{
	"id": "c3a0a27e-dd85-4f4b-9bf6-f386324d2b40",
	"created_at": "2026-04-06T00:21:33.151592Z",
	"updated_at": "2026-04-10T03:34:16.755859Z",
	"deleted_at": null,
	"sha1_hash": "22a138c89aaa5863b6c32a8c74e0b30b639ec717",
	"title": "The Manufacturing Threat Landscape in 2020 | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96975,
	"plain_text": "The Manufacturing Threat Landscape in 2020 | CrowdStrike\r\nBy falcon.overwatch.team\r\nArchived: 2026-04-05 14:50:02 UTC\r\nSince January 2020, the CrowdStrike® Falcon OverWatch™ managed threat hunting team has observed an\r\nescalation in hands-on-keyboard activity. The COVID-19 pandemic has fundamentally shifted the way businesses\r\nare working, and adversaries are taking full advantage of businesses that fail to adapt their security postures in\r\nresponse. In just the first six months of 2020, OverWatch has tracked more intrusions than were seen throughout\r\nall of 2019. The top industries impacted have been manufacturing, technology, finance, telecommunications and\r\nhealthcare. This blog is part of a series from the Falcon OverWatch team, and each will be a deep dive into the\r\ntypes of targeted intrusions being observed in these industries.\r\nIncreases in Intrusion Numbers and Sophistication\r\nIn the manufacturing industry in particular, it is notable that an escalation in activity has occurred both in terms of\r\nthe quantity and sophistication of these intrusions. The number of targeted intrusions against the manufacturing\r\nindustry in just the first half of 2020 was more than triple what was observed by OverWatch throughout 2019.\r\nAnother feature of the manufacturing threat landscape is that it is one of only a handful of industries that\r\nOverWatch routinely sees targeted by both state-sponsored and eCrime adversaries. The often-critical nature of\r\nmanufacturing operations and the valuable data that many manufacturing businesses hold make them an enticing\r\ntarget for adversary groups seeking to extract value and further their strategic objectives. CrowdStrike Intelligence\r\nhas identified 10 distinct adversary groups — encompassing both state-sponsored and eCrime actors — known to\r\nintentionally target the manufacturing industry. 
And there are many other opportunistic adversaries that could also\r\nreasonably be expected to target the industry should the chance arise.\r\nBig Game Hunting on the Rise\r\nAmong the intrusions uncovered this year, OverWatch has recently observed a state-sponsored actor employing\r\nnovel techniques to deploy tooling within a victim environment. It is also clear that eCrime actors are continuing\r\nto adapt and evolve big game hunting (BGH) activities. Notably, the first half of 2020 has seen more BGH\r\nadversary groups adopt data exfiltration techniques and threaten data leaks to reinforce ransom demands. Further,\r\nnew BGH campaigns have emerged employing ransomware capable of killing industrial control system processes\r\n(among a range of other processes). Examples of current adversary activity targeting the manufacturing industry\r\nare explored below. Now more than ever, there is a clear impetus for defenders in the manufacturing industry to be\r\nprepared to respond to a diverse range of adversary tactics, techniques and procedures (TTPs). OverWatch expects\r\nto see this escalation of activity targeting the manufacturing industry persist throughout the remainder of 2020.\r\nSuspected State-Sponsored Adversary Deploys Malicious Tooling via an Enterprise Application\r\nhttps://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/\r\nPage 1 of 6\n\nOverWatch’s discovery of an intrusion using ShadowPad malware against a manufacturing company in the\r\nNorth America region reveals that adversaries likely working on behalf of the Chinese state are actively exploiting\r\nnewly discovered vulnerabilities to target the manufacturing industry. Interestingly, this case study demonstrates\r\nthe adversary’s capability to quickly operationalize newly identified vulnerabilities, giving them the potential to\r\npursue their mission objectives at scale. 
In the intrusion, uncovered earlier this year, a suspected state-sponsored\r\nadversary gained access to the victim’s network by exploiting a public-facing application on the initial host.\r\nOverWatch discovered this activity shortly after it began due to a rapid succession of unusual host activities. The\r\ncombination of process-hollowing, registry changes and an interactive command shell being executed quickly\r\ncaptured the attention of threat hunters. Instead of attempting to move from one host to the next manually, the\r\nadversary deployed tooling using an enterprise application capable of updating its client software. Using the\r\ncompromised server, they copied a malicious dynamic-link library (DLL) file named dbghelp.dll into place for\r\ndistribution to client systems. The DLL was then executed on the client systems by the enterprise application\r\nleveraging DLL search-order hijacking. Once the initial DLL was executed — triggered by either a user login or a\r\nhost restart — it deployed two files to the operating system temporary directory C:\\Windows\\temp. The first was\r\nan embedded copy of consent.exe, a valid Windows executable, which was written to disk using a similar name\r\nto the affected enterprise application, and the second was a malicious ShadowPad DLL. The ShadowPad DLL\r\nmasquerades as a legitimate Windows file by using the name secur32.dll.\r\nC:\\Windows\\temp\\Update.exe\r\nC:\\Windows\\temp\\secur32.dll\r\nThe initial DLL then executed Update.exe, which then loaded secur32.dll\r\nthrough search-order hijacking. Update.exe made another copy of consent.exe and secur32.dll to a\r\ndifferent directory on the host. Once these files are in place, they are executed, and the second malicious DLL is\r\nagain loaded using search-order hijacking.\r\nC:\\ProgramData\\Gateway\\Algs.exe\r\nC:\\ProgramData\\Gateway\\secur32.dll\r\nAlgs.exe then uses process injection to hide its malicious code under\r\nsvchost.exe and dwm.exe. 
The first attempt to execute by injecting the malicious code into svchost.exe was\r\nblocked by the CrowdStrike Falcon® sensor. The attacker then attempted execution under dwm.exe. At this\r\npoint, dwm.exe began to communicate with adversary infrastructure masquerading as the vendor of the enterprise\r\napplication. Algs.exe was also installed using the Windows Registry to execute when a user logs in.\r\nKEY: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nNAME: LayerGatewayService\r\nVAL: C:\\ProgramData\\Gateway\\Algs.exe\r\nThe adversary used the backdoors on several client hosts to create a new\r\nservice to establish persistence and prepare the system for credential harvesting attacks. They first queried the\r\nAlgs.exe process to ensure it was running, then made a renamed copy of AppLaunch.exe and a third malicious\r\nDLL to another directory on the host.\r\nC:\\ProgramData\\Bluetooth\\BluetoothSvc.exe\r\nC:\\ProgramData\\Bluetooth\\mscoree.dll\r\nA service was then installed on the host using a seemingly benign\r\nname. The third DLL was loaded by BluetoothSvc.exe and also began communicating with adversary\r\ninfrastructure. With their backdoor services in place, the adversary added a Windows Registry key to enable in-memory credential caching.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\r\nAt this point the adversary’s session with the host ended, presumably\r\nto wait for credentials to be stored in memory for later collection.\r\nAlerting the Victim\r\nWithin an hour of initial execution, OverWatch had notified the victim of the known compromised hosts.\r\nOverWatch quickly widened its search and was able to alert the victim to several other hosts compromised by the\r\nadversary in the same time period. 
Because the adversary leveraged legitimate operating system executables and\r\nauthorized enterprise applications, they decreased their chances of discovery by traditional security monitoring.\r\nFurther, the three malicious files used in this intrusion were named to masquerade as legitimate DLL names or at\r\nleast appear benign without further analysis. OverWatch was able to discover the adversary thanks to advanced\r\nhunting capability, informed by in-depth knowledge of the tactics and techniques used by attackers. This enabled\r\nthe victim organization to quickly and comprehensively contain the affected hosts and remediate the intrusion.\r\nSubsequent analysis by CrowdStrike Intelligence indicated that the DLL files were either droppers or payloads for\r\nthe ShadowPad malware. Infrastructure from command-and-control (C2) domains used by the ShadowPad\r\nmalware overlapped with Bisonal malware activity in a campaign that is currently attributed to KARMA PANDA\r\nwith low confidence.\r\nAdversary Capabilities and Motivations\r\nThis adversary exhibited several interesting techniques that provide clues to their capabilities and motivations:\r\nFirst, the compromise of a vulnerability in an enterprise application to automate the deployment and\r\nexecution of their toolset, combined with the deliberate methods used to execute their payloads, paints a\r\npicture of a meticulously planned intrusion. This is further supported by the absence of superfluous\r\narguments or typographical errors in the actor’s interactive commands.\r\nSecond, the adversary’s deliberate and patient approach to credential harvesting stands in stark contrast to\r\nnoisier smash-and-grab attacks that go after low-hanging fruit. The Windows Registry changes to the\r\nWDigest node prepared the system to store the credentials unencrypted in system memory to be harvested\r\nover time. 
This adversary behavior is indicative of more complex motivations, perhaps the intention to\r\nreturn in subsequent attacks to steal intellectual property or disrupt the victim’s operations.\r\neCrime Adversaries Continue to Evolve Their Tactics\r\nIt is not just state-sponsored adversaries that manufacturing defenders need to be alert to. The growth of BGH\r\nactivities in recent years has been well documented by CrowdStrike. These targeted, criminally motivated,\r\nenterprise-wide ransomware attacks have proliferated, and adversaries are constantly evolving their TTPs to\r\nextract maximum value from their victims. For eCrime adversaries, the manufacturing industry is an attractive\r\nBGH target, with a perceived high ability and incentive to pay. EKANS (aka Snake) ransomware has emerged as a\r\nunique new threat to the manufacturing industry due to its reported ability to kill a wide range of processes,\r\nincluding those related to SCADA systems, industrial control systems, virtual machines, remote management tools\r\nand network management software, to enable encryption of files related to those systems. CrowdStrike\r\nIntelligence first reported on EKANS in January 2020. While the adversaries operating EKANS appear to be\r\ntargeting organizations opportunistically, the manufacturing industry — alongside the automotive, engineering,\r\nfinancial and healthcare industries — is known to have been hit by this new threat. Data extortion has proven to be\r\nanother trend that the manufacturing industry needs to watch. CrowdStrike’s 2020 Global Threat Report revealed\r\nthat toward the end of 2019, data extortion began to gain traction as an alternative method of monetizing BGH\r\nattacks. Adversaries have started using the threat of leaking or selling sensitive data instead of — or in\r\ncombination with — ransomware to increase their chances of extracting payment. 
Interestingly, CrowdStrike\r\nIntelligence found that manufacturing was the industry most targeted by data leaks in the first quarter of 2020. In\r\nlate February, DOPPEL SPIDER appeared to become the latest adversary group to join this trend with the launch\r\nof the Dopple leaks (sic) website. The website, claiming to be linked to DOPPEL SPIDER, lists information stolen\r\nfrom past victims who failed to pay ransoms.\r\nDOPPEL SPIDER Found in Hands-on-Keyboard Reconnaissance in a Manufacturing Environment\r\nOverWatch threat hunters recently discovered DOPPEL SPIDER in a manufacturing environment. The intrusion,\r\nwhich stemmed from a successful phishing attack, followed the expected pattern of a hands-on-keyboard attack\r\nwith a range of discovery techniques used to conduct reconnaissance in the environment. The intrusion was\r\ninitially observed when a malicious DLL was side-loaded by legitimate executables and the victim was notified.\r\nThe use of this technique is one of the initial hunting leads that brought it to the threat hunter’s attention. Later, the\r\nadversary returned and was discovered when a burst of unusual commands occurred within a short period of time.\r\nThe adversary used legitimate executables, regularly used by administrators, to gather information about the\r\nvictim’s Active Directory environment. The adversary created and executed batch scripts on the host, which then\r\nran the reconnaissance commands and captured the output into text files. They then used 7zip to compress the files\r\nin preparation for exfiltration. 
Reconnaissance:\r\nnltest /dclist:\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nnltest /domain_trusts\r\nnet group \"Domain Computers\" /DOMAIN\r\nData Staging:\r\n7.exe a -mx3 ad.victim.7z ad_*.*\r\nFILE: victim\\ad_computers.txt\r\nFILE: victim\\ad_subnets.txt\r\nFILE: victim\\ad_users.txt\r\nWhile the data gathered on this occasion using these commands would not contain data such as intellectual\r\nproperty, it is information that would be extremely useful to an attacker in furthering the intrusion. Effective threat\r\nhunting is about assessing behaviors in their specific context to identify potentially malicious activity. OverWatch\r\nrecommends that defenders watch for unexpected series of commands. Though this activity could certainly be\r\nsomething that an administrator would perform during the course of their duties, OverWatch threat hunters are\r\nalways watching out for and digging into bursts of activity or an uncharacteristic series of commands similar to\r\nthis. Without continuous hunting, these types of commands may never be discovered because security software\r\nwould not see them as malicious. Because this activity was identified, the victim organization was able to take\r\naction and prevent further activity or the exfiltration of data.\r\nSecurity Recommendations\r\nThese intrusions highlight the lengths to which adversaries will go to achieve their mission objectives. Both state-sponsored and eCrime adversaries have demonstrated their ability to evolve their TTPs to exploit new\r\nvulnerabilities or increase the pressure on their victims. OverWatch expects to see the manufacturing industry\r\nremain a high-frequency target through the remainder of 2020. 
Accordingly, defenders need to be alert to the\r\nsophisticated and diverse threats taking aim at the industry.\r\nThreat Hunting\r\nThese case studies highlight the heightened threat environment currently facing the manufacturing industry. In\r\nboth examples, adversaries used living-off-the-land (LOTL) techniques to avoid detection. Human-driven\r\ncontinuous threat hunting is the most effective way of identifying and derailing intrusions that leverage LOTL\r\ntechniques long before adversaries can establish a foothold in the environment.\r\nRecommendations\r\nKnow your environment. Being able to identify malicious activity in your environment comes down\r\nto understanding what behavior falls outside of your “normal.” Be on the lookout for unusual\r\nsequences of commands, or commands being executed from unexpected hosts.\r\nKnow your enemy. Familiarize yourself with the TTPs of the adversaries that target your industry.\r\nPrioritize your hunt by focusing on those behaviors known to be prevalent in manufacturing.\r\nVulnerability Management\r\nToday’s adversaries move fast to operationalize exploits for newly disclosed vulnerabilities, and they have shown\r\ntheir capacity to roll out their attacks at scale. Defenders need to be prepared to move faster than the enemy to\r\nimplement short-term workarounds or apply security patches.\r\nRecommendations\r\nKnow your weaknesses. Effectively prioritizing vulnerability management in your environment is about\r\nunderstanding the relative risk of any individual vulnerability, while also drawing on up-to-the-minute\r\nthreat intelligence to understand what threats are most active in your region or industry.\r\nShine a spotlight on your environment. It is critical that your security team has comprehensive\r\nvisibility of your environment to avoid any blind spots that could become an access point for an\r\nadversary. 
CrowdStrike® Falcon Spotlight™ offers security teams a real-time assessment of\r\nvulnerability exposure across their environment, enabling teams to quickly pinpoint and patch\r\nvulnerable hosts.\r\nSocial Engineering Schemes\r\nDue to the widespread use of COVID-19-themed phishing lures and scams and an increasing number of remote\r\nworkers, employees in all industries should remain vigilant and take advantage of the resources available to\r\nenhance their security postures in the context of this new threat landscape.\r\nRecommendation\r\nEnlist your users in the fight. While technology is clearly critical in the fight to detect and stop intrusions,\r\nthe end user remains a crucial link in the chain to stop breaches. User awareness programs should be\r\ninitiated to combat the continued threat of phishing and related social engineering techniques.\r\nAdditional Resources\r\nRead the CrowdStrike Services Cyber Front Lines Report: Observations From the Front Lines of Incident\r\nResponse and Proactive Services in 2019 and Insights That Matter for 2020\r\nWatch an on-demand webcast that takes a deep dive into the findings, key trends and themes from the\r\nreport: CrowdStrike Cyber Front Lines Report CrowdCast.\r\nRead an eBook about securing your remote workforce during the global pandemic.\r\nLearn more about the powerful CrowdStrike Falcon® platform by visiting the webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/"
	],
	"report_names": [
		"adversaries-targeting-the-manufacturing-industry"
	],
	"threat_actors": [
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22a138c89aaa5863b6c32a8c74e0b30b639ec717.pdf",
		"text": "https://archive.orkl.eu/22a138c89aaa5863b6c32a8c74e0b30b639ec717.txt",
		"img": "https://archive.orkl.eu/22a138c89aaa5863b6c32a8c74e0b30b639ec717.jpg"
	}
}