“AI has fundamentally changed the rules of cyber crime, not at some point in the future, but now. Attackers no longer use AI merely as an aid, but as the core of their operations. They automate reconnaissance, generate multilingual phishing campaigns, imitate the voices and faces of executive board members in real time, and deploy autonomous agents that execute entire attack sequences. At the same time, the time between the release of new AI capabilities and their abuse by attackers is shrinking dramatically.”
Attacks targeting identities have now taken pole position, as attackers prefer to simply log in to the system rather than force their way in.
Attackers and defenders alike increasingly use AI for support, and attackers with a wide variety of motivations have found new ways to exploit the blind spots of edge devices, supply chains and cloud ecosystems.
From a record number of victims on ransomware leak sites and crypto heists to far-reaching compromises of technologies and persistent espionage campaigns targeting critical infrastructure... we are witnessing an increasingly capable and adaptive threat landscape in which attackers employ full-stack techniques and move fluidly across identity, cloud, edge and application layers with unprecedented precision.
In this environment, the organisations that come out ahead are those that treat security not as a fixed rulebook but as a high-performance system: one that manages identities swiftly, verifies trust at every step, and aligns cyber, business and geopolitical strategies to keep the upper hand in an ever-accelerating environment.
Our report “Annual Threat Dynamics 2026: Cyber threats in motion” examines the actors, trends and motivations shaping the cyber threat landscape. It provides an overview of the factors contributing to a general increase in threat activity, as well as emerging trends, the evolving tools, techniques and procedures (TTPs) of significant actors with a wide variety of motivations, and the impact of the broader geopolitical situation and technological innovation.
The cyber threat landscape is changing at an unprecedented pace. Boundaries are blurring, and the rules of the game have changed.
Identity remains the most important attack vector. As organisations adopt zero trust architectures, attackers keep developing new techniques to spoof device security posture, abuse non-human identities (NHIs) and target AI-driven automated workflows. Treating identity governance as a strategic, board-level priority, and not merely a technical requirement, will be critical to staying a step ahead of the competition.
AI-driven threats could outpace traditional detection and response models, and advances in quantum computing will fundamentally change the situation. Organisations should prepare for malware that natively uses AI to evade detection and target high-value data, as well as for a growing number of less experienced attackers who use AI to punch above their weight. Investing in AI-enabled defences, incorporating relevant frameworks into threat modelling and preparing for the post-quantum era will be essential to keep pace.
No cyber attack takes place in a vacuum. Trade disputes, elections, conflicts and shifting alliances will continue to shape attackers' targeting and tempo. Organisations that factor geopolitical and supply chain risks into their strategic decision-making, while aligning their cyber security, legal, human resources, finance and communications capabilities, will be well equipped to weather the turbulence ahead.
Cyber criminals differ in their motivations and in the sophistication of their approach, and tailor their operations and opportunistic attacks to the respective sectors. The following sets out the sector-specific motivations, as summarised by PwC Threat Intelligence from 2025 case studies and internal analysis.
The aerospace and defence sector, considered critical national infrastructure in most countries, has been persistently targeted by threat actors for sensitive data concerning military operations, plans, and capabilities. Further, innovation like the advancement of AI, drone technologies, and space-based capabilities alongside the continued growth of defence contracting have expanded this sector’s attack surface, including for cyber crime. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating.
The asset and wealth management (AWM) sector plays a vital role in managing the world’s financial capital, dealing in significant transactions across many industries – with levels of wealth garnering much attention from threat actors of multiple motivations, particularly cyber criminals. The significant funds managed by the AWM sector, including in cryptocurrency, are likely to attract attempts at high-value, cyber-enabled fraud and theft, such as business email compromise (BEC), ransomware attacks, and heists targeting cryptocurrency and related platforms. As the sector innovates and leans into emerging technologies, including those powering fintech, the attack surface impacting AWM organisations will continue to expand.
The automotive sector continues to evolve with tech transformation and innovation permeating organisations and increasing competition for consumer demands. Operational technology (OT) environments and manufacturers have emerged as a particularly lucrative target for financially motivated threat actors, including those conducting ransomware attacks. As companies continue to invest in electric, AI, and autonomous vehicle technologies, espionage motivated threat actors will increasingly target this sector for intellectual property theft and surveillance operations.
Financially motivated threat actors, particularly those engaging in ransomware and BEC attacks, have capitalised on opportunities to target organisations in the construction sector, which maintains sensitive information, including the application of emerging technologies, financial and business information, infrastructure plans, and project schematics. Construction projects with links to government or other public interest entities, including critical national infrastructure or other strategic projects, make this sector attractive for espionage motivated threat actors as well, including those seeking to pre-position for future possible malicious activity, including sabotage attacks, or to address intelligence requirements.
The education sector continues to digitise its operations as academic institutions require a constant flow of digital communication and readily accessible information, typically achieved through large networks with thousands of connected devices across users, including administration, researchers, and students. With an ever-expanding attack surface and a philosophy of openness and ease of access, this sector has increasingly faced targeted and opportunistic cyber attacks. Espionage motivated threat actors target education organisations for access to sensitive data about academics and research projects, and financially motivated threat actors impacted school systems and operations, particularly through ransomware attacks.
The energy sector continues to evolve its OT and invest in renewable energy sources, driving innovation, investments, and the adoption of new technologies around the world, whilst cyber attacks targeting this sector are often aligned with evolving geopolitical tensions and intelligence requirements. Espionage motivated threat actors have taken an interest in the intellectual property and security implications of energy issues and technologies, whilst some threat actors have resorted to sabotage attacks and hacktivism to disrupt operations. Financially motivated threat actors and ransomware attacks remain a major concern to energy sector organisations around the world.
The financial services sector continues to face challenges from financially motivated threat actors seeking to steal customer credentials and conduct attacks, such as ransomware and BEC, to extort and steal from institutions. These attacks are growing in sophistication and prevalence due to threat actor adoption of AI to generate deepfakes and phishing lures. Threat actors of other motivations continue to target financial services organisations as the sector increasingly innovates, digitises its operations, and embraces fintech. Further, geopolitical issues and the growing adoption of AI remain top concerns for this sector’s threat landscape.
The food and agriculture sector has faced more advanced cyber threats, as well as an increasing number of financially motivated threat actors specifically, as organisations continue to digitise their operations. Further, food and agriculture organisations routinely intersect with other sectors for manufacturing, retail, and distribution operations. Cyber incidents involving food and agricultural organisations have broad-ranging effects across other sectors, exacerbating supply chain, pricing, sustainability, and food safety and security challenges.
Government sector entities, ranging from federal agencies to local levels and municipalities, continue to be a prime target for a range of threat actors seeking to fulfil intelligence requirements, respond to geopolitical shifts, and launch attacks alongside geopolitical tensions and conflict. We observed threat actors targeting entities around the world, highly likely in response to geopolitical tensions and conflicts, with certain conflicts spreading and others not abating. Threat actors also used AI to generate content for information operations targeting a range of government entities and political parties around the world.
The healthcare sector plays a vital role in society and is often focused on cutting edge innovation, which propagates across new equipment and treatments, making the attack surface increasingly populated with Internet of Things (IoT) devices and other emerging technologies. This sector is also impacted by rigorous regulatory standards and handles highly sensitive personal data, which is of interest to a range of threat actors. Ransomware remains a top concern, as these attacks can cause significant, life-threatening disruptions.
The hospitality and leisure sector has experienced significant growth in recent years as travel continues to expand around the world and organisations increasingly embrace digitisation and technological innovation. Espionage motivated threat actors have targeted the sector for sensitive information and intelligence collection, whilst financially motivated threat actors have conducted attacks against the sector to disrupt operations and extort companies for data theft, service degradation, and harming brand reputations. Ransomware attacks in particular have caused operational disruptions to hotel chains and remain a top concern for this sector.
The legal sector continues to face a variety of cyber threats, in part due to its adoption of various technologies, but also due to the inherent nature of dealing with sensitive legal information for a wide range of third parties. As the legal sector has transitioned to digital platforms for storing, managing, and transmitting confidential data, it has become more vulnerable to various cyber risks. Many of those risks are defined by likely threat scenarios which include compromising client confidentiality, jeopardising case integrity, stealing intellectual property, and incurring financial losses or reputational damages from data extortion attempts by cyber threats.
The manufacturing sector continues to face an increasing number of cyber attacks, particularly by ransomware threat actors and other cyber criminals employing schemes such as BEC, as organisations continue to integrate historically isolated OT environments into increasingly connected systems. Further, this sector underpins a wide tranche of other industries, and incidents involving manufacturing organisations have broad ranging effects across other sectors, exacerbating supply chain challenges and industries reliant upon manufacturing operations.
The media and entertainment sector faces a unique threat landscape consisting of a range of threat actors targeting reporters, artists, content creators, publishers, distributors, production studios and staff, consumers, and others. Espionage motivated threat actors in particular have targeted media and entertainment organisations and individuals, such as investigative journalists and entertainment studios, for intelligence collection against corporate networks as well as through the deployment of commercial spyware against mobile devices. Media and entertainment organisations have also been targeted by cyber criminals as well as hacktivism and sabotage motivated threat actors, particularly in the context of heightened geopolitical tensions seen around the world. Intellectual property and sensitive communications and data associated with media and entertainment organisations have been targeted by threat actors of multiple motivations. With technological developments, such as GenAI, threat actors are exploiting these tools to generate malicious content for information operations and other attacks (such as deepfakes for cyber criminal schemes) targeting or exploiting media and entertainment sector entities.
Pharmaceuticals and life sciences organisations experience particular security challenges due to the nature of the sector, such as research into lifesaving treatments, the production of medications, patented methods and data, cutting edge innovation, and intellectual property. With the application of emerging technologies (such as AI) and this sector's growing reliance on third-party suppliers, increased digitisation, and a shift toward hybrid and multi-cloud environments, its cyber attack surface will also continue to expand. A range of threat actors have targeted this sector for intelligence collection, as well as for financial motivations through ransomware and extortion.
The professional services sector continues to integrate new technologies, such as cloud solutions and AI, as threat actors increasingly employ supply chain attacks, social engineering, and other tactics to circumvent identity and privileged access management and gain access to victim networks directly or through third parties. Certain industries within this sector face stricter requirements and regulations for data privacy and protection, making this sector a lucrative target for financially motivated threat actors. With vast amounts of commercially confidential data traversing professional services networks, espionage motivated threat actors have targeted these organisations for intelligence and intellectual property theft.
The resources and mining sector remains critical to a number of industries, particularly manufacturing and key technologies such as semiconductors, and is of interest to a range of threat actors. The attack surface continues to expand for this sector as systems are increasingly interconnected and OT bridges historically isolated systems. Espionage motivated threat actors have targeted the sector for intelligence collection and informing investments and trade concerning critical minerals. Financially motivated threat actors have targeted organisations in this sector as part of wider opportunistic campaigns that have had an outsized impact on manufacturing entities and their operations connected to resources and mining.
Numerous threat actors, varying in sophistication and motivation, have targeted the retail sector via identity-centric attacks to gather customer and other sensitive data for extortion, fraud, and theft. E-commerce remains a highly competitive space, requiring retailers to innovate and deploy new technologies at speed. To stay competitive, many retailers have developed and patented their own software and technologies. This type of intellectual property, as well as the data (including advertising data) gathered from customers, can be the target of espionage motivated threat actors to facilitate intellectual property theft or fingerprint users and their digital footprints and behaviours.
The technology sector remains a high value target for both financially and espionage motivated threat actors, as organisations within this sector drive cutting edge innovation (including advancements in AI and quantum computing) and maintain sensitive user data and intellectual property. Whilst sensitive data is targeted for a number of motivations, intellectual property is valuable to those seeking to replicate products and services in a competitive market, or attempting to exploit common vulnerabilities in emerging technologies, such as those powering the growth of mobile applications. The technology sector also powers many industries and intersecting organisations, making it a strategic target for threat actors attempting to compromise supply chains and gain access to technology clientele and downstream environments. With more organisations adopting various technologies, such as cloud services and infrastructure, and more companies developing these solutions, the attack surface of the technology sector is expanding. Threat actors from a wide range of motivations are increasingly targeting the sector to compromise supply chains and developer ecosystems, target high value organisations and individuals, scale their access operations, and exploit AI tools.
The telecommunications sector includes companies involved with the long-distance transmission of information across various media, enabling communication services such as telephony and the internet. As such, the sector includes organisations providing broadband and mobile services through a physical medium which includes cables, telephone wires, satellites, and mobile networks. Financially motivated attacks against this sector continue to be prevalent in the form of ransomware and data extortion attacks. Considered a key component of critical infrastructure, this sector is also a high value target for espionage motivated threat actors due to its unique, intelligence-rich data and telemetry, which can provide attackers with copious amounts of data and enable surveillance operations.
The transport and logistics sector continues to be a crucial component of the global supply chain and economy. Industries and organisations within this sector leverage OT and industrial control systems (ICS), leading to a broader attack surface across environments and increasing the potential for higher impact incidents to occur. Financially motivated threat actors have sought to compromise and monetise customer information or disrupt operations impacting client deliveries, such as rail and cargo transport. Other threat actors motivated by espionage, sabotage, and hacktivism have capitalised on geopolitical tensions and conflict in their targeting and attacks against this sector.