Full Report
New research from Forescout Technologies disclosed that in 2024, there was a 71 percent increase in threat actors... Source: "Hacktivists, state-sponsored groups step up cyberattacks targeting manufacturing operations and OT systems", Industrial Cyber.
Analysis Summary
# Threat Actor: RansomHub
## Attribution & Identity
Primarily identified as a cybercriminal group, RansomHub is noted as the most active threat actor documented in the manufacturing sector between 2024 and Q1 2025, responsible for 78 victims with large data thefts. The group is associated with ransomware tactics, which are also being adopted by hacktivist groups.
## Activity Summary
RansomHub has been highly active in targeting the manufacturing sector, leading data theft operations. They were linked to the two largest data exfiltration events uncovered in the research, stealing 2 terabytes and 487 gigabytes of data respectively. They employ custom malware and living-off-the-land techniques.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting vulnerabilities in VPNs, remote access solutions, and file transfer applications. Increased reliance on Initial Access Brokers (IABs).
- **Persistence/Execution/C2:** Marked rise in abusing legitimate Remote Monitoring and Management (RMM) tools to launch commands (e.g., shell access). Continued use of user account creation, scheduled tasks, and web shells.
- **Defense Evasion:** Shift from traditional obfuscation to deploying EDR bypass tools such as KillAV, TrueSightKiller, and EDR Kill Shifter. Standardized use of Bring-Your-Own-Vulnerable-Driver (BYOVD).
- **Discovery:** Increased preference for Active Directory Service Interfaces (ADSI) over PowerShell-based reconnaissance.
- **Post-Exploitation:** Cobalt Strike is still used for credential dumping and access token manipulation, although its use has slightly declined.
- **Exfiltration:** Increased use of legitimate cloud services for data exfiltration to evade security controls.
- **General Trend:** Increased attacker dwell time, indicating longer periods maintaining access before detection.
## Targeting
- **Sectors:** Manufacturing (ranked 4th most targeted critical infrastructure sector).
- **Geography:** Not specifically detailed, but observed within the scope of the Forescout analysis (implied global scope).
- **Victims:** 78 victims, organizations suffering large-scale data theft. Stolen data includes Intellectual Property (IP), Social Security numbers, bank account details, and passport scans.
## Tools & Infrastructure
- **Malware families used:** Betruger backdoor (custom tool).
- **Other Techniques/Tools:** Cobalt Strike, KillAV, TrueSightKiller, EDR Kill Shifter, legitimate RMM tools, EDR bypass tools.
- **Infrastructure (C2, domains, IPs):** Use of legitimate cloud services for C2/exfiltration.
## Implications
RansomHub represents a significant financial threat due to its high volume of victims in the manufacturing sector and its focus on maximizing data exfiltration (totaling over 3.3 TB across analyzed incidents). Their sophisticated TTPs, especially the use of EDR bypasses and cloud services for exfiltration, allow them to evade traditional security measures and maintain lengthy dwell times.
## Mitigations
- Enforce strong passwords and Multi-Factor Authentication (MFA).
- Improve visibility by enabling logging across assets and utilizing SIEM/detection tools to flag living-off-the-land techniques and anomalies.
- Segment IT and OT networks and strictly monitor traffic at the boundary for suspicious activity.
- Maintain immutable, offline backups and regularly test recovery procedures.
- Prioritize patching for exposed systems like VPNs and RDP.
- Implement targeted threat intelligence to build OT-specific threat models and response playbooks.
- Assess risks thoroughly before deploying new technologies (e.g., IoT, AI integration).
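As an added example (not from the Forescout research or the Industrial Cyber post), the Python below sketches how the logging/SIEM mitigation can be turned into detections for three of the TTPs listed above: user account creation, scheduled task creation, and legitimate RMM tools spawning shells. The event records, host names and RMM process names are constructed placeholders; the event IDs are the standard Windows Security IDs for account creation (4720) and scheduled task creation (4698) plus a Sysmon-style process-creation event (ID 1).

```python
"""Toy detections for TTPs named in the RansomHub summary, run over
constructed Windows-style event records (not real telemetry)."""
from collections import defaultdict

# Placeholder RMM binary names (constructed); a real rule would list the
# RMM products actually sanctioned in the environment.
RMM_PROCS = {"rmm-agent.exe", "remote-support.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

EVENTS = [  # constructed sample telemetry
    {"id": 4720, "host": "ws01", "user": "svc_backup2"},
    {"id": 4698, "host": "ws01", "task": "\\Updater", "cmd": "powershell.exe -w hidden"},
    {"id": 1, "host": "ws01", "parent": "rmm-agent.exe", "image": "cmd.exe"},
    {"id": 1, "host": "ws02", "parent": "explorer.exe", "image": "cmd.exe"},
    {"id": 4624, "host": "ws02", "user": "alice"},
]


def detect(events):
    """Return (host, technique, detail) findings, one per matching event."""
    findings = []
    for e in events:
        if e["id"] == 4720:                      # new local/domain account
            findings.append((e["host"], "account-creation", e["user"]))
        elif e["id"] == 4698:                    # new scheduled task
            findings.append((e["host"], "scheduled-task", e["task"]))
        elif (e["id"] == 1
              and e.get("parent", "").lower() in RMM_PROCS
              and e.get("image", "").lower() in SHELLS):
            findings.append((e["host"], "rmm-shell", e["parent"]))
    return findings


def by_host(findings):
    """Group distinct techniques per host; sorted for stable output."""
    groups = defaultdict(set)
    for host, technique, _ in findings:
        groups[host].add(technique)
    return {h: sorted(t) for h, t in groups.items()}


def prioritize(groups, threshold=2):
    """Hosts showing several distinct TTPs together are escalated first,
    since chained persistence/execution activity is more likely an intrusion
    than any single event (which is common in normal administration)."""
    return sorted(h for h, t in groups.items() if len(t) >= threshold)


if __name__ == "__main__":
    g = by_host(detect(EVENTS))
    print(g, prioritize(g))
```

The single cmd.exe under explorer.exe on ws02 is deliberately left unflagged, so the output shows only ws01 escalated.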