Self Assessment

CYFIRMA INDUSTRY REPORT : MANUFACTURING

Published On : 2024-06-24
Share :
CYFIRMA INDUSTRY REPORT : MANUFACTURING

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the manufacturing industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the manufacturing industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the manufacturing industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Manufacturing organizations featured in 7 out of the 12 observed campaigns, which is a presence in 58.3% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

We are observing a fluctuating trend, mostly dependent on the overall volume of observed campaigns. Nonetheless, manufacturing continues to be targeted in about half of all observed campaigns.

SUSPECTED THREAT ACTORS

We observed a varied mix of the suspected threat actors. Two campaigns were attributed to Mustang Panda from China, as well as another Chinese group, TICK. Additionally, we identified Vietnamese CoralRaider, Russian Sandworm, North Korean Lazarus Groups, and yet unknown Thai-speaking cybercriminals.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 20 different countries across continents. Most targeted countries correlate with the origins of the threat actors – East and Southeast Asia. Especially, Japan and Singapore appear to be highly targeted as local manufacturing powerhouses.

TOP ATTACKED TECHNOLOGY

Web applications continue to rank as the most targeted technology across industries. Additionally, compromises were observed in operating systems and IaaS solutions.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

In the past 90 days, manufacturing organizations have been moderately impacted by advanced persistent threat (APT) campaigns. Just 58.3% of observed APT campaigns targeted the manufacturing sector, with 7 out of 12 total campaigns affecting this industry.

Monthly Trends
An analysis of monthly trends shows a fluctuation in APT activity from late March to mid-June. Manufacturing, however, is targeted by around half of all the observed campaigns, regardless of the total numbers observed.

Key Threat Actors
The most active threat actors identified were the Chinese APT Mustang Panda with two attributed campaigns. One detection came from another Chinese group, TICK. Additionally, we identified Vietnamese CoralRaider, Russian Sandworm, North Korean Lazarus Groups, and yet unknown Thai-speaking cybercriminals, each responsible for one campaign.

Geographical Impact
The campaigns affected a total of 20 countries, with Japan being the hardest hit (7 out of 7 campaigns). Singapore was the second most impacted (5 out of 7 campaigns). Despite its small size, Singapore’s status as a regional powerhouse, particularly in manufacturing, makes it a logical target. Given that, all but one of the threat actors is from East and Southeast Asia, the concentration of attacks in the region is understandable.

Targeted Technologies
Web applications emerged as the most targeted technology within these campaigns. Additionally, operating systems and Infrastructure-as-a-Service solutions were also compromised.

PHISHING ATTACKS IN THE MANUFACTURING INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 208 phishing campaigns themed around manufacturing out of a total of 263,432.
 
The chart below illustrates the global distribution of observed themes. Manufacturing accounts only for 0.07% of all captured phishing attempts and therefore is not tracked as a category.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

Most of the detections are for the organization “Made-in-China”, which is an international organization certifying various Chinese manufacturers and suppliers. Lojas Renner is a Brazilian retailer with some manufacturing overlap. Falabella is similar but headquartered in Chile. Otsuka is a pharma manufacturer from Japan.

TOP COUNTRIES OF ORIGIN (ASN)

The geographical sources of the observed phishing campaigns show that the “Made-in-China” organization is being exploited from China itself, likely as a theme to exploit international entities.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

The manufacturing warrants a low-risk factor.

As established in previous manufacturing industry reports, it does not present an attractive lure for wider “spray and pray” types of phishing campaigns.

The data indicates that Made-in-China is the most impersonated organization related to manufacturing, though it is a certification organization for manufacturers and suppliers. Apart from that, Japanese Otsuka is a pharma manufacturer, and other companies are retailers with some manufacturing overlap.

ASN-origin data reveals that the Made-in-China certification organization seems to be exploited from inside of China, most likely as a lure for targeting international companies.

Generally speaking and excluding spear-phishing attacks by geopolitically motivated APTs and ransomware affiliates, the manufacturing industry is not typically considered as an attractive target for phishing campaigns for several reasons.

Primarily, the industry relies on specialized machinery, production processes, and proprietary technologies that are difficult to understand and may not be as valuable or easily monetizable for cybercriminals compared to sectors like finance.

Moreover, manufacturing companies usually have less direct access to high-value personal or financial information, such as credit card data or social security numbers, which cybercriminals often target. This reduces the potential rewards for phishing attacks on these organizations. Additionally, the absence of extensive PII databases in manufacturing serves as a deterrent for cybercriminals, who often prefer sectors with larger troves of personal information to exploit.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 128 verified ransomware victims in the manufacturing industry. This accounts for 10% of the overall total of 1,274 ransomware victims during the same period. Overlapping automotive and materials sectors are separated for standalone reports.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Electronics with Industrial machinery and components are the most frequent victims of ransomware in the manufacturing industry.

INDUSTRY MONTHLY ACTIVITY CHART

Adjusting for partial March and June months, we can see remarkably consistent numbers of victims across the months.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. For example, LockBit3 came back in May and Play, 8base, Hunters and Black Suit were behind most victims in April.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total 29 out of 54 active groups recorded manufacturing organizations victims in the past 90 days. Notable is the high distribution among a large number of groups in this period.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the manufacturing industry to all recorded victims, gangs with the highest share of manufacturing victims are 8base with 9 out of 50 (18%), Hunters with 9 out of 52 (17.3%) and Blackbasta with 10 out of 62 (16.1%) victims.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total 23 countries recorded ransomware victims with the US alone accounting for 57% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The manufacturing industry is the most frequent victim of ransomware. However, it is only within 1% of 2nd and 3rd place and we exclude overlapping automotive and materials sectors for standalone reports. It faces a significant ransomware threat, with attacks affecting a wide range of sub-sectors and a broad geographic distribution. The steady monthly activity, coupled with the involvement of numerous ransomware groups, highlights the pervasive and ongoing risk.

Monthly Activity Trends
Ransomware activity in the manufacturing industry has shown relatively consistent numbers of victims each month. However, there was a small uptick in May:

LockBit3 had returned in May and Medusa gangs recorded nearly all their victims in May, contributing to the spike in activity during this month.

Ransomware Gangs
A total of 29 out of 54 active ransomware groups targeted the manufacturing industry in the past 90 days:

8base: 18% of their victims were from this industry (9 out of 50 victims).

Hunters: 17.3% of their victims were from this industry (9 out of 52 victims).

The distribution of attacks among many groups indicates no single gang dominated the ransomware landscape in the manufacturing sector.

Geographic Distribution
The geographic distribution of ransomware victims in the manufacturing industry highlights the widespread nature of these attacks:

57% of all victims with identified geography were located in the US.

In total, 23 countries reported ransomware victims in this industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the past 90 days, manufacturing organizations have faced low to high risks across monitored categories.

APT campaigns: Over the past 90 days, the manufacturing sector has been moderately impacted by APT campaigns, with 58.3% of observed campaigns targeting this industry. Despite fluctuations in monthly activity, manufacturing remains a consistent target. Notable threat actors include Chinese groups Mustang Panda and TICK, as well as Vietnamese, Russian, North Korean, and Thai-speaking cybercriminals. Geographically, Japan and Singapore were the hardest hit, reflecting the strategic importance of these regions in the manufacturing landscape. Web applications, operating systems, and Infrastructure-as-a-Service solutions were the primary technologies targeted.

Phishing: The risk level for phishing in the manufacturing sector remains low, constituting only 0.07% of observed phishing. The industry’s reliance on specialized machinery and proprietary technologies, which are less valuable to cybercriminals, makes it an unattractive target for broad phishing campaigns. Additionally, manufacturing companies typically lack direct access to high-value personal or financial information, further reducing the incentive for such attacks. Notably, the Made-in-China certification organization has been impersonated, likely as a lure for targeting international companies, though phishing remains a limited threat overall.

Ransomware: Remains a significant and pervasive threat to the manufacturing industry. With attacks affecting a wide range of sub-sectors and geographic regions, the industry consistently faces high risk. Monthly activity trends indicate steady numbers of victims, with a notable uptick in May due to increased activity from groups like LockBit3 and Medusa. Ransomware gangs with the highest share of manufacturing victims were 8base, Hunters and Blackbasta. Furthermore, the high participation of 29 out of 54 active gangs spread over 23 countries underscored the widespread nature of this threat. The majority of victims are located in the US, however, other known manufacturing powerhouses like Germany, Mexico, Japan and India also recorded notable numbers.