Breaking Cybersecurity Threats Targeting the Construction Industry: November 2025 Update

By Charles Swihart, Founder and CEO of Preactive IT Solutions,

November 21, 2025

The construction and engineering sectors continue to face escalating cybersecurity risks in late 2025, with ransomware and supply chain vulnerabilities emerging as dominant threats. Recent reports from government agencies, cybersecurity researchers, and industry surveys highlight a surge in targeted attacks that disrupt operations, compromise sensitive project data, and exploit interconnected IT/OT environments and third-party relationships.

Construction firms—often managing complex projects with subcontractors, suppliers, and digital tools like Building Information Modeling (BIM) and IoT devices—are particularly vulnerable. These attacks go beyond data theft, frequently halting on-site operations, delaying timelines, and inflating costs. Below are the most critical developments from November 2025.

1. Akira Ransomware Group Intensifies Attacks on Construction and Engineering

The Akira ransomware operation remains one of the most active threats to critical infrastructure, with construction and engineering consistently ranking among its top-targeted sectors.

• On November 13, 2025, the FBI, CISA, and international partners released an updated joint advisory on Akira, revealing evolved tactics including faster encryption variants (Akira_v2) and new command-and-control tools like Ngrok and SystemBC malware.
  • Google Threat Intelligence and other sources note manufacturing, legal/professional services, and construction/engineering as the most impacted industries, with a noticeable uptick in construction victims in recent months.
• Initial access frequently exploits vulnerabilities in edge devices (e.g., SonicWall VPNs via CVE-2024-40766) or compromised credentials on systems lacking multi-factor authentication (MFA). Akira has claimed over $244 million in ransom payments as of late 2025, primarily from small- to medium-sized businesses but increasingly from larger organizations.

This persistence underscores why construction sites, with remote access needs and legacy systems, are prime targets.

2. OT/ICS Incidents Highlight Detection-Recovery Gaps and Remote Access Risks

The SANS Institute’s 2025 State of ICS/OT Cybersecurity Report, released in November 2025 and sponsored by OPSWAT, surveyed hundreds of industrial professionals and revealed persistent challenges in converged IT/OT environments everyday in construction and heavy industry:

• 21.5% of organizations reported an ICS/OT cybersecurity incident in the past year.
• 40% of those incidents caused operational disruption, while nearly 20% required over a month for full recovery—despite almost half being detected within 24 hours.
• Unauthorized remote external access was the leading incident vector (around 50% of cases), yet only 13% of organizations have implemented advanced controls like session recording or real-time approvals for remote connections.

These findings align with broader trends: regulated entities experience similar incident rates but far fewer safety or financial impacts thanks to stronger controls.

3. Supply Chain and Third-Party Attacks Escalate

Attackers increasingly exploit the fragmented vendor ecosystems inherent to construction projects:

• Supply chain compromises allow entry through weaker partners. A notable example from September 2025 involved the Volvo Group (a major construction equipment manufacturer), which was hit by a ransomware attack on third-party HR software provider Miljödata, exposing employee data across multiple organizations.
• The ongoing “TamperedChef” malvertising campaign, detailed in November 2025 reports from Acronis and others, distributes trojanized installers for everyday tools (e.g., PDF editors, manual readers). It disproportionately affects healthcare, construction, and manufacturing due to frequent searches for specialized equipment documentation. Signed with abused certificates, these installers establish remote access and persistence.

Broader 2025 data from Dragos, Honeywell, and others show that ransomware incidents in industrial sectors (including construction) are rising sharply, with supply chain and remote access as the primary entry points.

Why Construction Firms Must Act Now

These threats are not abstract: a successful breach can encrypt project files, disrupt equipment controls, leak bids or blueprints, or halt job sites for weeks. The financial and reputational damage often far exceeds ransom demands.

Construction leaders should prioritize:

• Enforcing MFA everywhere, especially on VPNs and remote access tools.
• Segmenting IT/OT networks and deploying ICS-aware monitoring.
• Vetting third-party vendors rigorously and requiring cyber incident notification clauses.
• Testing incident response plans with tabletop exercises focused on ransomware and supply chain scenarios.
• Investing in threat intelligence tailored to ICS/OT environments.

As the industry continues to digitize in 2026, cybersecurity is no longer optional—it’s a core component of project delivery and risk management.

Charles Swihart has over 30 years of experience in IT and cybersecurity, is the author of the Amazon best-selling book “On Thin Ice,” and was named MSP Titan of the Industry in 2024 for leadership in construction and engineering IT services.