Forbes Global 2000 and Black Kite: Third-party breach disclosures don’t reflect the true scale of the problem

Supply Chain Attacks Surge in 2025, Exposing Thousands of Unnamed Victims

A new report from cyber risk management firm Black Kite reveals a sharp escalation in supply chain attacks, with 136 major incidents in 2025 affecting 719 officially named companies and an estimated 26,000 additional unnamed victims. The average number of downstream victims per third-party breach has reached 5.28, more than double the 2024 figure (2.56) and the highest on record. This surge reflects a strategic shift by threat actors, who increasingly target shared platforms, centralized services, and high-dependency vendors to maximize disruption.

The report highlights a systemic failure in traditional third-party risk management, with supply chain vulnerabilities now concentrated at critical connection points rather than isolated weak links. Ferhat Dikbiyik, Black Kite’s chief research and intelligence officer, warns that these risks have evolved from isolated incidents into a "systematic crisis," requiring organizations to adopt active intelligence and systematic awareness to track risk propagation.

A persistent "silent window" exacerbates the problem: while the median time to detect an intrusion is 10 days, the median delay in public disclosure stretches to 73 days, leaving downstream customers exposed. Despite an average Cyber Grade of 90.27 (A) across nearly 200,000 monitored organizations, failure signals are widespread: 53.77% have at least one critical vulnerability, and 23.34% have corporate credentials circulating on the dark web.

Sector disparities are stark: manufacturing and professional services face high ransomware susceptibility and weak patch discipline, while finance maintains a more controlled risk profile. The report also underscores the threat to the top 50 vendors shared by the Forbes Global 2000, which serve as "master keys" for attackers targeting major enterprises. As reliance on third parties grows, so does the incentive for threat actors to exploit these high-value targets.

Source: https://betanews.com/article/third-party-breach-disclosures-dont-reflect-the-true-scale-of-the-problem/

Forbes Marshall cybersecurity rating report: https://www.rankiteo.com/company/forbesmarshall

Black Kite cybersecurity rating report: https://www.rankiteo.com/company/blackkite

{
  "id": "FORBLA1772542192",
  "linkid": "forbesmarshall, blackkite",
  "type": "Cyber Attack",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Estimated 26,000 unnamed victims",
      "name": "719 officially named companies",
      "type": "Various"
    },
    {
      "name": "Forbes Global 2000 (top 50 vendors)",
      "size": "Large enterprises",
      "type": "High-value vendors"
    }
  ],
  "attack_vector": "Third-party vendors, shared platforms, centralized services",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (PII, credentials)",
    "type_of_data_compromised": "Corporate credentials, sensitive data"
  },
  "date_publicly_disclosed": "2025",
  "description": "A new report from cyber risk management firm Black Kite reveals a sharp escalation in supply chain attacks, with 136 major incidents in 2025 affecting 719 officially named companies and an estimated 26,000 additional unnamed victims. The average number of downstream victims per third-party breach has reached 5.28, more than double the 2024 figure (2.56). Threat actors increasingly target shared platforms, centralized services, and high-dependency vendors to maximize disruption. The report highlights systemic failures in traditional third-party risk management and a persistent 'silent window' of 73 days for public disclosure, leaving downstream customers exposed.",
  "impact": {
    "brand_reputation_impact": "High",
    "data_compromised": "Corporate credentials, sensitive data",
    "identity_theft_risk": "High",
    "operational_impact": "High disruption to downstream victims",
    "systems_affected": "Shared platforms, centralized services, high-dependency vendors"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Corporate credentials (23.34% of monitored organizations)",
    "entry_point": "Third-party vendors, shared platforms",
    "high_value_targets": "Forbes Global 2000 vendors"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Traditional third-party risk management is insufficient. Organizations must adopt active intelligence and systematic awareness to track risk propagation. The 'silent window' between detection and disclosure leaves downstream customers vulnerable.",
  "motivation": "Maximize disruption, financial gain, data exfiltration",
  "post_incident_analysis": {
    "corrective_actions": "Adopt active intelligence, systematic risk tracking, reduce disclosure delays, enhance patch discipline",
    "root_causes": "Critical vulnerabilities (53.77% of organizations), unpatched systems, dark web credentials (23.34%), systemic failures in third-party risk management"
  },
  "recommendations": "Enhance monitoring of third-party vendors, prioritize patch management, adopt systematic risk tracking, and reduce the disclosure delay for breaches.",
  "references": [
    {
      "date_accessed": "2025",
      "source": "Black Kite Report"
    }
  ],
  "response": {
    "third_party_assistance": "Black Kite (cyber risk management firm)"
  },
  "title": "Supply Chain Attacks Surge in 2025, Exposing Thousands of Unnamed Victims",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Critical vulnerabilities, unpatched systems, dark web credentials"
}