
CYFIRMA INDUSTRY REPORT : REAL ESTATE & CONSTRUCTION

Published On : 2025-01-23

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the real estate & construction industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the real estate & construction industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the real estate & construction industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Real estate & construction organizations featured in 1 out of the 7 observed campaigns, which is a presence in 14% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

A single observed campaign occurred in January 2025. Real Estate & Construction in general is not a frequent target of APT campaigns.

SUSPECTED THREAT ACTORS

The single observed campaign is attributed to Salt Typhoon – an advanced persistent threat (APT) actor operated by China’s Ministry of State Security (MSS). This threat actor has conducted high-profile cyber espionage campaigns, with a focus on counterintelligence and data theft of key corporate intellectual property. The group has infiltrated targets in dozens of countries across nearly every continent.

GEOGRAPHICAL DISTRIBUTION

The recorded victims of the observed campaign span 10 countries. The listed countries mostly align with known strategic interests of the Chinese government.

TOP ATTACKED TECHNOLOGY

The observed campaign exploited multiple vectors.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

In the past 90 days, real estate & construction organizations have been only mildly impacted by advanced persistent threat (APT) campaigns. 14% of observed APT campaigns recorded real estate & construction industry victims, with 1 out of 7 total campaigns.

Monthly Trends
A single observed campaign occurred in January 2025. Real Estate & Construction in general is not a frequent target of APT campaigns.

Key Threat Actors
The real estate & construction industry is mostly highly fragmented and localized and generally does not have significant strategic value for nation states. As such it attracts mostly financially motivated cybercrime.

However, the observed campaign is linked to the Chinese Ministry of State Security (MSS), suggesting that the MSS was possibly looking for information about the real estate of its own citizens abroad.

Geographical Impact
The campaign has affected a total of 10 countries, mostly aligned with the strategic interests of the Chinese government.

Targeted Technologies
Four different vectors were utilized in this campaign – Web Applications, Operating Systems, Routers, and Network Monitoring Tools.

PHISHING ATTACKS IN THE REAL ESTATE & CONSTRUCTION INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 2 instances of related phishing campaigns themed around real estate & construction out of a total of 218,061.

The chart below illustrates the global distribution of observed themes. Due to very low counts of real estate & construction-related phishing, we do not track it as a category.

GLOBAL DISTRIBUTION OF PHISHING THEMES

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

CYFIRMA telemetry identified only two genuine impersonations of real estate and construction entities, both of which are associated with US-based casino properties.

However, this does not imply that these impersonations do not appear more frequently. They are certainly employed in spear-phishing campaigns when appropriate.

The highly localized and fragmented nature of the real estate and construction industry does not present an ideal target for widespread “spray and pray” campaigns. Furthermore, monetization for local cybercrime is more intricate than for more prevalent scams such as typical banking or courier and delivery themes.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 125 verified ransomware victims in the real estate & construction industry. This accounts for 7.6% of the overall total of 1,646 ransomware victims during the same period, placing the real estate & construction industry as the 6th most frequent victim of ransomware.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Construction Services and various contracting and sub-contracting services are the most frequent ransomware victims in this industry.

INDUSTRY MONTHLY ACTIVITY CHART

Over the past 90 days, we’ve observed a significant peak in activity during November. Even adjusted for the nearly evenly split months of October and January, the spike stands out. The post-November lull in activity is at least partially due to even cybercriminals observing the holiday season, rather than a downward trend of ransomware in general.

BREAKDOWN OF ACTIVITY PER GANG

The breakdown of monthly activity for all 32 gangs provides insight into which gangs were active each month. For example, RansomHub was active across months with most victims in November, while Nitrogen was active only in December.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total, 32 out of 61 active groups recorded victims among real estate & construction organizations in the past 90 days. Notable is the relatively high distribution among many groups in this period.

ALL RANSOMWARE VICTIMS PER GANG

When comparing the real estate & construction industry to all recorded victims, RansomHub emerges with the highest number of victims overall and a significant share of 10% of victims (24 out of 239). Qilin and Safeplay show the highest targeting of this industry, each with 15% of their victims (9 out of 61 and 7 out of 47, respectively).

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total, 40 countries recorded ransomware victims, with the US alone accounting for 62% of all victims with identified geography.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The real estate & construction industry is placed as the 6th most frequent victim. It faced a varied ransomware threat, with attacks affecting mostly the US and spiking during November.

Monthly Activity Trends
Ransomware activity in the real estate & construction industry was mixed. Even with evenly split months of October and January, the November spike stands out. The post-November lull in activity may be partly due to cybercriminals observing the holiday season, rather than the general decline in ransomware.

Ransomware Gangs
A total of 32 out of 61 active ransomware groups targeted the real estate & construction industry in the past 90 days:

RansomHub: Recorded the most victims (24 out of 239 victims), mostly due to the sheer volume, but they also show significant focus on this industry with a 10% share of victims.

Qilin and Safeplay: The highest share of their victims were from this industry with 15% (9 out of 61 victims, 7 out of 47).

Geographic Distribution
The geographic distribution of ransomware victims in the real estate & construction industry reflects the US as the largest real estate market and industry.

61% of all victims with identified geography are located in the US.

After the US, Canada, the UK, France, and Germany recorded the most victims. This also correlates with large real estate markets and industries.

In total, 24 countries recorded ransomware victims in the real estate & construction industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

Over the past 90 days, Real Estate & Construction organizations faced low to moderate cyber risks across monitored categories.

APT Campaigns (Low): Only 14% of observed campaigns (1 out of 7) targeted the sector, occurring in January 2025. While generally not a common APT focus, the detected campaign was linked to China’s Ministry of State Security (MSS), likely seeking information on citizens’ real estate holdings abroad. Ten countries were impacted, aligning with Chinese strategic interests. Attacks exploited web applications, operating systems, routers, and network monitoring tools.

Phishing (Low): Only two genuine impersonations—both tied to U.S.-based casino properties—were identified. Due to the industry’s localized nature and complex monetization pathways, large-scale “spray and pray” phishing campaigns are uncommon, though spear-phishing can occur for targeted attacks.

Ransomware (Moderate): Ranked 6th in victim frequency, the sector saw varied activity with a notable spike in November. Of 61 active ransomware groups, 32 targeted Real Estate & Construction. RansomHub recorded the most victims (24 out of 239), while Qilin and Safeplay each had 15% of their victims in this sector. The U.S. led with 61% of identified victims, followed by Canada, the U.K., France, and Germany, altogether spanning 24 countries.