The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the consumer goods & services industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the energy industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the consumer goods & services industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
OBSERVED ATTACK CAMPAIGNS
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
PHISHING
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation rather than intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some are simply not good phishing lures.
RANSOMWARE
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
Consumer goods & services organizations featured in 5 out of the 10 observed campaigns, which is a presence in 50% of campaigns.
We observe consistent moderate activity across the months with no discernable trends.
Chinese APT groups are the most common suspected threat actors. Additionally, we’ve noticed activities attributed to the North Korean Lazarus Group and the Iranian US17RGCorp.
Recorded victims of observed attack campaigns span 26 different countries. Japan stands out with a presence in 4 out of 5 campaigns observed.
Web Applications were targeted in 4 out of 5 campaigns. Then each campaign focused on Cloud Services, Operating Systems and IaaS.
Risk Level Indicator: Medium
In the past 90 days, the consumer goods and services industry has experienced a moderate volume of detections. The overall presence of victims from this industry in observed campaigns has decreased from 61% to 50% since the last 90-day period.
The 5 observed campaigns were attributed mostly to the Chinese Mustang Panda APT and the North Korean Lazarus Group. We also observed the Iranian APT US17RGCorp.
Geographically, Japan recorded victims in 4 out of 5 campaigns, with 25 other countries also recording victims. Specifically, the APAC region is the most affected.
Web applications remain the most frequently targeted technology across various industries and were attacked in 4 out of 5 observed campaigns. Additionally, cloud services, operating systems and Infrastructure-as-a-Service were targeted.
Over the past 3 months, CYFIRMA’s telemetry recorded 8,656 phishing campaigns, out of a total of 324,694, that impersonated consumer goods & services industry organizations.
Combined categories of e-Commerce, Gambling and Retail/Service make up 2.66% of all observed phishing themes.
Bet365, Mercari and Amazon are the top 3 impersonated brands responsible for the majority of observed consumer goods and services themes.
Hong Kong and the US are the source of the majority of observed campaigns.
Risk Level Indicator: Low
The consumer goods & services industry is a relatively frequent theme for phishing campaigns, often involving spear-phishing attacks by geopolitically motivated Advanced Persistent Threats (APTs) and ransomware affiliates.
However, it constitutes only 2.66% of all observed phishing. Therefore, we maintain that the overall risk factor remains low, particularly since a small number of brands are responsible for the majority of these instances.
Interestingly, the primary source of consumer goods & services-themed phishing is Hong Kong. We attribute this to Chinese threat actors utilizing Hong Kong as a proxy for conducting these end-user-oriented phishing campaigns. Notably, phishing campaigns themed around Amazon are particularly popular and frequent, especially in targeting users in Japan.
In the past 90 days, CYFIRMA has identified 150 verified ransomware victims within the consumer goods & services industry sectors. This accounts for 12.8% of the overall total of 1,168 ransomware incidents during the same period.
The monthly activity chart shows a spike in March, which stands out even when adding up the partial months of January and early April. January is typically a lower activity month as even cybercrime takes holidays.
A breakdown of monthly activity offers insights into group-specific patterns. Notably, Blackbasta surpassed Lockbit3 after the law enforcement takedown in February.
In total, 32 out of 50 active groups recorded consumer goods & services organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparing the consumer goods & services industry to all recorded victims, Blackbasta stands out with a relatively high share of victims: 25 out of 74 (33.8%). Akira stands out as well, with 14 out of 59 (23.7%).
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
In total, 29 countries recorded ransomware victims, with the US alone accounting for ~47% of all victims with identified geography, followed by the UK and Canada.
Food & Beverage, Retail Fashion and Hospitality stand out as the top 3 sectors with the most victims in consumer goods & services.
Risk Level Indicator: High
The consumer goods & services industry receives a high-risk indicator for ransomware. In the last 90 days, victims from the consumer goods & services industry accounted for 12.8% of all victims, an increase from the previous 9.2% share. Monthly activity recorded a spike in March (62 victims), following generally low volumes in January, and returning to numbers observed in the previous 90-day period.
Breaking down victimology by ransomware group, Blackbasta (25) emerges as the most active, primarily driving the March spike and responsible for 15.8% of the total 150 victims. Additionally, Akira (14), the third most active gang, exhibits a notable focus on this industry, representing 23.7% of their respective total victims.
The trend of high involvement from mid- to small-sized ransomware groups continues, with 32 out of 50 active groups in the last 90 days having victims in this industry—a trend first noticed in September of the previous year and likely to increase after the law enforcement disruption of Lockbit.
Analyzing the 150 victims across 29 different countries, the United States bears the highest impact with 71 victims (47% of all), followed by the UK (9) and Canada (8).
Examining specific sectors reveals that Food & Beverage, Retail Fashion, and Hospitality were the most frequent victims.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series.
In the external threat landscape of the consumer goods & services industry, we observe a mixed risk across monitored categories.
Observed Advanced Persistent Threat (APT) campaigns have decreased to a medium-risk level, as the past 90 days were relatively quiet, with consumer goods & services victims detected in 5 out of 10 campaigns (50%). Campaigns were mostly attributed to the Chinese nation-state APT Mustang Panda and the North Korean Lazarus Group.
Phishing received a low-risk indicator, as this industry represents only 2.66% of all observed phishing attempts, with only a few brands behind the majority of impersonations. Notable are Amazon-themed campaigns originating from Hong Kong and targeting Japan.
Ransomware remains a significant concern, with consumer goods & services companies vulnerable to operational disruptions. This industry comprised 12.8% of all victims in the last 90 days, a slight increase from 9.2% in the previous period. Blackbasta (25 victims) and Lockbit3 (24 victims) were the two most active gangs.