
State-Sponsored Hackers Escalate Attacks on Manufacturing Sector and OT Systems

State-sponsored hacker groups have sharply increased their targeting of the manufacturing sector, with a pronounced focus on operational technology (OT) and industrial control systems (ICS).

New research from Forescout Technologies has revealed a 71 percent surge in threat actors targeting manufacturing between 2024 and the first quarter of 2025.

Of the 29 active threat groups identified during this period, nearly 80 percent were cybercriminal organizations, almost half of which operated as ransomware gangs. These include the notorious RansomHub, which claimed 78 victims and orchestrated large-scale data exfiltration campaigns.

Analysis of multiple high-profile cyber incidents highlights that attacker dwell time within manufacturing networks has notably increased.

Threat actors are maintaining undetected access for longer durations, leveraging legitimate cloud services for data exfiltration to blend malicious activity with routine network traffic and bypass detection tools.

This strategic shift allows adversaries to evade traditional perimeter security measures and complicates post-incident forensic analysis.

Rise of Custom Malware

Attackers are increasingly deploying custom toolsets in tandem with “living-off-the-land” tactics, exploiting native system utilities to avoid detection.

Notable examples include Black Basta’s BRUTED malware and RansomHub’s Betruger backdoor.

In addition to cybercriminal groups, hacktivist collectives have started to mirror ransomware operations, while state-sponsored actors have prioritized disruption and espionage within OT environments.

According to the report, a deep-dive analysis of 17 manufacturing sector cyber incidents found attackers relying heavily on Initial Access Brokers to purchase access to vulnerable IT and OT networks, often exploiting flaws in VPN implementations, remote access platforms, and file transfer solutions.

There has been sustained misuse of remote monitoring and management (RMM) tools for command execution and lateral movement, as well as frequent creation of rogue user accounts, deployment of web shells, and scheduled tasks.

To bypass advanced endpoint defenses, adversaries are now favoring purpose-built EDR (Endpoint Detection and Response) bypass utilities, including KillAV, TrueSightKiller, and EDR Kill Shifter, over traditional malware obfuscators.

The “Bring Your Own Vulnerable Driver” (BYOVD) attack vector is now standard, replacing older log-purging methods.

Attackers also leverage Active Directory Service Interfaces (ADSI) for reconnaissance, a response to improved detection rates against legacy PowerShell-based toolkits.
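As an added illustration (not taken from the Forescout report), the sketch below correlates three of the behaviours described in this section, rogue account creation, scheduled task creation, and a kernel driver registered from an unusual path (a BYOVD indicator), per host within a short window. The log format, host names, the 30-minute window and the path heuristic are assumptions; the event IDs are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs for behaviours the article lists.
WATCHED = {4720: "account_created",    # Security log: user account created
           4698: "task_created",       # Security log: scheduled task created
           7045: "service_installed"}  # System log: new service installed
WINDOW = timedelta(minutes=30)         # assumed correlation window

# Constructed sample events in a simplified "time host id key=value" format.
SAMPLE = [
    r"2025-03-04T02:11:09 HMI-07 4720 TargetUserName=svc_backup2",
    r"2025-03-04T02:14:40 HMI-07 7045 ServiceType=kernel ImagePath=C:\Users\Public\drv.sys",
    r"2025-03-04T02:19:02 HMI-07 4698 TaskName=\Updater",
    r"2025-03-04T09:00:00 ENG-WS-3 4698 TaskName=\NightlyBackup",
    r"2025-03-04T09:05:00 FILE-01 7045 ServiceType=user ImagePath=C:\Agent\agent.exe",
]

def parse(line):
    ts, host, event_id, *fields = line.split()
    return datetime.fromisoformat(ts), host, int(event_id), dict(f.split("=", 1) for f in fields)

def classify(event_id, kv):
    """Map an event to a behaviour, or None if it is not of interest."""
    kind = WATCHED.get(event_id)
    if kind == "service_installed":
        # Heuristic for BYOVD: a kernel driver registered from outside the
        # normal driver directory. Ordinary user-mode services are ignored.
        path = kv.get("ImagePath", "").lower()
        if kv.get("ServiceType") != "kernel" or r"\system32\drivers" in path:
            return None
        return "driver_installed"
    return kind

def correlate(lines, window=WINDOW, min_kinds=2):
    """Return {host: behaviours} where >= min_kinds distinct behaviours fall in one window."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, event_id, kv = parse(line)
        kind = classify(event_id, kv)
        if kind:
            by_host[host].append((ts, kind))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for start, _ in events:
            kinds = {k for ts, k in events if timedelta(0) <= ts - start <= window}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Event 4698 is only recorded when the "Audit Other Object Access Events" subcategory is enabled, so this correlation depends on the audit policy being configured before an incident.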

Operational Technology Assets Under Direct Assault

The manufacturing sector’s OT environments have become a preferred target for both financially motivated ransomware gangs and geopolitically driven state actors.

Groups such as APT28 and Volt Typhoon have systematically targeted OT and ICS layers, sometimes using ransomware as cover for broader espionage objectives.

Hacktivist groups like Handala and Cyber Army of Russia Reborn have conducted disruptive attacks resonating with ongoing geopolitical tensions, signaling that OT security is now a national security concern.

RansomHub has led the ransomware ecosystem in manufacturing, responsible for the two largest recorded data exfiltrations amounting to over 2.4 terabytes of sensitive data, including intellectual property and personal identifiers.

The persistent threat posed by ransomware-as-a-service (RaaS) operations like Akira, LockBit, Play, and Clop underscores the sector’s vulnerability, even as high-profile law enforcement takedowns prompt criminal groups to rebrand and recruit new affiliates.

The proliferation of digital twins, industrial IoT, 5G, and AI is rapidly expanding the manufacturing attack surface, introducing detection gaps and new risk vectors.

Forescout’s report predicts that targeting of OT systems will intensify as attackers gain deeper understanding of industrial architectures and the disruption potential of these environments.

To counter this evolving threat landscape, manufacturers are urged to adopt an adaptive, multilayered security strategy: conduct comprehensive asset inventories, enforce strong authentication and patch management, enable robust logging and SIEM monitoring, and segment IT from OT environments.

Strengthening supply chain due diligence, maintaining immutable offline backups, and developing OT-specific threat models are now mandatory to mitigate the impact of increasingly sophisticated and persistent cyber adversaries.

As the manufacturing sector’s digital transformation accelerates, the urgency for resilient and proactive cyber defense has never been greater.


The post State-Sponsored Hackers Escalate Attacks on Manufacturing Sector and OT Systems appeared first on Cyber Security News.
