Cybersecurity Threats Impacting Real Estate & Construction Industry

Thailand, August 12, 2025

News Summary

The construction and real estate sectors are grappling with rising cybersecurity threats such as phishing, ransomware, and data breaches. A recent report highlights a decline in attack campaigns targeting these industries, with a noted increase in ransomware victims. The report stresses the need for enhanced cybersecurity strategies as digital integration grows, as well as the importance of leveraging emerging technologies to safeguard sensitive information against evolving threats.

 

Real estate and construction sector faces steady ransomware pressure despite fewer large campaigns

New industry data shows the real estate and construction sector was involved in a smaller share of high-level attack campaigns over the past 90 days but continued to see elevated ransomware activity and underground chatter. The sector was linked to 2 out of 16 observed attack campaigns (12.5%), registered 1,176 mentions in underground and dark web channels, and recorded 121 verified ransomware victims during the same period.

Top takeaways

• Campaign involvement dropped. The sector’s share of observed campaigns declined from 25% in the prior 90 days to 12.5%.
• Ransomware remains a core threat. There were 121 verified victims in the sector, a 16% drop in raw victim numbers from the previous quarter (from 144 to 121), but the sector’s share of total victims rose from 7.2% to about 8.4–8.7%.
• Underground chatter grew. Mentions about the industry totaled 1,176 (1.9% of all industry chatter), with spikes in data leaks, ransomware talk, and reported data breaches.
• Geography and threat actors varied. Two campaigns were seen in May and July, with suspected actors including a China-linked group and Thai-speaking cybercriminals; victims appeared across 10 countries in those campaigns, and the United States accounted for the largest share of ransomware victims overall.

Observed attack campaigns and techniques

Two named campaigns were detected during the period. One campaign is associated with a China-linked group that targeted victims across multiple continents and attacked web applications, operating systems, routers, and network monitoring tools. The other came from a Thai-speaking threat actor and focused exclusively on victims in Thailand, targeting web applications and operating systems. Thailand was the only country with victims recorded in both campaigns.

Overall, the sector was only minimally targeted by advanced persistent threat (APT) style campaigns in this window, appearing in just 2 of the 16 campaigns listed in the report.

Underground chatter and trends

The industry ranked near the bottom for dark web chatter, 13th out of 14 industries monitored, with 1,176 mentions and 1.9% of total detected industry chatter. Topics that increased most in the last 30 days included:

• Data leaks: mentions rose from 105 to 171, often tied to exposed cloud storage or third-party breaches.
• Ransomware: mentions jumped sharply from 77 to 172, signaling more attention on property management and construction IT targets.
• Data breaches: mentions grew from 86 to 134, reflecting continued targeting of corporate networks.
• Claimed hacks and web exploits: also rose, indicating more publicized incidents and attacks against property portals or SaaS tools.

At the same time, distributed denial-of-service activity nearly disappeared from the discussion, suggesting attackers are shifting from noisy disruption to more targeted intrusions and data theft.

Vulnerabilities and technical patterns

The sector ranked 12th out of 14 industries for detected vulnerabilities, accounting for about 2.6% of industry-linked CVEs. Notable technical trends in vulnerability types during the period included a change in injection-related findings (from 3 to 5), a notable rise in Cross-Site Scripting (XSS) and clickjacking reports (from 1 to 13), continued presence of Remote Code Execution risks, and low rates of Denial of Service vulnerabilities.

Ransomware detail: who and where

The report verified 121 ransomware victims in the sector, representing roughly 8.7% of total ransomware victims in the observed window. Although the absolute number of victims fell by about 16% compared with the prior quarter, the industry’s share of all victims rose. Monthly victim counts across the quarter were steady at about 50, 39, and 40, showing ongoing attacker interest.

Forty-two of 72 tracked ransomware groups (about 58%) targeted the sector. Several larger groups showed repeated impacts, with a few named gangs each linked to a dozen victims and certain smaller gangs showing a high focus on this industry. The United States accounted for the majority of recorded victims (around 57%); other nations saw declining incidents but the overall reach expanded to 29 countries, three more than in the prior period.

Why the industry remains attractive

Real estate and construction businesses often rely on a complex ecosystem of contractors, property managers, listing portals, and third-party service providers. That complexity creates many access points for attackers and increases the chance of data exposure through misconfigured cloud storage or vendor breaches. Property data, tenant details, financial records, and operational controls are all valuable to cybercriminals.

Steps forward

The data underscores a clear need to prioritize cybersecurity across the sector. Short-term actions include tightening web application security, enforcing stronger access controls for cloud storage, and improving patching for operating systems and network equipment. Over the medium term, organizations should consider adopting advanced defenses such as AI and machine learning–based detection, stronger vendor risk programs, and incident response playbooks that reflect ransomware realities.

Bottom line

Attack campaigns directly tied to the sector fell in share, but the steady level of ransomware victims, growing underground chatter, and increasing web-based exploit reports show that real estate and construction firms remain high-value targets. The sector must treat cybersecurity as a core operational priority to protect sensitive data and sustain trust with clients and partners.

Frequently Asked Questions

1. Was the real estate and construction industry heavily targeted by advanced threat campaigns?

No. The industry appeared in 2 of 16 observed campaigns during the period, indicating limited involvement in large APT-style campaigns. However, it remains a clear target for ransomware groups and opportunistic attackers.

2. How many ransomware victims were confirmed in the sector?

There were 121 verified ransomware victims during the 90-day window. While this is a decrease in raw numbers from the previous quarter, the industry’s share of all ransomware victims rose slightly.

3. What drove the increase in dark web mentions?

Most of the increase was driven by mentions of data leaks, ransomware, and data breaches. This points to both real incidents and increased discussion or advertising of stolen data and attack results.

4. Which countries were most affected?

The United States accounted for the largest share of ransomware victims (about 57%). Campaign victims were recorded across multiple countries, with Thailand notable for being targeted in both observed campaigns.

5. What immediate actions should companies take?

Basic steps include securing web applications, auditing cloud storage permissions, patching systems and routers, strengthening vendor controls, and preparing an incident response plan specific to ransomware and data theft.

Deeper Dive: News & Info About This Topic

Additional Resources

• Clark Hill: 2025 Commercial Real Estate Outlook
• RSM: 2025 Cybersecurity Snapshot
• WTW: Cybersecurity in Real Estate
• Marsh: Cyber Threats in Real Estate
• HousingWire: How Gen AI is Impacting Cybercrime
• Wikipedia: Cybersecurity
• Encyclopedia Britannica: Cybersecurity
• Google Search: Cybersecurity in Real Estate
• Google Scholar: Cybersecurity Real Estate
• Google News: Cybersecurity Real Estate