Increasing cyber threats to manufacturing from China-based APTs and economically motivated groups are being uncovered.

A new Cyfirma report delved into the external threat landscape of the manufacturing industry over the past three months, providing insights and data-driven statistics covering attack campaigns, phishing telemetry, and . The observed campaigns are conducted by a diverse range of threat actors, including Chinese nation-state groups and unidentified Vietnamese, Thai, and English-speaking groups, suggesting that financial motivations are still prevalent in attacks on the manufacturing industry.

In its industry report ‘Manufacturing Industry 2025,’ Cyfirma disclosed that it draws on the Early Warning platform data set to present known attack campaigns conducted by advanced persistent threat actors, both nation-state and financially motivated. Each attack campaign may target multiple organizations across various countries, and campaign durations can vary from weeks to months or even years. Campaigns are sorted by the ‘last seen’ date of activity to include the most relevant ones, which may result in campaigns stacking up on later dates and affecting time-based trends.

Over the past 90 days, Cyfirma identified that manufacturing organizations have been significantly impacted by advanced persistent threat (APT) campaigns. All observed APT campaigns during this period targeted the manufacturing industry, indicating a 100 percent presence. This is a decrease in the number of campaigns from the previous 90-day period, when six out of 10 campaigns targeted the manufacturing industry. However, the increase in presence is more concerning. Approximately half of the activity is attributed to the Chinese threat actors Salt Typhoon and Volt Typhoon. Additionally, financially motivated groups from Thailand, Vietnam, and English-speaking regions have been observed.

The firm said that attribution to specific threat actors can be murky due to increasingly overlapping TTPs and the commodity tools in use. While the suspected threat actors in the report are attributed with high confidence, the potential for inaccuracy is acknowledged. The observed campaigns mostly targeted web applications, followed by operating systems. Database management software, , network monitoring tools, and application infrastructure software were also targeted.

“Manufacturing organizations featured in 5 of the 5 observed campaigns, which is a presence in 100% of all campaigns. This is a decrease from 6 observed campaigns in the previous 90-day period,” the report revealed. “After a calm January, campaigns spiked in February and continued in March.”

Also, victims of the observed attack campaigns have been recorded in 20 different countries. “Japan and Thailand recorded the most victims. Since there is significant financial motivation for these campaigns, we can see a quite scattered geography, which is in line with the opportunistic nature of financially motivated cybercrime.”

Over the past three months, Cyfirma’s telemetry has identified 1,562 mentions of manufacturing out of a total of 56,661 industry mentions. This is from a total of 523,813 posts across various underground and dark web channels and forums. Manufacturing ranked 10th out of 13 industries in the last 90 days, with a share of 2.76 percent of all detected industry chatter. Data breaches, data leaks, and ransomware were the top three categories of recorded cyber threats for the manufacturing industry.

During the same period, the telemetry identified 79 mentions of manufacturing out of a total of 4,677 industry mentions. This is from a total of 11,222 CVEs published in 90 days. The manufacturing industry ranked 11th out of 13 industries in the last 90 days, with a share of 1.69 percent of detected industry chatter. Remote and arbitrary code execution are the most common vulnerability classes, along with denial of service, resource exhaustion, and memory and buffer vulnerabilities. The latter group recorded a notable increase in the middle of the last 90-day period, while the former increased in the last 30 days.

In the past 90 days, Cyfirma has identified 265 verified ransomware victims in the manufacturing industry. This accounts for 12.5 percent of the overall total of 2,123 ransomware victims during the same period, placing the manufacturing industry 3rd out of 13 industries. Furthermore, a comparison with the previous period reveals an increase of 31 percent in interest in the manufacturing industry, from 201 to 238 victims. The overall share increased from 12.1 percent to 12.5 percent.

Cyfirma observed fluctuating activity over the past 180 days, with a significant increase in February and only a slight decline in March. “A breakdown of the top 20 gangs’ monthly activity provides insights into which gangs were active each month. For example, the third most active gang, Cl0p has nearly all victims in February. On the other hand, Akira and RansomHub were active across all three months.”

In total, 40 out of 69 gangs were active in the last 90 days. The Akira gang recorded the most victims (39), followed by RansomHub (33) and Cl0p (29).

The share of all victims for most gangs in this industry is relatively high. Out of the top 10 gangs, only two have a share of below 10 percent of their victims in the manufacturing industry. Akira, Play, Qilin, Lynx, and Cactus recorded around 20 percent of all their victims in this industry. Sarcoma has the highest share among the top gangs, at 37.5 percent. Machinery and industrial equipment are by far the most frequent victims in the manufacturing industry, followed by electronics and semiconductors in second place and metal products in third.

In summary, Cyfirma disclosed that over the past 90 days the manufacturing industry has been significantly impacted by APT campaigns, ransomware, and vulnerabilities. All observed APT campaigns targeted manufacturing, with the Chinese groups Salt Typhoon and Volt Typhoon leading many incidents. These attacks affected 20 countries, including Japan and Thailand, and exploited a range of technologies.

Also, manufacturing accounted for 2.76 percent of dark web chatter, with a notable increase in mentions of ransomware and data breaches. The industry ranked 11th in vulnerabilities, with remote code execution posing the greatest risk. Manufacturing was the third most frequent target for ransomware, with 265 victims, primarily in the U.S., Germany, and Canada.
