

APT Campaigns – 6.9
20 of 42 campaigns (48%), down from 68% share despite higher volume. The broadest China-linked actor grouping observed across any sector this period, nine distinct groups. Operating systems targeted at a notably higher rate, pointing to OT and host-level exposure.
Cyber Incidents – 6.6
18 incidents, ranking 10th, but OT/ICS attacks sharply escalated in the final 30 days. FortiBleed harvested 110 million credentials from devices sitting at the IT/OT boundary. Foxconn ransomware hit illustrates the targeting of critical supply chain chokepoints.
Dark Web Chatter – 5.8
3.08% of all detected chatter, ranking 10th. Breach and leak mentions collapsed, consistent with forum disruption. Ransomware the only category sustained across all three periods. Hacktivism, DDoS, claimed hacks, and web exploits all rose in the final period.
Vulnerabilities – 6.4
4.32% of all industry-linked disclosures, ranking 6th. RCE more than quadrupled and stayed elevated rather than reverting. Breadth across multiple categories rising together mid-period is the primary driver of the score.
Ransomware – 9.0
279 victims, ranking 2nd across all industries at 12.48% share, the most concentrated ransomware exposure of any single coherent industry this quarter, unlike higher-volume categories that aggregate many distinct sub-sectors. Activity climbed steadily from September to a March peak, then stabilized at a new elevated baseline rather than reverting. 62% gang participation, with Akira directing over 25% of its global activity at this sector.
The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the manufacturing industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the manufacturing industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, public reports, underground & dark web chatter, vulnerabilities, and ransomware incidents targeting manufacturing organizations.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA delivers pre-emptive cybersecurity, cyber threat intelligence, and external threat landscape management through its platforms, DeCYFIR and DeTCT. These platforms have been purpose-built over many years to continuously collect, correlate, and analyse large volumes of external threat data, combining proprietary intelligence automation with deep, hands-on cyber threat research.
For the purpose of this report, the analysis draws on intelligence generated from CYFIRMA’s platforms. The data referenced has been processed through automated correlation and enrichment mechanisms, informed and validated by human-led research and investigative expertise, and sourced from both structured and unstructured external intelligence channels.
While this report contains data collected and processed by our in-house AI and ML, all charts, statistics, and analyses are done by human CYFIRMA CTI analysts to ensure the highest quality and provide accurate insights.
Manufacturing organizations featured in 20 out of the 42 observed campaigns, which is a presence in 48% of all campaigns. An increase from the previous period, where manufacturing organizations were present in 13 out of 19 campaigns. However a decline in presence in 68% of observed campaigns.


APT activity targeting Manufacturing has been continuous. Most of the campaigns remain active and have been updated with new detections as recently as June.

Observed APT campaigns are dominated by suspected China-linked, state-sponsored actors, with Stone Panda recording the highest number of observed campaigns, followed closely by MISSION2074. Leviathan, TICK, Hafnium, Volt Typhoon, Emissary Panda, APT27, Earth Estries, Salt Typhoon, and Lotus Blossom provide additional China-aligned representation, the broadest such grouping observed across sectors this period.
North Korea-associated Lazarus Group also features prominently. Iran-linked OilRig and Fox Kitten both appear, alongside Russia-linked Gamaredon and Pakistan-linked Transparent Tribe. Financially motivated actor TA505 rounds out the profile, reflecting the sector’s exposure to both espionage-driven and regional state-aligned targeting.

Victim distribution spans 31 countries, with the United States recording the highest victim count by a considerable margin, more than double the United Kingdom’s total. Japan follows as the second highest, with India and Taiwan also recording strong victim counts, reflecting manufacturing’s concentration across major Indo-Pacific economies.
South Korea and the United Kingdom feature closely behind, with Australia, Thailand, the Philippines, and Germany also recording multiple victims. Middle Eastern presence is led by Saudi Arabia and the UAE, consistent with Iran-linked Fox Kitten and OilRig activity in the region.
Remaining victims are spread across Southeast Asia, continental Europe, and isolated cases, including Ukraine, consistent with Russia-linked Gamaredon’s known regional targeting focus.

Web applications and operating systems account for the majority of observed attacks this period, with operating systems recording a notably higher share than in most other sectors, reflecting the manufacturing sector’s exposure to operational technology and host-level systems. Database management software also features prominently, recorded across multiple campaigns and suggesting data exfiltration as a likely objective.
Remote desktop software appears across two campaigns, alongside single instances of application infrastructure software, VPN solutions, routers, network monitoring tools, and application security software. The presence of remote desktop software, VPNs, and routers points to threat actor interest in gaining persistent remote access to distributed manufacturing infrastructure.

Based on observed trajectory across the two reporting periods, the manufacturing sector external threat landscape is expected to remain at Elevated through the next 90 days. Manufacturing was present in 48% of all observed campaigns this period, a decline from 68% previously, even as the absolute campaign count grew from 13 to 20.
Sustained volume: While the monthly distribution shows campaign counts concentrated in April and June with no new campaigns recorded in May, this reflects platform updates and stacking patterns rather than activity pauses. Most campaigns remain active and have received new detections as recently as June. 14 to 19 manufacturing sector campaigns over the next 90 days is a plausible baseline estimate, consistent with sustained rather than intermittent targeting.
Dominant actor continuity: Stone Panda and MISSION2074 recorded the highest campaign counts by a wide margin and show no indicators of reduced tempo. The sector also recorded the broadest China-linked actor grouping observed across all sectors this period, spanning Leviathan, TICK, Hafnium, Volt Typhoon, Emissary Panda, APT27, Earth Estries, Salt Typhoon, and Lotus Blossom.
Host-level and infrastructure exposure: Operating systems recorded a notably higher share of targeted technology than in most other sectors, alongside database management software, remote desktop software, VPNs, and routers. This combination points to threat actor interest in both host-level compromise and persistent remote access to distributed manufacturing infrastructure, including operational technology environments. Organizations with unpatched host systems or exposed remote access points face the highest immediate risk.
Geographic targeting: The United States leads in victim count by a considerable margin, more than double the United Kingdom’s total, followed by Japan, India, and Taiwan. The Indo-Pacific corridor and North America are expected to remain primary target zones, with continued Middle East exposure given Fox Kitten and OilRig activity.
Actor profile breadth: North Korea-associated Lazarus Group, Iran-linked OilRig and Fox Kitten, Russia-linked Gamaredon, and Pakistan-linked Transparent Tribe all feature alongside the dominant China-linked cluster, the most diverse actor mix observed across sectors to date. Defenders should prioritize TTP-based detection over actor-specific IOC tracking given this breadth.
Over the past 90 days, DeCYFIR and DeTCT platforms tracked 781 cyber incidents reported publicly. We could identify the industry for 572 of these incidents (73%).
The manufacturing industry was detected in 18 incidents, which equals 2.98% of the incidents where we knew the industry, ranking 10th out of 14 industries.

Manufacturing this quarter is dominated by OT/ICS exposure rather than data theft, though several high-profile extortion and ransomware hits punctuate the picture, alongside a major cross-sector infrastructure vulnerability worth attention given how widely Fortinet devices sit in industrial environments.
OT/ICS exposure is the persistent baseline. A recurring quarterly “industrial automation threat landscape” series tracked exposure across nearly every region: Africa, Russia, the Middle East, Asia, Europe, the Americas, Australia/NZ, and a global Q1 2026 rollup, consistently flagging worms, ransomware, and cryptominers as the dominant payload types hitting industrial control systems. None of these regional reports named specific attackers, reflecting how OT compromise tends to surface through telemetry rather than incident disclosure. A critical flaw in OT Robot OS (May 20) gave attackers direct control over industrial robotics, and researchers pushed for Zero Trust principles adapted specifically for OT (Apr 29), both signs the sector’s control-system attack surface is widening faster than its defensive posture.
FortiBleed is a significant cross-sector exposure manufacturers should treat as directly relevant. Starting mid-June, a credential leak affecting roughly 73,000-74,000 FortiGate devices escalated into an active campaign, with attackers building a custom Golang sniffer that harvested 110 million credentials by late June. This isn’t manufacturing-targeted; it’s infrastructure-targeted, but FortiGate appliances are heavily deployed at the IT/OT boundary specifically for network segmentation. A credential-harvesting campaign against that device class is a direct pathway into OT networks regardless of sector. CISA issued an urgent advisory; any manufacturer running FortiGate should treat patching and credential rotation as immediate priorities.
Iran’s CyberAv3ngers remain the most concrete nation-state threat to manufacturing OT. Nearly 4,000 US industrial devices were found exposed to their campaigns in mid-April, part of the sustained fuel/energy-adjacent OT targeting running throughout the quarter’s broader threat picture.
Ransomware caused the most visible operational disruption. Foxconn, the world’s largest electronics contract manufacturer, was hit by the Nitrogen ransomware gang in mid-May, a significant target given Foxconn’s centrality to global electronics supply chains, with coverage explicitly framing it as illustrative of “manufacturing’s cyber crisis.” West Pharmaceutical, sitting at the healthcare-manufacturing boundary, disclosed a ransomware attack affecting operations in May. Both remain attributed only at the ransomware-brand level.
Data extortion reached manufacturing via the same actors hitting other sectors. ShinyHunters claimed Kodak in mid-June, and Tata Electronics confirmed a breach with data leaked in late June (attribution unconfirmed). Neither reflects manufacturing-specific targeting; these are the same opportunistic extortion campaigns sweeping every sector this quarter.
Espionage targeting aviation manufacturing is a threat worth watching. Two reports (May 1, May 11) described cyber-espionage against Russian aviation firms aimed at satellite, GPS, and mapping data, likely tied to the Russia-Ukraine conflict’s intelligence dimension. The China-attributed Shadow-Earth-053 campaign (Apr 30) targeted government and defense sectors across Asia, with manufacturing touched via defense-adjacent industrial targets.

OT/ICS attacks dominated observed activity, accounting for the majority of identified techniques and sharply concentrated in the last 30 days (8 of 10 incidents). Ransomware appeared twice, both in the previous 30 days, with no activity in the most recent period. Credential theft and insider threat each appeared once, in the first and last 30 days, respectively. The sharp escalation of OT/ICS attacks in the last 30 days is the most significant pattern, suggesting either an emerging campaign or increased public reporting of OT-targeted activity against manufacturing organizations.

No attacking country was identified in any incidents during this period. Victim attribution showed Taiwan and Russia as the most affected, each with 2 incidents, followed by isolated cases in Australia, the United States, and Europe. The complete absence of attacker attribution is a notable limitation, preventing any assessment of actor origin or motivation behind the OT/ICS-heavy activity observed in this sector.

Threat level for the manufacturing sector over the next 90 days is assessed as elevated risk.
The following developments are anticipated based on current trends, actor capabilities, and operational patterns:
FortiGate Credential Harvesting at the IT/OT Boundary. The FortiBleed campaign harvested 110 million credentials from FortiGate devices, appliances heavily deployed at the IT/OT segmentation boundary. While not manufacturing-targeted specifically, this represents a direct pathway into OT networks for any manufacturer running affected devices. Patching and credential rotation should be treated as immediate priorities given CISA’s urgent advisory.
Sustained Iranian OT Reconnaissance. CyberAv3ngers activity, with nearly 4,000 US industrial devices found exposed in mid-April, remains the most concrete nation-state threat to manufacturing OT. This fits the actor’s broader fuel and energy-adjacent targeting pattern and is unlikely to decrease given current geopolitical conditions.
Ransomware Against High-Value Supply Chain Nodes. The Nitrogen ransomware attack on Foxconn, the world’s largest electronics contract manufacturer, illustrates continued targeting of critical supply chain chokepoints. West Pharmaceutical’s disclosure at the healthcare-manufacturing boundary reinforces this pattern. Both incidents remain attributed only at the ransomware-brand level, limiting deeper actor insight.
Opportunistic Data Extortion Overlap. ShinyHunters’ claim against Kodak and the unconfirmed Tata Electronics breach reflect the same opportunistic extortion campaigns sweeping multiple sectors this quarter rather than manufacturing-specific targeting. This trend is likely to continue as a background risk rather than an escalating one.
Widening Control-System Attack Surface. A critical flaw in OT Robot OS granting direct attacker control over industrial robotics, combined with regional reporting consistently flagging worms, ransomware, and cryptominers across nearly every geography, indicates the sector’s attack surface is expanding faster than its defensive posture. Researchers’ push for OT-adapted Zero Trust principles signals that this gap is recognized but not yet closed.
Over the past 90 days, CYFIRMA’s telemetry has identified 1,037 mentions of manufacturing organizations out of a total of 33,702 industry-linked mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.
Manufacturing organizations placed 10th out of 14 industries in the last 90 days with a share of 3.08% of all detected industry-linked chatter.
Below is a breakdown by 30-day periods of all mentions.


Underground & dark web chatter related to the manufacturing sector over the last 90 days shows a sharp decline in data breach and data leak discussions in the final period, dropping from 244 to 56 and 210 to 40, respectively. Consistent with patterns observed across other sectors, this likely reflects BreachForums’ disruptions and migration of threat actor activity to harder-to-monitor surfaces rather than reduced actual threat activity. Ransomware mentions show a mid-period elevation followed by a decline in the final period. Hacktivism, DDoS, and claimed hacks all show notable increases in the final period despite remaining at comparatively low absolute volumes. Web exploits show a steady upward trend across all periods.

Manufacturing shows a comparatively low overall share of underground chatter relative to higher-volume sectors, but the consistency of ransomware activity across all three periods, combined with steady growth in web exploits, hacktivism, DDoS, and claimed hacks despite an overall declining trend, suggests diversifying rather than diminishing attacker interest.
Data Breach and Data Leak: The sharp decline in the final period is consistent with the broader BreachForums disruption and forum migration pattern observed across other sectors. Given manufacturing’s lower baseline chatter volume, this decline should be read with some caution rather than as a confirmed drop in actual targeting activity.
Ransomware: Mid-period elevation followed by decline in the final period, but ransomware remains the only category to register meaningfully across all three periods without collapsing to near zero. Manufacturing’s low tolerance for production downtime continues to make it a structurally attractive ransomware target, and this category is the most reliable signal in the dataset.
Web Exploit: Steady and uninterrupted increase across all periods, the only category showing a clean upward trend throughout the full window. This consistency, despite low absolute numbers, suggests sustained rather than opportunistic probing of manufacturing systems.
Hacktivism, DDoS, and Claimed Hacks: All three show notable proportional increases in the final period despite remaining low in absolute terms. The simultaneous rise across multiple secondary categories, even as primary breach and leak chatter declines, suggests broadening attacker interest in the sector rather than isolated activity.
Sector context: The pattern here differs from sectors where decline is concentrated in breach and leak chatter alone. In manufacturing, nearly every secondary category trends upward in the final period, which is a more notable signal than the headline decline in breach and leak volume might suggest on its own.
Over the past 90 days, CYFIRMA’s telemetry has identified 171 mentions of manufacturing organizations out of a total of 3,959 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.
Manufacturing organizations ranked 6th out of 14 industries in the last 90 days with a share of 4,32% of all detected industry-linked vulnerabilities.
Below is a breakdown by 30-day periods of all mentions.


Reported CVEs in the manufacturing sector over the last 90 days show sharp mid-period elevation across most vulnerability categories. Remote and arbitrary code execution vulnerabilities spike mid-period dramatically and remain elevated, more than quadrupling from initial levels. Injection attacks show a similar pattern, spiking mid-period before declining. Denial of service and privilege-escalation vulnerabilities show mid-period elevation followed by a modest decline. Cross-site scripting emerges in the mid-period and persists at low levels. Memory vulnerabilities and information disclosure remain minimal but present, while directory traversal and security misconfigurations show negligible and sporadic activity.

Manufacturing shows a moderate concentration of reported vulnerabilities relative to its size, with mid-period escalation across nearly every category rather than a single isolated spike. The sustained elevation of RCE and ACE vulnerabilities through the final period, rather than a return to the initial baseline, is the primary driver of the elevated score.
Remote & Arbitrary Code Execution: The dominant vulnerability category, more than quadrupling from initial levels and remaining substantially elevated in the final period rather than reverting. Direct compromise potential is particularly concerning given the exposure of industrial control systems and operational technology common in manufacturing environments.
Injection Attacks: Sharp mid-period spike followed by decline, but final-period levels remain above the initial baseline. The pattern suggests a discrete wave of disclosure activity rather than a sustained campaign, though residual exposure likely persists.
Denial of Service and Privilege Escalation: Both show mid-period elevation with only partial decline in the final period. In a sector where production downtime carries direct operational and financial cost, even modest sustained DoS-enabling disclosures warrant attention.
Cross-Site Scripting: Emergence mid-period with persistence into the final period is notable since this category registered zero in the initial window. New vulnerability classes appearing partway through the period can indicate growing research attention on manufacturing-specific platforms.
Memory, Information Disclosure, Directory Traversal, and Misconfigurations: All remain minimal throughout, with no category showing a trend that would independently raise the risk profile.
Sector context: The defining feature of this dataset is breadth rather than a single dominant spike; multiple categories rose together mid-period, and several remain elevated in the final period rather than fully reverting, which is a more durable risk signal than a single-category anomaly would be.
In the past 90 days, CYFIRMA has identified 279 verified ransomware victims in manufacturing organizations. This accounts for 12.48% of all 2,235 ransomware victims during the same period. Placing this sector 2nd out of 14 industries.

Furthermore, a quarterly comparison shows that the number of victims in manufacturing organizations has been sustained. It went from 283 to 279 victims, a -1.4% decline. The overall interest, represented by share, also dropped more significantly from 13.35% to 12.48% of all victims.


Monthly activity has been growing steadily since September 2025, with 66 victims up to December 2025 and 98 victims. February showed a minor dip to 78 victims; however, following March spiked up to 6 months high of 115 victims. Since April, the number of victims has stabilized in the lower 90s.

A breakdown of monthly activity per gang reveals which gangs were most active each month. For instance, gangs The Gentleman, Akira, and Qilin were highly active every month.
On the other hand, Payoutsking recorded nearly all victims during April, and alongside many smaller gangs recording victims only in April, contributed to the April numbers.
Threeam appeared in late May and recorded many victims in June.

Out of the 87 gangs, 54 recorded victims in manufacturing organizations in the last 90 days, representing a disturbing 62% participation. The chart has been trimmed to gangs with 2+ victims.
Thegentlemen, Akira and Qilin, had the highest numbers of victims and a sizeable share of their victims in this industry, especially Akira, which recorded 25.8% of all their victims in manufacturing.
Akira, Lamashtu and Theeam stand out as gangs with the highest shares of manufacturing victims.
Among gangs with more than 10 total victims, on average, 12.95% of their victims are from this industry. That is about 1 in 8 victims.

Food & Beverage Production and Machinery & Heavy Equipment led victim counts, with Metal Fabrication & Forging and Electronic Components & Devices also well represented. This spread reflects the breadth of manufacturing operations targeted, from production-critical supply chains to specialized component makers.
Electrical Equipment, Precision Instruments, and Furnishing & Home Goods recorded moderate activity, while Aerospace & Defense and Textile & Apparel formed a consistent mid-tier. The remaining subsectors saw fewer incidents, though victims appeared across nearly every category tracked.

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

Manufacturing victimology shows the USA being the most targeted, accounting for 33% of all victims. Remaining activity is distributed among 48 countries for 188 victims.
Germany, China, Turkey, and the UK recorded the highest elevations in the last 90 days.
The USA, Italy, France, and the Czech Republic saw the largest declines.
In the last 90 days, 49 countries recorded manufacturing victims, 4 more than the 45 countries in the previous period.

The Manufacturing sector threat landscape is expected to remain at high through the next 90 days. Manufacturing now ranks as the second most targeted industry overall, accounting for 12.48% of all ransomware victims, and the steady upward trend from September through March indicates sustained rather than opportunistic interest in this sector.
Volume outlook: Monthly activity climbed consistently from 66 victims in September to a six-month high of 115 in March, before stabilizing in the low-to-mid 90s through April, May, and June. This plateau after the March peak suggests the sector has settled into a new, elevated baseline rather than reverting to earlier levels. A range of 270 to 300 victims over the next 90 days is plausible if this baseline holds, with risk skewed toward the upper end given the sector’s overall growth trajectory since September.
Actor behaviour: Thegentlemen, Akira, and Qilin maintained consistent activity across every month, indicating manufacturing is a deliberate and ongoing target for these groups rather than an opportunistic one. Payoutsking drove a concentrated spike in April, while Threeam emerged in late May and quickly became a significant contributor to June volume, demonstrating that new entrants can rapidly escalate sector-specific targeting. This pattern of rotating high-output actors is likely to continue, sustaining volume even as individual gangs cycle in and out of peak activity.
Geographic targeting: The USA remains the dominant target, accounting for 33% of all victims, though its volume declined the most of any country in the current period. Germany, China, Turkey, and the UK recorded the sharpest elevations, pointing to a broadening of attacker focus into European and Asian manufacturing bases. Geographic spread increased from 45 to 49 countries, the widest coverage seen in recent periods, suggesting threat actors are diversifying targets rather than concentrating on a shrinking set of high-value regions.
Subsector risk: Food & Beverage Production and Machinery & Heavy Equipment lead subsector exposure, with Metal Fabrication and Electronic Components also heavily represented. The breadth of victims across nearly every manufacturing subsector indicates limited safe harbour within the vertical, with operational disruption risk compounding the data exposure risk typical of other sectors.
APT Campaigns (Elevated): Manufacturing featured in 20 of 42 observed campaigns (48%), up from 13 of 19 last period, though overall share declined from 68%. This period recorded the broadest China-linked actor grouping observed across all sectors, spanning nine distinct groups including Volt Typhoon, Salt Typhoon, and Earth Estries. Operating systems recorded a notably higher targeted share than in most other sectors, reflecting exposure to operational technology and host-level systems. Victim distribution spans 31 countries, with the US leading by more than double the UK’s total.
Reported Cyber Incidents (Elevated): 18 incidents recorded, ranking 10th across industries, though OT/ICS attacks dominated and sharply escalated in the final 30 days. FortiBleed, a credential-harvesting campaign against FortiGate devices, harvested 110 million credentials and represents a direct pathway into OT networks given FortiGate’s common deployment at the IT/OT boundary. Iran’s CyberAv3ngers found nearly 4,000 US industrial devices exposed. Ransomware hit Foxconn, the world’s largest electronics contract manufacturer, illustrating continued targeting of critical supply chain chokepoints.
Underground & Dark Web Chatter (Elevated): Manufacturing ranked 10th at 3.08% of detected chatter. Breach and leak mentions collapsed in the final period, consistent with broader forum disruption patterns. Ransomware was the only category to register meaningfully across all three periods without collapsing, making it the most reliable signal in the dataset. Notably, hacktivism, DDoS, claimed hacks, and web exploits all trended upward in the final period, suggesting diversifying rather than diminishing attacker interest.
Vulnerabilities (Elevated): Manufacturing ranked 6th at 4.32% of industry-linked disclosures. RCE vulnerabilities more than quadrupled and remained substantially elevated in the final period rather than reverting to baseline. The defining feature is breadth: multiple vulnerability categories rose together mid-period, and several stayed elevated, a more durable risk signal than any single-category spike.
Ransomware (High): 279 victims, ranking 2nd across all industries at 12.48% of all ransomware victims. Victim count has been broadly sustained, down just 1.4% from 283 prior, though the share declined more notably from 13.35%. Monthly activity climbed steadily from September through a March peak of 115, then stabilized in the low-to-mid 90s. Food & Beverage Production and Machinery & Heavy Equipment led sub-sector victim counts. 62% of active gangs recorded manufacturing victims, with Akira directing 25.8% of its total global activity at this sector specifically. Geographic spread widened from 45 to 49 countries.