APT Groups Target Construction Firms to Steal RDP, SSH, and Citrix Credentials

The construction industry has emerged as a primary target for sophisticated cyber adversaries in 2025, with threat actors including state-sponsored APT groups, ransomware operators, and organized cybercriminal networks actively targeting organizations across the building and construction sector.

Nation-state actors from China, Russia, Iran, and North Korea are leveraging the industry’s rapid digital transformation and security gaps to establish persistent network access and exfiltrate valuable data.

The escalating threat landscape stems from the construction sector’s increasing dependence on vulnerable IoT-enabled machinery, Building Information Modeling (BIM) systems, and cloud-based project management platforms.

These technologies, while enhancing operational efficiency, have created new attack surfaces that threat actors exploit with precision.

Ransomware campaigns designed to disrupt critical project timelines, supply chain attacks targeting third-party software and equipment vendors, and social engineering schemes directed at on-site personnel represent substantial operational and financial risks for construction enterprises.

Cybercriminals have identified initial ...