TL;DR: Government agencies and their contractors are facing more frequent attacks driven by nation-state activity, AI-assisted social engineering, and supply-chain exposure, with one report citing 88% of security leaders worried about state-sponsored attacks and a 51% year-over-year rise in government-sector targeting. The governance gap is not just more threats, but slower containment, weaker supplier controls, and identity assumptions that attackers are actively exploiting.
At a glance
What this is: This is a Secureframe analysis of current government cyber attacks and the trends behind them, with the key finding that AI, supply chains, and nation-state pressure are combining to raise both volume and impact.
Why it matters: It matters to IAM, NHI, PAM, cloud, and GRC teams because public-sector compromise increasingly reaches through contractors, credentials, and delegated access rather than direct perimeter failure.
By the numbers:
- 88% of cybersecurity and information security leaders surveyed at UK and US organizations said they’re worried about state-sponsored cyber attacks.
- The government sector was the second most targeted sector, averaging 2,678 attacks per organization per week, a 51% increase from the previous year.
- The UK NCSC managed 204 significant or highly significant cyber incidents in the year leading up to September 2025, about one every two days.
👉 Read Secureframe's analysis of government cyber attacks, trends, and prevention tips
Context
Government cyber attacks are no longer isolated incidents aimed only at ministries and agencies. They now reach contractors, service providers, and critical infrastructure operators, which means identity, access, and supplier governance have become part of the same risk surface as network and endpoint defence.
The primary issue is that public-sector security programmes are often forced to manage fast-moving threat activity while also dealing with legacy systems, fragmented procurement, and delegated access chains. For identity teams, that creates a direct governance problem: attackers increasingly exploit trust relationships, exposed credentials, and weak third-party controls rather than only technical vulnerabilities.
Key questions
Q: What breaks when government contractors keep standing access after projects end?
A: Standing access turns a temporary business relationship into a persistent attack path. If contractor credentials, service accounts, or API tokens remain valid after offboarding, an attacker who compromises the supplier can still reach agency data or communications. The control failure is lifecycle governance, not just authentication. Organisations need ownership, expiry, and revocation to prevent inherited access from surviving the work it was created for.
Q: Why do public-sector attacks so often combine phishing with credential theft?
A: Phishing is effective because it creates a trusted interaction that can be converted into valid access. Once the attacker has credentials, they no longer need to rely on suspicious malware activity alone. In government environments, this is especially dangerous because email, inter-agency communication, and vendor workflows already create high-trust channels. The result is a cleaner path to privilege abuse and lateral movement.
Q: What do security teams get wrong about AI-generated impersonation?
A: They often treat synthetic media as a content problem when it is really a verification problem. Better-looking phishing, cloned voices, and fabricated documents can defeat human intuition, so manual review alone is not enough. Teams need step-up verification for sensitive actions, especially when a request would change access, move money, or expose regulated data.
Q: Who is accountable when supplier access is abused in a breach?
A: Accountability sits with the organisation that granted the access and with the supplier governance process that failed to constrain it. If a third-party platform can be abused to expose customer data, then access scope, offboarding, and monitoring were not aligned to the relationship. IAM and third-party risk teams should review supplier access as a lifecycle control, not a one-time approval.
Technical breakdown
Nation-state intrusion paths and why identity controls fail
Government-targeted attacks often begin with phishing, exploited software flaws, or supplier compromise, then move into credential theft and privilege abuse. Once attackers obtain valid access, they can blend into normal administrative traffic, which makes detection harder than perimeter-based models assume. In public-sector environments, that problem is amplified by long-lived accounts, shared administrator access, and inconsistent offboarding across agencies and contractors. The real weakness is often not the initial exploit but the trust granted after login. Identity governance has to account for where trust is inherited, not just where authentication succeeds.
Practical implication: Map privileged and third-party access paths to identify where valid credentials would let an attacker bypass normal security controls.
AI-assisted phishing and deepfake impersonation in government operations
AI changes the economics of social engineering by making emails, voice messages, and fake documents more convincing at scale. In government settings, where inter-agency communication and public service workflows are routine, a realistic impersonation can create a high-trust entry point. This is not simply a content problem. It is a verification problem. Identity verification, step-up checks, and out-of-band confirmation become more important when messages look and sound legitimate enough to defeat human judgment alone.
Practical implication: Require secondary verification for unusual requests, especially where payments, credentials, or sensitive data could be exposed.
Supply-chain exposure and contractor access governance
Public-sector incidents increasingly start in vendors that hold data, manage notifications, or operate shared services. That makes supplier identity, credential lifecycle, and access scoping central to resilience. If a contractor account remains active after a contract ends, or if secrets are reused across environments, the government agency inherits the blast radius. This is where NHI governance intersects with broader cyber resilience: service accounts, API keys, and delegated tokens need the same lifecycle discipline as human privileged accounts.
Practical implication: Treat third-party service accounts and machine credentials as governed assets with defined ownership, expiry, and revocation checkpoints.
Threat narrative
Attacker objective: The attacker aims to convert trusted access into operational disruption, intelligence collection, and downstream compromise of additional government or contractor systems.
- Entry commonly begins through phishing, exposed software vulnerabilities, or compromise of a supplier that already has trusted access to public-sector systems.
- Escalation follows when attackers harvest valid credentials, reuse delegated access, or exploit overly broad permissions to move beyond the initial foothold.
- Impact appears as service disruption, data exposure, and follow-on phishing that weaponises stolen communications against other agencies and contractors.
NHI Mgmt Group analysis
Government cyber defence is now an identity and supplier governance problem, not only a perimeter problem. The article’s examples show that compromise often lands through trusted relationships, contractor systems, and credential misuse rather than direct agency compromise alone. That means public-sector resilience depends on how access is issued, monitored, and revoked across the whole ecosystem, not just on incident response. Practitioners should treat identity governance as a core element of national cyber resilience.
AI-assisted impersonation is widening the verification gap faster than policy teams are adapting. Deepfakes and synthetic messaging reduce the reliability of human judgment as a control. That shifts weight toward stronger identity verification, step-up approval, and transaction-level confirmation for sensitive requests. For government programmes, trust must be continuously revalidated when communications cannot be assumed authentic on appearance alone. Practitioners should build verification into the workflow, not as an exception.
Supply-chain access is becoming a standing exposure surface for government contractors. The article repeatedly points to vendors, shared services, and contracts as both operational dependencies and attack paths. Trust inheritance gap: when agencies assume vendor access is safe because it was once approved, they miss the lifecycle risk created by stale credentials and incomplete offboarding. That is a governance failure, and it belongs squarely in IAM, PAM, and NHI controls. Practitioners should audit every inherited access path for expiry, ownership, and revocation.
AI is not the only accelerant here, but it is changing the speed and quality of attacks. The article’s references to AI-generated deepfakes and AI-enabled offensives show that attackers can now scale persuasion and reconnaissance more efficiently. That does not replace classic intrusion paths. It amplifies them. Security teams should assume higher-quality social engineering and adjust detection, verification, and user reporting accordingly.
Compliance is being used as a forcing function because governance gaps have become contract risks. The article notes stronger enforcement across federal contracts, including CMMC and FedRAMP-related pressure. That indicates a market shift toward provable controls rather than policy statements. Practitioners should expect procurement to demand evidence of access governance, supplier assurance, and resilience testing, not just narrative attestations.
What this signals
Verification trust gaps will keep widening unless governments and contractors move more of their high-risk workflows into controlled identity checks. The operational lesson is that stronger email filtering alone will not offset AI-assisted impersonation or synthetic requests. Teams should expect step-up verification, transaction approval, and delegated access review to become baseline requirements in public-sector procurement and assurance.
Contractor access is the pressure point that will force better machine identity governance. Many public-sector environments already rely on service accounts, API tokens, and shared platforms that outlive the project they support. That creates a strong case for continuous offboarding, tighter scoping, and lifecycle evidence across both human and non-human access paths.
From our research, 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. That matters here because supplier and integration accounts often sit at the centre of public-sector service delivery, yet they are reviewed far less consistently than human accounts. The next maturity step is to bring NHI entitlement review into the same governance cycle as contractor and privileged user review.
For practitioners
- Tighten third-party access lifecycle controls Inventory contractor, supplier, and shared-service accounts, then define clear owners, expiry dates, and revocation triggers for each access path. Prioritise accounts that can reach sensitive communications, emergency systems, or regulated data.
- Add verification steps for high-risk requests Require a second channel of confirmation for credential resets, payment changes, emergency notifications, and unusual data requests. Use a control that does not depend only on the apparent authenticity of email or voice content.
- Review standing privilege in public-sector integrations Identify where vendor accounts, service accounts, or API tokens can still reach agency systems after contracts change or projects end. Remove persistent access where the business need is no longer current and replace it with scoped, time-bound access.
- Test supplier failure scenarios Run exercises that assume a contracted platform is compromised and ask what services, data sets, and communication channels would be affected. Use the results to update offboarding, segmentation, and notification plans.
Key takeaways
- Government cyber attacks increasingly exploit trust relationships, contractor access, and identity verification gaps rather than only technical vulnerabilities.
- The article’s examples show a clear escalation from phishing and supplier compromise into service disruption, data exposure, and follow-on targeting.
- Public-sector defenders need lifecycle control over human and non-human access, because inherited access and stale credentials now sit inside the attack path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access; TA0008 , Lateral Movement | The article centres on phishing, supplier compromise, and movement through trusted access. |
| NIST CSF 2.0 | PR.AC-4 | Supplier and delegated access governance are central to the incidents and prevention advice. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management is directly relevant to offboarding, contractor access, and standing privilege. |
| CIS Controls v8 | CIS-5 , Account Management | The article repeatedly highlights access governance failures across government and supplier environments. |
| NIST AI RMF | GOVERN | AI-assisted impersonation and AI-enabled attacks require explicit oversight and accountability. |
Use CIS-5 to inventory privileged and third-party accounts, then remove accounts that no longer have a business purpose.
Key terms
- Trust Inheritance: The condition where one credential or integration is allowed to carry trust into multiple connected systems. It is often invisible until a token is replayed from outside the intended context. In practice, trust inheritance is what turns a valid login event into a cross-platform compromise.
- Step-Up Verification: Step-up verification is a stronger identity check applied when risk increases, such as during password reset, device change, or privileged access request. It uses higher-assurance signals than a static question, such as device possession, authenticated context, or approved administrative review.
- Standing Privilege: Access that remains continuously active instead of being created only when needed. It expands the attack window because any account, token, or integration with persistent rights can be reused by an attacker long after the original business need has changed.
- Supplier Access Lifecycle: Supplier access lifecycle is the end-to-end handling of third-party credentials from issuance to revocation. It covers approval, expiry, monitoring, offboarding, and proof of removal. Weak lifecycle control is a common reason supplier access persists after the business need has ended.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- Per-incident breakdowns of the five government cyber attacks discussed in the article, including the specific attack sequence and impact.
- Secureframe's commentary on federal contract enforcement, including CMMC, FedRAMP High, and related compliance pressure.
- The article's prevention checklist for public-sector organisations and vendors that need to harden supply-chain and incident-response controls.
- Secureframe's examples of how its platform maps assets, vendors, and frameworks for compliance reporting.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives practitioners a structured way to connect access lifecycle controls to broader identity and security programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org