The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the manufacturing industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the energy industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the manufacturing industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Advanced Persistent Threat Attack Campaigns
Manufacturing organizations featured in 6 out of the 12 observed campaigns, which is a presence in 50% of campaigns.
Observed Campaigns per Month
The monthly chart shows a significant drop in active campaigns since the spike in July.
Suspected Threat Actors
Accounting for overlaps between Mission2025, APT41 and Stone Panda, nation-state threat actors are more represented in long-term attack campaigns over financially motivated groups.
GEOGRAPHICAL DISTRIBUTION
Europe is again taking the lead as the most attacked region. Our hypothesis is related to Russian linked threat actors aiming at energy utilities in relation to war with Ukraine.
Web applications continue to be the most attacked technology across industries. While application infrastructure and databases are of high interest in the manufacturing industry.
TOP ATTACKED TECHNOLOGY
Web applications continue to be the most attacked technology across industries. While application infrastructure is of high interest in energy industry.
Risk Level Indicator: Moderate
Monthly activity has witnessed a significant decline since the surge in the summer attributed to North Korean and Chinese threat actors. Subsequently, only a limited number of new campaigns have been uncovered. Our telemetry data reveals a cyclical pattern in which the discovery of new Tactics, Techniques, and Procedures (TTPs) leads to a surge in campaign identification, followed by a period of relative calm. However, we presume that threat actors remain active, potentially in a state of temporary withdrawal or employing as-yet-undetected TTPs.
When it comes to suspected threat actors targeting manufacturing organizations, the data suggests continued interest from nation-state actors in China and Russia. The low numbers of financially motivated threat actors may be linked to the recent and still ongoing restructuring and rebranding of some ransomware groups linked to groups such as FIN7, FIN11, or TA505.
In terms of geographical impact, Japan remains the most frequently targeted country, closely followed by the USA and the UK. Represented countries correlate with the geopolitical interests of Chinese and Russian Advanced Persistent Threat (APT) groups, as well as those with strong manufacturing industries, including aerospace and defense.
Web applications remain the most commonly targeted technology for cyberattacks across various industries, with application infrastructure following closely in terms of vulnerability. Additionally, we have also observed a higher frequency of attacks on database software in the manufacturing sector.
Over the past 3 months, CYFIRMA’s telemetry recorded only 3 phishing campaigns out of a total of 209,896 that impersonated the manufacturing industry. Excluding Automotive and Pharma manufacturing, as those will have their own dedicated reports.That equals 0.001% of observed campaigns and as such manufacturing sector is not tracked as a category.
Global Distribution of Phishing Themes per Sector
Impersonated Manufacturing Industry Brands
Xiaomi Electronics and Hermes luxury goods maker are the only two manufacturing brands impersonated with 2 and 1 campaigns respectively.
Risk Level Indicator: Low
Excluding spear-phishing attacks by geopolitically motivated APTs and ransomware affiliates. The manufacturing industry is generally not considered an attractive lure or even a target for phishing campaigns for several reasons. First and foremost, the nature of their operations typically involves specialized machinery, production processes, and proprietary technologies that are hard to understand and may not be as valuable or easily monetizable for cybercriminals, when compared to other sectors like finance or healthcare.Moreover, manufacturing companies typically have less direct access to high-value personal or financial information that cybercriminals typically target, such as credit card data or social security numbers. This limits the potential rewards for phishing attacks on these organizations. The lack of extensive customer databases in manufacturing can also be a deterrent for cybercriminals, as they prefer sectors with more substantial troves of personal information to exploit.
In the past 90 days, CYFIRMA has identified 189 verified ransomware victims within the manufacturing industry sectors. This accounts for 11.5% of the overall total of 1,641 ransomware incidents during the same period.
The Monthly Activity Chart
Monthly trends show a gradual decline in manufacturing victims since August.
Breakdown of Monthly Activity by Gang
A breakdown of the monthly activity shows the Lockbit3, Cl0p with Blackbasta and Cloak gangs with their summer rampage behind the August spike. While ALPHV, Play, 8base, Bianlian and other smaller gangs were highly active in September and October.
Ransomware Victims in Manufacturing Industry per Group
In total 36 out of 52 groups recorded manufacturing organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparison to All Ransomware Victims by Group (Top 25)
Compared to all recorded victims in the same time period, some groups; Noescape or Ransomed, have a comparatively low share of manufacturing victims, suggesting a lower interest.
Geographic Distribution Of Victims
The heatmap of geographic distribution illustrates the global reach of ransomware across continents and is considerably correlated with strong manufacturing economies.
Total Victims per Country
In total 33 countries recorded manufacturing industry ransomware victims with the US alone accounting for ~38.9% of all.
Sectors Distribution
Listing all sectors matched under the manufacturing industry umbrella shows victims across sectors, including many niches.
Risk Level Indicator: High
The manufacturing industry is the most attacked industry by ransomware. With one out of every ten ransomware victims in the last 90 days being manufacturing businesses. Monthly cyberactivity consistently reveals a significant volume of cyberattacks, with a notable peak in August. A closer look at the responsible groups highlights the Lockbit3 and Cl0p gangs’ August rampage. In September, the ALPHV group, along with 8Base, Play, and several mid-sized and smaller gangs, contributed to an increased number of victims.
Data on the total number of victims per group indicates that the manufacturing industry is predominantly targeted by larger gangs, with the top four accounting for half of all victims. However, starting in September, we observed a growing share and the emergence of many new or rebranded mid-sized groups with a significant number of victims.
Out of the 52 active gangs in the past 90 days, 36 have specifically targeted the manufacturing industry. Notably, Lockbit3, Cl0p, ALPHV, 8Base, Play, and Cloak have shown a keen interest in this sector.
Among the 189 victims with identified locations across 33 different countries, the United States stands as the most affected, with 67 victims, followed by Germany and the UK. While the United States remains the most targeted country across various industries, its share of manufacturing victims compared to other industries is significantly lower, illustrating the big gangs’ ability to strike globally if they find targets lucrative enough.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
The manufacturing industry, especially in strategically vital sectors like defence and cutting-edge technology, faces significant risks from advanced threat actors. Our data underscores a persistent campaign of cyberattacks by Chinese and Russian Advanced Persistent Threat (APT) groups across diverse regions, with a specific focus on their geopolitical rivals and neighboring nations. Despite a decline in the detection of APT campaigns, a strong correlation persists between the current geopolitical landscape and the most targeted countries.
The manufacturing industry is not an attractive target for phishing cybercriminals due to the complexity of its operations and the lack of easily monetizable data. Manufacturing businesses often lack direct access to high-value personal or financial information, and they typically have limited customer databases.
At the same time, manufacturing remains the most attacked industry by ransomware gangs, with one in ten ransomware victims in the last 90 days belonging to this industry. The Lockbit3 and Cl0p gangs have been particularly active, and data shows a growing number of victims, both from larger and mid-sized ransomware groups, targeting manufacturing companies.