The CYFIRMA Industries Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the professional goods & services industry, presenting key trends and statistics in an engaging infographic format.
Threat landscape of the energy industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the professional goods & services industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
OBSERVED ATTACK CAMPAIGNS
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
PHISHING
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some are simply not good phishing lures.
RANSOMWARE
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Advanced Persistent Threat Attack Campaigns
Professional goods & services organizations featured in 8 out of the 18 observed campaigns, which is a presence in 42% of campaigns.
Observed Campaigns per month
The monthly chart shows a resurgence in November and December after a period of generally low campaign detections in September and October.
Suspected Threat Actors
The majority of suspected threat actors are nation-state APTs, with TA505 also being known to collaborate with the Russian government.
GEOGRAPHICAL DISTRIBUTION
Victims of the observed attack campaigns were recorded in 16 different countries, split between Chinese and Russian national interests, with a notably high count of Asian countries.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on attacking web applications, application security software, operating systems and infrastructure.
Risk Level Indicator: Medium
Following a lull during the summer months, a wave of new detections emerged throughout November and December. Among the sectors affected, the professional goods & services industry reported victims in 8 out of 18 observed campaigns.
Remarkably, the majority of these incidents appear linked to suspected nation-state threat actors. Upon deeper analysis, it became evident that most affected entities are from the energy and telecommunications equipment and service sectors. These sectors hold strategic significance for nation-states and their Advanced Persistent Threats (APTs). Notably, both Russian and Chinese APTs have exhibited heightened activity, aligning with the prevailing geopolitical landscape, including the geographical distribution of observed victims.
Geographically, a substantial presence of Asian countries has been noted, countries of particular interest to Chinese APTs. This encompasses well-known regional counterparts such as India, Japan, the Philippines, Australia, Vietnam, and Taiwan, alongside Singapore, Brunei, Malaysia, and Thailand. In contrast, Russian threat actors have been observed targeting European countries in the context of the ongoing Ukraine-Russia conflict.
The focus of these attacks has primarily been on web applications, application security software, and operating systems. Notably, December witnessed Mustang Panda’s campaign employing USB drive-by attacks, exploiting legitimate software.
Over the past 3 months, CYFIRMA’s telemetry recorded 1,244 phishing campaigns that impersonated professional goods & services industry brands, out of a total of 286,812, which accounts for 0.4% of all campaigns.
Due to the variety of sectors under professional goods & services, we do not track it as a category. Furthermore, many fall into some of the other categories we have covered in respective industry reports.
Global Distribution of Phishing themes per sector
Top 25 Impersonated Brands
InterActiveCorp, LinkedIn and Rakuten are the only industry brands observed in our logs.
Risk Level Indicator: Low
Excluding spear-phishing attacks by geopolitically motivated APTs and ransomware affiliates, the professional goods & services industry is not an attractive phishing lure. The intricate web of relationships within the professional goods & services sector establishes an environment ripe for targeted attacks. The absence of broad consumer-facing branding reduces the efficacy of mass phishing “spray and pray” types of campaigns.
Yet, this specialized network presents an appealing landscape for threat actors seeking precise, tailored approaches—leveraging spear-phishing tactics to exploit trusted channels and supply-chain vulnerabilities for maximal impact.
In the past 90 days, CYFIRMA has identified 250 verified ransomware victims within the professional goods & services sectors. This accounts for 18.5% of the overall total of 1,346 ransomware incidents during the same period.
The monthly activity chart
Monthly trends show consistent numbers without a clear trend.
Breakdown of monthly activity by gangs
A breakdown of the monthly activity provides insights into per-group activity. For example, Lockbit3 and ALPHV have been consistently active, whereas Blackbasta recorded victims mostly in November and Noescape in October.
Ransomware Victims in Professional Goods & Services Industry per Group
In total, 34 out of 49 groups recorded professional goods & services organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparison to All Ransomware Victims by Group (Top 20)
Compared to all recorded victims in the same time period, the Play gang records a comparatively lower number of victims in this industry, suggesting low interest.
Geographic Distribution Of Victims
The heatmap of geographic distribution shows concentration in North America and Western Europe. However, India and Latin America also recorded significant numbers of victims.
Total victims per country
In total, 33 countries recorded ransomware victims, with the US alone accounting for ~53% of all victims.
Sectors distribution
Listing consolidated sectors matched under the professional goods & services umbrella shows Legal services and Consulting as the most attacked sectors.
Risk Level Indicator: Moderate
The professional goods & services industry emerges statistically as the most targeted industry, with 18.5% of all ransomware victims being from this industry. However, we maintain an overall moderate threat risk indicator due to the high number of various sectors, which naturally overlap with other industries. Overall, we identified 250 victims across 65 different sectors, diluting the overall risk.
Conversely, law firms and legal services warrant a HIGH-risk designation, emerging as the most heavily targeted sector, closely followed by various consulting firms.
While Lockbit3, being the most dominant gang, recorded the most victims in this industry, relative to all ransomware victims in the same period ALPHV, BlackBasta and 8Base were highly active in this sector.
Geographically, the USA reported 53% of all known victims, primarily attributed to its robust professional services economy. Following closely is the UK, representing 9% of victims, notable for its professional legal, consulting, and accounting services industry.
In summary, the recent surge in APT campaigns during November and December highlighted a significant impact on the professional goods & services sector, revealing a concerning trend. Suspected nation-state threat actors, notably Russian and Chinese APTs, intensified their activities, targeting strategic sectors like equipment and servicing in energy and telecommunications industries across regions of their respective geopolitical interests.
While this sector didn’t attract phishing impersonation attacks due to its nuanced structure, it became the most targeted industry for ransomware incidents, accounting for 18.5% of victims. Nonetheless, the diverse landscape across 65 different sectors tempered the overall threat risk. However, law firms and legal services emerged as high-risk targets.
Lockbit3, ALPHV, BlackBasta, and 8Base were the most active ransomware gangs in this industry. Geographically, the USA and the UK faced substantial impacts, reflecting the robustness of their professional services economies.