The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the consumer goods & services industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the consumer goods & services industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the consumer goods & services industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
OBSERVED ATTACK CAMPAIGNS
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
PHISHING
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries are simply not good phishing lures.
RANSOMWARE
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
PAST 90 DAYS IN NUMBERS
Advanced Persistent Threat Attack Campaigns
Consumer goods & services organizations featured in 11 out of the 18 observed campaigns, which is a presence in 61% of campaigns.
Observed Campaigns per month
The monthly chart shows a resurgence in November and a new spike in December after a period of generally low campaign detections in September and October.
Suspected Threat Actors
Suspected threat actors are divided between nation-state and financially motivated APTs, with Russian TAs being the most active.
GEOGRAPHICAL DISTRIBUTION
Victims of the observed attack campaigns were recorded in 20 different countries, split between Chinese and Russian national interests and with notably growing numbers in the APAC region.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on attacking web applications, application security software, operating systems, remote access and infrastructure.
Risk Level Indicator: High
Following a quiet period in the summer months, a surge of new detections emerged throughout November and December. Among the affected sectors, the consumer goods & services industry reported victims in 11 out of 18 observed campaigns.
Notably, the majority of these campaigns appear to be orchestrated by financially motivated threat actors. Most consumer-oriented industries are not aligned with strategic nation-state interests for cyber-attacks.
Geographically, a significant presence of Asian countries has been observed, particularly appealing to Chinese APTs. This includes well-known regional counterparts such as India, South Korea, Japan, the Philippines, Australia, Vietnam, and Taiwan, alongside Singapore, Brunei and Malaysia. In contrast, Russian threat actors have targeted European countries amidst the ongoing Ukraine-Russia conflict.
The primary focus of these attacks has been on web applications, application security software, operating systems, and remote access.
Over the past 3 months, CYFIRMA’s telemetry recorded 3,556 phishing campaigns, out of a total of 293,420, that impersonated consumer goods & services industry brands, which accounts for 1.2% of all campaigns.
Due to the variety of sectors under consumer goods & services, we do not track it as a category. On the pie chart, the included categories are e-Commerce, Payment Services and Retail/Services.
Global Distribution of Phishing themes per sector
Top Impersonated Brands
Global e-Commerce and Payment brands are among the most impersonated consumer services.
Top Countries of Origin based on ASN (Top 25)
Unlike other industries like Logistics or Telecommunications & Media, where we observed significant growth originating from Vietnam and Indonesia in terms of phishing and spam, the consumer goods & services industry shows a different trend. In this sector, the leading sources are the USA, Hong Kong, the Netherlands, and Japan.
Risk Level Indicator: Medium
In the consumer goods & services sector, prominent e-commerce and payment platforms have emerged as the primary targets for impersonation. These platforms boast expansive user bases, rendering them ideal for large-scale ‘spray and pray’ phishing campaigns. Furthermore, their direct monetization potential makes them lucrative for threat actors seeking immediate gains.
Interestingly, this sector diverges from others such as Logistics or Telecommunications & Media, where we witnessed substantial growth in phishing and spam originating from Vietnam and Indonesia. Contrarily, within consumer goods & services, the leading sources are the USA, Hong Kong, the Netherlands, and Japan.
Despite these trends, our overall risk assessment remains moderate. This moderation is attributed to the industry’s fragmented nature, wherein beyond the larger brand names, impersonation rates remain relatively moderate.
In the past 90 days, CYFIRMA has identified 124 verified ransomware victims within the consumer goods & services sectors. This accounts for 9.2% of the overall total of 1,346 ransomware incidents during the same period.
The monthly activity chart
Monthly trends show consistent numbers and a considerable growth trend.
Breakdown of monthly activity by gangs
A breakdown of the monthly activity offers valuable insights into the behavior of distinct groups. Notably, Lockbit3 and 8Base exhibited heightened activity during November and December, accounting for the observed growing trend. In contrast, October’s figures were influenced by ALPHV alongside several smaller gangs.
Ransomware Victims in Consumer Goods & Services Industry per Group
In total, 30 out of 49 groups recorded consumer goods & services organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparison to All Ransomware Victims by Group (Top 25)
Compared to all recorded victims in the same time period, the Lockbit3 gang records a comparatively lower number of victims in this industry, suggesting lower interest.
Geographic Distribution Of Victims
The heatmap of geographic distribution shows concentration in North America and Western Europe. However, Russia and Singapore also recorded a substantial number of victims.
Total victims per country
In total, 29 countries recorded ransomware victims, with the US alone accounting for ~46% of all victims.
Sectors distribution
Listing consolidated sectors matched under the consumer goods & services umbrella shows Food & Beverages and Travel & Tourism as the most attacked sectors.
Risk Level Indicator: Moderate
Statistically, consumer goods & services account for nearly every tenth ransomware victim. However, due to the diverse nature of this industry, our overall risk factor remains moderate. Yet, within this broad spectrum, we identify Food & Beverages, Travel & Tourism, and Fashion/Apparel retailers as particularly vulnerable, prompting an increased risk rating to high.
Although Lockbit3 accounted for the most victims in this industry, their share in comparison to overall activity is notably lower. Together with 8base, Blackbasta, Play, and ALPHV, they constitute the top 5 active gangs, responsible for 60% of all victims.
As anticipated, top Western economies including Australia, along with Singapore and predominantly the USA, have recorded the highest number of victims due to their extensive consumer purchasing power and market size. Notably, we’re witnessing instances of ransomware impacting Russia and Iran, previously considered ‘immune’ as they hosted most of the threat actors. This shift suggests evolving geopolitical events potentially dividing ransomware operators and their affiliates.
The consumer goods & services industry faced a notable surge in cyber threats, primarily via APT campaigns orchestrated by financially motivated actors, warranting a high risk rating. These attacks targeted web applications, security software, and remote access.
In the realm of phishing, prominent e-commerce and payment platforms within this sector became prime targets for large-scale phishing campaigns, primarily originating from the USA, Hong Kong, the Netherlands, and Japan. Despite this, the overall risk assessment for the industry remains moderate due to its fragmented nature, although prominent brands are particularly susceptible.
Regarding ransomware, while the consumer goods & services sector accounts for a significant number of victims, its diverse nature maintains a moderate overall risk factor. However, specific segments such as Food & Beverages, Travel & Tourism, and Fashion/Apparel face heightened vulnerability, leading to an increased risk rating. Notably, Western economies including Australia, along with Singapore and led by the USA, recorded the highest number of victims. Regions previously considered immune, like Russia and Iran, are now affected, indicating geopolitical shifts impacting ransomware activities.