Vertical Target Series: Industrials and Industrial Sub-Verticals

Critical verticals, such as industrials, are attractive targets for cybercriminals and advanced persistent threat (APT) groups. The industrials vertical includes the manufacturing, construction and engineering, professional and commercial services, legal services, and transportation verticals.


Adversaries often target these industries for numerous reasons, including the type and amount of sensitive information that they can obtain, the amount of money that they perceive these organizations to have available, and the impact that these attacks have.


This blog post leverages the Threat Actor Metric developed by Optiv’s Global Threat Intelligence Center (gTIC) - a qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The metric considers known and assessed non-technical capabilities and intentions.



The industrials vertical is critical to the economy. Threat actors perceive that valuable organizations within this vertical host important data that could benefit competitors and other economies. This data includes sensitive information related to products and employees, which are often interconnected with suppliers, customers, and partners. Personally identifiable information (PII) of employees, suppliers, and customers are likely attractive targets for both APT and cybercriminal groups. APT groups can leverage product designs, blueprints, supply chains, and processes to further production within their sponsored country. Cybercriminal groups can also hold this information for ransom, target additional organizations, or sell the information.


Companies in the industrials vertical cannot afford to be out of service for a significant period, as these downtimes will have direct and secondary impacts on their customers and vendors. This likely results in a perception that organizations in this vertical are more inclined to pay a ransom. Additionally, their systems are often in constant use, which can create a problem because operators may be reluctant to take them offline for routine maintenance and patch applications. Organizations in this vertical are often heavily reliant on systems that are outdated and thus require significant efforts to maintain vulnerability management. Taking these systems offline is likely a significant undertaking. Industrial organizations have been most often targeted by the LockBit, Alphv, Royal, Black Basta, and Cl0p ransomware operations.



Royal ransomware operators have been observed gaining initial access via phishing attacks, RDP compromises, credential abuse, vulnerability exploitation, malicious downloaders, and malvertising on Google ads. In March 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a #StopRansomware alert providing details of the group and their operations. Of the 199 victims listed on Royal’s data leak site from August 1, 2022, - July 31, 2023, 93 of them (46.7%) are in the industrials vertical.


  • In November 2022, Royal ransomware listed a U.S.-based organization on their data leak site. The organization remains on the site at the time of writing, and the post contains one link to purported data leaked from the organization.
  • In January 2023, Royal ransomware listed a U.S. organization on their data leak site and claimed to have stolen data on 3,200 employees, 30,000 customers, and 125 key boarder entry points. The ransom demand was likely not paid because the organization is still listed on the data leak site with one link to purported stolen data.
  • In May 2023, Royal ransomware listed a U.K. organization on their data leak site and claimed to have stolen 3GB of data from the organization. The post states that 10% of the stolen data has been published, with one link included in the post.



Figure 1: Threat Actor Metric for Royal Ransomware




As technology has evolved, manufacturing organizations have become increasingly interconnected with other organizations. This has increased the ability for threat actors to target these organizations. Manufacturing organizations host a great deal of intellectual property (IP) data that could be used to further the manufacturing processes in other organizations and countries. Similar to other industrial organizations, manufacturing organizations often rely on outdated and legacy systems that can open them up to cyberattacks and vulnerabilities. Manufacturing organizations have deadlines, contracts to fulfill, and minimum number units to make. These factors require their equipment to be up and running nearly 24/7, which can hinder the ability to take systems offline to apply patches and updates. If a manufacturing organization has government contracts, they are likely to be targeted by APT groups in espionage attacks. This is because the threat group will Likely be able to obtain IP from the manufacturer and compromise the government agencies at the same time. APT groups observed targeting the manufacturing vertical include APT33 (aka Elfin, Holmium, Refined Kitten, Magic Hound), APT32 (aka OceanLotus, SeaLotus, Bismuth Tin, Tin Woodlawn), and APT41 (aka Wicked Panda, Barium, Double Dragon, Brass Typhoon).



APT33 (aka Elfin, Holmium, Refined Kitten, Magic Hound) is attributed to Iran and has been active since at least 2013. The group has utilized several off-the-shelf toolsets, in addition to custom malware. APT33 has not had any new, publicly reported activity since 2019. This is Likely due to the group’s extensive use of open-source, publicly available malware and tools that can make it difficult to distinguish between cybercriminal and APT activity. It is likely that APT33 has continued to conduct campaigns, but attacks are often reported much later than the attacks occur. Moreover, the use of publicly available tools allows the threat actors to remain anonymous.


  • From 2016-2017, APT33 targeted multiple organizations with spear phishing emails with a malicious file attachment. Most of the organizations were located within the U.S. and were Likely committed to helping Iran enhance their industrial industry and operations.
  • In 2019, APT33 reportedly manipulated domain names associated with U.S.-based organization in phishing attacks to infect victims with malware. The emails were purportedly related to career opportunities to lure victims into downloading the malware.



Figure 2: Threat Actor Metric for APT33



Legal Services

Legal services organizations are often attractive targets for threat actors due to the amount of information hosted, the impact an attack could have, and the access to potential client data. Legal services organizations connect with and support clients, including other organizations, which could give threat actors access to a significant amount of data. As law firms often deal with confidential and time sensitive business, threat actors can use their access to victims’ networks to send phishing emails to other organizations. Not only do legal services organizations have to worry about their reputation, but they also must be concerned with compliance mandates and confidentiality laws. Legal services organizations, especially smaller firms, are Unlikely to have a significant security budget, which could lead to opportunistic attacks.



Of the 140 victims listed on 8Base’s data leak site from August 1, 2022 - July 31, 2023, 11 of them (7.9%) are in the legal services vertical.


  • In March 2023, 8Base ransomware operators named an Australia-based organization on their data leak site. The post includes one link to a third-party data hosting website that hosts the purported stolen data.
  • In June 2023, 8Base operators named a U.S.-based organization on their data leak site. The group claimed, via the post, to have obtained passports, checks, personal data, client data, and communications. While the company is still listed on the data leak site, the post is listed as “EXPIRED” and does not include any links or screenshots of purported data.
  • In July 2023, 8Base operators named a German-based organization on their data leak site. The group claimed to have stolen 200GB of data that included internal documents, customer data, tax documents, and client data. The post includes multiple links to a third-party data hosting site where the purported data is hosted.



Construction & Engineering

Ransomware groups often target construction and engineering organizations due to the perceived profits and impact of an attack. Ransomware attacks that shut down a company’s network often delay projects and risk data being stolen, which impacts the victims’ reputation. Construction and engineering organizations that maintain government and military contracts are Likely to be targeted due to the type of information that they host related to the agency. The construction and engineering vertical often has limited industry regulations and guidelines, especially related to cybersecurity measures. Employees in this vertical are often part of a distributed workforce spread across different job sites. This type of work environment can lead to an increased attack surface and a bigger opportunity for successful social engineering attacks. Ransomware operators observed targeting the construction and engineering vertical include LockBit, Alphv, Black Basta, Royal, and Play.



Play ransomware was first identified in June 2022 and participates in double extortion tactics, where sensitive data is stolen and leaked on the group’s data leak site if the ransom demand is not paid. Play gained a reputation within the first few months of operations, indicating that the group is comprised of developers and operators with previous ransomware experience. Of the 172 victims listed on Play’s data leak site from August 1, 2022 - July 31, 2023, 16 of them (9.3%) are in the construction and engineering vertical.


  • In March 2023, Play ransomware operators named a U.S.-based company on their data leak site. The group claimed to have stolen personal and corporate confidential information, IDs, passports, contracts, and more. The company is still listed on the data leak site, and the post includes one link and RAR password to download the purportedly stolen data.
  • In June 2023, Play ransomware operators named a U.S.-based organization on their data leak site and claimed to have stolen 33GB of data. The group claimed that the data included PII of staff, projects, passports, financial data, and client documentation. The company is still listed on the data leak site, with one link and a RAR password to the purportedly stolen data.



Despite high-profile ransomware incidents and government/law enforcement attention on ransomware operations and facilitators, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2023 and are assessed to focus on continuing to build infrastructure and capabilities around themselves as a one-stop shop, with less reliance on marketplaces and forums. This includes a shift from encryption to data theft that is stolen and held for ransom. Both Cl0p and BianLian operators have been observed conducting attacks in this manner, which makes the attack faster and still gives the threat actors leverage to begin negotiations.


Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is Unlikely, the industrials vertical and sub-verticals have a historical record of being targeted by state-sponsored APT groups.



There’s More

If you’re interested in learning more about how these APT and cybercriminal groups overlap, as well as how protecting your organization from these threats helps mitigate the threat from the others, check out our white paper: Vertical Target Series: Industrial and Industrial Sub-Vertical Threats.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit