LevelBlue SpiderLabs: APAC Emerges as Primary Target for Manufacturing Cyberattacks

  • The manufacturing sector faces a 793% surge in cyberattacks, with APAC manufacturers being the primary targets worldwide.

  • Sophisticated threat actors—including Lazarus Group, APT41, and Russian ransomware affiliates—are driving a wave of ransomware and cyber espionage campaigns against manufacturers.

  • Ransomware and cyber espionage attacks are increasingly targeting valuable intellectual property and operational technology, posing severe risks to manufacturing continuity and data security.

The Asia-Pacific region is home to the highest concentration of manufacturing sites on the planet, so it comes as no surprise that manufacturers here absorb more attacks than the rest of the world combined.

LevelBlue SpiderLabs compiled the Manufacturing Threat Landscape 2025 report, which found that 56% of all attacks targeting the manufacturing sector occurred in the APAC region, compared with 22% in North America, 16% in Europe, and 2% in Africa.

Globally, 26% of all cyberattacks struck the manufacturing sector, an indication of the importance threat groups place on these organizations.

Breaking the numbers down further by country, Japan was hit most often, absorbing 37% of the attacks, a reflection of its advanced technology base and geopolitical exposure. China, with its vast industrial base, is a distant second at 11%, closely followed by South Korea (10%), which faces persistent threats from North Korea, and then India (2%).

Manufacturing at the Epicenter

Let’s step back for a moment and look at how dramatically threat actors have increased their attack rate on this sector.

LevelBlue research found that between 2019 and 2025 the number of attacks on manufacturers increased 793%, to just over 5 billion. Once the numbers are broken down, the “why” behind them is fairly obvious.

Manufacturers hold valuable IP and cannot afford downtime, so they are both more inclined to pay a ransom and worth the effort of gaining access to in order to steal that IP.


Top Threats

Ransomware, phishing/social engineering, and supply chain attacks were the top threat types manufacturers faced. The most active adversaries were Chinese state-sponsored groups such as APT41, Russian ransomware affiliates such as LockBit3 and RansomHub, and North Korea’s Lazarus Group.

These groups each have a different goal and represent the primary reasons behind many attacks on this sector.

  1. State-Sponsored Espionage: Chinese groups such as APT41 and Mustang Panda are heavily involved in data theft and IP exfiltration, seeking a competitive advantage for their national industries.

  2. Geopolitical Sabotage: The Lazarus Group (North Korea) remains a dominant force, particularly targeting South Korean semiconductors and automotive components to acquire technology and circumvent economic sanctions.

  3. Financial Extortion: Russian-linked ransomware affiliates, such as LockBit3 and RansomHub, drive the majority of financially motivated attacks, using the threat of downtime to extract massive ransoms.

Not surprisingly, the most common malware types were ransomware, infostealers, trojans, backdoors, and droppers. In turn, the top malware variants were Qilin Ransomware, Akira Ransomware, the infostealer/RAT Agent Tesla, and the infostealer Lumma.

Attacks typically begin with phishing or vishing, escalate to network infiltration, and end in severe impacts such as operational disruption and data exfiltration. Some campaigns are rapid, but in many cases threat actors value success over speed, so their efforts can be drawn out over many months.

The researchers noted that threat actors favored phishing and vishing (voice phishing) to trick employees into handing over credentials for initial access. They also employ "watering hole" attacks, compromising legitimate websites frequented by industry professionals, such as job boards, to deliver malicious scripts.

Once an initial foothold is established, the attackers move to exploit their entry. Windows Management Instrumentation (WMI) is often used for lateral movement, enabling attackers to map the target’s network and identify critical OT infrastructure. To avoid being evicted easily, they maintain persistence through scheduled tasks, rootkits, and registry modifications. Because WMI is also heavily used by legitimate administration and monitoring tools, defenders should key detections on context (a shell spawned by the WMI provider host, or remote WMI execution aimed at OT hosts) rather than on WMI use alone.
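As an added example that is not part of the SpiderLabs report, the following Python shows how the WMI execution and persistence activity described above surfaces in Windows telemetry and how a SOC rule would flag it, then correlates the two on the same host. The event records are constructed, and their field names are an assumption about how a SIEM normalises Sysmon and Security events.

```python
"""Flag WMI-driven lateral movement and follow-on persistence in Windows event records.

Added example for this article, not SpiderLabs tooling. The sample events are
constructed; field names loosely mirror Sysmon Event ID 1 (process creation),
Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled
task created) and are assumptions about how a SIEM normalises them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Shell spawned by the WMI provider host: what a remote Win32_Process.Create looks like on the target.
    {"event_id": 1, "host": "HMI-01", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "command_line": "cmd.exe /c whoami"},
    # Outbound remote WMI execution from an engineering workstation toward an OT gateway.
    {"event_id": 1, "host": "ENG-WS-07", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": 'wmic /node:"plc-gw-02" process call create "powershell -enc SQBFAFgA"'},
    # Scheduled task pointing at a binary outside the system directories.
    {"event_id": 4698, "host": "HMI-01", "task_name": "\\Microsoft\\Windows\\Update\\SyncSvc",
     "task_content": "<Command>C:\\ProgramData\\sync\\svchost.exe</Command>"},
    # Run-key autostart for the same binary.
    {"event_id": 13, "host": "HMI-01",
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SyncSvc",
     "details": "C:\\ProgramData\\sync\\svchost.exe"},
    # Benign noise that must not fire.
    {"event_id": 1, "host": "ENG-WS-07", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"},
    {"event_id": 4698, "host": "DC-01", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": "<Command>%windir%\\system32\\defrag.exe</Command>"},
]

WMI_PROVIDER_HOST = "wmiprvse.exe"
REMOTE_WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\b.*?/node:"?([^\s"]+)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)
TASK_COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)
# Task binaries under these prefixes are treated as expected; tune per environment (assumption).
TRUSTED_TASK_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\", "c:\\program files")
PERSISTENCE_RULES = {"task_outside_system_paths", "run_key_persistence"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list[Finding]:
    """Apply the WMI and persistence rules to an iterable of event dicts."""
    findings: list[Finding] = []
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 1:
            # A child of WmiPrvSE.exe was created through WMI, typically from another host.
            if _basename(ev.get("parent_image", "")) == WMI_PROVIDER_HOST:
                findings.append(Finding(host, "wmi_spawned_process", ev.get("image", "")))
            m = REMOTE_WMIC_RE.search(ev.get("command_line", ""))
            if m:
                findings.append(Finding(host, "remote_wmi_exec", f"target={m.group(1)}"))
        elif eid == 4698:
            m = TASK_COMMAND_RE.search(ev.get("task_content", ""))
            command = m.group(1).strip().strip('"').lower() if m else ""
            if command and not command.startswith(TRUSTED_TASK_PREFIXES):
                findings.append(Finding(host, "task_outside_system_paths", command))
        elif eid == 13 and RUN_KEY_RE.search(ev.get("target_object", "")):
            findings.append(Finding(host, "run_key_persistence", ev.get("details", "")))
    return findings


def hosts_with_wmi_and_persistence(findings) -> set[str]:
    """Hosts where WMI-driven execution was followed by a persistence mechanism:
    the sequence the article describes, and a far stronger signal than either alone."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items()
            if "wmi_spawned_process" in rules and rules & PERSISTENCE_RULES}


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:10} {f.rule:26} {f.detail}")
    print("correlated hosts:", sorted(hosts_with_wmi_and_persistence(results)))
```

On the constructed sample the rules fire once each for the WMI-spawned shell, the remote `wmic /node:` call, the out-of-path scheduled task and the Run key, and only HMI-01 is correlated, since it alone shows WMI execution followed by persistence. The benign notepad and defrag events produce nothing, which is the property to preserve when tuning the trusted-path list for a real plant.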


Anatomy of an Attack

For a concrete view of how sophisticated the threat facing manufacturers has become, consider what SpiderLabs found about "Operation SyncHole", a 2024–2025 campaign attributed to the Lazarus Group.

This campaign demonstrates the Lazarus Group’s established tactics, techniques, and procedures (TTPs), notably its use of supply chain and watering hole attacks, as documented in prior operations.

By exploiting a zero-day vulnerability in a secure file transfer tool used by a South Korea-based automotive parts manufacturer, the group deployed its ThreatNeedle malware.

Lazarus Group then used WMI for lateral movement, systematically mapping the manufacturer’s operational technology (OT) infrastructure. Persistence was secured through scheduled tasks and rootkits, ensuring prolonged access. Command and control (C2) traffic was routed through encrypted channels via proxy servers, masking the group’s North Korean origin and evading detection by standard security controls.

The operation escalated in late April 2025, when ransomware encrypted critical OT systems and disrupted production lines, followed by a substantial cryptocurrency ransom demand. Concurrently, sensitive intellectual property, including design blueprints for an electric vehicle battery, was exfiltrated, consistent with Lazarus’s dual objectives of espionage and financial gain. The incident caused significant operational downtime and potentially compromised South Korea’s competitive position in the global market.

Guarding the Factory Gate

LevelBlue is well positioned to protect manufacturers. Its legacy services and solutions, together with those added through several recent acquisitions, can be brought to bear on manufacturing organizations.

These include:

  1. Unified OT Security Monitoring (Co-Managed SOC): LevelBlue provides a 24/7 Co-Managed SOC that integrates traditional IT data with specialized OT security platforms like Nozomi Networks and Microsoft Defender for IoT.

  2. Passive OT Threat Detection (Asset Discovery): Using technology bolstered by the Trustwave acquisition, LevelBlue employs "passive" sensors. Unlike active IT scanners, which can crash sensitive legacy factory equipment by sending too many requests, these sensors simply listen to network traffic.

  3. OT-Specific Penetration Testing: LevelBlue’s SpiderLabs team offers specialized "Safe-to-Fail" penetration testing for industrial environments, simulating attacks on ICS (Industrial Control Systems) and SCADA networks over industrial protocols such as Modbus or EtherNet/IP.

  4. Managed Vulnerability & Exposure Management: Manufacturers often cannot patch machines because they must run 24/7. LevelBlue uses its newly acquired Alert Logic Exposure Management capabilities to prioritize "virtual patching": compensating controls, such as network segmentation and IPS signatures, that shield a known-vulnerable system until it can be taken down for a real fix.

  5. Incident Response for OT: With Cybereason’s AI-powered "MalOp" (Malicious Operations) engine, LevelBlue can trace an attack back to its root cause at machine speed.
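To make the passive-monitoring point in items 2 and 3 concrete, here is an added Python example (not LevelBlue’s, Nozomi’s or any vendor’s code) that decodes Modbus/TCP frames from a constructed capture without ever transmitting to the PLC, and flags write and diagnostic function codes that come from hosts outside an assumed allow-list of engineering stations. The host names and allow-list are assumptions; the MBAP header and function-code layout follow the Modbus/TCP specification.

```python
"""Passively decode Modbus/TCP frames and flag writes from unexpected sources.

Added example for this article, not LevelBlue or Nozomi tooling. Frames are decoded
from captured bytes only (nothing is sent to the PLC), which is what makes passive
OT monitoring safe on fragile equipment. The sample capture and the allow-list of
hosts permitted to write are constructed assumptions.
"""
import struct
from dataclasses import dataclass, field

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
DIAG_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    category: str  # read | write | diagnostic | exception | unknown
    description: str
    fields: dict = field(default_factory=dict)


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode one client-to-server Modbus/TCP ADU (MBAP header + PDU).

    Responses reuse the function code, so a real sensor also needs direction
    (TCP destination port 502 marks a request); this decoder assumes requests,
    except exception responses, which are unambiguous via the 0x80 bit.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match payload {len(frame) - 6}")
    fc, data = frame[7], frame[8:]

    if fc & 0x80:  # exception response: original function code + 0x80, one-byte exception code
        code = data[0] if data else None
        return ModbusFrame(tid, unit, fc & 0x7F, "exception", "Exception response", {"exception_code": code})

    fields: dict = {}
    if fc in (1, 2, 3, 4, 15, 16):
        start, quantity = struct.unpack(">HH", data[:4])
        fields.update(start=start, quantity=quantity)
    if fc in (5, 6):
        address, value = struct.unpack(">HH", data[:4])
        fields.update(address=address, value=value)
    if fc == 16:
        byte_count = data[4]
        fields["values"] = list(struct.unpack(f">{byte_count // 2}H", data[5:5 + byte_count]))
    if fc == 8:
        fields["subfunction"] = struct.unpack(">H", data[:2])[0]

    if fc in READ_FUNCTIONS:
        category, desc = "read", READ_FUNCTIONS[fc]
    elif fc in WRITE_FUNCTIONS:
        category, desc = "write", WRITE_FUNCTIONS[fc]
    elif fc in DIAG_FUNCTIONS:
        category, desc = "diagnostic", DIAG_FUNCTIONS[fc]
    else:
        category, desc = "unknown", f"Function {fc}"
    return ModbusFrame(tid, unit, fc, category, desc, fields)


def build_request(tid: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Assemble an ADU for the constructed capture (used only to build test bytes)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(pdu_data), unit) + bytes([fc]) + pdu_data


# Constructed capture: (source host, frame). HMI-01 is the only host allowed to write (assumption).
ALLOWED_WRITERS = {"HMI-01"}
SAMPLE_CAPTURE = [
    ("HMI-01", build_request(1, 1, 3, struct.pack(">HH", 0x0000, 10))),  # read 10 holding registers
    ("HMI-01", build_request(2, 1, 6, struct.pack(">HH", 0x0010, 0x0001))),  # legitimate setpoint write
    ("ENG-WS-07", build_request(3, 1, 16, struct.pack(">HHB", 0x0100, 2, 4) + struct.pack(">HH", 0x1234, 0x5678))),
    ("ENG-WS-07", build_request(4, 1, 8, struct.pack(">HH", 0x0001, 0x0000))),  # Restart Communications Option
    ("PLC-02", build_request(5, 1, 0x83, bytes([0x02]))),  # exception: illegal data address
]


def policy_alerts(capture, allowed_writers) -> list[str]:
    """Writes or diagnostics from hosts outside the allow-list; reads never alert."""
    alerts = []
    for src, raw in capture:
        try:
            f = parse_modbus_tcp(raw)
        except (ValueError, struct.error) as e:
            alerts.append(f"{src}: malformed frame ({e})")
            continue
        if f.category in ("write", "diagnostic") and src not in allowed_writers:
            alerts.append(f"{src}: unit {f.unit_id} {f.description} {f.fields}")
    return alerts


if __name__ == "__main__":
    for src, raw in SAMPLE_CAPTURE:
        f = parse_modbus_tcp(raw)
        print(f"{src:10} tid={f.transaction_id} {f.category:10} {f.description} {f.fields}")
    for a in policy_alerts(SAMPLE_CAPTURE, ALLOWED_WRITERS):
        print("ALERT", a)
```

Run against the constructed capture, the decoder classifies the HMI traffic as a read and an allowed write, raises two alerts for the engineering workstation (a multi-register write and a Restart Communications diagnostic, either of which can change process state), and treats the PLC’s exception response as informational. Everything here is derived from bytes already on the wire, so the sensor never issues a request that a fragile controller might mishandle.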
