Key Findings

During the reporting period (August 1, 2024–January 31, 2025), the manufacturing sector faced a turbulent threat landscape: Attackers ramped up their abuse of remote external services software, used impersonating domains for targeted spearphishing attacks, and continued to target the sector with ransomware. In this report, we’ll cover:

  • Threat actors increasingly exploiting external remote services, with alerts surging by 130%.
  • Our original research into open ports and insecure port protocols.
  • Predictions on how the shift to a smart factories model will affect cybersecurity considerations.

We’ll also detail the tactics and tools attackers are using to target manufacturing and actions organizations can take to stay resilient against emerging threats in 2025.

External Remote Service Abuse Rises 130% but Spearphishing Still Top Tactic

Figure 1: Top attack techniques in true-positive customer incidents for manufacturing sector, August 1, 2024–January 31, 2025

As highlighted in our previous report, spearphishing remains a favored tactic for attackers targeting manufacturing companies—and it’s easy to see why. It preys on the everyday flow of business; attackers send spearphishing emails that look routine—like a supplier requesting payment—and wait for a misstep. And when that happens, the consequences are stark. Take the chemical manufacturer that lost $60 million in August 2024 after an employee fell for a business email compromise (BEC) scam. Data from the GreyMatter Phishing Analyzer shows phishing email subject lines commonly contain words like “request,” “account,” “invoice,” “payment,” and “action.” These everyday terms are designed to feel urgent, familiar, and harmless, encouraging targets to click malicious links. To protect against spearphishing, empower employees to report suspicious emails and let tools like the GreyMatter Phishing Analyzer do the heavy lifting, because wasting time on low-level threats is a luxury no security team can afford.


Customer Case Study
What Happened? In September 2024, ReliaQuest responded to a phishing attack where a manufacturing customer clicked on a link in an email referencing a “past due payment.” The link led to a fake Outlook login page designed to harvest credentials. Although the phishing email had been remediated, the user’s click-through activity indicated potential credential compromise, prompting immediate escalation.
ReliaQuest’s Response: Within minutes of detection, GreyMatter Automated Response Playbooks contained the threat. The affected user’s password was reset, all active sessions were terminated to prevent further unauthorized access, and emails from the malicious sender were deleted across the organization. Malicious domains and URLs were also blocked to prevent further incidents. These swift actions neutralized the threat, prevented further exploitation, and secured the customer’s environment. The key takeaway? Even the best security tools can’t replace vigilance. Organizations should prioritize fostering a “think-before-you-click” culture among employees to strengthen their defenses against phishing attacks.


Threat Actors Zero In on External Remote Services

The rise in external remote service abuse isn’t limited to manufacturing—it’s part of a broader trend, with a 70% increase across all sectors from 2023 to 2024. But why is manufacturing seeing such a big spike? Blame the rise of the smart factory model.

Over the past decade, manufacturing has embraced smart factories. To boost productivity, the sector has turned to automation and digitization through the Industrial Internet of Things (IIoT). But in doing so, once air-gapped, locked-down factory systems have been replaced with hyper-connected operational technology (OT) and IT environments. Remote services like virtual private networks (VPNs) and remote desktop protocol (RDP), meant for real-time monitoring and remote access, have become the perfect entry points for cybercriminals. Unsecured systems are a goldmine for initial access brokers (IABs), who profit by selling compromised access on the dark web (see Figure 2). Threat actors leveraging the offerings of IABs can achieve breakout times (initial access to lateral movement) in as little as 27 minutes. In that time, they can disrupt production lines, compromise supply chains, or exfiltrate sensitive data.

Figure 2: Threat actor on Russian-language cybercriminal forum advertising VPN access to manufacturing company

Take Action

To prevent threat actors from abusing external remote services, companies should take the following steps:

  • Deploy deceptive remote-access points to set up fake RDP or VPN endpoints that lure attackers. These decoys monitor malicious activity, gather intelligence on attacker methods, and prevent access to systems.
  • Adopt dynamic access policies (DAP) that adjust permissions in real time based on user behavior, geolocation, and device posture. This ensures only legitimate users stay connected while suspicious attempts are blocked.
  • Introduce time-limited access tokens for remote services. Replace static credentials with these single-use, time-sensitive tokens that expire quickly to prevent attackers from using stolen credentials for long-term access.



Domain Impersonation Made Easy with Phishing Kits

Impersonating domains are the persistent pebble in the shoe for manufacturers. These low-cost, high-impact attacks are likely fueled by phishing kits that enable attackers to easily flood targets with fake domains. Our research shows a 136% surge in dark-web chatter since 2023 around these plug-and-play tools, which often have automated setup and churn out unlimited fake domains. To combat this threat, leverage GreyMatter Digital Risk Protection (DRP) to spot and take down fake domains before they cause damage.

That said, impersonating domains are nothing new. Instead, let’s focus on a risk far more specific to manufacturing: open ports.

Figure 3: Top true-positive alerts for manufacturing sector, August 1, 2023–January 31, 2024, vs. August 1, 2024–January 31, 2025

Open Ports Alerts More than Double, Exposing a Major Criminal Target

Open ports, essential for communication between OT systems or remote maintenance, can become entry points for attackers if left unmonitored. During the reporting period, GreyMatter DRP alerts for open ports in the manufacturing sector rose to 12% compared to the previous period, far outpacing the increases for utilities (4%) and construction (2%). Detection alerts for rules like “Network Recon Tool” and “Port Scan – Internal”—indicators of attackers scanning for open ports—also jumped by 89% in 2024 compared to 2023. These trends highlight a growing focus by attackers on exploiting unprotected ports to infiltrate manufacturing networks.

Manufacturing organizations are particularly prone to leaving ports open, especially on OT systems, for several reasons:

  • Outdated technology: Many OT systems rely on legacy technology built for functionality, not security. Ports like 502, commonly used by Modbus devices, are often left open by default for communication and control.
  • Third-party access: Vendors often need remote access for maintenance, so ports are left open for convenience without adequate configurations or controls.
  • Cybersecurity gaps: Limited cybersecurity awareness among OT personnel can result in hesitancy to secure systems, fearing disruptions to complex, mission-critical operations.

As far back as 2023, we’ve seen threat actors on Russian-language cybercriminal forums sharing Shodan “dorks” (specialized search queries) to locate OT devices based on criteria like country, port number, or device type—such as Unitronics Supervisory Control and Data Acquisition (SCADA) devices on port 502 (see Figure 4).

Figure 4: Threat actor offers advice on locating internet-exposed OT devices

Two years later, our own Shodan search revealed more than 30,000 exposed Unitronics devices on port 502—most of them Modbus Industrial Control System (ICS) devices critical to manufacturing operations. Exposed open ports give attackers a direct line to exploit ICS and OT environments. For instance, once attackers locate vulnerable Modbus devices, they can exploit the protocol’s inherent lack of security. Many Modbus devices lack encryption, authentication, and integrity checks, allowing attackers to sniff traffic, send malicious commands, or trigger denial-of-service (DoS) attacks with malformed packets.
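As an added illustration of the Modbus weakness described above (this is not ReliaQuest code and not from the original report): a minimal Modbus/TCP frame parser a defender can run over captured port 502 traffic to flag state-changing write commands from hosts outside an assumed allow-list of engineering workstations, and to flag frames whose MBAP length field does not match the bytes actually received. The allow-list, host addresses, and sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state (coil/register writes).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP frame (7-byte MBAP header followed by the PDU).
    Returns None for malformed frames: short header, non-zero protocol id,
    or a length field that does not match the bytes actually present."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length < 2 or len(payload) - 6 != length:
        return None
    return ModbusFrame(tid, unit, payload[7], payload[8:])


def classify(src_ip: str, payload: bytes, engineering_hosts: set) -> str:
    """Label one frame from src_ip. engineering_hosts is a hypothetical
    allow-list of workstations permitted to write to PLCs."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "MALFORMED"          # candidate malformed-packet DoS / fuzzing
    if frame.function_code in WRITE_CODES:
        return "WRITE_AUTHORIZED" if src_ip in engineering_hosts else "WRITE_UNAUTHORIZED"
    if frame.function_code in READ_CODES:
        return "READ"
    return "OTHER"


# Constructed sample traffic (not a real capture): (source IP, raw TCP payload).
ENGINEERING = {"10.10.5.20"}
SAMPLES = [
    ("10.10.5.20", bytes.fromhex("000100000006010300000002")),    # read 2 holding registers
    ("10.10.5.20", bytes.fromhex("000200000006010500010000")),    # write coil 1 OFF, allowed host
    ("198.51.100.7", bytes.fromhex("00030000000601050001FF00")),  # write coil 1 ON, unknown host
    ("198.51.100.7", bytes.fromhex("0004000000ff0103")),          # length field claims 255 bytes
]


def scan(samples):
    """Classify every (src_ip, payload) pair and return the labels in order."""
    return [(ip, classify(ip, frame, ENGINEERING)) for ip, frame in samples]


if __name__ == "__main__":
    for ip, label in scan(SAMPLES):
        print(f"{ip:14} {label}")
```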

Take Action

To prevent threat actors from discovering open ports with tools like Shodan, manufacturing companies should:

  • Deploy port-knocking or single packet authorization: Instead of simply closing open ports, use these techniques to make them invisible until a specific “knock” or packet sequence is sent, dramatically reducing visibility to tools like Shodan.
  • Use honeypots: Set up honeypots to detect, analyze, and gain insights into unauthorized access attempts, facilitating the identification of potential attackers.
  • Encrypt OT communications: Implement application-layer encryption or a VPN overlay to secure all OT communications to ensure attackers can’t sniff traffic even if they find an exposed port.

Manufacturing Ransomware Trends Echo All-Sector Patterns

Figure 5: Top ransomware groups targeting the manufacturing sector, August 1, 2024–January 31, 2025

Ransomware attacks are surging across all sectors, but manufacturing is a prime target. Over the reporting period:

  • Ransomware groups hit 2,999 organizations across all industries, a sharp 33% increase from 2,250 the previous reporting period.
  • In manufacturing, the number of active ransomware groups rose from 46 in 2023 to 57 this year—a 24%
  • In Q4 alone, manufacturing companies accounted for 370 victims, trailing just behind professional, scientific, and technical services (PSTS) with 375

But here’s the kicker: PSTS spans a massive footprint, covering industries from think tanks to pharmaceuticals and everything in between. Manufacturing, in contrast, operates under a much narrower scope. Yet, ransomware attacks on manufacturing are nearly tied with PSTS, with just a five-victim difference in Q4.

So, why is manufacturing such a prime target? Downtime is devastating—but that’s also true for sectors like health care. What sets manufacturing apart is its operational scale. One production line being compromised can disrupt entire supply chains and cause huge financial losses. And as organizations increasingly adopt IIoT devices to improve OT visibility, the risks grow exponentially. Many IIoT devices are tied to legacy OT systems that can’t be updated, creating vulnerabilities that are magnets for attackers. The combination of large-scale operations, legacy vulnerabilities, and open supply chains makes manufacturing a goldmine for attackers—and the statistics show they’re cashing in.

Take Action

  • Implement microsegmentation for IIoT and OT networks: Severing connectivity between IIoT devices and legacy OT systems isn’t feasible due to operational requirements. Use microsegmentation to create isolated zones, limiting access to what’s absolutely needed by devices and users.
  • Adopt SBOMs to secure supply chains: Make Software Bills of Materials (SBOMs) a requirement for software used in production systems. These “ingredient lists” help to spot vulnerabilities in industrial applications, providing the visibility to fix risks before attackers exploit them.
  • Leverage GreyMatter for threat detection and response: Detect threats others miss—like unauthorized communication crossing IT/OT boundaries (Rule 003091)—before they can cause issues. GreyMatter’s AI-powered capabilities don’t just monitor threats; they connect the dots between IT and OT data, providing a unified approach to log analysis.



The One to Watch: Play Ransomware

“Play” (aka PlayCrypt) has quietly cemented itself as one of the most dangerous ransomware groups targeting manufacturing. While groups like “RansomHub” have made headlines amidst the shakeup in the ransomware landscape, Play has taken a more discreet but equally devastating approach. Play has consistently held the second spot for ransomware attacks on manufacturing—trailing “LockBit” in 2023 and RansomHub in 2024. In one incident, Play targeted a US semiconductor manufacturer, disrupting operations, stealing sensitive data, and leaking it when the ransom wasn’t paid—causing $21.4 million in losses. Analysis of Play’s targeting patterns reveals a focus on industries like manufacturing, construction, and utilities. In these sectors, it ranks as the second-most active ransomware group, highlighting its preference for large organizations, and manufacturing companies, by nature, often fall into this category.

Play’s Approach to Manufacturing

Play capitalizes on key features of the sector—legacy systems, reliance on operational continuity, interconnected supply chains, and minimal downtime tolerance—turning these critical dependencies into opportunities for exploitation.

Post-Compromise Frameworks: Tools like Cobalt Strike let Play establish command-and-control (C2) infrastructure, allowing attackers to move laterally through IT and OT systems. In manufacturing, this could mean infiltrating IT systems like enterprise resource planning (ERP) platforms to access OT networks. Once inside, attackers could manipulate production schedules, disable monitoring systems, or even shut down machinery by interfering with programmable logic controllers (PLCs). This, in turn, leads to halted production lines, delayed supply chains, and significant financial and reputational damage.

Remote-Access Trojans (RATs): Play uses SystemBC to maintain persistence and establish communication with its C2 servers while exploiting IT-OT convergences. SystemBC allows attackers to create encrypted tunnels to evade detection, giving them a stealthy way to move laterally from IT systems—such as employee workstations or shared drives—into OT environments. Unlike other sectors, where attacks often remain confined to IT systems, manufacturing’s interconnected IT-OT environments allow attacks to directly disrupt physical operations, amplifying the damage.

Living off the Land Binaries (LOLBins): Play uses native Windows processes like PowerShell to avoid detection when executing commands, downloading payloads, and escalating privileges. This tactic is especially dangerous in manufacturing, as uptime is prioritized over cybersecurity. As a result, attackers blend in with legitimate activity, enabling them to map networks, access critical systems, and prepare for ransomware attacks or data theft without raising alarms.



Step Up Your Defense Against Play

ReliaQuest’s Approach

Threat Hunting: Proactively defend against Play activity with these GreyMatter Hunt packages:

  • Remote Desktop Protocol (RDP) Audit: RDP is one of the most common vectors Play uses for initial access and lateral movement. This Hunt analyzes deviations in RDP activity, like unusual session durations, off-hours logins, or connections from unexpected IP ranges. It also examines event logs, registry changes, and session activities to uncover stealthy attempts to exploit RDP.
  • Initial Access via Remote User VPN: Play often exploits remote VPN sessions to infiltrate environments. This Hunt studies VPN traffic, analyzing source IPs for anomalies like unusual geolocations, unexpected internet service providers (ISPs), or anomalous login patterns. It flags suspicious activity that could indicate an attacker masquerading as a legitimate user. By running this Hunt, customers can detect and block attackers early, preventing them from pivoting deeper into the network.
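The RDP and VPN Hunts above look for the same kinds of deviation: off-hours logons, source addresses outside expected networks, and abnormal session durations. As an added example that is not GreyMatter code, the logic below applies those checks to constructed Windows Security events 4624 (logon) and 4634 (logoff) with LogonType 10 (RemoteInteractive, i.e. RDP); the business hours, expected networks, and session-length threshold are assumed baselines for a hypothetical environment.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical baseline: business hours and the networks from which RDP
# sessions are expected (e.g. jump hosts or an admin VLAN).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
EXPECTED_NETS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]
MAX_SESSION_HOURS = 8

# Constructed Security log records (not a real capture). Fields mirror
# event 4624 / 4634; LogonId links a logon to its logoff.
EVENTS = [
    {"id": 4624, "time": "2024-11-04T09:12:00", "user": "jdoe",
     "logon_id": "0x1A", "type": 10, "ip": "10.20.3.4"},
    {"id": 4634, "time": "2024-11-04T10:05:00", "user": "jdoe", "logon_id": "0x1A"},
    {"id": 4624, "time": "2024-11-05T02:41:00", "user": "svc_backup",
     "logon_id": "0x2B", "type": 10, "ip": "203.0.113.9"},
    {"id": 4634, "time": "2024-11-05T13:00:00", "user": "svc_backup", "logon_id": "0x2B"},
    {"id": 4624, "time": "2024-11-05T08:00:00", "user": "mlee",
     "logon_id": "0x3C", "type": 3, "ip": "10.20.7.7"},   # network logon, not RDP
]


def hunt_rdp(events):
    """Return (user, logon_id, reasons) for each RDP session that deviates from
    the baseline: off-hours start, unexpected source network, or a session that
    is unusually long or never closed by a matching 4634."""
    logoffs = {e["logon_id"]: datetime.fromisoformat(e["time"])
               for e in events if e["id"] == 4634}
    findings = []
    for e in events:
        if e["id"] != 4624 or e["type"] != 10:
            continue                      # only RemoteInteractive logons
        start = datetime.fromisoformat(e["time"])
        reasons = []
        if not BUSINESS_START <= start.time() <= BUSINESS_END:
            reasons.append("off-hours logon")
        src = ip_address(e["ip"])
        if not any(src in net for net in EXPECTED_NETS):
            reasons.append(f"unexpected source {src}")
        end = logoffs.get(e["logon_id"])
        if end is None:
            reasons.append("session still open")
        elif (end - start).total_seconds() > MAX_SESSION_HOURS * 3600:
            hours = (end - start).total_seconds() / 3600
            reasons.append(f"long session {hours:.1f}h")
        if reasons:
            findings.append((e["user"], e["logon_id"], reasons))
    return findings


if __name__ == "__main__":
    for user, logon_id, reasons in hunt_rdp(EVENTS):
        print(f"{user} ({logon_id}): {', '.join(reasons)}")
```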

Threat Intelligence: ReliaQuest customers can explore the MITRE ATT&CK tactics linked to the group in the “Techniques and Associations” section of the Play threat profile in GreyMatter. The “ReliaQuest Detection Capabilities” section outlines both deployed and undeployed detection rules, allowing you to identify and rectify any security gaps.

Enable GreyMatter Automated Response Playbooks along with the above detection rules for rapid threat containment and remediation. These Playbooks can drive your mean time to contain (MTTC) threats down from hours to minutes, minimizing damage and reducing the risk of ongoing compromise.

  • Isolate Compromised Host: Isolates an infected host from the network, severing connections to C2 servers and preventing ransomware from spreading to other systems. This is especially critical in environments with interconnected IT and OT systems to contain threats before they cascade across the network.
  • Ban Hash: Integrates unique ransomware file hashes into Endpoint Detection and Response (EDR) and intrusion prevention system (IPS) tools, blocking malicious file execution across network hosts. By preventing ransomware payload execution, this Playbook stops further compromise and minimizes damage to critical systems.
  • Active Sessions and Reset Passwords: Immediately terminates sessions tied to compromised user accounts and enforces a password reset to lock attackers out. By cutting off access, it disrupts Play’s activity and prevents reentry into the environment.

Your Action Plan

To effectively defend against the tactics used by Play, we recommend the following measures:

  • Deploy DLP software: Use Data Loss Prevention (DLP) software to detect and block unauthorized access and exfiltration of sensitive data. Implementing these tools helps safeguard corporate information from exfiltration. Specifically look for the exfiltration of files archived using WinRAR.
  • Implement GPOs: Play frequently uses tools like SystemBC for persistence and enables RDP to move laterally within networks. Use Group Policy Objects (GPOs) to globally disable or restrict remote-access software like RDP and SystemBC.
  • Monitor and mitigate LOLBins activity: Play weaponizes native Windows tools like PowerShell to quietly map networks and evade detection. By actively monitoring for unusual LOLBins activity, manufacturers can detect and stop attackers before they reach critical systems.



Top Lessons and What’s Next

The manufacturing sector remains a top cybercriminal target, driven by its critical role in global supply chains and reliance on interconnected IT-OT environments. The 130% increase in abuse of external remote services, phishing kit-fueled spearphishing campaigns, and persistent ransomware operations by groups like Play demonstrate how attackers exploit the sector’s unique vulnerabilities. These tactics increasingly focus on leveraging open ports, legacy systems, and IT-OT convergence to disrupt operations.

Looking ahead, these trends are only set to intensify. Here are three key predictions to help you stay ahead.

OT Intrusions to Outpace Detections by 40% in 2025: If current trends persist, OT intrusions will surpass detections by as much as 40% in 2025. OT visibility has already dropped by 50% year-over-year (from 10% in 2023 to 5% in 2024), while intrusions have risen by 41% (from 17% to 24%), highlighting the rapidly widening gap between what’s being attacked and what’s being detected. This decline in visibility is likely driven by the growing complexity of interconnected IT-OT systems and insufficient investment in specialized OT monitoring tools. To close this gap, deploy specialized OT monitoring tools integrated with security operations platforms like GreyMatter to restore visibility, detect threats in real time, and close critical blind spots.

Smart Factories Become Battleground for State-Sponsored Espionage: State-sponsored cyber-espionage will escalate as smart factories expand, creating vast attack surfaces through interconnected systems and IoT devices. Geopolitical tensions, such as restrictions on chipmaking and AI investments, will drive adversaries like China to ramp up attacks, as seen in thousands of incidents targeting a Dutch photolithography machine maker. To protect against these threats, manufacturers must secure systems with strict access controls, advanced encryption, and digital signatures to safeguard critical data.

Phishing Kits Will Lead to Increased Spearphishing: Spearphishing attacks on manufacturing are set to double in 2025, driven by the increasing use of phishing kits and nation-state interest in industries like defense and aerospace. Discussions about phishing kits on cybercriminal forums surged by 136% in 2024, allowing attackers of all skill levels to exploit manufacturing’s reliance on email for supply-chain and financial transactions. Attacks like the “Kimsuky” group’s 2024 compromise of a German defense manufacturer highlight this threat. Manufacturers can implement phishing-resistant multifactor authentication (MFA) (e.g., hardware tokens) to protect sensitive communications and block attackers.

