[Check Point]: 2026 Manufacturing Threat Landscape - 发现报告

2026 Manufacturing Threat Landscape

Machinery & Equipment 2026-04-16 Check Point 张彦男 Tim
Report cover

TABLE OF CONTENTS
EXECUTIVE SUMMARY
MANUFACTURING INDUSTRY OVERVIEW 2025
MONTHLY ATTACK TRENDS
RECOMMENDATIONS
PREDICTIONS FOR 2026
CONTACT US

EXECUTIVE SUMMARY

In 2025, the manufacturing sector faced a sharp rise in cyber threats, with ransomware incidents targeting the industry up 56% year-over-year, accounting for roughly half of all global attacks. Key drivers included vulnerable legacy OT systems, complex supply chains, and increasingly sophisticated ransomware-as-a-service operations.

Major threat actors included Akira, Qilin, Play, Clop, Safepay, NoName057(16), and Chinafans. Regions most affected were the United States, Europe, India, Brazil, and China, with high operational and financial impacts reported across critical manufacturing processes.

Recommendations focus on implementing Zero-Trust architecture, enhancing OT/IT security, strengthening patching and backup strategies, improving employee training, and mitigating supply chain risks.

Threats are

MANUFACTURING INDUSTRY OVERVIEW 2025

The industrial and manufacturing sectors have increasingly become prime targets for cyber threats worldwide, with ransomware, data breaches, and supply chain attacks posing the greatest risks.

In 2025, global ransomware incidents surged 32% year-over-year, reaching 7,419 documented cases, while attacks specifically targeting manufacturing rose 56%, increasing from 937 in 2024 to 1,466 incidents. Manufacturing alone accounted for roughly 50% of all ransomware hits, reflecting its high operational criticality and the substantial financial impact of production downtime, which can cost millions per day.

The countries

Key drivers of this trend included the widespread presence of vulnerable legacy operational technology systems, increased reliance on complex supply chains, and the growing sophistication of ransomware-as-a-service operations

MONTHLY ATTACK TRENDS

In December 2025, the manufacturing sector experienced a noticeable spike in cyber-attack activity, driven by a convergence of year-end operational pressure and attacker opportunism. As manufacturers entered peak

Ransomware groups such as Akira and Qilin intensified targeting during this period, exploiting reduced staffing over the holidays, delayed patching tied to fiscal year transitions, and persistent OT vulnerabilities.

MAIN THREAT ACTORS

Akira

Overview - Akira is a ransomware threat actor group active since March 2023, potentially linked to the defunct Conti ransomware syndicate. It primarily targets small and medium sized businesses but has expanded to

Motives - primarily financial, employing a double extortion model to encrypt data and threaten leaks of exfiltrated

Attack vectors - initial access via VPNs lacking MFA, exploiting CVEs, spearphishing, and RDP.

Notable incidents - In 2025, Akira was involved in a breach at Südkabel, a German cable manufacturer, where 27 GB of data including NDAs, financial records, and employee/customer contacts were exfiltrated, leading to

Qilin

Overview - Qilin, also known as Agenda, is a Russia-based ransomware-as-a-service group first observed in 2022, operating through affiliates who use its malware and infrastructure to conduct attacks.

Motives - financial extortion, combining system encryption with massive data theft to pressure victims into paying ransoms, often targeting critical infrastructure for maximum disruption and leverage.

Attack vectors - deploying ransomware for encryption, exfiltrating terabytes of sensitive data, publicly claiming responsibility on leak sites, and scaling operations via affiliates, with a focus on rapid execution

Notable incidents - In 2025, Qilin targeted a manufacturing and logistics firm, stealing 29,843 files including debtors/creditors lists, bank statements, and internal documents, causing potential supply chain disruptions.

Latest IOCs –

Play

Overview - Play, also called Playcrypt, is a ransomware group active since June 2022, presumed to be a closed operation emphasizing secrecy, with around 900 affected entities reported by the FBI as of May 2025.

Motives - financial, using double extortion to exfiltrate data before encryption and threaten leaks on a Tor-hosted site, demanding cryptocurrency ransoms without initial specifics in notes, and escalating via emails or calls.

Attack vectors - initial access through abused valid accounts, exploited applications, defense evasion by disabling antivirus with GMER/IOBit/PowerToo, credential access via unsecured creds and impact through intermittent

Notable incidents - In 2025, Play breached ADC Aerospace, a U.S. manufacturing firm, exfiltrating internal/client documents, budgets, payroll, IDs, and confidential info, which was posted on their dark web site, leading to operational

A0L0I1

No information was found about this TA.

NoName057(16)

Overview - NoName057(16) is a pro-Russia hacktivist group created as a Kremlin-backed project by the Center for the Study and Network Monitoring of the Youth Environment, active since March 2022, collaborating