Executive Summary
In previous years, cyber security threats centered around industries such as healthcare, retail, finance, and energy. Manufacturing was rarely included in the conversation, simply because there was a lack of understanding and communication within the industry. The manufacturing industry is different from other industries that have a direct connection with the outside world. Before technology evolved, manufacturing companies were only connected within the network of a single organization with limited internet access, making it difficult to connect with other organizations or people in general. Organizations within the medical and financial industries don’t have the same barrier due to their public-facing nature. Additionally, manufacturing companies didn’t believe they were appealing to threat actors; they simply didn’t believe they had much to offer.
However, technology has evolved, and the archaic ways of communicating within the manufacturing industry are obsolete. When communication channels change, so does the cyber threat landscape. Now that the manufacturing industry has no choice but to utilize internet connectivity in a variety of ways, they are faced with the harsh reality that they were unprepared to handle the security challenges that come with having so many vulnerable endpoints.
Also, the idea that the manufacturing industry didn’t have much to offer threat actors is not true. In fact, companies within the industry have a vast amount of information that attackers are just waiting to use as extortion. Companies like Nissan and Norsk Hydro learned the hard way that the industry is not exempt from cyber attacks. Let’s take a look at the top 5 cyber threats within manufacturing and how you can help prevent your organization from becoming another victim.
Although various industries fall victim to phishing attacks, they are especially common in manufacturing, which is one of the industries that receives the most phishing attacks per year. Since 2020, threat actors have exploited several vulnerabilities for financial gain, and they have even exploited vulnerabilities for brand impersonation purposes.
Phishing attacks involve a target opening a malicious email attachment or spoofed website. The attachments and websites compromise the target’s browser settings and use whatever data is available for financial gain. The main way the manufacturing industry falls victim to phishing attacks is through web-based malware downloads that contain trojans or other malicious content. Vulnerabilities are discovered on systems via the malware and the information is transferred to the attacker. The data that’s collected by the threat actor is used to demand ransom or it’s sold on the dark web.
Why is the manufacturing industry especially vulnerable to phishing attacks? There are several reasons.
In 2018, Kaspersky Lab reported that more than 400 manufacturing companies became phishing targets. At the time, there was a phishing campaign geared toward stealing money from corporate accounts. The attackers used a variety of tools and standard phishing techniques to distribute harmful software via emails disguised as commercial offers. The threat actors also used legitimate software (TeamViewer or Remote Manipulator System) to orchestrate their attacks. The programs helped the threat actors gain access to devices and scan for information on current purchases and financial software. Additional tools were used to get higher-level permissions and steal data.
Kaspersky Lab observed that in some cases the threat actors sent out malicious email attachments, while in others they sent their victims links to sites. In both instances, the emails persuaded the target to download the tools used by the threat actors on his or her own initiative. The report acknowledged that using modern technology and educating staff about phishing exploits have kept organizations safe.
In 2021, the manufacturing industry endured the brunt of cyber attacks in general. IBM published a report (X-Force Threat Intelligence Index) in 2021 and unveiled how ransomware and other vulnerabilities affected supply chains, with manufacturing being the most targeted industry. In the past, the financial services and insurance industry experienced the most ransomware attacks, but in 2021 manufacturing dethroned those industries and has become the most attacked industry via ransomware.
“For the first time in five years, manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. Manufacturers have a low tolerance for downtime, and ransomware actors are capitalizing on operational stressors exacerbated by the pandemic.” (IBM)
Attackers relied on the ripple effect that takes place when manufacturing organizations have their production flow disrupted. The threat actors knew the attacks would cause their downstream supply chains to force them into paying a ransom. The report further stated that 47% of the attacks within the manufacturing industry were due to vulnerabilities that companies didn’t patch – this highlights the need for all manufacturing companies to include vulnerability management in their security plans.
Avertium published a Threat Intelligence Report in April 2022 featuring Bridgestone Corp. In March 2022, Bridgestone Corp. notified the public that they were hit by a ransomware attack. Bridgestone is a tire supplier for Toyota vehicles. Initially, it was suspected that Pandora ransomware was behind the attack because it happened shortly after the gang attacked Denso Corp. (another car parts supplier); however, it turned out to be the work of LockBit ransomware.
Bridgestone’s breach impacted several cities and plants were inoperable for days. LockBit gave Bridgestone a timeframe to pay their demanded ransom before they released the company’s data. Like other ransomware groups, LockBit removed information from Bridgestone’s systems and threatened to disclose the information to the public. Bridgestone was the second auto parts supplier attacked by a ransomware gang in a very short span of time.
Intellectual property (IP) theft is a type of information theft that can severely damage a company, yet it’s often overlooked. Now that attackers have figured out new ways to infiltrate a network and move laterally within a system discreetly, the potential for IP theft has grown. Over time, threat actors can enter a system without being detected, move laterally, mine information, and leave a system before anyone even realizes they were there.
The data that is accessed by the attackers can be stolen or altered. You may not even realize anything happened until you see your company’s trade secrets used elsewhere. This is particularly dangerous for the manufacturing industry because it can be difficult to protect company information that is needed to create products. Now that threat actors can transfer information in seconds, it would be easy for trade secrets, copyrighted information, and contracts to be stolen. Some manufacturing companies have contracts with government agencies and are at risk of APT (nation-state) attacks. The motivation for these attacks can be anything from pure cyber espionage to a desire to gain military secrets.
The Chinese government-linked hacking group named Winnti is an example of how APTs focus on stealing IP to further their goal of cyber espionage. The group runs a massive Chinese government-linked hacking operation that’s worth billions of dollars. They specialize in stealing intellectual property and other data from the U.S. and foreign companies. The group has existed since 2010 and researchers believe they operate on behalf of Chinese state interests. In 2019, Winnti was able to infiltrate corporate computer networks within the technology and manufacturing industry – targeting companies in North America, East Asia, and Western Europe. So far, the group has stolen sensitive documents, blueprints, diagrams, formulas, and manufacturing-related data. They have also stolen source code and research and development documents.
Unfortunately, Winnti had years to conduct reconnaissance and identify valuable data because the group was not discovered in company systems until 2021. As a result, the group was able to collect hundreds of gigabytes of information that could be used in future cyber attacks. The information stolen includes credentials, employee emails, network architecture, and customer data. The value of the stolen data was not mentioned; however, Chinese cyber espionage in general costs the U.S. between $180 billion and $540 billion annually.
The motivation for an intellectual property theft attack has less to do with financial gain and more to do with stealing data. Also, IP theft is difficult for cyber security specialists to detect because the threat actors are simply stealing data as discreetly as possible with no plans for monetary gain. Ransomware attacks are much easier to detect because the threat actors are seeking to gain something financially – often leaving ransomware notes and other evidence that they were in their target’s systems.
Supply chain attacks are a serious issue for security regardless of the industry, but in recent years, supply chain attacks within the manufacturing industry have become more prominent. A supply chain attack happens when threat actors access an organization’s network via a third-party vendor or supplier. Access can be gained through viruses or malicious software, giving the attacker keys to sensitive information, customer records, and payment information.
Because a supply chain can be large in scope, the attack itself can be difficult to trace. Naturally, manufacturing organizations and businesses work with dozens of suppliers. Any disruption to the manufacturing process causes a ripple effect and severe delays. It’s important for manufacturing organizations to protect their supply chain and make sure the companies they do business with are equally committed to security. There are three types of supply-chain attacks:
A great example of a successful supply chain attack against a manufacturer is February 2022’s attack on Nvidia, the largest microchip manufacturer within the U.S. Avertium published a Threat Intelligence Report featuring Lapsus$’ attack on the microchip giant. Lapsus$ attacked Nvidia and caused outages within their internal network, taking 1TB of schematics, driver and firmware code, documentation, and SDKs. The group leaked a 19GB archive of those files online and also stole Nvidia’s driver signing certificate, which can be used to sign malware.
As we previously stated, for decades the manufacturing industry didn’t believe threat actors were interested in targeting them. They assumed that the Industrial IoT (Internet of Things) devices that they use for daily operations and processes served no purpose for an attacker, therefore developers spent little time ensuring that their IoT devices had basic firewalls or other security controls. When you have little to no concern for security, exploits will happen.
In February 2020, three of the largest manufacturers had their Industrial IoT devices infected with malware. TrapX Security discovered a cryptocurrency miner on several IoT devices including a printer, a smart TV, and an automatic guided vehicle (AGV). The attacks were a part of a campaign in which attackers infected embedded systems running Windows 7 with malware. At the time, Windows 7 had reached end-of-life, but millions of PCs worldwide still ran the operating system.
According to Security Week, the malware was a self-spreading downloader that ran on malicious scripts associated with a cryptocurrency miner named Lemon_Duck. The malware spread so quickly on the AGV manufacturing site that it disrupted vehicle communications. AGVs are used to deliver materials or execute certain tasks in a manufacturing plant. If the communications are disrupted or if the commands are generated by malware, it can cause the vehicle to go off track and cause physical damage to things or people.
The vulnerability also affected a smart TV that had a built-in PC running Windows 7. The smart TV was connected to a manufacturing network and provided data to employees in charge of the production line. Because of the Windows 7 vulnerability, an attacker was able to install malware on the TV and deploy a crypto-miner several months prior. This kind of threat could have compromised the entire network, as well as other companies that had assets within the enterprise and manufacturing networks.
In the past, cybersecurity was primarily a critical focus for large enterprises, but things have changed. The engineers who design the devices for manufacturers need to implement strong cyber security features into the devices they design. Vulnerabilities on Industrial IoT devices are often related to issues that are introduced by the user during the operation or installation phase of the device.
Not changing default passwords, not enabling security features, and a lack of firewalls provide entry points for threat actors. Simply eliminating passwords and user controls that allow weak security options can help keep manufacturing companies safe and help prevent vulnerabilities from being introduced.
The manufacturing industry has a lot of catching up to do when it comes to security. However, it’s not too late for organizations within the industry to take action and start securing their cyber environments. Avertium has advanced services that can help keep your organization safe:
Winnti
Lapsus$
LockBit
Top 7 Cyber Threats for Manufacturing Companies (bitlyft.com)
IBM Security X-Force Threat Intelligence Index | IBM
Inside the Ring: Report details massive Chinese IP theft - Washington Times
How manufacturers can protect IoT products from cyberattacks (designworldonline.com)
IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack | SecurityWeek.Com
Five ransomware attacks in 2022 so far you should know about | Cyber Security Hub (cshub.com)
An In-Depth Look at Pandora Ransomware (avertium.com)
Manufacturing is the ‘Most Targeted’ Industry for Cyber Attacks | Datamation
400 manufacturing companies attacked using TeamViewer and RMS | Kaspersky official blog
What is a Supply Chain Attack? Solutions & Examples | Keeper (keepersecurity.com)
IT, healthcare and manufacturing facing most phishing attacks: report | ZDNet
2021 Manufacturing and Supply Chain Security Roundup (securityintelligence.com)
Manufacturers are bombarded with phishing attacks - Graphus
Why Manufacturing IP is So Susceptible to Cyber Theft - Security Boulevard
An In-Depth Look at Data Extortion Group, Lapsus$ (avertium.com)
What is Intellectual Property Theft and How to Prevent It | Ekran System
The Importance of Securing the Manufacturing Supply Chain (finextra.com)
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.