware attack on Florida Lung Asthma Sleep Specialists attributed to APT29 and the 2016 intrusions into county election systems and public agencies attributed to the GRU, reflecting a broader pattern of data theft and extortion.35 In Florida, that track record, from the 2016 county-election breaches to recent healthcare and federal government compromises, elevates the risk that ports, utilities, and public agencies may be accessed via trusted channels (MFA bypass, vendor footholds), with data theft and extortion enabling IT-to-OT pivots that could disrupt energy, water, transportation, and healthcare services.
APT28
Cyber Threat Actor Smart Card
Name (Aliases) APT28 (Fancy Bear / Sofacy / Forest Blizzard)36
Country of Origin Russia
Targets Energy, Defense, Transportation, Government
Intentions Espionage, political influence
TTPs Spear-phishing; credential theft; implants (X-Agent, Zebrocy); zero-days
Recent Activity Exploited Outlook and WinRAR vulnerabilities; AI-assisted malware (LameHug)
APT28 is a Russian government-supported CTA attributed to the GRU. It normally targets government and military sectors but has shifted to disrupting Ukrainian core sectors since Russia’s 2022 invasion of Ukraine.37
APT29
Cyber Threat Actor Smart Card
Name (Aliases) APT29 (Cozy Bear / Nobelium / Midnight Blizzard)38
Country of Origin Russia
Targets Government, IT service providers, Defense, Policy think tanks, Diplomats
Intention Espionage
TTPs Supply-chain compromise (SolarWinds); cloud identity abuse; OAuth/device-code flows; phishing with WINELOADER backdoor
Recent Activity Cloud identity/password-spray operations
APT29 is attributed by US and allied agencies to Russia’s Foreign Intelligence Service (SVR), for which it conducts offensive cyber operations. The group was tied to several attacks on cloud services in 2024 and 2025.39 It also conducted a phishing campaign against European diplomats,40 which delivered an aptly named backdoor, WINELOADER, through impersonated emails inviting recipients to wine-tasting events.
APT44
Cyber Threat Actor Smart Card
Name (Aliases) APT44 (Sandworm / TeleBots / Voodoo Bear)41
Country of Origin Russia
Targets Energy, Government, Critical Infrastructure
Intentions Disruption, espionage
TTPs Industroyer/Industroyer2; NotPetya; OT/ICS disruption; living-off-the-land; edge device abuse
Recent Activity OT/ICS targeting; pre-positioning against European energy; exploitation of perimeter devices
APT44, primarily known as Sandworm, has been actively supporting Russia’s efforts during the Russo-Ukrainian War.42 APT44 operates differently than most APTs, as it can accomplish a wide array of objectives using a “unified playbook.”43 It has recently been identified infecting Ukrainian systems with trojans delivered through pirated Windows Key Management Service (KMS) activation tools.44
Berserk Bear
Cyber Threat Actor Smart Card
Name (Aliases) Berserk Bear (Dragonfly / Energetic Bear)45
Country of Origin Russia
Targets Energy utilities, Industrial equipment suppliers, CI providers
Intentions Espionage, pre-positioning
TTPs Watering holes; credential theft; remote access trojans
Recent Activity Reconnaissance and persistent-access operations against US/European energy
Berserk Bear is a Russian government-affiliated CTA that collects intelligence on critical infrastructure, including communications facilities.46 It has attacked energy companies in numerous countries, including Spain, France, and Germany.47 What is most distinctive about Berserk Bear is its broad targeting of an entire industry or sector rather than specific national or corporate targets.
Turla
Cyber Threat Actor Smart Card
Name (Aliases) Turla (Secret Blizzard / Iron Hunter)48
Country of Origin Russia
Targets Foreign Embassies
Intention Espionage
TTPs Custom backdoors (Snake/Uroburos); adversary-in-the-middle at ISP level; co-opting other actors’ infrastructure; ApolloShadow
Recent Activity Targeted US diplomats and embassies
Turla is a CTA that works for the Russian Federal Security Service (FSB).49 It was last observed using its ApolloShadow malware against foreign embassies.50
Wizard Spider
Cyber Threat Actor Smart Card
Name (Aliases) Wizard Spider (Conti Ecosystem / Ryuk)51
Country of Origin Russia
Targets Healthcare, Municipal services, CI-adjacent organizations
Intentions Financial gain, opportunistic disruption
TTPs Ransomware; IAB coordination; credential theft; double extortion
Recent Activity Ransomware campaigns against US hospitals/local governments
Wizard Spider is best known for developing the TrickBot banking trojan and the Ryuk and Conti ransomware families.52 It differs from many other nationalistic Russian CTAs in being primarily a cybercriminal operation.53 Sectors such as healthcare and public health are likely targets, as the group seeks financial gain through extortion.
Iran-based CTAs, including those linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS, the country’s primary civilian intelligence agency), remain an opportunistic threat to CI, employing wipers, DDoS, and identity-led intrusions, and targeting internet-exposed OT. In late 2023 and 2024, IRGC-affiliated “Cyber Av3ngers” compromised Unitronics PLCs at multiple US water systems and in other sectors, prompting a joint federal advisory and urgent mitigations.54 After the US strikes on Iranian nuclear sites, state-based cyberattacks are expected to increase. Advisories recommend hardening the most exposed parts of networks, because Iranian-linked groups often target exactly those areas.55 In Florida, smaller water utilities, ports, and energy OT that are reachable via default credentials or unmanaged vendors, and IT assets exposed to DDoS or wiper spillover during geopolitical flashpoints, are at elevated risk.
APT33
Cyber Threat Actor Smart Card
Name (Aliases) APT33 (Elfin / Peach Sandstorm)56
Country of Origin Iran
Targets Telecom, Finance, Energy, Government
Intentions Espionage, Disruption
TTPs Wipers (Shamoon); phishing; backdoors
Recent Activity Password-spray attacks and Tickler malware
APT33 is an Iranian CTA suspected of working directly for the Iranian government.57 It has been tied to disruption operations in Saudi Arabia, South Korea, and the US. Last year, Microsoft reported that the group had been using a new custom multi-stage backdoor named Tickler,58 which uses attacker-controlled Azure infrastructure for command and control.59
APT34
Cyber Threat Actor Smart Card
Name (Aliases) APT34 (OilRig / Helix Kitten)60
Country of Origin Iran
Targets Telecom, Finance, Energy, Government
Intention Espionage
TTPs Credential theft; DNS tunneling; phishing; BONDUPDATER
Recent Activity Campaigns against Middle East/US financial and telecom targets
APT34 targets multiple sectors but generally focuses on victims in the Middle East.61 Most recently, it deployed backdoors across various targets using CVE-2024-30088, a Windows kernel privilege-escalation vulnerability.62
APT35
Cyber Threat Actor Smart Card
Name (Aliases) APT35 (Charming Kitten / Phosphorus / Mint Sandstorm)63
Country of Origin Iran
Targets Government, Media, Activists, Academia
Intention Espionage
TTPs Credential phishing; impersonation; custom RATs
Recent Activity Impersonated a modeling agency
APT35 has been operating since 2014, typically targeting government and media affiliates in the US and the Middle East.64 In June 2025, APT35 impersonated a German modeling agency with a fake website that ran JavaScript to fingerprint and capture visitor information.65
APT39
Cyber Threat Actor Smart Card
Name (Aliases) APT39 (Chafer / Remix Kitten)66
Country of Origin Iran
Targets Telecom, Travel, PII repositories, Logistics, Airlines
Intention Espionage
TTPs Credential theft; spyware; long-term surveillance
Recent Activity Responsible for data breaches against airlines and US companies such as FedEx
APT39 has been linked to the Iranian Ministry of Intelligence and Security (MOIS).67 It has conducted “widespread theft of personal information.”68 It has targeted the US, Spain, and multiple countries in the Middle East. Most recently, it was identified as the CTA behind attacks against Turkish Airlines and Etihad, as well as FedEx and USPS.69
Cyber Av3ngers
Cyber Threat Actor Smart Card
Name (Alias) Cyber Av3ngers (Soldiers of Solomon)70
Country of Origin Iran
Targets Water utilities; ICS/SCADA (Unitronics PLCs); other internet-exposed OT
Intentions Disruption, hacktivism
TTPs Exploitation of internet-exposed PLCs with default credentials; HMI defacement; IOCONTROL backdoor
Recent Activity Targeted industrial control systems around the world
Cyber Av3ngers claims to be a hacktivist group. The legitimacy of some of its attack claims is contested; for example, it falsely claimed to have successfully targeted critical infrastructure in Israel.71 Threat researchers at Dragos, who track the group as Bauxite, assess that Cyber Av3ngers is supported by the Iranian government and has recently targeted industrial control systems worldwide using a backdoor known as IOCONTROL.72
MuddyWater
Cyber Threat Actor Smart Card
Name (Aliases) MuddyWater (Static Kitten / Seedworm / Mango Sandstorm)73
Country of Origin Iran
Targets Telecom, Finance, Energy, Government
Intentions Espionage, disruption
TTPs PowerShell; DNS abuse; wipers; fake VPN/Android apps
Recent Activity Distributing spyware through fake VPN apps
The Iranian espionage CTA MuddyWater has been observed distributing DCHSpy, an Android spyware, using lures themed on SpaceX’s Starlink satellite internet service.74 The spyware is disguised as VPN software under names such as “HideVPN” and “EarthVPN.”
North Korea (Democratic People’s Republic of Korea, DPRK) poses an indirect but material CI risk through large-scale cryptocurrency theft and by placing covert IT workers in global firms, an activity that can enable follow-on intrusions. In more recent activity, US agencies have documented DPRK campaigns (“TraderTraitor”/Lazarus) targeting blockchain and cryptocurrency firms at scale, with proceeds used to support weapons programs.75,76 Funds obtained from the regime’s cybercrime and cryptocurrency attacks primarily finance its nuclear and missile programs. North Korean hackers have a history of targeting and stealing crypto wallets and stole more than a billion dollars in a recent attack.77 A state-sponsored group known as BlueNoroff has used sophisticated social engineering attacks, including fake Zoom meetings with AI-generated deepfake participants, to trick targets, especially in the cryptocurrency and financial sectors, into downloading malware that fully compromises their systems.78 In Florida, banks and fintech/crypto service providers should expect DPRK money-laundering attempts, supplier compromises, and attempts to covertly insert North Korean IT workers into American companies, which could ripple into the payment and third-party services underpinning energy, healthcare, and emergency response.
APT38
Cyber Threat Actor Smart Card
Name (Aliases) APT38 (Lazarus Group / Hidden Cobra / BlueNoroff / Andariel)79
Country of Origin North Korea
Targets Defense, Government, Financial Institutions, Healthcare, Crypto Companies
Intentions Espionage, cybercrime, financial gain, disruption
TTPs Supply-chain compromises; spear-phishing; WannaCry; ransomware/wipers
Recent Activity 3CX supply-chain; DreamJob lures
APT38 is best known as Lazarus Group, a large collective of hackers engaged in both espionage and cybercrime.80 Its BlueNoroff subgroup focuses on cryptocurrency companies, employing a complex phishing scheme involving deepfakes and a malicious Zoom extension that steals crypto wallets.81 The group has stolen $1.5 billion in cryptocurrency but has managed to launder only around $300 million of that amount.82 Andariel, another collective operating under Lazarus Group, began by targeting South Korean financial institutions83 and progressed to hacking ATMs and targeting online gambling sites.
APT43
Cyber Threat Actor Smart Card
Name (Aliases) APT43 (Kimsuky / Velvet Chollima)84
Country of Origin North Korea
Targets Government, Think Tanks, Energy, Defense
Intention Espionage
TTPs Social engineering; phishing; AppleSeed/FastViewer
Recent Activity Targeting policy/energy researchers
APT43 is a North Korean cyber espionage group that traditionally targets the South Korean government, defense sector, and think tanks. It is also known to have conducted operations to collect military research on North Korea’s behalf.85
BeagleBoyz
Cyber Threat Actor Smart Card
Name BeagleBoyz86
Country of Origin North Korea
Targets Financial Institutions, Payment Systems
Intention Financial gain
TTPs SWIFT intrusions; ATM jackpotting; credential theft
Recent Activity FASTCash and bank intrusions
BeagleBoyz is a CTA connected to APT38 that steals from financial institutions. CISA published an advisory warning of the group’s reach: as many as 30 countries were involved in a single incident. This group poses a significant threat to any financial institution in the state.87
Most cyber incidents in Florida are perpetrated by cybercriminals. They primarily target healthcare and public health, commercial facilities, critical manufacturing, and government services and facilities with ransomware. Most attackers in the reported Florida cyber incidents remain unidentified.
Scattered Spider
Cyber Threat Actor Smart Card
Name Scattered Spider88
Country of Origin Multiple
Targets Commercial, Financial Services, Transportation
Intentions Cybercrime, financial gain
TTPs Help-desk social engineering; SIM swapping; MFA fatigue; abuse of legitimate remote-access tools; ransomware affiliate operations
Recent Activity Impersonated help desks, exploited MFA fatigue, and SIM-swapping
Scattered Spider is a cybercriminal group that has gained prominence over the last two years. It differs from other groups in that it exploits weak IT help-desk identity verification, persuading staff to reset passwords or MFA factors, to take over accounts and escalate privileges, and then uses that access to steal sensitive data from its victims.89 The group is currently targeting the aviation and insurance industries, possibly because these industries are often less well protected than healthcare organizations. Given Scattered Spider’s current level of activity, we recommend that CI entities implement phishing-resistant multifactor authentication (such as hardware tokens or FIDO2 security keys), eliminate shared secrets such as passwords where possible, require strong identity verification before any help-desk credential or MFA reset, and closely monitor endpoint detection and response (EDR) and identity logs to detect and block lateral movement and credential misuse.
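Two of the patterns in the smart card above, MFA fatigue and a help-desk factor reset followed by a login from an unfamiliar address, leave a recognizable trail in identity-provider logs. The following detector is added for illustration and is not code from the report or any vendor product; it runs over a constructed JSON-lines authentication log in which the field names, users, and IP addresses are assumptions (Okta System Log or Entra ID sign-in logs carry the same signals under different field names).

```python
"""Detect MFA-fatigue and help-desk-reset abuse patterns in authentication logs.

Added example, not from the report or any vendor product. The log format
(ts, user, event, result, ip, actor) and every user and IP address below are
constructed for this illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: jdoe is bombarded with push prompts until one is
# approved; asmith has an MFA factor reset by the help desk and then logs in
# from an address never seen for that account; bwong is a normal user.
SAMPLE_LOG = """\
{"ts": "2025-05-30T08:00:00Z", "user": "asmith", "event": "login", "result": "success", "ip": "10.0.0.31"}
{"ts": "2025-06-01T02:00:05Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2025-06-01T02:00:40Z", "user": "jdoe", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2025-06-01T02:01:10Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2025-06-01T02:01:55Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2025-06-01T02:02:30Z", "user": "jdoe", "event": "mfa_push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2025-06-01T09:15:00Z", "user": "asmith", "event": "mfa_factor_reset", "result": "success", "ip": "10.0.0.5", "actor": "helpdesk1"}
{"ts": "2025-06-01T09:21:00Z", "user": "asmith", "event": "login", "result": "success", "ip": "198.51.100.22"}
{"ts": "2025-06-01T10:00:00Z", "user": "bwong", "event": "mfa_push", "result": "approved", "ip": "10.0.0.9"}
"""


def parse_log(text):
    """Parse JSON-lines auth events into dicts with a timezone-aware ts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when a push is approved after >= threshold denied/timed-out pushes within window.
    The eventual approval is the signal: a worn-down user finally tapping Approve."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] in ("denied", "timeout") and e["ts"] - p["ts"] <= window]
            if len(prior) >= threshold:
                alerts.append({"rule": "mfa_fatigue", "user": user, "denials": len(prior),
                               "approved_at": e["ts"].isoformat(), "ip": e["ip"]})
    return alerts


def detect_reset_then_new_ip(events, window=timedelta(hours=1)):
    """Alert when a help-desk MFA factor reset is followed within window by a successful
    login from an IP the account had never logged in from before the reset."""
    seen_ips = defaultdict(set)   # user -> IPs of earlier successful logins
    pending = {}                  # user -> most recent factor-reset event
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "mfa_factor_reset" and e["result"] == "success":
            pending[user] = e
        elif e["event"] == "login" and e["result"] == "success":
            reset = pending.get(user)
            if reset and e["ts"] - reset["ts"] <= window and e["ip"] not in seen_ips[user]:
                alerts.append({"rule": "reset_then_new_ip", "user": user,
                               "reset_by": reset.get("actor"), "login_ip": e["ip"],
                               "login_at": e["ts"].isoformat()})
            seen_ips[user].add(e["ip"])
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_mfa_fatigue(events) + detect_reset_then_new_ip(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, the fatigue rule fires once for jdoe (four rejected prompts in under three minutes before the approval) and the reset rule once for asmith; bwong's single approved push produces nothing. The thresholds are starting points: the fatigue window should be shorter than a user's typical login cadence, and the reset rule is only as good as the "known IP" history it is seeded with, so feed it weeks of logins rather than the few lines shown here.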
Ransomware Groups
Cyber Threat Actor Smart Card
Names RansomHub, FIN7, ALPHV, LockBit, etc.
Country of Origin Multiple
Targets All Sectors
Intentions Cybercrime, financial gain
TTPs Target organizations with weak security to extract money through deployment of ransomware
Recent Activity Targeted hospitals and other critical services
Ransomware groups are loosely connected CTAs that distribute ransomware and target victims such as hospitals to extract payment. Their decentralized structure makes them difficult to identify and eradicate. These groups include RansomHub, FIN7, ALPHV, and LockBit, among others.90
Insider threats are the rarest type of attack but have the potential to cause catastrophic damage, so networks should always be monitored for them. We identified a single CI insider-threat incident in Florida, in which a malicious insider, a former non-clinical staff member, accessed private patient data at a healthcare company to use for personal business.91 An investigation by the US Department of Health and Human Services Office for Civil Rights (OCR) found that the company lacked proper policies to control access to protected health information, failed to effectively manage risks to electronic protected health information (ePHI), and did not regularly review system activity logs. As a result, the company paid a fine and must implement a corrective action plan that includes conducting a risk analysis, updating policies to comply with HIPAA, and providing employee training, all monitored by OCR for two years.92
Hacktivists (a term combining “hacker” and “activist”) engage in malicious cyber activity to further political or social objectives, “such as raising awareness about conflicts or advocating for particular ideas. In contrast to conventional cybercriminals, hacktivists are motivated by causes rather than financial or personal gain.”93 Hacktivist attacks tend to be less sophisticated, most often DDoS and website defacement.94
Anonymous
Cyber Threat Actor Smart Card
Name Anonymous
Country of Origin Multiple
Targets All Sectors
Intention Hacktivism
TTPs Targets organizations for political, social, religious, and other reasons
Recent Activity Cyberattacks in Israel and Indonesia
Anonymous has not been active in Florida or the US in the past year, but this CTA should always be on the radar of CI owners and operators.
Ransomware was the most commonly used attack method in our sample of CI cyberattacks in Florida. Ransomware appears to be a growing industry, with ransomware-as-a-service (RaaS) becoming a business model in which criminals hire out hackers’ services to attack targets.95 According to the FIU and Cyber Florida Ransomware Readiness Report, among the 16 CI sectors in Florida, the financial services sector tends to be best prepared to prevent and mitigate ransomware attacks, with a compliance rate of 35%, whereas government services and facilities has the lowest at only 7.6%.96 Government services and facilities97 and the chemical sector98 are also affected by incident-response gaps, legacy systems, and weak links from third-party vendors, like those seen in the food and agriculture sector.99
Our Florida CI cyberattack data show that RansomHub and Rhysida are the most frequently identified RaaS services, in part because they offer support to groups such as Scattered Spider.100 In addition, Play ransomware (also known as Playcrypt) has been active in a number of reported incidents. Playcrypt is a highly active and sophisticated cybercriminal group that uses double-extortion tactics, stealing data and intermittently encrypting files with a distinctive “.PLAY” extension. It has targeted a wide range of sectors globally by exploiting known vulnerabilities, leveraging legitimate tools for lateral movement, and applying advanced evasion techniques.101
Florida Ransomware Attacks Summary (10/01/24-09/30/25)

| Ransomware | Ransomware Gang | CI Sector | Notes |
|---|---|---|---|
| RansomHub | Multiple gangs | Healthcare and Public Health | Widely used strain; CISA issued an advisory last year102 |
| Rhysida | Rhysida | Healthcare and Public Health | Group claimed attack against Florida Hand Center103 |
| Play / DragonForce | DragonForce | Critical Manufacturing | Started as a Malaysian hacktivist group, became a global “cartel”104 |
| Payouts King | Unknown | Healthcare and Public Health | Claims not to sell its services105 |
| BianLian | BianLian | Healthcare and Public Health | Ties to Russia106 |
Artificial intelligence (AI), defined as the ability of computer systems or algorithms to imitate human intelligence on tasks like identifying patterns, solving problems, understanding language, and making decisions, has proliferated since last year’s Threat Assessment.107 The emerging use of AI by cyber attackers and defenders is reshaping the cybersecurity landscape, creating both new risks and new opportunities for critical infrastructure. A 2025 report, Artificial Intelligence Threats: What Everyone Should Know, provides an accessible overview.108
ESET researchers documented the first known AI-written ransomware, showing how generative AI can automate malware development and lower the barrier for less skilled actors to launch damaging campaigns.109 Ukraine’s CERT-UA recently linked the AI-powered LameHug malware to the Russia-backed group APT28, showing that even advanced state-sponsored groups are using AI in their ongoing attacks against defense and industrial targets. In these cases, AI was not only used to speed up coding: LameHug queries an LLM at runtime to generate the system-reconnaissance and data-collection commands it executes after gaining initial access. This kind of built-in adaptive behavior makes these threats much more difficult to detect and respond to, because there is no fixed command sequence to write a signature for.110
AI's role in phishing campaigns is of equal concern. Studies show that phishing emails crafted with large language models (LLMs) are far more convincing than those written manually, particularly for attackers who lack strong language skills.111 Not long ago, poor use of language and typographical errors were the hallmarks of suspicious emails. They were coded into email filters and highlighted during employee cybersecurity awareness training. Generative AI eliminated these tell-tale indicators. Florida's CI owners and operators rely on email for daily coordination across utilities, healthcare systems, and logistics, and these AI enhancements increase their vulnerability to compromise. Beyond email, AI-driven deepfakes add another layer of risk. These tools can almost perfectly impersonate executives, government officials, or trusted partners in video or voice calls, tricking staff into transferring funds, disclosing sensitive data, or even granting network access. This technology has already been used to spread political misinformation, such as a deepfake video falsely claiming that Governor Ron DeSantis had dropped out of the 2024 Republican presidential primary, underscoring how easily public trust can be manipulated.112
These AI threats profoundly matter to Florida. The state has dense clusters of energy generation and transmission facilities, water and wastewater plants, fertilizer and chemical production hubs, and healthcare networks. AI-assisted ransomware can cripple hospital systems and municipal services at an unprecedented speed. AI-generated malicious code can be injected into supervisory control and data acquisition (SCADA) systems, manipulating operations in the energy or water sectors, and creating real-world hazards and physical consequences.113 Combined with natural disaster risks such as hurricanes, the convergence of physical and AI-powered cyber threats could produce cascading, compound crises that overwhelm emergency management capacity.
AI also introduces more technical risks that may be less visible, but equally dangerous. One growing concern is data poisoning, in which attackers manipulate the training data used to build AI or machine learning (ML) models. By corrupting even small portions of these datasets, adversaries can degrade system performance, force misclassifications, or create hidden vulnerabilities. As CI sectors increasingly adopt AI for monitoring, predictive maintenance, and incident detection, protecting the integrity of training data will be as important as defending the operational networks themselves.114
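The paragraph above recommends protecting the integrity of training data as CI operators adopt AI for monitoring and incident detection. The following is an added example (not code from this report or from any named vendor) of the kind of detective control that recommendation implies: a per-record hash manifest kept outside the training pipeline, a verifier that reports tampered, missing, or unexpected records, and a label-share drift check that catches the "small portion corrupted" case even when the manifest itself is unavailable. The dataset, record IDs, labels, and the simulated poisoned snapshot are all constructed for illustration.

```python
import hashlib
import json

# Constructed sample training records for a hypothetical sensor-fault classifier.
# In practice these would be the rows used to train a monitoring or
# predictive-maintenance model.
TRAINING_SET = [
    {"id": 1, "features": [0.12, 3.4], "label": "normal"},
    {"id": 2, "features": [0.15, 3.1], "label": "normal"},
    {"id": 3, "features": [2.90, 0.2], "label": "fault"},
    {"id": 4, "features": [3.10, 0.1], "label": "fault"},
]


def record_digest(record):
    """SHA-256 over a canonical JSON encoding, so key order cannot mask a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(records):
    """Per-record digests plus a root digest over the sorted entries.

    The manifest is meant to be stored (and ideally signed) outside the training
    pipeline, so that whoever can edit the data cannot also edit the manifest.
    """
    entries = {str(r["id"]): record_digest(r) for r in records}
    root_src = "".join(f"{k}:{v};" for k, v in sorted(entries.items()))
    root = hashlib.sha256(root_src.encode("utf-8")).hexdigest()
    return {"entries": entries, "root": root}


def verify_dataset(records, manifest):
    """Compare a dataset snapshot against the manifest and report every discrepancy."""
    seen = {str(r["id"]): record_digest(r) for r in records}
    known = manifest["entries"]
    tampered = sorted(k for k, d in seen.items() if k in known and known[k] != d)
    missing = sorted(k for k in known if k not in seen)
    unexpected = sorted(k for k in seen if k not in known)
    return {
        "ok": not (tampered or missing or unexpected),
        "tampered": tampered,
        "missing": missing,
        "unexpected": unexpected,
    }


def label_shares(records):
    """Fraction of records carrying each label; a cheap sanity check beside hashing."""
    counts = {}
    for r in records:
        counts[r["label"]] = counts.get(r["label"], 0) + 1
    total = len(records)
    return {label: n / total for label, n in counts.items()}


def label_drift(baseline, current, max_delta=0.05):
    """Labels whose share moved by more than max_delta between two snapshots."""
    before, after = label_shares(baseline), label_shares(current)
    labels = set(before) | set(after)
    return sorted(l for l in labels
                  if abs(before.get(l, 0.0) - after.get(l, 0.0)) > max_delta)


def flip_label_copy(records, record_id, new_label):
    """Return a copy with one label changed: a simulated poisoned snapshot for the demo."""
    copy = [dict(r) for r in records]
    for r in copy:
        if r["id"] == record_id:
            r["label"] = new_label
    return copy


if __name__ == "__main__":
    manifest = build_manifest(TRAINING_SET)
    poisoned = flip_label_copy(TRAINING_SET, 3, "normal")   # constructed tampering
    print(verify_dataset(TRAINING_SET, manifest))   # ok: True
    print(verify_dataset(poisoned, manifest))       # tampered: ['3']
    print(label_drift(TRAINING_SET, poisoned))      # ['fault', 'normal']
```

The manifest check only proves that the data matches what was approved at manifest time; it does nothing if poisoned records were approved in the first place, which is why the label-share check (and, in a real pipeline, review of where each record came from) sits beside it rather than replacing it.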
AI-powered cyber threats are no longer hypothetical. We are already seeing AI-written ransomware in the wild, AI-assisted campaigns by nation-states, and AI-driven phishing that undermines human defenses. For Florida's CI owners and operators, the risks are immediate and increasing. The table below shows notional attack pathway scenarios in which AI-powered cyberattacks might be deployed against Florida's CI. Proactive steps are necessary: accelerating patch cycles, integrating AI-based anomaly detection with human oversight, red-teaming SCADA systems against AI-assisted exploits, and stress-testing continuity plans under AI-driven attack scenarios. By preparing now, operators can reduce the likelihood that AI-enhanced cyberattacks will translate into large-scale disruptions in essential services.
Example AI-assisted Cyberattack Pathway Scenarios for Florida's Critical Infrastructure
Sector | Likely AI Attack Vector | Rationale | Potential Impact
Energy (Power Grid, Utilities) | AI-assisted/written ransomware targeting SCADA/AMI and OT gateways | SCADA/AMI exposure + IT/OT paths; AI speeds payload/dev & lateral move | Regional blackouts, cascading infrastructure failures, significant economic loss
Water & Wastewater Systems | AI-guided false-data injection/manipulated setpoints in SCADA | AI can craft stealthy FDIA to alter treatment parameters undetected | Contaminated water, service outages, severe public health risks
Healthcare & Public Health | AI-enhanced phishing + ransomware; IoMT targeting | Hospitals are prime ransomware targets; AI boosts lure quality & pivots | Service paralysis, data breaches, risks to patient safety
Chemical (Fertilizer) | AI-assisted malware/process manipulation + LLM-driven spear-phishing | Process control reliance; AI can aid access and trigger process upsets | Industrial accidents, toxic/chemical release, community harm
Transportation Systems (Ports, Aviation) | Deepfake-enabled impersonation and social engineering | High trust workflows; AI deepfakes can spoof officials/partners | Port shutdowns, supply chain disruption, aviation delays
The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal agency with primary responsibility for securing critical infrastructure. It coordinates national risk management and incident response, shares threat intelligence, issues guidance, and supports assessments across the 16 sectors. CISA defines critical infrastructure (CI) sectors as “assets, systems, and networks, whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”115
Each sector has a designated federal Sector Risk Management Agency (SRMA) that leads risk-management coordination and assistance for the sector and its subcomponents. CISA itself fills that role for some sectors. Regulatory authority, however, varies by sector. A 2024 National Security Memorandum reaffirmed the 16 CI sectors and directed SRMAs to develop sector-specific risk assessments and (where needed) pursue or help establish minimum security requirements. Each sector is also made up of smaller, distinct components that generally have an agency overseeing them; the chemical sector, for example, is composed of four components, ranging from basic chemicals to consumer products.
CISA oversees 10 regions nationally, with Florida located in Region 4.116 Each region has its own CISA office to assist in cybersecurity endeavors. The sector breakdown below is based on reporting, plans, and other resources developed for each sector. Some sectors do not typically report cyberattacks publicly; therefore, this report does not cover them in depth.
In the section below, we briefly review each of the 16 CI sectors, some of their Florida-specific features (assets, concentrations, dependencies), and offer some actionable recommendations for CI owners and operators. The cyber threat level was determined using our Cyber Threat Level Rating Methodology (see Appendix II).
Cyber threat level: Moderate
The chemical sector includes facilities that manufacture, store, use, and transport potentially dangerous chemicals. It provides raw materials and products essential for many other CI sectors (e.g., specialty/basic chemicals, agricultural chemicals, and consumer goods). Disruptions can affect health, safety, supply chains, and national economic security.117 Attacks may come in the form of ransomware, supply chain intrusions, or network infiltration, with potential consequences ranging from production shutdowns to environmental hazards. The CISA Chemical Security Assessment Tool (CSAT) suffered a breach earlier in the year affecting "several chemical facilities nationwide."118 In Florida, the large concentration of fertilizer plants and chemical facilities around Tampa Bay and the phosphate industry in Central Florida increase regional importance. Our Florida CI cyberattack data show no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Use the DHS CISA Chemical Security Assessment Tool (CSAT).
• Leverage Cyber Florida CI’s sector-specific incident response templates.
• Close identified planning gaps and document corrective actions.
• Replace legacy systems with supported, secure platforms.
• Implement Zero Trust architecture and rigorously vet third-party vendors.
• Enforce least-privilege access controls, with emphasis on Safety Instrumented Systems (SIS).
• Continuously monitor Operational Technology (OT) protocols and traffic for anomalies.
Cyber threat level: High
The commercial facilities sector includes sites that draw large crowds or have regular public access (shopping centers, hotels, office buildings, stadiums, convention centers, parks, etc.). Many of them are privately owned and have less regulatory oversight. They are critical because their disruptions can affect economic activity, social stability, and public safety.119 These facilities often rely on smart building technologies, surveillance systems, and digital payment platforms, making them vulnerable to cyberattacks. Florida’s tourism economy is uniquely dependent on this sector, with Orlando’s theme parks, Miami’s hotels, and Tampa’s stadiums representing some of the largest commercial facilities in the US. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.120 Our Florida CI cyberattack data identified four incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Implement enhanced security controls and conduct regular security awareness training.
• Establish and enforce comprehensive structural security policies.
• Apply tailored security measures specific to each commercial facilities sub-sector, due to the sector’s diversity.
• Utilize upstream DDoS scrubbing services to mitigate large-scale attacks.
• Conduct regular training exercises to ensure preparedness and response capabilities.
• Implement ransomware isolation protocols and adhere to CISA-recommended guidelines.
Cyber threat level: Moderate-High
The communications sector encompasses providers and systems that deliver voice, data, media, video, and other information services, including wired and wireless networks, satellite broadcasting, and the infrastructure behind them. It enables operations and coordination in almost all other sectors, and is essential in emergencies.121 Florida hosts Miami's NAP of the Americas (Equinix MI1), one of the largest Internet exchange points in the US and the primary hub for Latin American connectivity, making it a strategic asset for hemispheric communications.122 Small Office/Home Office (SOHO) edge devices remain an issue in this sector.123 Our Florida CI cyberattack data identified four incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Implement a Zero Trust security model to enhance access control and reduce attack surfaces.
• Replace Small Office/Home Office (SOHO) edge devices with more secure, enterprise-grade alternatives.
Cyber threat level: High
The critical manufacturing sector covers the manufacturing of products that are foundational to other sectors, such as primary metals, machinery, electrical equipment, and transportation equipment (aircraft, ships, etc.).124 These operations often depend on automated systems and industrial control technologies, which can be vulnerable to cyberattacks. Florida's manufacturing base is modest compared to other states, but aerospace and defense manufacturing on the Space Coast (e.g., avionics and spacecraft components) makes it critical to both state and national supply chains. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.125 Our Florida CI cyberattack data identified three incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Follow CISA guidelines for ransomware defense and enhance collaboration to present a unified response.
• Adhere to CISA-recommended post-incident practices to improve recovery and resilience.
• Implement network segmentation between IT and OT environments to reduce risk and limit lateral movement.
• Keep all device firmware updated to address vulnerabilities and maintain security posture.
• Monitor supply chain activities and enforce robust security controls throughout the supply chain.
Cyber threat level: Low-Moderate
The Dams Sector includes dams, locks, levees, and related infrastructure. They provide water storage, hydroelectric power, flood control, navigation, recreation, and other functions. Failures or disruptions can result in flooding, infrastructure damage, and public safety risks.126 While there have been no publicized attacks on dam structures within Florida, research suggests they face heightened cyber threats as adversaries increasingly target water infrastructure to disrupt critical services. Experts warn that many facilities rely on outdated control systems that are vulnerable to modern attacks, with limited cybersecurity resources to mitigate risks. Potential consequences include loss of gate control, flooding, and water shortages, which could cascade into broader public safety and economic crises.127 The Florida CI Ransomware Readiness Report found that the ICS and SCADA systems were not built to withstand modern cybersecurity problems. It was noted that 38% of the potential operational impact involves "loss of gate control," meaning ransomware threats could target dams and disrupt the release of water needed for critical resources.128 Dragos, a cybersecurity firm specializing in industrial control systems (ICS) and operational technology (OT) protection, warns that water utilities face rising cyber risks, as groups like CyberAv3ngers have already exploited weak defenses to compromise programmable logic controllers (PLCs) and disrupt services worldwide, with the most severe OT flaws affecting controllers and most IT flaws tied to remote connectivity.129 Florida has few large hydroelectric dams compared to other states; the primary role of dams here is flood control and navigation rather than power generation. Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Remove programmable logic controllers (PLCs) from direct network access to reduce exposure.
• Replace default configurations and enforce change control processes with multi-factor authentication (MFA).
• Continuously monitor ladder logic changes, as they are a common target for manipulation.
Cyber threat level: Moderate-High
The defense industrial base (DIB) sector comprises the industrial complex that produces military systems, equipment, materials, and research to support national defense. Disruption threatens national security and military readiness, making it a high-value target for cyber espionage.130 The DIB also includes contractors and the design/manufacture of weapons, vehicles, and systems. The US defense supply chain, however, is increasingly intertwined with foreign entities, including firms based in China. This raises serious concerns about the potential risks to national security, as foreign subcontractors may introduce vulnerabilities through compromised hardware, intellectual property leakage, or influence over critical systems.131 Subcontractors often find it difficult to match the cybersecurity readiness of the main contractors, which can create openings that attackers can exploit.132 This sector incurs about $1.7 billion in "estimated annual losses from cyber incidents in DIB."133 Florida has a dense DIB footprint, including aerospace/defense contractors on the Space Coast, ship repair yards in Jacksonville, military simulation firms in Orlando, SOUTHCOM headquarters in Doral/Miami, and two unified combatant command headquarters (CENTCOM and SOCOM) in Tampa. This elevates the strategic importance of DIB-related risks, even though publicly reported (open-source) attacks are relatively rare. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.134 Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Strengthen oversight of companies involved in the development of critical defense technologies.
• Identify and flag foreign-owned vendors participating in sensitive systems.
• Conduct supplier audits to classify components based on their strategic importance.
• Develop dual-sourcing strategies or secure domestic alternatives for high-priority systems and components.
• Leverage tools such as the DoD Project Spectrum cybersecurity resources to enhance cyber resilience.
• Continuously monitor contractors to ensure compliance with security and operational standards.
Cyber threat level: Moderate
The emergency services sector has five primary components: Emergency Management, Emergency Medical Services (EMS), Fire and Rescue Services, Law Enforcement, and Public Works. These services are essential for protecting life and property.135 Florida’s hurricane-prone environment requires one of the nation’s most robust emergency management systems, with the Florida Division of Emergency Management coordinating large-scale evacuation and disaster response. The Florida CI Ransomware Readiness Report found that just under 19% of entities in this sector met criteria for Basic ransomware readiness.136 Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Invest in modern infrastructure and cybersecurity practices to replace aging and outdated systems.
• Utilize offline CAD (computer-aided dispatch) playbooks to ensure operational continuity during cyber incidents.
• Deploy endpoint detection and response (EDR) solutions on dispatch servers to detect and mitigate cyber threats.
• Implement secure VPN access for first responders to protect communications and data in the field.
Cyber threat level: High
The energy sector covers the generation, transmission, and distribution of electricity; the production, refining, and transport of fuel; and the infrastructure for petroleum, natural gas, renewable, and nuclear power. These operations power the functions in every other sector, so disruptions can create widespread cascading effects.137 Florida's energy system is highly dependent on natural gas, which fuels about 75% of its electricity generation, much of it imported via pipelines. The energy sector is vital to national security, and other nation-states are interested in finding vulnerabilities in our power grid. Florida faces challenges due to outdated systems and a lack of cybersecurity sophistication.138 The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.139 Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Limit reliance on Chinese-made components, closely scrutinize products partially manufactured in China, enhance grid monitoring for anomalies, and prioritize investment in domestic technologies.
• Implement advanced threat detection, strengthen intelligence sharing, and enforce stricter supply chain vetting to prevent cyber intrusions that could trigger cascading failures in the power grid.
• Invest in modern infrastructure and expand resources dedicated to cybersecurity training.
• Regularly patch edge devices to address vulnerabilities and maintain system security.
Cyber threat level: Very High
The financial services sector includes banks, investment firms, insurance companies, and payment systems. These elements support economic stability, commerce, government operations, and individual livelihoods.140 Cyberattacks, such as phishing, malware, and ransomware, that breach databases and leak or steal vital information are common and target various business infrastructures of all sizes. Florida is a major financial hub, especially Miami, which is central to Latin American banking and trade. Florida hosts one of the nation’s largest finance and insurance clusters, employing more than 425,000 professionals, with major deposit markets at Miami–Fort Lauderdale–West Palm Beach ($276.8B) and Tampa–St. Petersburg–Clearwater ($101.2B), which together make the state’s financial services footprint a high-value target for cyber threat actors.141 The state also has a strong insurance and retirement service presence owing to its large retiree population. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.142 Our Florida CI cyberattack data identified two incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Implement a Zero Trust security model and strictly deny privilege escalation.
• Deploy DDoS mitigation strategies to protect against these types of attacks.
• Strengthen defenses to prevent attackers from stealing credentials.
• Employ techniques to detect and respond to insider threats.
Cyber threat level: Moderate
The food and agriculture sector involves the production, processing, transportation, and distribution of food, as well as agriculture (farms, livestock, fisheries) and related supply chains. Its functioning is crucial to public health, nutrition, and social stability.143 Food supply chain systems are vulnerable to ransomware and malware. Operational shutdowns are a common consequence of such attacks.144 Florida is the top US producer of citrus and ranks highly in sugar cane, tomatoes, and seafood. These industries depend on cold-chain logistics through ports and airports, making them vulnerable to disruption.145 The Florida CI Ransomware Readiness Report found that 17% of the entities in this sector met criteria for Basic ransomware readiness.146 Our Florida CI cyberattack data identified one incident occurring in this sector between October 2024 and September 2025.
Recommendations:
• Thoroughly vet all third-party vendors to ensure security compliance.
• Enforce multi-factor authentication (MFA) for all vendor access.
• Secure gateway software to protect network entry points.
Cyber threat level: Moderate
The government services and facilities sector comprises the buildings, systems, and operations of federal, state, local, tribal, and territorial governments. These include public administration, judicial systems, public service delivery, and physical infrastructure.147 The assets include both facilities that are open to the public and those that are closed and hold sensitive information. Embassies, courthouses, and general offices are included in this sector. Education is considered a sub-section within this sector, with CISA providing specific resources for schools to utilize.148 "Cyber elements that contribute to the protection of sector assets" (e.g., access control systems, alarms, monitoring, surveillance, and cyber-physical systems) are a part of this sector. Florida hosts Kennedy Space Center, federal courthouses, prisons, and a wide range of state and municipal networks, which have been frequent ransomware targets nationally. The Florida CI Ransomware Readiness Report found that just 8% of entities in this sector met criteria for Basic ransomware readiness.149 Our Florida CI cyberattack data identified one incident occurring in this sector between October 2024 and September 2025.
Recommendations:
• Follow CISA guidelines to strengthen cybersecurity practices.
• Implement a Zero Trust security model to enhance access control.
• Utilize industry-specific cybersecurity resources, such as those tailored for K-12 education.
• Thoroughly vet third-party vendors to ensure security compliance.
• Foster collaboration across all levels of government.
• Monitor insider activities to identify potential threats.
• Enforce strict access controls for facilities and vendors.
Cyber threat level: Very High
The healthcare and public health sector includes hospitals, clinics, public health agencies, medical research, laboratories, and pharmaceutical manufacturing. These entities improve the health of the population and protect it from terrorism, disease outbreaks, and natural disasters. Sector disruptions can have life-threatening consequences.150 Healthcare and public health is one of the most targeted sectors for cyberattacks in Florida and nationally. As of March 2024, Florida has over 300 hospitals, including 203 licensed general acute-care hospitals.151 Its large elderly population makes healthcare disruptions particularly consequential. The Florida CI Ransomware Readiness Report found that more than a quarter (28%) of entities in this sector met criteria for Basic ransomware readiness.152 Our Florida CI cyberattack data identified 12 incidents occurring in this sector between October 2024 and September 2025, which is the highest number of cyberattacks in any sector and three times the number in the next highest sector.
Recommendations:
• Implement techniques to prevent ransomware, including phishing identification training, social engineering awareness, data backups, and encryption.
• Provide targeted training to defend against the most common phishing attacks.153
• Adopt a Zero Trust security model to enhance overall protection.
• Collaborate with healthcare agencies, such as HC3, for specialized support.154
• Apply robust protections for cloud infrastructure to safeguard data and services.155
• Enforce system hardening and use secure software practices.
Cyber threat level: High
The information technology (IT) sector includes companies and infrastructure that provide hardware, software, cloud services, and IT support. It provides the backbone for data processing, control systems, communications, and cyber operations.156 Ransomware accounted for 18% of cyber threats to the IT sector in 2019, but that proportion rose to 48% by 2024.157 Florida's IT sector is growing, with concentrations in Miami, Tampa, and Orlando. Managed service providers (MSPs) are particularly important for smaller governments and businesses, and they create systemic risks if compromised. The Florida CI Ransomware Readiness Report found that just under 19% of entities in this sector met criteria for Basic ransomware readiness.158 Our Florida CI cyberattack data identified no incidents occurring (directly) in this sector between October 2024 and September 2025, although technically, all cyberattacks traverse IT.
Recommendations:
• Conduct regular cybersecurity awareness training and promote good cyber hygiene practices.
• Follow the guidelines established by CISA’s “Stop Ransomware” program, as ransomware remains the most prevalent malware threat.
• Encourage collaboration with fusion centers to enhance cybersecurity awareness and information sharing.
• Engage in proactive living-off-the-land (LotL) threat hunts to detect hidden malicious activity.
• Implement secure system builds to minimize vulnerabilities.
• Verify and enforce strong authentication protocols.
Cyber threat level: Moderate
The nuclear reactors, materials, and waste sector includes nuclear power plants, research reactors, radioactive materials, and waste management. Disruption or compromise can have long-lasting consequences for safety and the environment.159 Detecting cyber threats in nuclear facilities normally depends on detecting anomalous behaviors in OT and IT systems.160 Florida currently has only two active commercial nuclear power facilities, the Turkey Point Nuclear Generating Station (Miami-Dade) and St. Lucie Nuclear Plant (near Jensen Beach), and a research reactor at the University of Florida. The Crystal River nuclear plant was shut down and is not operational. Combined, these plants generate approximately 13–20% of Florida's electricity.161 Owing to the high-risk nature of nuclear reactors and materials, the nuclear power industry is more secure than other sectors. Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Implement a Zero Trust security model to strengthen access control and minimize risks.
• Deploy session recording to monitor user activity and enhance security oversight.
• Utilize anomaly detection software for both IT and OT systems to identify unusual behavior.
Cyber threat level: Moderate-High
The transportation systems sector is responsible for moving people and goods by modes such as aviation, highways, rail, maritime, transit, and pipelines. It includes the infrastructure and systems needed for mobility, commerce, supply chains, and emergency response.162 The sector is composed of seven subsectors: Aviation, Highway and Motor Carrier, Maritime Transport, Mass Transit, Pipeline, Freight Rail, and Postal. Transportation systems are attractive targets, as shown by Scattered Spider's intent to attack airlines.163 Florida has 15 deepwater seaports164 and over 125 public-use airports (21 commercial service airports),165 along with the world's busiest cruise ports (Miami, Port Canaveral, Tampa, and Jacksonville). These are vital for tourism, trade, and disaster evacuations. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.166 Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Follow CISA guidelines to strengthen cybersecurity defenses.
• Implement DDoS protection and other security measures for critical software systems.
• Deploy multi-factor authentication (MFA) and enhance OT security in vulnerable areas such as logistics hubs and ports.
Cyber threat level: High
The water and wastewater systems sector is responsible for the drinking water supply, wastewater treatment, and related systems. Disruption has immediate consequences for public health and sanitation.167 Smaller water treatment and utility-related infrastructure may be particularly vulnerable because of budget constraints at various government levels, outdated technologies, and weak supervisory control and data acquisition (SCADA) systems.168 Approximately 94% of Florida's residents are served by community water systems, with more than 7,000 public water systems and 2,000 wastewater facilities regulated by DEP.169 Coastal desalination and aquifer reliance increase the potential vulnerability of the state to both cyber and physical disruptions. The Florida CI Ransomware Readiness Report found that nearly a third of entities in this sector met criteria for Basic ransomware readiness.170 Our Florida CI cyberattack data identified no incidents occurring in this sector between October 2024 and September 2025.
Recommendations:
• Secure outdated technology to protect against current cyber threats.
• Address the significant training gaps in water and wastewater organizations by implementing regular exercises and awareness programs, recognizing the sector's increasing risk.
• Remove programmable logic controllers (PLCs) from the network to reduce exposure.
• Change all default credentials to strengthen access controls.
• Implement anomaly detection systems to identify unusual activities.
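Several recommendation lists above (chemical: "continuously monitor OT protocols and traffic for anomalies"; water: "implement anomaly detection systems") and the water row of the AI pathway table (manipulated setpoints in SCADA) point at the same control. The following is an added example, not code from this report or from any OT security product, of the simplest useful form of that control: a passive check over control-protocol events that flags writes from any host that is not an approved engineering workstation and writes that push a process setpoint outside its engineering limits. The log line format, IP addresses, register numbers, and bounds are all constructed assumptions; a real deployment would take them from a span-port collector and the plant's own process documentation.

```python
import re

# Constructed OT event lines in a hypothetical key=value collector format
# (an assumption for this example, not a real product's log format).
SAMPLE_LOG = """\
2025-03-04T10:15:01Z src=10.20.1.5 dst=10.20.9.10 proto=modbus fc=3 unit=1 reg=40001 value=-
2025-03-04T10:15:02Z src=10.20.1.5 dst=10.20.9.10 proto=modbus fc=6 unit=1 reg=40001 value=850
2025-03-04T10:15:07Z src=10.20.1.5 dst=10.20.9.10 proto=modbus fc=6 unit=1 reg=40001 value=1500
2025-03-04T10:16:40Z src=10.20.7.77 dst=10.20.9.10 proto=modbus fc=16 unit=1 reg=40002 value=700
2025-03-04T10:16:41Z src=10.20.7.77 dst=10.20.9.10 proto=modbus fc=6 unit=1 reg=40002 value=50
garbage line that the collector truncated
"""

# Hypothetical policy: which hosts may write to controllers, which Modbus function
# codes are writes, and the engineering limits for each setpoint register.
ALLOWED_WRITERS = {"10.20.1.5"}            # the plant's engineering workstation (assumed)
WRITE_FUNCTION_CODES = {5, 6, 15, 16}      # single/multiple coil and register writes
SETPOINT_BOUNDS = {
    40001: (200, 900),    # e.g. chemical dose setpoint, scaled units (assumed)
    40002: (650, 850),    # e.g. pH setpoint x100 (assumed)
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Parse one event line into a dict, or return None if it is not well formed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    try:
        return {
            "ts": m.group("ts"),
            "src": fields["src"],
            "dst": fields["dst"],
            "fc": int(fields["fc"]),
            "unit": int(fields["unit"]),
            "reg": int(fields["reg"]),
            "value": None if fields["value"] == "-" else int(fields["value"]),
        }
    except (KeyError, ValueError):
        return None


def check_event(ev):
    """Return the list of policy violations for one parsed event (empty if none)."""
    alerts = []
    if ev["fc"] not in WRITE_FUNCTION_CODES:
        return alerts                       # reads are expected traffic
    if ev["src"] not in ALLOWED_WRITERS:
        alerts.append("UNAUTHORIZED_WRITER")
    bounds = SETPOINT_BOUNDS.get(ev["reg"])
    if bounds and ev["value"] is not None:
        lo, hi = bounds
        if not lo <= ev["value"] <= hi:
            alerts.append("SETPOINT_OUT_OF_BOUNDS")
    return alerts


def scan_log(text):
    """Scan a log and return (line_number, reason, detail) findings.

    Unparseable lines are reported rather than skipped: a collector that starts
    emitting garbage is itself something an operator should know about.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append((n, "UNPARSEABLE_EVENT", line[:40]))
            continue
        for reason in check_event(ev):
            detail = f"{ev['src']} fc={ev['fc']} reg={ev['reg']} value={ev['value']}"
            findings.append((n, reason, detail))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Both checks are deliberately stateless and allowlist-based: an unexpected writer or an out-of-range setpoint is a fact about one event, so it can be evaluated at line speed and does not depend on a learned baseline that a patient intruder could shape. Rate-based and sequence-based anomaly detection belong on top of this, not instead of it.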
[Figure: CI Sectors: Cyber Threat Levels and Number of Cyberattacks (October 2024 - September 2025). *IT is inherently involved in every cyberattack.]
We created the Florida Critical Infrastructure Cybersecurity Incident (CICI) database to catalog cybersecurity attacks/incidents within the state. An analysis of CICI-catalogued cybersecurity incidents is presented below. This study focused on cybersecurity incidents that have occurred since our last report, Florida Critical Infrastructure: 2024 Cybersecurity Intelligence Assessment. A detailed explanation is provided in our cyber-incident identification methodology (see Appendix I).
For broader context, we also drew from the publicly available Hackmageddon database of cyber incidents.171 While Hackmageddon was not designed specifically to capture CI attacks, it does categorize incidents by sectors in a scheme that is similar to CISA’s 16 CI sectors.
Across Florida CI in the past year, ransomware dominated the reported incidents targeting CI. Attacks are typically initiated via phishing or other user-driven access (e.g., social engineering and credential theft), followed by data theft and encryption for extortion. This pattern reinforces ransomware as the principal cyber threat to Florida CI. CI owners and operators should prioritize layered email controls, credential hardening (MFA resistant to phishing), rapid patch/update cycles for Internet-facing apps, and rehearsed backup/restore and business continuity procedures.
Global trend: Based on incidents recorded in the Hackmageddon database from Q2 2024 to mid-March 2025, malware was consistently the leading tactic, with ransomware a steady second. Targeted/espionage operations showed episodic spikes. Phishing was the most common initial access vector. The exploitation of public-facing vulnerabilities also increased during the study period.
Comparison to Florida: Florida’s reporting is far more ransomware-heavy than the global trend, where “malware” encompasses a broader set of payloads and effects. That gap may reflect both operator targeting (healthcare/government in FL) and reporting bias (ransomware is more visible/reportable). Florida CI owners and operators should not neglect quiet intrusion methods (e.g., vulnerability exploitation, targeted access), but weigh their defensive efforts toward countering ransomware tradecraft (e.g., email/social engineering controls, credentials, backups, rapid containment).
Healthcare and public health sector was by far the most frequently impacted sector in Florida, followed by commercial facilities and critical manufacturing. This pattern reflects attackers’ focus on monetizable data and essential services, with manufacturing’s rise signaling growing exposure across IT/OT boundaries. The distribution likely combines genuine targeting with disclosure effects (healthcare mandatory reporting); however, the trend still warrants sector-specific hardening, particularly OT/IT segmentation and vendor access governance in manufacturing, and robust ransomware resilience across healthcare and commercial operations.
Global trend: Based on incidents recorded in the Hackmageddon database from Q2 2024 to mid-March 2025, “multiple industries” (broad campaigns) accounted for the largest share of activity quarterly, but healthcare consistently ranked among the top single-sector targets. Government targets held a stable mid-tier share, and February–March 2025 saw the rise of espionage-linked “targeted attacks” alongside malware/ransomware.
Comparison to Florida: Florida’s sector profile diverges from the global trend: In Florida, while healthcare and public health leads decisively, followed by commercial facilities and critical manufacturing, Hackmageddon’s global view is dominated by “multiple-industries” campaigns. Healthcare and public health are prominent but are typically followed by government, IT, and finance rather than commercial facilities or critical manufacturing. In practical terms, Florida shows elevated exposure to (1) healthcare ransomware/data theft, (2) commercial facility operations and tenant/guest services (e.g., building management systems, access control/CCTV, reservation or tenant portals, vendor-managed services, guest Wi-Fi), and (3) OT/IT-bridge risks in manufacturing. Florida CI owners and operators should weigh controls accordingly, with a focus on ransomware resilience and network segmentation in healthcare. For commercial facilities, mitigation efforts might aim to harden identity and email, segment and monitor building/IoT systems, lock down vendor remote access, and protect public and tenant portals. In critical manufacturing, owners and operators may emphasize enforcing strict IT/OT segmentation, brokering vendor access, and passive OT monitoring.
[Figure: Florida CI 2024-2025: CI Sectors Targeted]
Most Florida cases lacked a firm public attribution. The named actors that emerged were predominantly financially motivated ransomware crews or RaaS affiliates (e.g., groups aligned with BianLian/RansomHub ecosystems). This reflects the operational reality that criminal franchises frequently front for or overlap with state-aligned interests, complicating attribution and response. The prevalence of “unknown” should be interpreted as reflecting limited disclosure rather than the absence of capable adversaries.
Global trend: Based on incidents recorded in the Hackmageddon database from Q2 2024 to mid-March 2025, cybercrime was the dominant intention across the study period. Cyber espionage, however, rose notably at times, especially in early 2025, consistent with targeted campaigns against governments, technology, and healthcare. Hacktivism and overt cyber warfare were marginal in volume.
Comparison to Florida: Florida’s public attributions skew heavily to criminal/RaaS brands (or unknown), while the global dataset surfaces more activity that maps to espionage tradecraft. Practically, Florida CI owners and operators should assume that (a) ransomware crews remain the most likely disruptors, and (b) stealthier, data-centric intrusions (espionage/supply chain) are a growing secondary risk, particularly for governments, healthcare networks with research affiliations, and manufacturers with sensitive IP.
[Figure: Florida CI 2024-2025: Cyber Threat Actors (As Attributed)]
Florida’s CI cyber threat picture over the past year is clear: ransomware remains the most likely and disruptive threat. The healthcare and public health sector is the most frequently targeted sector, with commercial facilities and critical manufacturing following. Florida CI owners and operators should act on both fronts: first, drive down exposure (e.g., phishing-resistant MFA, rapid patching of internet-facing services, strict IT/OT segmentation, brokered vendor access) and second, harden resilience (e.g., immutable/offline backups, practiced restoration, downtime procedures). These controls can be measured with quarterly exercises and time-to-patch and time-to-detect KPIs. Finally, we strongly encourage CI entities to accelerate cross-sector intelligence sharing with state and federal partners so that emerging tactics seen in one sector can be shared with other sectors in a timely manner.
The following recommendations translate this year’s cyber threat picture into operator actions. They prioritize an intelligence-driven approach to anticipating and disrupting critical infrastructure cyberattacks.
• Establish a central cyber intelligence team
• Create a cycle or feedback loop for your cyber threat intelligence
• Develop a systematic collection plan for open-source intelligence (OSINT)
• Actively engage with partners in information sharing
• Develop and deliver actionable insights to key decisionmakers and operators
• Schedule regular threat hunting to search for hidden intrusions
• Use AI where it can add the most value
Establish a central cyber intelligence team
Even CI entities with limited resources can begin to use “cyber intelligence” to develop a more proactive cybersecurity posture.172 They can establish a small team that monitors and integrates reporting from various sources (e.g., the government, ISACs, vendors, and trusted communities). The team should use that fused information to increase situational awareness of trends in the sector and develop actionable insights into the capabilities,173 intentions, and activities of cyber threat actors. The insights should inform decisions across all levels: strategic (long-term risk picture),174 operational (campaign/sector planning), and tactical (immediate technical cues).175
Create a cycle or feedback loop for your cyber threat intelligence
Cyber intelligence should be designed and executed in a cycle176 that starts with “Planning and Direction” in the form of a “Collection Plan” and ends with “Feedback,” where the results of the analysis and intelligence products are used to re-shape and update the Collection Plan.177 To round out the cycle, after Planning comes Collection (gathering data and information), Processing & Exploitation (putting raw data and information into a usable form for analysis), Analysis & Production (developing actionable insights from the analyzed information), and Dissemination (delivery of insights/finished products to relevant consumers).178 The final Feedback phase closes the loop.
Develop a systematic collection plan for open-source intelligence (OSINT)
The cyber intelligence team should develop, regularly update, and maintain a systematic collection plan for open-source intelligence (OSINT) to look for early targeting cues, information on actor motives, and “chatter” pertaining to Florida CI assets within their sector. A collection plan should include topics, keywords, priority assets, and a list of sources. It should outline roles and responsibilities, specify a rating system for characterizing source credibility and relevance, and specify the regularity or cadence of OSINT reviews. Collection plans should be reviewed to comply with prevailing legal and ethical guidelines, and their outputs should be aligned with ISO/IEC 27001:2022 practices for early threat identification and detection.179
Actively engage with partners in information sharing
CI entities should create standard operating procedures and named liaisons for sharing threat-related data and information with state and federal partners and peer operators.180 ISACs and InfraGard can be valuable resources in that effort.181 Cyber intelligence analysts should continually look for and learn new tools and refine their tradecraft to improve the quality and timeliness of shared intelligence and to integrate lessons learned.182
Develop and deliver actionable insights to key decisionmakers and operators
Finished cyber intelligence products should contain insights about what happened, why it matters, and what to do now. That information should be tailored to the specific needs of relevant decisionmakers, operators, and responders.183 Those products should be objective and timely. They should identify all relevant sources used and summarize the strengths and limits of the evidence on which the assessments are based. Facts should be clearly distinguished from assumptions and judgments.184 Analysts should acknowledge uncertainty and document it using standardized terms of likelihood. Analytic products should note alternative explanations and key “conditionals” (uncertain conditions that might change the assessment) when they are pertinent.
Schedule regular threat hunting to search for hidden intrusions
The cyber-intelligence team should run regular, fixed-length threat hunts to look for internal signs that an attacker is already inside the IT (business) and OT (industrial control) systems (e.g., unusual logins, lateral movement, suspicious remote access, beaconing).185 They should create anomaly alerts and engage in continuous monitoring.186 To track the effectiveness of those approaches, they should measure (1) dwell time (how long the attacker was inside before detection) and (2) hit rate (how often a hunt finds a real threat) and use those metrics to track and improve their performance.187
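As an added worked example (not tooling from the report or its authors), the following Python shows one of the hunt checks named above, beaconing, together with the two metrics the paragraph asks teams to track. It also illustrates the kind of anomaly detection recommended for the water sector earlier in this section. The log format, host names, addresses and timestamps are constructed for the example, and the detection thresholds (at least six connections, inter-arrival jitter of 10% or less) are assumptions, not values from the report.

```python
"""Threat-hunt helper: periodic-connection (beaconing) detection plus dwell-time and
hit-rate metrics. Added example; not the report's tooling. The log format is a
constructed one: "<ISO timestamp> <source host> <destination ip:port> <status>".
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: host-17 reaches one external address roughly every 60 seconds
# (a typical beacon shape); host-22 shows ordinary bursty browsing.
SAMPLE_LOG = """\
2025-03-02T08:00:00Z host-17 203.0.113.45:443 OK
2025-03-02T08:00:05Z host-22 198.51.100.7:443 OK
2025-03-02T08:00:09Z host-22 198.51.100.7:443 OK
2025-03-02T08:01:01Z host-17 203.0.113.45:443 OK
2025-03-02T08:01:59Z host-17 203.0.113.45:443 OK
2025-03-02T08:02:40Z host-22 198.51.100.7:443 OK
2025-03-02T08:03:02Z host-17 203.0.113.45:443 OK
2025-03-02T08:03:10Z host-22 198.51.100.7:443 OK
2025-03-02T08:04:00Z host-17 203.0.113.45:443 OK
2025-03-02T08:04:58Z host-17 203.0.113.45:443 OK
2025-03-02T08:06:01Z host-17 203.0.113.45:443 OK
2025-03-02T08:09:00Z host-22 198.51.100.7:443 OK
2025-03-02T08:09:02Z host-22 198.51.100.7:443 OK
2025-03-02T08:09:03Z host-22 192.0.2.10:80 OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, source, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _status = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst))
    return events


def find_beacons(events, min_connections=6, max_jitter=0.1):
    """Flag (source, destination) pairs whose connections recur at a near-constant
    interval: at least `min_connections` connections and a coefficient of variation
    of the inter-arrival times at or below `max_jitter` (both thresholds assumed)."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue
        jitter = pstdev(deltas) / avg  # low jitter = machine-timed, not human traffic
        if jitter <= max_jitter:
            beacons.append({
                "src": src, "dst": dst, "connections": len(stamps),
                "interval_s": round(avg, 1), "jitter": round(jitter, 3),
                "first_seen": stamps[0],
            })
    return sorted(beacons, key=lambda b: b["first_seen"])


def dwell_time_hours(first_seen, detected_at):
    """Dwell time: hours between the earliest sign of the intrusion and its detection."""
    return (detected_at - first_seen).total_seconds() / 3600


def hunt_hit_rate(hunt_outcomes):
    """Hit rate: fraction of completed hunts (True = found a real threat) that hit."""
    if not hunt_outcomes:
        return 0.0
    return sum(1 for hit in hunt_outcomes if hit) / len(hunt_outcomes)


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for b in found:
        print(f"beacon candidate: {b['src']} -> {b['dst']} every ~{b['interval_s']}s "
              f"(jitter {b['jitter']}, {b['connections']} connections)")
    detected = datetime(2025, 3, 2, 20, 0, tzinfo=timezone.utc)  # constructed
    print("dwell time (h):", dwell_time_hours(found[0]["first_seen"], detected))
    print("hit rate:", hunt_hit_rate([True, False, False, True]))
```

Against the sample, only host-17 is flagged (about 60 s apart with under 4% jitter); host-22's traffic is too irregular. Real hunts would run the same check over proxy, firewall or DNS logs and tune the thresholds to the environment, since some legitimate agents (update checks, monitoring) also beacon.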
Use AI where it can add the most value
AI enhancements for detecting cyber threats and collecting threat-related information are now being widely used.188 CI entities must keep pace with the new ways attackers are using AI, but they must also identify and use their own AI tools to strengthen their defensive measures. Cyber threat intelligence tools can help to integrate information from diverse data/information sources (e.g., hospitals, social media, or local government) for risk modeling and surge awareness.189 They can also use data from logs, configurations, and user behavior in machine learning models to help forecast and anticipate likely targets and identify potential vulnerabilities. These efforts should all include a component for human review.
Cyber Incident Identification Methodology
Methodology
This assessment sought to identify and document all verified cyberattacks against critical infrastructure (CI) entities in Florida between October 1, 2024, and September 30, 2025. The approach combined systematic searches of authoritative sources, structured keyword-based open-source searches, and supplementary review of secondary reporting.
Source Identification and Search Strategy
The Threat Assessment Support Specialist (TASS) employed a multi-step collection process:
Federal Agency Websites
The TASS systematically checked relevant US federal government websites that routinely publish cybersecurity advisories, alerts, and incident notifications. Examples may include:
• Cybersecurity and Infrastructure Security Agency (CISA) – Advisories, Alerts, and ICS-CERT reports
• Federal Bureau of Investigation (FBI) – Cyber Division public notices
• Department of Energy (DOE) – Office of Cybersecurity, Energy Security, and Emergency Response
• Department of Health and Human Services (HHS) – Health Sector Cybersecurity Coordination Center (HC3) advisories
The TASS systematically searched websites that aggregate cybersecurity or local news and set up alerts on information that could be relevant. Some examples include:
• Statescoop - an aggregate of state and local government news with filters for cybersecurity.
• OODALoop - provides briefings and links to cyber threats and other technology-related news.
• Darkreading - a news site focusing on cybersecurity concerns.
Websites that cataloged ransomware or breach incidents were routinely checked. Some include:
• BreachSense - a website that tracks data breaches by monitoring the dark web.
• Comparitech - a company that tracks ransomware breaches.
Local and Mainstream news outlets were also examined for information regarding incidents that occurred within the state. Some of these sites include:
• MSNBC - Mainstream news company that will report on tech news if deemed significant enough.
• WFTV - Orlando-based news station.
Targeted Search Queries
• The TASS conducted keyword-based Google searches to capture publicly reported Florida CI incidents.
• Searches combined the keyword “Florida” with both general cyberattack terms and sector-specific terms. Example search logic included:
◦ “Florida” AND (“cyberattack” OR “ransomware” OR “data breach” OR “malware”)
◦ “Florida” AND [sector name] (e.g., “energy”, “transportation”, “healthcare”)
◦ “Florida” AND (“SCADA” OR “ICS”)
◦ “Florida” AND (“HHS” OR “Hospital”)
◦ “Florida” AND (“legal” AND “Cyber”)
While we primarily looked for items from October 1, 2024 to September 30, 2025, earlier news items that were found were also added so that every incident is documented. The findings in this report were determined from the previously mentioned timeframe only.
Snowball/Reference Chaining
In addition to direct searches, the TASS used a snowball sampling approach (i.e., reference chasing). When incidents were identified in secondary reports (e.g., sector-specific reports, cybersecurity firm publications, or news media), cited incidents and sources were further reviewed to capture additional Florida-specific events. Sources chased in this way included:
• Previous Florida CI reports
• Florida CI Ransomware reports
• CI Readiness Drafts
• Google Mandiant Reports
• Other news reports
Event Coding and Categorization
Events were coded primarily on six main fields:
• Target: The specific organization or entity affected (where reported).
• Location: The city or location where the incident took place.
• Malware: The name of the malware (“Unknown” is an acceptable value).
• Attack type: The type of attack used in the event, chosen from a fixed list.
• Date: The reported date of occurrence or disclosure.
• Sector: The sector classification of the target entity, following the CISA-defined 16 critical infrastructure sectors. Where available, additional fields (e.g., attack vector, perpetrator attribution, impact) were noted.
Inclusion and Exclusion Criteria
Inclusion:
• Incident occurred within Florida or directly affected Florida-based CI entities or residents.
• Targeted one or more of the 16 CISA CI sectors.
• Involved a deliberate cyberattack (e.g., malware deployment, unauthorized access, denial of service).
• Publicly available sources provided at least three core fields (date, sector, and attack type).
Exclusion:
• Accidental outages or incidents with no cyber component.
• Purely physical attacks not involving digital systems.
• National or global incidents with no Florida-specific focus or identifiable Florida impact.
• Events where ambiguity is high (no confirmation of an attack, or the primary fields cannot be filled).
Additional but not essential fields include:
• Common Vulnerabilities and Exposure (CVE) ID
• Ransom (Amount Paid, None, Unknown)
Verification and Triangulation
To enhance reliability, events were included only if reported in at least one authoritative or corroborated source. Federal advisories, major cybersecurity reporting outlets, and multiple independent news reports were prioritized over single-source claims. When other sources were available, they were analyzed for additional information. When new information is found on a specific event, that event is updated with the new information and the source is replaced with the more current item.
Florida CI Cyber Incidents, 10/01/24-09/30/25

| Date | Sector | Target | Location | Attack Type | Other reported fields (ransom / malware / actor / CVE) |
|---|---|---|---|---|---|
| 8/29/2025 | Commercial Facilities | The Celeste Hotel190 | Orlando | Ransomware | |
| 8/14/2025 | Commercial Facilities | Barbas Nunez Sanders Butler & Hovsepian191 | Tampa, FL | | |
| 7/8/2025 | Healthcare and Public Health | Florida Hand Center192 | Punta Gorda, Port Charlotte, and Fort Myers, FL | Data Theft/Ransomware | |
| 6/17/2025 | Government Services and Facilities | Winter Park Law Firm193 | FL | Phishing | |
| 6/8/2025 | Healthcare and Public Health | Jackson Health System194 | Miami, FL | Insider | |
| 5/21/2025195 | Healthcare and Public Health | Florida Lung, Asthma and Sleep Specialists196 | Orlando, Winter Garden, Lake Nona, Poinciana and Kissimmee | Ransomware | No / Rhysida / Rhysida / Unknown |
| 5/1/2025 | Critical Manufacturing | EIZO Rugged Solutions, Inc.197 | Orlando, FL | Ransomware | |
| 5/1/2025 | Critical Manufacturing | TSE Industries, Inc.198 | Clearwater, FL | Ransomware | |
| 4/11/2025 | Healthcare and Public Health | Cancer Care Center of North Florida199 | FL | Intrusion | |
| 4/1/2025 | Healthcare and Public Health | Gateway Community Services, Inc.200 | Jacksonville, FL | | |
| 3/19/2025 | Healthcare and Public Health | Great Florida201 | FL | Ransomware | |
| 3/17/2025 | Healthcare and Public Health | Center for Digestive Health202 | FL | Ransomware | Unknown / BianLian / BianLian / Unknown |
| 3/16/2025 | Transportation Systems | Florida Department of Transportation203 | FL | Data Theft | |
| 2/28/2025 | Commercial Facilities | Andretti Indoor Karting & Games204 | Orlando, FL | Ransomware | |
| 2/28/2025 | Healthcare and Public Health | Bay Village of Sarasota205 | Sarasota, FL | Ransomware | |
| 2/28/2025 | Healthcare and Public Health | Quigley Eye Specialists206 | FL | Ransomware/Data Theft | |
| 2/18/2025 | Healthcare and Public Health | Pulmonary Physicians of South Florida207 | Miami-Dade, FL | Ransomware/Intrusion | |
| 2/3/2025 | Commercial Facilities | Stock Development208 | Naples, FL | Ransomware/Intrusion | |
| 1/13/2025 | Healthcare and Public Health | Community Health Northwest Florida209 | FL | Ransomware | Babuk / Unknown / Cipher / Unknown (field order as extracted) |
| 1/5/2025 | Food and Agriculture | Costadelsol Enterprises210 | Miami, Florida | Ransomware | Unknown |
| 12/31/2024 | Critical Manufacturing | Mid-State Industrial Maintenance211 | Lakeland, FL | Ransomware | Unknown / Play / Unknown / Unknown |
| 12/31/2024 | Financial Services | Estrella Insurance212 | Miami, FL | Ransomware | |
| 12/31/2024 | Financial Services | US Claims Capital213 | Boca Raton, FL | Ransomware | |
| 12/23/2024 | Healthcare and Public Health | Community Health Northwest Florida214 | Pensacola, FL | Ransomware | |
| 12/16/2024 | Healthcare and Public Health | Mid Florida Primary Care215 | FL | Ransomware | Unknown / Unknown / BianLian / Unknown |
| 11/9/2024 | Healthcare and Public Health | Retina Group of Florida216 | FL | Intrusion/Data Theft | Unknown / Unknown / Unknown / N/A |
We used a criteria-based methodology to provide a systematic and consistent approach to assigning cyber threat levels to Florida’s critical infrastructure sectors. We did this to enhance transparency (so readers can clearly see how ratings were assigned) and reliability (so ratings can be applied consistently over time and across sectors). By using simple, observable criteria, we reduce the risk of impressionistic or opaque assessments.
The framework evaluates each sector across three dimensions:
• S1 (Global Targeting Signal): whether the sector is regularly among the most frequently targeted globally in the Hackmageddon dataset
• S2 (Severity of Attacks): whether incidents tend to involve high-impact techniques such as ransomware with data theft, supply chain compromises, or operational technology (OT) disruptions.
• S3 (Florida-Specific Relevance): whether there is evidence of incidents within Florida in the past year or whether the sector qualifies as a lifeline function whose disruption would immediately and severely affect public safety and societal functioning (e.g., energy, water, healthcare, transportation).
Each dimension is scored separately, and the three scores are combined to determine an overall threat score for the sector. This ensures that both frequency of attacks and consequence potential are considered, with adjustments for local relevance in Florida.
Data Sources. The primary source for global targeting and attack techniques is the Hackmageddon open-source database (https://www.hackmageddon.com/) which compiles incidents from publicly available reporting. Hackmageddon provides valuable trend snapshots, but it is incomplete: some attacks go unreported, undetected, or are not identified, sectors may be underrepresented, and large shares of incidents are categorized as “Unknown” or “Multiple industries.” To mitigate these limitations, Hackmageddon data were combined with:
• a Florida-specific incident table compiled specifically for this report,
• cross-sector analyses in recent scholarly reviews of cyber threats to critical infrastructure, and
• professional judgment about lifeline functions in the Florida context.
By explicitly reporting criteria, data sources, and limitations, we hope this methodology provides a transparent and repeatable process for assessing relative threat levels across sectors, while acknowledging the constraints of open-source data.
Here are the three dimensions and the criteria aligned with each score:
S1. Global Targeting Signal (0–2)
• 2 = Regularly among top-hit sectors in recent global snapshots.
• 1 = Mid-pack / recurrent but not top tier.
• 0 = Seldom highlighted.
S2. Impact Pattern Signal (0–2)
• 2 = Common patterns include ransomware with data theft, targeted intrusions, supply-chain compromise, or OT/ICS disruption.
• 1 = Mixed/unclear; some higher-impact activity, but not persistent.
• 0 = Mostly low-impact (defacements, scams).
S3. Florida Relevance Signal (0–2)
• 2 = (a) Multiple FL incidents in last year or (b) lifeline exposure in FL (energy, water, hospitals, ports/airports).
• 1 = (a) One known FL incident or (b) notable sector presence in FL.
• 0 = None/minimal FL signal.
Total = S1 + S2 + S3 (0–6)
Map to Level:
• 0–1 = Low
• 2–3 = Moderate
• 4 = Moderate-High
• 5–6 = High (6 as “Very High”)
Two guardrails:
• If S2=2 (serious impact patterns) and S3≥1, we did not downgrade due to sparse counts.
• We did not assign “Unknown/Multiple industries” to a sector, so it was not used for calculating S1.
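As an added worked example (not a tool from the report), the following Python implements the S1/S2/S3 rubric, the total-to-level mapping and both guardrails on constructed data. The report defines what each score means but gives no formula for deriving it from raw counts, so the numeric rules here (a top-3 cut-off, "top tier in at least half of the quarters", a one-point S1 downgrade as the "sparse counts" adjustment that the first guardrail prevents) and the sample quarterly incident lists are assumptions made for the example.

```python
"""Criterion-based cyber threat level scoring (added example, not the report's tool).

Scores a sector on S1 (global targeting), S2 (impact pattern) and S3 (Florida
relevance), sums them and maps the total to the report's level labels.
Thresholds for deriving scores from raw data are assumptions for this example.
"""
from collections import Counter

# Guardrail 2: these Hackmageddon labels are never assigned to a sector and are
# dropped before sectors are ranked for S1.
EXCLUDED_LABELS = {"Unknown", "Multiple industries"}

# Lifeline functions named in the methodology (S3 = 2 when the sector is one).
LIFELINE_SECTORS = {
    "Energy",
    "Water and Wastewater Systems",
    "Healthcare and Public Health",
    "Transportation Systems",
}

# Patterns the methodology treats as high-impact for S2.
HIGH_IMPACT = {
    "ransomware with data theft",
    "targeted intrusion",
    "supply chain",
    "ot/ics disruption",
}


def s1_global_signal(sector, quarterly_incidents, top_n=3):
    """S1 (0-2) from per-quarter lists of sector labels.
    2 = top-N sector in at least half of the quarters (assumed rule),
    1 = appears in the ranking but not consistently at the top,
    0 = never appears."""
    top_quarters = 0
    seen_quarters = 0
    for quarter in quarterly_incidents:
        counts = Counter(lbl for lbl in quarter if lbl not in EXCLUDED_LABELS)
        ranked = [name for name, _ in counts.most_common()]
        if sector in ranked[:top_n]:
            top_quarters += 1
        if sector in ranked:
            seen_quarters += 1
    if quarterly_incidents and top_quarters * 2 >= len(quarterly_incidents):
        return 2
    return 1 if seen_quarters else 0


def s2_impact_signal(techniques):
    """S2 (0-2) from the attack patterns observed for the sector.
    2 = the most common pattern is high-impact, 1 = high-impact patterns occur
    but are not dominant, 0 = only low-impact activity (defacements, scams)."""
    if not techniques:
        return 0
    normalized = [t.lower() for t in techniques]
    dominant, _ = Counter(normalized).most_common(1)[0]
    if dominant in HIGH_IMPACT:
        return 2
    return 1 if any(t in HIGH_IMPACT for t in normalized) else 0


def s3_florida_signal(sector, fl_incidents, notable_presence=False):
    """S3 (0-2): 2 = multiple FL incidents in the last year or lifeline exposure,
    1 = one known FL incident or notable sector presence, 0 = none/minimal."""
    if fl_incidents >= 2 or sector in LIFELINE_SECTORS:
        return 2
    if fl_incidents == 1 or notable_presence:
        return 1
    return 0


def map_level(total):
    """Map a 0-6 total to the report's level labels."""
    if total <= 1:
        return "Low"
    if total <= 3:
        return "Moderate"
    if total == 4:
        return "Moderate-High"
    return "Very High" if total == 6 else "High"


def rate_sector(sector, quarterly_incidents, techniques, fl_incidents,
                notable_presence=False, sparse_global_sample=False):
    """Combine the three signals. `sparse_global_sample` models an analyst
    proposing to lower S1 by one because global counts are thin (assumed
    adjustment); guardrail 1 skips that downgrade when S2 = 2 and S3 >= 1."""
    s1 = s1_global_signal(sector, quarterly_incidents)
    s2 = s2_impact_signal(techniques)
    s3 = s3_florida_signal(sector, fl_incidents, notable_presence)
    if sparse_global_sample and not (s2 == 2 and s3 >= 1):
        s1 = max(0, s1 - 1)
    total = s1 + s2 + s3
    return {"sector": sector, "S1": s1, "S2": s2, "S3": s3,
            "total": total, "level": map_level(total)}


if __name__ == "__main__":
    # Constructed quarterly label lists standing in for Hackmageddon snapshots.
    q1 = (["Healthcare and Public Health"] * 5 + ["Government"] * 3 + ["Finance"] * 2
          + ["Food and Agriculture"] + ["Multiple industries"] * 9)
    q2 = (["Government"] * 4 + ["Healthcare and Public Health"] * 4 + ["Finance"] * 2
          + ["Food and Agriculture"] + ["Unknown"] * 5)
    print(rate_sector("Healthcare and Public Health", [q1, q2],
                      ["ransomware with data theft"] * 2 + ["intrusion", "phishing"],
                      fl_incidents=12))
```

Because "Multiple industries" and "Unknown" are filtered before ranking, a broad campaign bucket can never earn an S1 of its own, and a sector's rank is computed only against other named sectors, which is what the second guardrail requires.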
[Table: Criterion-Based Cyber Threat Level Ratings by Sector]
1 Cybersecurity and Infrastructure Security Agency, "Cyber Threats and Advisories”, CISA, accessed September 21, 2025. https://www.cisa.gov/topics/cyber-threats-and-advisories
2 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Systems”, CISA, accessed September 21, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/resilienceservices/infrastructure-dependency-primer/learn/critical-infrastructure-systems
3 Kurt Baker, "What Is Ransomware as a Service (RaaS)?", CrowdStrike, January 30, 2023. https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/ransomware-as-a-service-raas/
4 Giedrė Peseckytė, "Why Hackers Love Europe’s Hospitals”, Politico, July 18, 2025. https://www.politico.eu/article/hackers-europe-hospitals-cyber-attack-data-security-technology-internetcrime-russia/
5 Steven Adler, "Patient Death Linked to Ransomware Attack on Pathology Services Provider”, HIPAA Journal, June 27, 2025. https://www.hipaajournal.com/patient-death-linked-to-ransomware-attack/
6 Marianne McGee, "Florida Department of Health Informs RansomHub Hack Victims”, BankInfoSecurity, September 19, 2024. https://www.bankinfosecurity.com/florida-dept-health-notifyingvictims-ransomhub-hack-a-26169
7 Cybersecurity and Infrastructure Security Agency, "#StopRansomware: Ransomhub Ransomware”, U.S Government, August 29, 2024 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
8 Cybersecurity and Infrastructure Security Agency, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Cybersecurity Advisory AA24-038A”, U.S Government, February 7, 2024. https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-jcsa-prc-statesponsored-actors-compromise-us-critical-infrastructure_1.pdf
9 Martin Ciaran, "Typhoons in Cyberspace”, Royal United Services Institute, March 20, 2025. https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace
10 Erika Langerová, "China Is Studying How to Hack and Crash Our Power Grids”, LinkedIn, August 27, 2025. https://www.linkedin.com/pulse/china-studying-how-hack-crash-our-power-grids-erikalangerov%C3%A1-2jkpc/?utm_source=substack&utm_medium=email
11 Emil Sayegh, "Spotlight on APT10”, Forbes, February 22, 2023. https://www.forbes.com/sites/emilsayegh/2023/02/21/spotlight-on-apt10//
12 Threat Hunter Team, "Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity”, Security.com, April 5, 2022. https://www.security.com/threat-intelligence/cicada-apt10-china-ngogovernment-attacks
13 Fraunhofer, "APT 31”, Malpedia, last modified March 3, 2025. https://Malpedia.caad.fkie.fraunhofer.de/actor/apt31
14 James Pomfret and Yew Tian, "APT31: The Chinese Hacking Group Behind Global Cyberespionage Campaign", Reuters, March 26, 2024. https://www.reuters.com/technology/cybersecurity/apt31-chinesehacking-group-behind-global-cyberespionage-campaign-2024-03-26/
15 Office of Public Affairs, "Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and US Businesses and Politicians”, U.S Department of Justice, February 6, 2025. https://www.justice.gov/archives/opa/pr/seven-hackersassociated-chinese-government-charged-computer-intrusions-targeting-perceived
16 Mike Stokkel et al., “APT40: Examining a China-Nexus Espionage Actor”, Google, July 18, 2025. https://cloud.google.com/blog/topics/threat-intelligence/apt40-examining-a-china-nexus-espionage-actor.
17 Fraunhofer FKIE, "APT40", Malpedia, last modified August 28, 2025. https://Malpedia.caad.fkie.fraunhofer.de/actor/apt40
18 Kate Morgan, "Government-Backed Actors Exploiting WinRAR Vulnerability”, Google, October 18, 2023. https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrarvulnerability//
19 Kate Morgan, "Government-Backed Actors Exploiting WinRAR Vulnerability”, Google, October 18, 2023. https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrarvulnerability/
20 Federal Bureau of Investigation, “APT 40 Cyber Espionage Activities”, FBI, May 28, 2021. https://www.fbi.gov/wanted/cyber/apt-40-cyber-espionage-activities.
21 Mandiant, "APT41 Has Arisen from the Dust”, Google, July 18, 2024. https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
22 Fraunhofer, "GhostEmperor”, Malpedia, last modified February 13, 2025. https://Malpedia.caad.fkie.fraunhofer.de/actor/ghostemperor
23 Nalani Fraser et al., "APT41 Chinese Cyber Threat Group”, Google, August 7, 2019. https://cloud.google.com/blog/topics/threat-intelligence/apt41-dual-espionage-and-cyber-crime-operation
24 Punsaen Boonyakarn et al., "Cloaked and Covert: Uncovering UNC3886 Espionage Operations”, Google, June 18, 2024. https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886espionage-operations
25 Punsaen Boonyakarn et al., "Cloaked and Covert: Uncovering UNC3886 Espionage Operations”, Google, June 18, 2024. https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886espionage-operations
26 TXOne, "Unmasking UNC3886: A Sophisticated Cyber Espionage Group Targeting Critical Infrastructure”, TXOne Networks, July 29, 2025. https://www.txone.com/blog/unmasking-unc3886/
27 Anna Ribeiro, "Sygnia Uncovers Fire Ant Espionage Campaign Targeting Virtualization Infrastructure with UNC3886 Ties”, Industrial Cyber, July 25, 2025. https://industrialcyber.co/ransomware/sygniauncovers-fire-ant-espionage-campaign-targeting-virtualization-infrastructure-with-unc3886-ties/
28 Austin Larsen et al., "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)”, Google Cloud Blog, August 29, 2023. https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation
29 Barracuda Networks, "Barracuda Email Security Gateway Appliance (ESG) Vulnerability”, Barracuda, February 25, 2025. https://trust.barracuda.com/security/information/esg-vulnerability
30 Anna Ribeiro, “Sygnia Uncovers Fire Ant Espionage Campaign Targeting Virtualization Infrastructure with UNC3886 Ties”, Industrial Cyber, July 25, 2025. https://industrialcyber.co/ransomware/sygniauncovers-fire-ant-espionage-campaign-targeting-virtualization-infrastructure-with-unc3886-ties/
31 MITRE Corporation, "Volt Typhoon”, MITRE ATT&CK, last modified April 30, 2025. https://attack.mitre.org/groups/G1017/
32 Fraunhofer, "Volt Typhoon", Malpedia, last modified July 23, 2025. https://Malpedia.caad.fkie.fraunhofer.de/actor/volt_typhoon
33 Tim Starks, "Feds Still Trying to Crack Volt Typhoon Hackers’ Intentions, Goals”, CyberScoop, July 31, 2025. https://cyberscoop.com/feds-still-trying-to-crack-volt-typhoon-hackers-intentions-goals/
34 Cybersecurity and Infrastructure Security Agency, "APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers, Cybersecurity Advisory AA23-108", U.S. Government, April 18, 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
35 Ryan Naraine, "Russian Hackers Bypass Gmail MFA with App-Specific Password Ruse", SecurityWeek, June 18, 2025. https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/
36 MITRE Corporation, "APT28", MITRE ATT&CK, last modified March 10, 2025. https://attack.mitre.org/groups/G0007/
37 CERT-FR, "Targeting and Compromise of French Entities Using the APT28 Intrusion Set", République Française, April 29, 2025. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-007.pdf
38 MITRE Corporation, "APT29", MITRE ATT&CK, last modified April 4, 2025. https://attack.mitre.org/groups/G0016/
39 MITRE Corporation, "Dragonfly", MITRE ATT&CK, last modified January 8, 2024. https://attack.mitre.org/groups/G0035/
40 Check Point Research, "Renewed APT29 Phishing Campaign Against European Diplomats", Check Point Research, April 15, 2025. https://research.checkpoint.com/2025/apt29-phishing-campaign/
41 Gabby Roncone et al., "Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm", Google, April 17, 2024. https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
42 Gabby Roncone et al., "Unearthing APT44: Russia's Notorious Cyber Sabotage Unit Sandworm", Google, April 17, 2024. https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
43 Dan Black and Gabby Roncone, "The GRU's Disruptive Playbook", Google, July 12, 2023. https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook
44 Arda Büyükkaya, "Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns", EclecticIQ Blog, February 11, 2025. https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
45 MITRE Corporation, "Dragonfly", MITRE ATT&CK, last modified January 8, 2024. https://attack.mitre.org/groups/G0035/
46 Foreign, Commonwealth & Development Office, "Russia's FSB Malign Activity: Factsheet", UK Government, December 7, 2023. https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet
47 Calum Jeffray, "Of Energetic Bears and Dragonflies: Espionage and the Energy Sector", Royal United Services Institute, September 26, 2014. https://www.rusi.org/explore-our-research/publications/rusi-defence-systems/of-energetic-bears-and-dragonflies-espionage-and-the-energy-sector
48 MITRE Corporation, "Turla”, MITRE ATT&CK, last modified June 26, 2024. https://attack.mitre.org/groups/G0010/
49 MITRE Corporation, "Turla”, MITRE ATT&CK, last modified June 26, 2024. https://attack.mitre.org/groups/G0010/
50 Microsoft Threat Intelligence, "Frozen in Transit: Secret Blizzard's AiTM Campaign Against Diplomats", Microsoft Security, July 31, 2025. https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/
51 MITRE Corporation, "Wizard Spider”, MITRE ATT&CK, last modified March 12, 2025. https://attack.mitre.org/groups/G0102/
52 MITRE Corporation, "Wizard Spider”, MITRE ATT&CK, last modified March 12, 2025. https://attack.mitre.org/groups/G0102/
53 CrowdStrike, "WIZARD SPIDER Update: Resilient, Reactive and Resolute", CrowdStrike, October 16, 2020. https://www.crowdstrike.com/en-us/blog/wizard-spider-adversary-update/
54 Cybersecurity and Infrastructure Security Agency; Federal Bureau of Investigation; National Security Agency; Environmental Protection Agency; and Israel National Cyber Directorate, "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities, Joint Cybersecurity Advisory AA23-335A", U.S. Government, December 1, 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
55 Eric Geller, "US Government Warns of New Iran-Linked Cyber Threats on Critical Infrastructure", Cybersecurity Dive, June 30, 2025. https://www.cybersecuritydive.com/news/iran-cyberattacks-warning-us-government-israel-war/751963/
56 Jacqueline O'Leary et al., "Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors", Google, September 20, 2017. https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage/
57 Jacqueline O'Leary et al., "Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors", Google, September 20, 2017. https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage/
58 Microsoft Threat Intelligence, "Peach Sandstorm Deploys New Custom Tickler Malware in Long-Running Intelligence Gathering Operations", Microsoft Security, August 28, 2024. https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
59 Microsoft Threat Intelligence, "Peach Sandstorm Deploys New Custom Tickler Malware in Long-Running Intelligence Gathering Operations", Microsoft Security, August 28, 2024. https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
60 MITRE Corporation, "Oilrig", MITRE ATT&CK, last modified January 16, 2025. https://attack.mitre.org/groups/G0049/
61 LevelBlue, "Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats", Trustwave, May 12, 2025. https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-apt34-oilrig-tools-techniques-and-global-cyber-threats/
62 LevelBlue, "Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats", Trustwave, May 12, 2025. https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-apt34-oilrig-tools-techniques-and-global-cyber-threats/
63 MITRE Corporation, "Magic Hound”, MITRE ATT&CK, last modified November 17, 2024. https://attack.mitre.org/groups/G0059/
64 Fraunhofer FKIE, "APT35", Malpedia, last modified May 7, 2025. https://malpedia.caad.fkie.fraunhofer.de/actor/apt35
65 Palo Alto Networks, "Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation", Unit 42, May 7, 2025. https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
66 MITRE Corporation, “APT39” MITRE ATT&CK, last modified April 11, 2024. https://attack.mitre.org/groups/G0087/
67 MITRE Corporation, “APT39” MITRE ATT&CK, last modified April 11, 2024. https://attack.mitre.org/groups/G0087/
68 Sarah Hawley et al., "APT39: An Iranian Cyber Espionage Group Focused on Personal Information", Google, January 29, 2019. https://cloud.google.com/blog/topics/threat-intelligence/apt39-iranian-cyber-espionage-group-focused-on-personal-information
69 Mandvi, "Iranian Cyber Attackers Breach Global Airlines for Data Theft”, Cyber Security News, July 22, 2025. https://cyberpress.org/iranian-cyber-attackers-breach-global-airlines/
70 MITRE Corporation, "CyberAv3ngers", MITRE ATT&CK, last modified April 10, 2024. https://attack.mitre.org/groups/G1027/
71 MITRE Corporation, "CyberAv3ngers", MITRE ATT&CK, last modified April 10, 2024. https://attack.mitre.org/groups/G1027/
72 Andy Greenberg, "CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide", Wired, April 14, 2025. https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/
73 MITRE Corporation, "MuddyWater", MITRE ATT&CK, last modified August 29, 2025. https://attack.mitre.org/groups/G0069/
74 Kevin Poireault, "Iranian Hackers Deploy New Android Spyware Version", Infosecurity Magazine, July 21, 2025. https://www.infosecurity-magazine.com/news/iranian-hackers-deploy-new-android-71210/
75 Cybersecurity and Infrastructure Security Agency, "North Korean State-Sponsored APT Targets Blockchain Companies, Cybersecurity Advisory AA22-108A", U.S. Government, last modified April 18, 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
76 U.S. Department of the Treasury, "Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Schemes (Press Release)", U.S. Treasury, May 23, 2023. https://home.treasury.gov/news/press-releases/jy1498
77 Internet Crime Complaint Center, "North Korea Responsible for $1.5 Billion Bybit Hack", IC3, February 26, 2025. https://www.ic3.gov/psa/2025/psa250226
78 Ionut Arghire, "North Korean Hackers Take Over Victims' Systems Using Zoom Meeting", SecurityWeek, June 23, 2025. https://www.securityweek.com/north-korean-hackers-take-over-victims-systems-using-zoom-meeting/
79 MITRE Corporation, "Lazarus Group”, MITRE ATT&CK, last modified April 16, 2025. https://attack.mitre.org/groups/G0032/
80 Fraunhofer FKIE, "Lazarus Group", Malpedia, last modified August 5, 2025. https://malpedia.caad.fkie.fraunhofer.de/actor/lazarus_group
81 Alden Schmidt, Stuart Ashenbrenner, and Jonathan Semon, "Inside the BlueNoroff Web3 macOS Intrusion Analysis", Huntress, June 18, 2025. https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
82 Joe Tidy, "North Korean Hackers Cash Out Hundreds of Millions from $1.5bn Bybit Hack”, BBC, March 10, 2025. https://www.bbc.com/news/articles/c2kgndwwd7lo
83 U.S. Department of the Treasury, "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups”, U.S. Treasury, September 13, 2019. https://home.treasury.gov/news/press-releases/sm774
84 Fraunhofer FKIE, "APT43", Malpedia, last modified March 3, 2025. https://malpedia.caad.fkie.fraunhofer.de/actor/apt43
85 Varadharajan Krishnasam and Aditya Sood, "Kimsuky APT Operational Blueprint", Aryaka, July 31, 2025. https://www.aryaka.com/reports-and-guides/kimsuky-apt-operational-blueprint/
86 Cybersecurity and Infrastructure Security Agency, "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks, Cybersecurity Advisory AA20-239A", U.S. Government, October 24, 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a
87 Cybersecurity and Infrastructure Security Agency, "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks, Cybersecurity Advisory AA20-239A", U.S. Government, October 24, 2020. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a
88 Counter Adversary Operations, "Scattered Spider Escalates Attacks Across Industries", CrowdStrike, July 2, 2025. https://www.crowdstrike.com/en-us/blog/crowdstrike-services-observes-scattered-spider-escalate-attacks/
89 Reuters, "Tech Firms Warn 'Scattered Spider' Hacks Are Targeting Aviation Sector", Reuters, June 27, 2025. https://www.reuters.com/business/tech-firms-warn-scattered-spider-hacks-are-targeting-aviation-sector-2025-06-27/
90 Kevin Poireault, "Top 10 Most Active Ransomware Groups of 2024", Infosecurity Magazine, December 27, 2024. https://www.infosecurity-magazine.com/news-features/top-10-most-active-ransomware/
91 Steve Alder, "Malicious Insider Incident Results in $800,000 HIPAA Penalty for Florida Health System", HIPAA Journal, May 29, 2025. https://www.hipaajournal.com/baycare-health-system-hipaa-penalty/
92 Steve Alder, "Malicious Insider Incident Results in $800,000 HIPAA Penalty for Florida Health System", HIPAA Journal, May 29, 2025. https://www.hipaajournal.com/baycare-health-system-hipaa-penalty/
93 Cyble, "What Is Hacktivism? Understanding Cyber Activism & Risks”, Cyble, last modified October 31, 2023. https://cyble.com/knowledge-hub/what-is-hactivism/
94 Cyble, "Hacktivists' Attacks on Critical Infrastructure Surge in 2025”, Cyble, July 11, 2025. https://cyble.com/blog/hacktivists-attacks-on-critical-infrastructure/
95 Federal Trade Commission, “Ransomware”, FTC, accessed September 23, 2025, https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/ransomware
96 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 4.
97 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 2.
98 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 26.
99 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 42.
100 Maria Geronikolou, "RansomHub's Rise: RaaS Market Insights", Darktrace, February 6, 2025. https://www.darktrace.com/blog/ransomhub-revisited-new-front-runner-in-the-ransomware-as-a-service-marketplace
101 Cybersecurity and Infrastructure Security Agency, "#StopRansomware: Play Ransomware, Cybersecurity Advisory AA23-352A", U.S. Government, June 4, 2025. https://www.cisa.gov/sites/default/files/2025-06/aa23-352a-stopransomware-play-ransomware_2_revised.pdf
102 Cybersecurity and Infrastructure Security Agency, "#StopRansomware: RansomHub Ransomware, Cybersecurity Advisory AA24-242A", U.S. Government, August 27, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
103 Claim Depot, "Florida Hand Center Hit by Ransomware Attack", Claim Depot, August 6, 2025. https://www.claimdepot.com/data-breach/florida-hand-center-2025
104 HookPhish, "Ransomware Group DragonForce Hits: TSE Industries and WHK Biosystems", HookPhish, June 17, 2025. https://www.hookphish.com/blog/ransomware-group-dragonforce-hits-tse-industries-and-whk-biosystems/
105 Paul Bischoff, "Rehab Clinics in Jacksonville, FL Targeted by New Ransomware Gang", Comparitech, July 7, 2025. https://www.comparitech.com/news/rehab-clinics-in-jacksonville-fl-targeted-by-new-ransomware-gang/
106 Cybersecurity and Infrastructure Security Agency, "#StopRansomware: BianLian Ransomware Group, Cybersecurity Advisory AA23-136A", U.S. Government, August 27, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
107 Stuart Russell and Peter Norvig, Artificial Intelligence: A Modern Approach, 4th ed. (Pearson, 2020).
108 Stephen Gary et al., Artificial Intelligence Threats: What Everyone Should Know, Strategic and Cyber Intelligence Program & Cyber Florida (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025).
109 Roman Cuprik, "ESET Researcher Discovers the First Known AI-Written Ransomware: I Feel Thrilled but Cautious", ESET, August 27, 2025. https://www.eset.com/blog/en/business-topics/threat-landscape/the-first-known-ai-written-ransomware/
110 Anna Ribeiro, "Ukraine Pins AI-Powered LameHug Malware Attacks on Defense Sector to Russian-Backed APT28 Group", Industrial Cyber, July 21, 2025. https://industrialcyber.co/ransomware/ukraine-pins-ai-powered-lamehug-malware-attacks-on-defense-sector-to-russian-backed-apt28-group/
111 Nicole Johnson, "Catching AI-Generated Phishing Scams Before They Reel You In", University of Nevada, Las Vegas, January 15, 2025. https://www.unlv.edu/news/article/catching-ai-generated-phishing-scams-they-reel-you
112 Loreben Tuquero, "PolitiFact FL: How a Deepfake Video of Ron DeSantis Dropping Out Went Viral", Central Florida Public Media, September 13, 2023. https://www.cfpublic.org/politics/2023-09-13/politifact-florida-ron-desantis-deepfake-video-elections
113 Stephen Gary et al., Artificial Intelligence Threats: What Everyone Should Know. Strategic and Cyber Intelligence Program & Cyber Florida, (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025).
114 Tom Krantz and Alexandra Joker, "What is data poisoning?" IBM, accessed September 23, 2025. https://www.ibm.com/think/topics/data-poisoning
115 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
116 Cybersecurity and Infrastructure Security Agency, "CISA Regions", CISA, accessed September 30, 2025. https://www.cisa.gov/about/regions
117 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
118 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 28.
119 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
120 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
121 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
122 Equinix Inc., "MI1 (Miami IBX Data Center)", Equinix, accessed September 30, 2025. https://www.equinix.com
123 U.S. Department of War, "Mitigation Strategies for Edge Devices: Executive Guidance", accessed September 23, 2025. https://media.defense.gov/2025/Feb/03/2003636713/-1/-1/0/CSI_MITIGATION-STRATEGIES-FOR-EDGE-DEVICES-EXECUTIVE-GUIDANCE.PDF
124 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
125 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
126 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
127 Chris Riotta, "Hacking the Floodgates: US Dams Face Growing Cyber Threats", BankInfoSecurity, September 18, 2024. https://www.bankinfosecurity.com/hacking-floodgates-us-dams-face-growing-cyber-threats-a-24894
128 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
129 Dragos Inc., "The Rising Tide of Water Utility Cyber Threats: How Dragos Shields Water Systems", Dragos Blog, May 2, 2024. https://www.dragos.com/blog/water-utility-cyber-threats/
130 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
131 Sydney J. Freedberg Jr., "Nearly One in 10 'Tier 1' Subcontractors to Defense Primes Are Chinese Firms: Report", Breaking Defense, June 27, 2025. https://breakingdefense.com/2025/06/nearly-one-in-10-tier-1-subcontractors-to-defense-primes-are-chinese-firms-report/
132 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), accessed October 1, 2025, 58.
133 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), accessed October 1, 2025, 60.
134 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), accessed October 1, 2025, 46.
135 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
136 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
137 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
138 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 6.
139 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
140 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
141 Enterprise Florida, "Financial and Professional Services Industry Profile", revised June 2021, SelectFlorida. https://selectflorida.org/wp-content/uploads/financial-and-professional-services-industry-profile.pdf
142 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
143 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
144 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 42.
145 National Agricultural Statistics Service, "Florida Agricultural Overview", U.S. Department of Agriculture, accessed September 30, 2025. https://www.nass.usda.gov
146 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
147 Cybersecurity and Infrastructure Security Agency, "Government Services and Facilities Sector", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/government-services-facilities-sector
148 Cybersecurity and Infrastructure Security Agency, "CISA Cybersecurity Awareness Program", CISA, accessed September 23, 2025. https://www.cisa.gov/resources-tools/programs/cisa-cybersecurity-awareness-program
149 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
150 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
151 Florida Hospital Association, "Florida Licensed Hospitals", FHA, accessed September 23, 2025. https://www.fha.org
152 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
153 Steve Alder, "Protect Healthcare Data from Phishing", HIPAA Journal, April 6, 2025. https://www.hipaajournal.com/protect-healthcare-data-from-phishing/
154 U.S. Department of Health and Human Services, "Health Sector Cybersecurity Coordination Center (HC3)", HHS.gov, May 27, 2025. https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html
155 Mohammad Mehrtak et al., "Security Challenges and Solutions Using Healthcare Cloud Computing", Journal of Medicine and Life, July-August 2021. https://pmc.ncbi.nlm.nih.gov/articles/PMC8485370/
156 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
157 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 19.
158 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
159 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
160 Shiqiao Liu et al., "Unsupervised Anomaly Detection for Nuclear Power Plants Based on Denoising Diffusion Probabilistic Models", ScienceDirect, January 2025. https://www.researchgate.net/publication/351163114_httpswwwsciencedirectcomsciencearticleabspiiS10 51200421000968
161 U.S. Nuclear Regulatory Commission, "Operating Nuclear Reactors and Facilities in Florida", NRC, accessed September 23, 2025. https://www.nrc.gov
162 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
163 Benjamin Karch et al., "Zero Trust Architectures in Nuclear Control Systems", Sandia National Laboratories, 2024. https://www.sandia.gov/app/uploads/sites/273/2024/11/ZTA_Report.pdf
164 Florida Ports Council, "Florida Seaports Overview", FLAPorts, accessed September 23, 2025. https://flaports.org
165 Florida Department of Transportation, "Airports", FDOT, accessed September 30, 2025. https://www.fdot.gov/aviation/airports
166 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
167 Cybersecurity and Infrastructure Security Agency, "Critical Infrastructure Sectors", CISA, accessed September 23, 2025. https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
168 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 22.
169 Florida Department of Health, "Population Served by Community Water Systems”, FLHealthCharts, accessed September 23, 2025. https://www.flhealthcharts.gov
170 Nick Coates and James Maloney, Florida Critical Infrastructure Ransomware Readiness Report (Tampa, FL: Florida Center for Cybersecurity, University of South Florida, 2025), 46.
171 Paolo Passeri, "HACKMAGEDDON – Information Security Timelines and Statistics", Hackmageddon, accessed September 20, 2025. https://www.hackmageddon.com/
172 James Kotsias, Atif Ahmad, and Rens Scheepers, "Adopting and Integrating Cyber-Threat Intelligence in a Commercial Organisation", European Journal of Information Systems 32, no. 1 (2023): 35–51. https://doi.org/10.1080/0960085X.2022.2088414
173 Mary B. DeRosa, "Congressional Oversight of U.S. Intelligence Activities", in National Security Intelligence and Ethics, ed. Seumas Miller (New York: Routledge, 2021), 216–31. https://doi.org/10.4324/9781003164197-19
174 G. P. Acharya and Christian Kaunert, "Assessing the Gap Between Cyber Threat and Cyber Intelligence: A Rational Approach to Enhancing Broad-Spectrum Security Architecture", in Transnational Unconventional Organized Crime: A National and Global Security Concern, vol. 1: Thematic Perspectives, ed. Christian Kaunert, Sarah Léonard, and Anthony J. Masys (Cham: Springer, 2025), 187–212. https://doi.org/10.1007/978-3-031-96432-9
175 Atif Ali and Baber Majid Bhatti. Spies in the Bits and Bytes: The Art of Cyber Threat Intelligence. CRC Press, 2024.
176 Scott Ainslie, Dean Thompson, Sean Maynard, and Atif Ahmad, “Cyber-Threat Intelligence for Security Decision-Making: A Review and Research Agenda for Practice,” Computers & Security 132 (2023): 103352, https://doi.org/10.1016/j.cose.2023.103352
177 Martin Lee. Cyber Threat Intelligence. John Wiley & Sons, 2023.
178 Mark Phythian, ed., Understanding the Intelligence Cycle (Abingdon, Oxon; New York: Routledge, 2013), PDF, https://www.defence.lk/upload/ebooks/Mark%20PhythianUnderstanding%20the%20Intelligence%20Cycle-Routledge%20(2013).pdf
179 Zafir Avrahami, R. Leszczyna, and C. Kollias, "Leveraging OSINT for Advanced Proactive Cybersecurity: Strategies and Solutions", IEEE Access (2025), advance online publication.
180 Onyinye Obioha Val, Titilayo Modupe Kolade, Michael Olayinka Gbadebo, Oluwatosin Selesi-Aina, Omobolaji Olufunmilayo Olateju, and Oluwaseun Oladeji Olaniyi, "Strengthening Cybersecurity Measures for the Defense of Critical Infrastructure in the United States", Asian Journal of Research in Computer Science 17, no. 11 (2024): 25–45.
181 Martin Rudner, "Cyber-Threats to Critical National Infrastructure: An Intelligence Challenge", International Journal of Intelligence and CounterIntelligence 26, no. 3 (2013): 453–481. https://doi.org/10.1080/08850607.2013.780552
182 Ifeyinwa Nkemdilim Obiokafor, Moses Okey Onyesolu, Fakoya Anthony Olusanya, Nwamaka Peace Oboti, and Michael Ebere Ajonuma, "Cyber Intelligence's Efficacy in Mitigating Cyber Threats: A Narrative Review", ANSPOLY Journal of Innovative Development (AJID) 3, no. 1 (2024): 29–41.
183 Ifeyinwa Nkemdilim Obiokafor, Moses Okey Onyesolu, Fakoya Anthony Olusanya, Nwamaka Peace Oboti, and Michael Ebere Ajonuma, "Cyber Intelligence's Efficacy in Mitigating Cyber Threats: A Narrative Review", ANSPOLY Journal of Innovative Development (AJID) 3, no. 1 (2024): 29–41.
183 Ifeyinwa Obiokafor, Nkemdilim, Moses Okey Onyesolu, Fakoya Anthony Olusanya, Nwamaka Peace Oboti, and Michael Ebere Ajonuma. (2024). Cyber Intelligence's Efficacy in Mitigating Cyber Threats: A Narrative Review. ANSPOLY Journal of Innovative Development (AJID), 3(1), 29-41.
184 Office of the Director of National Intelligence, Intelligence Community Directive 203: Analytic Standards (Washington, DC: ODNI, January 2, 2015; technical amendment January 21, 2022). https://www.dni.gov/files/documents/ICD/ICD-203.pdf
185 Onyinye Obioha Val, Titilayo Modupe Kolade, Michael Olayinka Gbadebo, Oluwatosin Selesi-Aina, Omobolaji Olufunmilayo Olateju, and Oluwaseun Oladeji Olaniyi, "Strengthening Cybersecurity Measures for the Defense of Critical Infrastructure in the United States", Asian Journal of Research in Computer Science 17, no. 11 (2024): 25–45.
186 Arash Mahboubi, Khanh Luong, Hamed Aboutorab, Hang Thanh Bui, Geoff Jarrad, Mohammed Bahutair, Seyit Camtepe et al., "Evolving Techniques in Cyber Threat Hunting: A Systematic Review", Journal of Network and Computer Applications 232 (2024): 104004.
187 Atif Ali and Baber Majid Bhatti, Spies in the Bits and Bytes: The Art of Cyber Threat Intelligence (CRC Press, 2024).
188 Md Abuboko Siam, A. Shan-A-Alahi, M. K. Tuhin, E. Hossain, M. Bashir, K. Y. Lucky, S. M. M. Uddin, and A. A. Zaiem, "AI-Driven Cyber Threat Intelligence Systems: A National Framework for Proactive Defense Against Evolving Digital Warfare", International Journal of Computational and Experimental Science and Engineering (IJCESEN) 11, no. 3 (2025): 6126–6140.
189 Zhibo Zhang, Hussam Al Hamadi, Ernesto Damiani, Chan Yeob Yeun, and Fatma Taher, "Explainable Artificial Intelligence Applications in Cyber Security: State-of-the-Art in Research", IEEE Access 10 (2022): 93104–93139.
190 Hudson Rock, "Celeste Hotel", ransomware.live, accessed October 12, 2025. https://www.ransomware.live/id/dGhlY2VsZXN0ZWhvdGVsLmNvbUBzYWZlcGF5
191 Hudson Rock, "Barbas Nunez Sanders Butler & Hovsepian", ransomware.live, accessed October 12, 2025. https://www.ransomware.live/id/QmFyYmFzIE51bmV6IFNhbmRlcnMgQnV0bGVyICYgSG92c2VwaWFuQGJlYXN0
192 HookPhish, "Ransomware Group Rhysida Hits: Florida Hand Center", HookPhish, July 8, 2025. https://www.hookphish.com/blog/ransomware-group-rhysida-hits-florida-hand-center/
193 Mark Killian, "Phishing Scams Continue to Target Florida Firms", The Florida Bar, June 17, 2025. https://www.floridabar.org/the-florida-bar-news/phishing-scams-continue-to-target-florida-firms/
194 Naomi Diaz, "Florida Health System Fires Employee After 5-Year Patient Data Breach", Becker's Hospital Review. https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/florida-health-system-fires-employee-after-5-year-patient-data-breach/
195 Breachsense, "Florida Lung, Asthma & Sleep Specialists", accessed October 12, 2025. https://www.breachsense.com/breaches/florida-lung-asthma-sleep-specialists-data-breach/
196 WFTV.com News Staff, "Russian Hackers Claim Responsibility for Hacking Central Florida Medical Group", WFTV, May 21, 2025. https://www.wftv.com/news/local/russian-hackers-claim-responsibility-hacking-central-florida-medical-group/E4JNA3ITCRHRVG2PDKU4RT47YI/
197 Charlotte Bond and Rebecca Moody, “Map of US ransomware attacks (updated daily)”, Comparitech, updated October 10, 2025. https://www.comparitech.com/ransomware-attack-map/
198 Charlotte Bond and Rebecca Moody, “Map of US ransomware attacks (updated daily)”, Comparitech, updated October 10, 2025. https://www.comparitech.com/ransomware-attack-map/
199 Steve Alder, "New York Counseling Provider and Florida Cancer Center Announce Data Breaches", The HIPAA Journal, August 29, 2025. https://www.hipaajournal.com/counseling-provider-florida-cancer-center-data-breach/
200 Steve Alder, “Gateway Community Services Announces 34,500-Record Data Breach”, The HIPAA Journal, June 4, 2025. https://www.hipaajournal.com/june-4-2025-healthcare-data-breaches/
201 Breachsense, “GreatFlorida Data Breach in 2025”, accessed October 12, 2025. https://www.breachsense.com/breaches/greatflorida-data-breach/
202 Mitchell Langley, "Florida Hospital Data Breach Impacts Over 120,000 Patients", Daily Security Review, March 17, 2025. https://dailysecurityreview.com/security-spotlight/florida-hospital-data-breach-impacts-over-120000-patients/
203 Breachsense, “Florida Department of Transportation Data Breach in 2025”, accessed October 12, 2025. https://www.breachsense.com/breaches/florida-department-of-transportation-data-breach/
204 Paul Bischoff, “Ransomware gang claims responsibility for shutdown of Andretti Karting & Games locations across the USA”, Comparitech, April 7, 2025.
https://www.comparitech.com/news/ransomware-gang-claims-responsibility-for-shutdown-of-andrettikarting-games-locations-across-the-usa/
205 Breachsense, “Bay Village of Sarasota”, accessed October 12, 2025. https://www.breachsense.com/breaches/bay-village-of-sarasota-data-breach/
206 Gabby Lee, “Ransomware Victims on Dark Web – 04th March, 2025”, Daily Security Review, April 21, 2025. https://dailysecurityreview.com/ransomware/ransomware-victims-on-dark-web-04th-march2025/
207 Rebecca Harpur, “The State of Ransomware 2025”, BlackFog, updated October 2, 2025. https://www.blackfog.com/the-state-of-ransomware-2025/#January
208 Andrew Doyle, “Imaflex Inc. Data Breach Exposes Personal and Employment Data”, Security Daily Review, April 22, 2025 https://dailysecurityreview.com/security-spotlight/imaflex-inc-data-breachexposes-personal-and-employment-data/
209 Breachsense, “Community Health Northwest Florida”, accessed October 12, 2025. https://www.breachsense.com/breaches/community-health-northwest-florida-data-breach/
210 Costadelsol Enterprises, “NOTICE OF DATA BREACH”, Massachusetts Department of Corrections, Accessed October 12, 2025. “https://www.mass.gov/doc/2025-446-costadelsol-enterprises-llc/download
211 Charlotte Bond and Rebecca Moody, “Map of US ransomware attacks (updated daily)”, Comparitech, updated October 10, 2025. https://www.comparitech.com/ransomware-attackmap/https://www.comparitech.com/ransomware-attack-map/
212 Charlotte Bond and Rebecca Moody, “Map of US ransomware attacks (updated daily)”, Comparitech, updated October 10, 2025. https://www.comparitech.com/ransomware-attack-map/
213 Charlotte Bond and Rebecca Moody, “Map of US ransomware attacks (updated daily)”, Comparitech, updated October 10, 2025. https://www.comparitech.com/ransomware-attack-map/
214 Paul Bischoff, “Ransomware gang says it hacked Pensacola, FL medical clinics”, Comparitech, January 14, 2025. https://www.comparitech.com/news/ransomware-gang-says-it-hacked-pensacola-flmedical-clinics/
215 Breachsense, “Mid Florida Primary Care Data Breach in 2024”, accessed October 12, 2025. https://www.breachsense.com/breaches/mid-florida-primary-care-data-breach/
216 Steve Alder, “Florida Eye Care Provider Data Breach Affects 153,000 Patients”, The HIPPA Journal, September 17, 2025. https://www.hipaajournal.com/retina-group-florida-data-breach/
