Threat Actors
Who Is Attacking Your Vendors and Where Are They Landing?
OVERVIEW
Threat actors achieve immense scale, not by attacking individual organizations one by one, but by compromising the shared software and infrastructure the world relies on. By mapping global threat actor activity against vendor exposure data, the Black Kite Research Group has identified exactly who is executing these attacks and the specific third-party components they target to gain initial access.
Threat Actor Landscape
The geographical footprint of modern cybercriminal organizations and state-sponsored groups directly demonstrates the vast scale of supply chain risk.
[Figure: Distribution by Number of Unique Countries Targeted by Threat Actors]
[Figure: Top 10 Exploited Vulnerabilities by Threat Actor]
[Figure: Top 10 Industries Targeted by Threat Actors by Number of Victim Companies (2025)]
How Ransomware Cartels Scale Through Your Supply Chain
Ransomware cartels utilize the supply chain to expand horizontally, deploying single attack campaigns that compromise thousands of enterprises simultaneously. The sheer geographic spread of these groups highlights the danger of relying on interconnected third-party ecosystems without continuous monitoring:
- Lockbit targeted victims across 92 countries.
- Qilin targeted victims across 89 countries.
- INC Ransom targeted victims across 65 countries.
- Akira targeted victims across 55 countries.
- Clop targeted victims across 52 countries.
State-Sponsored Actors: Fewer Targets, Greater Damage
State-sponsored Advanced Persistent Threat (APT) actors exhibit similar global expansion, though their operations are driven by espionage and strategic access rather than financial extortion.
- APT29: Targeted organizations across countries.
- APT41: Targeted organizations across countries.
- Volt Typhoon: Targeted organizations across only countries, yet this group generated the highest overall exposure score in the Black Kite dataset.
Why Volt Typhoon's Exposure Matters
While ransomware groups prioritize horizontal expansion, Volt Typhoon's strategy focuses on establishing long-term, deep vertical persistence. By deliberately targeting critical infrastructure and edge devices, the group creates an immense systemic risk that generates massive exposure severity, despite operating within a smaller geographical footprint.
Key Insight
Single attack campaigns achieve massive global reach exclusively by exploiting ubiquitous third-party software. Attackers compromise one foundational tool and instantly gain administrative access to thousands of downstream targets.
Vendor and Product Concentration
Where does vulnerability risk actually live across the supply chain? Vulnerability risk is not distributed equally; it concentrates deeply within specific software arteries. To understand the exact entry points attackers favor, the Black Kite Research Group mapped the external discoverability of high-priority vulnerabilities across the global supply chain.
Vendor Discoverability Data
Analysis of external attack surfaces reveals the most exposed foundations of the vendor ecosystem:
- Open Source: 14.42%
- Microsoft: 6.58%
- Cisco: 1.93%
- Ivanti: 1.77%
- Google: 1.69%
Open-source software remains the absolute bedrock of supply chain exposure, carrying 14.42% of the discoverable risk. This proves that third-party risk begins deep within foundational software dependencies, long before a commercial enterprise product is ever purchased or deployed.
Discoverable Risk by Vendor: Top Vendors vs. the Long Tail
The "Long Tail" Insight
The vendor discoverability data above captures only part of the picture. When examining the full universe of analyzed risk, more than 60% is distributed across thousands of niche vendors, industrial control systems, and mid-market software publishers — not the household names most TPCRM programs are built around. Even the narrower lens of OSINT-discoverable risk shows 36.7% falling outside the top vendors. By either measure, the message is the same: focusing exclusively on Big Tech leaves a massive defensive blind spot.
Why This Matters for TPCRM
Focusing Third-Party Cyber Risk Management (TPCRM) efforts exclusively on major, top-tier suppliers leaves a critical defensive blind spot. Threat actors recognize that mid-market vendors and niche software components often lack enterprise-grade security controls. Managing modern cyber risk requires continuous, automated visibility across your entire fragmented vendor base, ensuring no supplier is ignored simply because they fall outside the top twenty.
While threat actors continue to ruthlessly exploit this highly fragmented network of traditional software and infrastructure, they are also rapidly weaponizing an entirely new dimension of the supply chain: artificial intelligence.