Vertical Target Series: Industrials and Industrial Sub-Verticals
Critical verticals, such as industrials, are attractive targets for cybercriminals and advanced persistent threat (APT) groups. The industrials vertical includes the manufacturing, construction and engineering, professional and commercial services, legal services, and transportation sub-verticals.
Adversaries target these industries for several reasons: the type and volume of sensitive information they can obtain, the funds they perceive these organizations to have available, and the operational impact a successful attack can have.
This blog post leverages the Threat Actor Metric™ developed by Optiv’s Global Threat Intelligence Center (gTIC) - a qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The metric considers known and assessed non-technical capabilities and intentions.
The industrials vertical is critical to the economy, and threat actors perceive organizations within it as holding valuable data that could benefit competitors and other economies. This includes sensitive product and employee data, and industrial organizations are often tightly interconnected with suppliers, customers, and partners. Personally identifiable information (PII) of employees, suppliers, and customers is Likely an attractive target for both APT and cybercriminal groups. APT groups can leverage stolen product designs, blueprints, supply chain details, and process documentation to advance production in their sponsoring country. Cybercriminal groups can hold this information for ransom, use it to target additional organizations, or sell it.
Companies in the industrials vertical cannot afford to be out of service for a significant period, as downtime has direct and secondary impacts on their customers and vendors. This Likely creates a perception that organizations in this vertical are more inclined to pay a ransom. Additionally, their systems are often in constant use, so operators may be reluctant to take them offline for routine maintenance and patching. Organizations in this vertical are often heavily reliant on outdated systems, which makes vulnerability management a significant effort, and taking those systems offline is Likely a major undertaking. Industrial organizations have most often been targeted by the LockBit, Alphv, Royal, Black Basta, and Cl0p ransomware operations.
Royal ransomware operators have been observed gaining initial access via phishing, compromised RDP, credential abuse, vulnerability exploitation, malicious downloaders, and malvertising through Google ads. In March 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a #StopRansomware alert detailing the group and its operations. Of the 199 victims listed on Royal’s data leak site from August 1, 2022 to July 31, 2023, 93 (46.7%) are in the industrials vertical.
As technology has evolved, manufacturing organizations have become increasingly interconnected with other organizations, which has expanded the attack surface available to threat actors. Manufacturing organizations hold a great deal of intellectual property (IP) that could be used to advance manufacturing processes in other organizations and countries. Like other industrial organizations, manufacturers often rely on outdated and legacy systems that expose them to known vulnerabilities. Manufacturers have deadlines, contracts to fulfill, and minimum unit counts to produce, which requires their equipment to run nearly 24/7 and hinders their ability to take systems offline to apply patches and updates. A manufacturer holding government contracts is Likely to be targeted by APT groups in espionage campaigns, because the threat group will Likely be able to obtain IP from the manufacturer and use that access against the contracting government agencies at the same time. APT groups observed targeting the manufacturing vertical include APT33 (aka Elfin, Holmium, Refined Kitten), APT32 (aka OceanLotus, SeaLotus, Bismuth, Tin Woodlawn), and APT41 (aka Wicked Panda, Barium, Double Dragon, Brass Typhoon).
APT33 (aka Elfin, Holmium, Refined Kitten) is attributed to Iran and has been active since at least 2013. The group has used several off-the-shelf toolsets in addition to custom malware. APT33 has had no new, publicly reported activity since 2019. This is Likely due to the group’s extensive use of open-source, publicly available malware and tools, which makes it difficult to distinguish APT activity from cybercriminal activity. It is Likely that APT33 has continued to conduct campaigns, but intrusions are often reported long after they occur, and the use of publicly available tooling complicates attribution.
Legal services organizations are attractive targets due to the volume of information they hold, the impact an attack could have, and the access they provide to client data. Law firms connect with and support clients, including other organizations, which can give threat actors access to a significant amount of data. Because law firms routinely handle confidential and time-sensitive business, threat actors can also use a compromised firm’s network and mailboxes to send convincing phishing emails to clients and other organizations. Legal services organizations must worry not only about their reputation but also about compliance mandates and confidentiality obligations. Smaller firms in particular are Unlikely to have a significant security budget, which makes them attractive to opportunistic attacks.
Of the 140 victims listed on 8Base’s data leak site from August 1, 2022 to July 31, 2023, 11 (7.9%) are in the legal services vertical.
Ransomware groups often target construction and engineering organizations due to the perceived profits and the impact of an attack. Ransomware that shuts down a company’s network delays projects and risks data theft, which damages the victim’s reputation. Construction and engineering organizations that hold government and military contracts are Likely to be targeted for the agency-related information they host. The vertical is subject to limited industry regulation and guidance, particularly around cybersecurity. Its workforce is typically distributed across job sites, which increases the attack surface and creates more opportunity for successful social engineering. Ransomware operators observed targeting the construction and engineering vertical include LockBit, Alphv, Black Basta, Royal, and Play.
Play ransomware was first identified in June 2022 and uses double extortion: sensitive data is stolen and leaked on the group’s data leak site if the ransom is not paid. Play built a reputation within its first few months of operation, indicating that the group comprises developers and operators with prior ransomware experience. Of the 172 victims listed on Play’s data leak site from August 1, 2022 to July 31, 2023, 16 (9.3%) are in the construction and engineering vertical.
Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations and their facilitators, there is currently little incentive for ransomware operations to cease. Operators have continued to adapt throughout 2023 and are assessed to be building their own infrastructure and capabilities as a one-stop shop, with less reliance on criminal marketplaces and forums. This includes a shift away from encryption toward pure data theft, where the stolen data alone is held for ransom. Both Cl0p and BianLian operators have been observed conducting attacks in this manner, which makes the attack faster while still giving the threat actors leverage to open negotiations.
Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase their use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although a targeted state-sponsored attack against any given organization, across all verticals, is Unlikely, the industrials vertical and its sub-verticals have a historical record of being targeted by state-sponsored APT groups.
If you’re interested in learning more about how these APT and cybercriminal groups overlap, as well as how protecting your organization from these threats helps mitigate the threat from the others, check out our white paper: Vertical Target Series: Industrial and Industrial Sub-Vertical Threats.