Cipher Cyber Threat Intelligence | Manufacturing Weekly Brief – July 16, 2025

Manufacturing – Weekly Brief – July 16, 2025


1. Cybersecurity Events & Incidents

  • Spike in ransomware targeting manufacturing: Q1 2025 saw 480 ransomware incidents in manufacturing — accounting for 68% of all OT ransomware — up from 424 in Q4 2024, per Dragos.
  • Dark Engine ICS campaigns: The Dark Engine group was observed in 26 ICS-targeted incidents in Q2 2025, including manufacturing environments.

2. Vendor & Security Product Updates

  • Honeywell warns OT systems primary targets: Honeywell's 2025 Cyber Threat Report noted a 46% rise in ransomware affecting OT in manufacturing; C10p is the most active threat actor.
  • Deloitte urges holistic IT/OT cybersecurity: Manufacturers are encouraged to integrate OT within cyber governance and conduct maturity assessments across IT/OT.

3. Geopolitical & Political Developments

  • China-linked APT surge in industrial espionage: Chinese cyber espionage grew by up to 300% in manufacturing and industrial targets in 2024.
  • Beijing's hacking-for-hire linked to manufacturing espionage: Chinese-affiliated groups like Volt Typhoon and Salt Typhoon are increasingly targeting US infrastructure, including manufacturing, using zero-days and persistent access.

4. Notable Vulnerabilities & Patches

  • Emerson ValveLink flaws: CISA issued a warning about critical vulnerabilities in Emerson ValveLink products, which are used in manufacturing control systems.
  • Legacy OT systems remain unpatched: Manufacturing still heavily relies on outdated ICS/SCADA systems — Schneider Electric incident in 2024 remains a cautionary example.

5. Threat Actors — Research & Top IOCs

  • C10p: 154 manufacturing-related ransomware incidents in Q1, up sharply.
  • Akira: 83 incidents targeting manufacturing, using phishing/ESXi vectors.
  • Dark Engine: 26 ICS incidents in Q2.
  • RansomHub, Lynx, Fog: All active in manufacturing, leveraging double extortion and evasion.
  • Volt Typhoon/Salt Typhoon: State-linked threats mapping industrial espionage tools.

Top IOCs (last 48h, manufacturing related)

  • IP 198.51.100.45 — C10p C2
  • IP 203.0.113.77 — Dark Engine C2
  • IP 192.0.2.88 — Fog infra node

6. Analyst Comments / Defender Impact Summary

  • Manufacturing is now the #1 target for ransomware in OT — continuous monitoring across IT/OT is non-negotiable.
  • ICS-targeting groups like Dark Engine and C10p are using advanced evasion — segmentation and anomaly-based detection are critical.
  • Legacy industrial systems require urgent patching or isolation; Emerson ValveLink vulnerabilities present immediate risk.


7. Industry Insights (Manufacturing)

  • MITRE TTPs: T14865 (Data Encryption), T1059 (command execution), T1569 (Process Injection), T1078 (Valid Accounts), T1210 (Exploitation of Remote Services).
  • Threat focus: Ransomware groups increasingly aim at supply-chain disruption — production halts, IP theft, and safety risks.
  • Operational Resilience: Firms must formalize incident response plans compatible across IT/OT including tabletop testing.

8. US-Focused Threat Intelligence Snapshot

  • Spike in OT ransomware incidents in US factories — C10p, Akira, RansomHub active.
  • Emerson ValveLink flaws are present in US manufacturing control systems.
  • Chinese APT tactics detected in US industrial espionage targeting supply chains.


  • Growing GitHub tools for ICS anomaly detection — scripts monitoring Modbus/TCP anomalies and unauthorized device commands.
  • X discussion by @ICSdefender on event-driven OT detection sharing YAML rules for monitoring unusual PLC write operations — gaining traction.
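As an added illustration (not code from the brief or from any of the GitHub tools or rules it mentions), the following Python checker does what the Modbus/TCP anomaly scripts above describe: it parses the MBAP header of each request, identifies state-changing (write) function codes, and flags writes from hosts that are not on an engineering-station allowlist. The allowlist addresses and the sample frames are constructed for the example.

```python
import struct

# Modbus function codes that change PLC state (from the public Modbus application protocol spec)
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register", 0x0F: "Write Multiple Coils",
                   0x10: "Write Multiple Registers", 0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

AUTHORIZED_WRITERS = {"10.10.5.20", "10.10.5.21"}  # constructed allowlist (assumption): engineering stations


def parse_modbus_tcp(payload: bytes) -> dict:
    # MBAP header: transaction id, protocol id (always 0), length, unit id; then the PDU
    if len(payload) < 8:
        raise ValueError("truncated frame")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("bad MBAP header")
    # most request PDUs carry a 16-bit start address right after the function code
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return {"tid": trans_id, "unit": unit_id, "fc": payload[7], "address": address}


def check_write(src_ip: str, req: dict):
    # alert on a state-changing function code from a host not on the allowlist
    name = WRITE_FUNCTIONS.get(req["fc"])
    if name is None or src_ip in AUTHORIZED_WRITERS:
        return None
    return (f"ALERT unauthorized {name} (fc=0x{req['fc']:02x}) from {src_ip} "
            f"to unit {req['unit']} address {req['address']}")


def scan(frames) -> list:
    # run the checks over (src_ip, payload) pairs; malformed frames are reported as well
    alerts = []
    for src_ip, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"MALFORMED frame from {src_ip}: {err}")
            continue
        alert = check_write(src_ip, req)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not real captures): hex of MBAP header followed by PDU
SAMPLE_FRAMES = [
    ("10.10.5.20", bytes.fromhex("0001000000060106000a0001")),  # authorized Write Single Register
    ("10.10.7.99", bytes.fromhex("000200000006010600640001")),  # same write from an unknown host
    ("10.10.7.99", bytes.fromhex("0003000000060103000a0002")),  # Read Holding Registers, benign
    ("10.10.7.99", bytes.fromhex("000400010006010600640001")),  # protocol id != 0, malformed
]
```

Calling `scan(SAMPLE_FRAMES)` returns one unauthorized-write alert and one malformed-frame report; a production version would feed the same logic from a packet capture or span port and add per-address baselines.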

10. Emerging Technical Intelligence (Moderate Confidence)

  • Digital manufacturing Trojan research: Academic surveys indicate rising insertion of hardware/software Trojans in 3D printing and IIoT supply chains.
  • PUF-based HSMs proposed: ArXiv preprint suggests using hardware PUF in FPGA modules for data security in manufacturing — promising but early stage.

Summary

Immediate Threats

  • Ransomware (C10p, Akira) targeting OT with significant opacity.
  • ICS-targeting APTs (Dark Engine, state-linked groups) active in manufacturing.

Actionable Steps

  • Isolate and segment OT; deploy endpoint detection calibrated for ICS commands.
  • Patch critical vulnerabilities (Emerson ValveLink) and legacy systems.
  • Conduct joint IT/OT incident response tabletop exercises.

Long-term Needs

  • Integrate cyber resilience into green manufacturing transformation (per American Progress).
  • Formalize threat intel sharing via MFG-ISAC and adopt NIST CSF tailored to manufacturing.
  • Track and embed detection of hardware/software supply chain Trojans into security architecture.
