CYFIRMA Industry Report : Manufacturing

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the manufacturing industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the energy industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the manufacturing industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

• Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
• Each attack campaign may target multiple organizations across various countries.
• Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
• Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

• Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
• Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

• Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
• In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
• During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
• Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
• Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

PAST 90 DAYS IN NUMBERS

Advanced Persistent Threat Attack Campaigns
Manufacturing organizations featured in 6 out of the 12 observed campaigns, which is a presence in 50% of campaigns.

Observed Campaigns per Month

The monthly chart shows a significant drop in active campaigns since the spike in July.

Suspected Threat Actors

Accounting for overlaps between Mission2025, APT41 and Stone Panda, nation-state threat actors are more represented in long-term attack campaigns over financially motivated groups.

GEOGRAPHICAL DISTRIBUTION
Europe is again taking the lead as the most attacked region. Our hypothesis is related to Russian linked threat actors aiming at energy utilities in relation to war with Ukraine.

Web applications continue to be the most attacked technology across industries. While application infrastructure and databases are of high interest in the manufacturing industry.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most attacked technology across industries. While application infrastructure is of high interest in energy industry.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

Monthly activity has witnessed a significant decline since the surge in the summer attributed to North Korean and Chinese threat actors. Subsequently, only a limited number of new campaigns have been uncovered. Our telemetry data reveals a cyclical pattern in which the discovery of new Tactics, Techniques, and Procedures (TTPs) leads to a surge in campaign identification, followed by a period of relative calm. However, we presume that threat actors remain active, potentially in a state of temporary withdrawal or employing as-yet-undetected TTPs.

When it comes to suspected threat actors targeting manufacturing organizations, the data suggests continued interest from nation-state actors in China and Russia. The low numbers of financially motivated threat actors may be linked to the recent and still ongoing restructuring and rebranding of some ransomware groups linked to groups such as FIN7, FIN11, or TA505.

In terms of geographical impact, Japan remains the most frequently targeted country, closely followed by the USA and the UK. Represented countries correlate with the geopolitical interests of Chinese and Russian Advanced Persistent Threat (APT) groups, as well as those with strong manufacturing industries, including aerospace and defense.

Web applications remain the most commonly targeted technology for cyberattacks across various industries, with application infrastructure following closely in terms of vulnerability. Additionally, we have also observed a higher frequency of attacks on database software in the manufacturing sector.

PHISHING ATTACKS IN THE MANUFACTURING INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded only 3 phishing campaigns out of a total of 209,896 that impersonated the manufacturing industry. Excluding Automotive and Pharma manufacturing, as those will have their own dedicated reports.That equals 0.001% of observed campaigns and as such manufacturing sector is not tracked as a category.

Global Distribution of Phishing Themes per Sector

Impersonated Manufacturing Industry Brands

Xiaomi Electronics and Hermes luxury goods maker are the only two manufacturing brands impersonated with 2 and 1 campaigns respectively.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

Excluding spear-phishing attacks by geopolitically motivated APTs and ransomware affiliates. The manufacturing industry is generally not considered an attractive lure or even a target for phishing campaigns for several reasons. First and foremost, the nature of their operations typically involves specialized machinery, production processes, and proprietary technologies that are hard to understand and may not be as valuable or easily monetizable for cybercriminals, when compared to other sectors like finance or healthcare.Moreover, manufacturing companies typically have less direct access to high-value personal or financial information that cybercriminals typically target, such as credit card data or social security numbers. This limits the potential rewards for phishing attacks on these organizations. The lack of extensive customer databases in manufacturing can also be a deterrent for cybercriminals, as they prefer sectors with more substantial troves of personal information to exploit.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 189 verified ransomware victims within the manufacturing industry sectors. This accounts for 11.5% of the overall total of 1,641 ransomware incidents during the same period.

The Monthly Activity Chart

Monthly trends show a gradual decline in manufacturing victims since August.

Breakdown of Monthly Activity by Gang

A breakdown of the monthly activity shows the Lockbit3, Cl0p with Blackbasta and Cloak gangs with their summer rampage behind the August spike. While ALPHV, Play, 8base, Bianlian and other smaller gangs were highly active in September and October.

Ransomware Victims in Manufacturing Industry per Group

In total 36 out of 52 groups recorded manufacturing organization victims in the past 90 days. The top 4 are responsible for half of them.

Comparison to All Ransomware Victims by Group (Top 25)

Compared to all recorded victims in the same time period, some groups; Noescape or Ransomed, have a comparatively low share of manufacturing victims, suggesting a lower interest.

Geographic Distribution Of Victims

The heatmap of geographic distribution illustrates the global reach of ransomware across continents and is considerably correlated with strong manufacturing economies.

Total Victims per Country

In total 33 countries recorded manufacturing industry ransomware victims with the US alone accounting for ~38.9% of all.

Sectors Distribution

Listing all sectors matched under the manufacturing industry umbrella shows victims across sectors, including many niches.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The manufacturing industry is the most attacked industry by ransomware. With one out of every ten ransomware victims in the last 90 days being manufacturing businesses. Monthly cyberactivity consistently reveals a significant volume of cyberattacks, with a notable peak in August. A closer look at the responsible groups highlights the Lockbit3 and Cl0p gangs’ August rampage. In September, the ALPHV group, along with 8Base, Play, and several mid-sized and smaller gangs, contributed to an increased number of victims.

Data on the total number of victims per group indicates that the manufacturing industry is predominantly targeted by larger gangs, with the top four accounting for half of all victims. However, starting in September, we observed a growing share and the emergence of many new or rebranded mid-sized groups with a significant number of victims.

Out of the 52 active gangs in the past 90 days, 36 have specifically targeted the manufacturing industry. Notably, Lockbit3, Cl0p, ALPHV, 8Base, Play, and Cloak have shown a keen interest in this sector.

Among the 189 victims with identified locations across 33 different countries, the United States stands as the most affected, with 67 victims, followed by Germany and the UK. While the United States remains the most targeted country across various industries, its share of manufacturing victims compared to other industries is significantly lower, illustrating the big gangs’ ability to strike globally if they find targets lucrative enough.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

The manufacturing industry, especially in strategically vital sectors like defence and cutting-edge technology, faces significant risks from advanced threat actors. Our data underscores a persistent campaign of cyberattacks by Chinese and Russian Advanced Persistent Threat (APT) groups across diverse regions, with a specific focus on their geopolitical rivals and neighboring nations. Despite a decline in the detection of APT campaigns, a strong correlation persists between the current geopolitical landscape and the most targeted countries.

The manufacturing industry is not an attractive target for phishing cybercriminals due to the complexity of its operations and the lack of easily monetizable data. Manufacturing businesses often lack direct access to high-value personal or financial information, and they typically have limited customer databases.

At the same time, manufacturing remains the most attacked industry by ransomware gangs, with one in ten ransomware victims in the last 90 days belonging to this industry. The Lockbit3 and Cl0p gangs have been particularly active, and data shows a growing number of victims, both from larger and mid-sized ransomware groups, targeting manufacturing companies.