CYFIRMA INDUSTRY REPORT – MATERIALS

Published On: 2024-03-25

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the materials industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the materials industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the materials industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.

Each attack campaign may target multiple organizations across various countries.

Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.

Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.

Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.

In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.

During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Materials organizations, including mining organizations, featured in 3 out of the 17 observed campaigns, which is a presence in 18% of campaigns.

Observed Campaigns per Month

Suspected Threat Actors

1 out of 3 campaigns is attributed to Chinese nation-state APTs, with overlapping TTPs observed between MISSION2025 (APT41 nexus) and Stone Panda. The other 2 campaigns are attributed to Russian nation-state APTs: one shows overlapping TTPs between Fancy Bear and TA505, and the other is attributed to Cozy Bear.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 14 different countries, with South Korea, the US, Japan and India having the highest number of victims.

TOP ATTACKED TECHNOLOGY

Attack campaigns focused on web applications and on bypassing application security software.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Medium

In the past 90 days, our observations indicate three instances of cyberattacks targeting victims within the materials industry. This represents a decrease from four incidents recorded in the previous period. More notably, the overall presence of materials industry victims in observed campaigns has declined from 57% to just 18%.

Our analysis suggests a shift away from industrial espionage and intellectual property theft, previously associated with prolific nation-state APTs (Advanced Persistent Threats), towards objectives with geopolitical implications. This shift aligns with recent events and developments.

Nonetheless, data indicates continuous activity from Chinese nation-state APTs. Specifically, activity from APT41, tracked as MISSION2025 by CYFIRMA, and Stone Panda remains prominent. Russian Bears and cybercrime syndicate TA505 also remain active, especially across Europe.

The most targeted regions include South Korea, the USA, Japan, and India, reflecting the significance of their respective materials industries. Furthermore, there’s a discernible and increasing presence in the APAC region, notably Southeast Asia, which correlates with Chinese strategic interests.

Web applications remain the primary target across various industries, followed by efforts to bypass application security software.

PHISHING ATTACKS IN THE MATERIALS INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded only 1 phishing campaign, out of a total of 357,282, that impersonated materials industry organizations.

Due to a lack of materials industry detections in phishing themes, we do not track this industry as a category.

Global Distribution of Phishing Themes per Sector

Top Impersonated Brands

The only campaign was observed under the Generic/Spear phishing category and appears to be aimed at commodity/materials traders leveraging the Chinese Kuaiqian payment processing platform.

Top Countries of Origin based on ASN

ASN origin of the observed campaign is from China.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

Similar to the manufacturing industry, the materials sector is typically not a prime target for phishing campaigns, except for instances involving spear-phishing attacks by geopolitically motivated Advanced Persistent Threats (APTs) and ransomware affiliates. There are several reasons for this. Primarily, the intricacies of materials operations, including specialized machinery, production processes, and proprietary technologies, make them less comprehensible and potentially less valuable or less easily monetizable for cybercriminals compared to sectors like finance or healthcare.

Consequently, threat actors, or more precisely the cybercriminals responsible for the majority of phishing campaigns, focus on consumer brands and services rather than industrial organizations.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 98 verified ransomware victims within the materials industry sectors. This accounts for 8.9% of the overall total of 1,100 ransomware incidents during the same period.

The Monthly Activity Chart

The monthly activity chart shows a spike in February, which stands out even when adding up the partial months of December and March.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights into the February spike. LockBit3 added 14 victims in February alone. Furthermore, the Cactus, Play and Hunters groups also added most of their victims in the same month.

Ransomware Victims in the Materials Industry per Group

In total, 24 out of 48 active groups recorded materials organization victims in the past 90 days. The top 3 are responsible for half of them.

Comparison to All Ransomware Victims by Group

Geographic Distribution of Victims

The heatmap of geographic distribution shows a truly global reach of ransomware.

Total Victims per Country

In total, 22 countries recorded ransomware victims, with the US alone accounting for ~48% of all victims with identified geography, followed by Canada and the UK.

Sectors Distribution

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The materials industry, closely linked to manufacturing, shares vulnerabilities with the industry most targeted by ransomware attacks, owing to known and exploited business continuity weaknesses. Over the past 90 days, materials industry victims represented 8.9% of all ransomware victims, a slight decrease from the previous 10.5% share. February notably saw a sharp increase in activity.

Analyzing ransomware groups, LockBit3 stands out as the most active, driving the surge in February and accounting for 22% of the total 98 victims. Additionally, the Blackbasta and 8base gangs demonstrate a significant focus on the materials sector, representing 19% and 16% of their respective total victims.

The trend of mid- to small-sized ransomware groups targeting this industry persists, with 24 out of 48 groups active in the past 90 days having victims in the materials sector. This observation was initially noted in September of the preceding year and is likely to intensify following law enforcement action against LockBit.

Among the 98 victims across 22 countries, the United States bears the brunt with 47 victims (48% of all), followed by Canada and the UK, each with 5 victims.

Sector-specific analysis reveals that combined metals processing and production, followed by concrete, building materials, and textiles, are the most frequent victims.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the materials industry’s external threat landscape, we observe mixed risk factors.

The presence of materials businesses in observed Advanced Persistent Threat (APT) campaigns has decreased from 4 to 3 and the overall share dropped from 54% to just 18%. Yet we maintain a medium risk factor as specific sectors within the materials industry remain of high interest, such as aerospace and other cutting-edge sectors.

Phishing remains a low risk in the materials industry. The intricacies of materials processing and production operations and the absence of easily monetizable data make it an unsuitable theme for broad phishing campaigns. Materials businesses generally lack direct access to high-value personal or financial information, and their customer databases are typically limited. As a result, cybercriminals focus on consumer brands and services.

Ransomware remains a high threat, with materials organizations accounting for 8.9% of all victims in the last 90 days, a decrease from 10.5% in the previous period. The most active groups include LockBit3, 8base and Blackbasta. However, participation by small to mid-sized groups also adds up to a substantial share of all victims. The US is by far the most targeted, with 47 out of 52 victims, followed by Canada and the UK (5 victims each).