Major Manufacturing Industry Cyber Attacks of 2024 – SOCRadar® Cyber Intelligence Inc.

In 2024 the manufacturing sector experienced a surge in targeted cyber attacks—especially ransomware and supply-chain intrusions—that caused widespread data exfiltration and operational disruption. Prominent actors and incidents include LockBit 3.0, Akira, Cactus, RansomHub, and major breaches affecting organizations such as Schneider Electric and Nissan. #LockBit3 #SchneiderElectric

Keypoints

  • Manufacturing is a prime target in 2024, with ransomware groups like LockBit 3.0, Akira, Black Basta, ALPHV/BlackCat, Cactus, and RansomHub driving many attacks.
  • Supply chain compromises account for a significant share of incidents—“1 out of 5 breaches is caused by supply chain compromise.”
  • Common initial access and propagation methods include phishing, exploitation of external services (e.g., VPNs), and third‑party vendor compromises.
  • Attackers frequently exfiltrate large datasets (GBs to TBs) before encryption or publication on leak/Tor sites, targeting both corporate and employee PII (passport scans, SSNs, DEA numbers).
  • Legacy systems and industrial control systems (ICS) increase risk; exploitation can cause operational shutdowns and long remediation times.
  • Detection and mitigation recommendations include credential/data leak monitoring, external attack surface management, asset discovery, supply chain intelligence, and robust incident response plans.

MITRE Techniques

  • [T1566] Phishing – Used as an initial access vector; ‘employees understand common threats like phishing or social engineering.’
  • [T1195] Supply Chain Compromise – Adversaries exploited vendor/supplier relationships; ‘1 out of 5 breaches is caused by supply chain compromise.’
  • [T1059] Command and Scripting Interpreter – Attackers executed scripts/commands post-compromise; ‘Command and Scripting Interpreter (T1059)’.
  • [T1060] Registry Run Keys / Startup Folder – Persistence mechanisms noted in the MITRE mapping; ‘Registry Run Keys / Startup Folder (T1060)’.
  • [T1203] Exploitation for Client Execution – Exploited client-side vulnerabilities to escalate privileges; ‘Exploitation for Client Execution (T1203)’.
  • [T1027] Obfuscated Files or Information – Used to evade detection and hide payloads; ‘Obfuscated Files or Information (T1027)’.
  • [T1003] Credential Dumping – Post-compromise credential harvesting to move laterally; ‘Credential Dumping (T1003)’.
  • [T1046] Network Service Scanning – Discovery of network services and open ports for lateral movement; ‘Network Service Scanning (T1046)’.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration via command-and-control channels and leak sites; ‘Exfiltration Over Command and Control Channel (T1041)’.
  • [T1486] Data Encrypted for Impact – Ransomware encryption used to disrupt operations and extort victims; ‘Data Encrypted for Impact (T1486)’.

Indicators of Compromise

  • [Domain] Alleged breached service domain – nissan-dubai.com (claimed source of >500,000 client records).
  • [Leak site / Tor] Published data on anonymous leak sites – Cactus published samples on a Tor leak site (URL not provided).
  • [Exfiltrated datasets] Large stolen data artifacts – examples: “110 GB” from Lush, “1.5 TB” from Schneider Electric (and other multi-GB/TB dumps).
  • [PII samples] Stolen personal identifiers used as proof – passport scans from Lush recruitment, Social Security numbers from Nissan, and 1.6M DEA numbers (Bausch Health samples).

Ransomware and data‑exfiltration campaigns in 2024 repeatedly followed a technical pattern: initial access via phishing and supply‑chain/vendor compromise, followed by execution of commands and scripts on compromised hosts (T1059), credential harvesting (T1003), and discovery of network services (T1046) to expand access. Attackers established persistence using standard mechanisms (e.g., registry run keys or startup entries, T1060), obfuscated payloads to evade detection (T1027), and exploited client‑side or service vulnerabilities to escalate privileges (T1203). Large volumes of sensitive data were exfiltrated—often to Tor or leak sites—and subsequently used for extortion or published, while ransomware actors executed encryption for impact (T1486) and maintained C2 channels to coordinate exfiltration (T1041).

On the defensive side, the recommended technical controls emphasize proactive detection and attack surface reduction: continuous credential and data leak monitoring across surface, deep, and dark web sources; automated asset discovery and exposure assessment to find and remediate vulnerable internet‑facing services and open ports; external attack surface management for vulnerable software and SSL certificate monitoring; and supply‑chain intelligence to score and prioritize third‑party risk. Incident response preparations should include rapid containment procedures for exposed VPNs and external services, forensic capture to identify lateral movement and credential dumping, and integration of custom IoC feeds into prevention tooling to block known C2, leak site indicators, and ransomware artifacts.
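As an added illustration of the forensic and detection side of these recommendations (example code written for this summary, not SOCRadar's tooling or anything from the original post), the small detector below runs over constructed Sysmon-style events and flags three of the mapped techniques: Run-key persistence (T1060), LSASS access typical of credential dumping (T1003), and one process sweeping many host:port pairs (T1046). The simplified field names, the host name, the sample paths and the scan threshold are all assumptions.

```python
from collections import defaultdict

# Constructed Sysmon-style events in a simplified schema (field names are an assumption,
# loosely following Sysmon: 13 = registry value set, 10 = process access, 3 = network connect).
EVENTS = [
    {"id": 13, "host": "eng-ws-07", "image": "C:\\Users\\ops\\AppData\\Local\\Temp\\upd.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"id": 13, "host": "eng-ws-07", "image": "C:\\Windows\\regedit.exe",
     "target": "HKCU\\Software\\Vendor\\App\\LastOpened"},  # benign registry write
    {"id": 10, "host": "eng-ws-07", "image": "C:\\Windows\\Temp\\pd.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
    {"id": 10, "host": "eng-ws-07", "image": "C:\\Windows\\System32\\taskmgr.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe", "access": "0x1400"},  # benign
    {"id": 3, "host": "eng-ws-07", "image": "C:\\Program Files\\Browser\\browser.exe",
     "dst": "203.0.113.10", "dport": 443},  # benign single connection
] + [  # one process touching SMB on 25 hosts of a /24: the T1046 pattern
    {"id": 3, "host": "eng-ws-07", "image": "C:\\Windows\\Temp\\sc.exe",
     "dst": f"10.0.5.{n}", "dport": 445} for n in range(1, 26)
]

RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
PROCESS_VM_READ = 0x10  # access-mask bit a process needs to read LSASS memory

def detect(events, scan_threshold=20):
    """Return (technique, host, detail) findings for T1060, T1003 and T1046."""
    findings = []
    targets = defaultdict(set)  # (host, image) -> distinct (dst, dport) pairs seen
    for e in events:
        if e["id"] == 13 and any(k in e["target"] for k in RUN_KEYS):
            findings.append(("T1060", e["host"], f"{e['image']} set {e['target']}"))
        elif (e["id"] == 10 and e["target_image"].lower().endswith("\\lsass.exe")
              and int(e["access"], 16) & PROCESS_VM_READ):
            findings.append(("T1003", e["host"], f"{e['image']} opened lsass.exe with {e['access']}"))
        elif e["id"] == 3:
            targets[(e["host"], e["image"])].add((e["dst"], e["dport"]))
    # Scanning is only visible in aggregate, so it is evaluated after the pass.
    for (host, image), pairs in targets.items():
        if len(pairs) >= scan_threshold:
            findings.append(("T1046", host, f"{image} reached {len(pairs)} host:port pairs"))
    return findings

if __name__ == "__main__":
    for technique, host, detail in detect(EVENTS):
        print(technique, host, detail)
```

The three benign events are there to show that plain registry writes, non-LSASS process access and single outbound connections are not flagged; the detail strings are what an analyst would pivot on during forensic capture.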

Operationally, manufacturers must harden legacy and ICS environments by segmenting OT from IT, applying compensating controls where patching is infeasible, enforcing least privilege, and running regular phishing‑resilience training. Combining these technical safeguards with timely threat intelligence (e.g., tailored IoC collections and supplier visibility) reduces the window for attacker maneuvering and limits the impact of exfiltration and encryption campaigns.

Read more: https://socradar.io/biggest-manufacturing-industry-attacks-2024/