Hackers take aim at manufacturers

Aug. 21, 2025
Anyone can fall victim, but you can take many proactive measures to thwart potential attacks.

By Karen Hanna 

A young woman sits down at a computer and gets to work. 

This company’s management is stupid. I want my money; I’ve done my work. It’s time to get paid. 

But they keep evading my questions and demands. My patience is shot, and I won’t abide further frustration. 

“We are the only ones with a copy of this data now,” I write. “Stop this nonsense. ... Make the correct decision and pay the ransom. If you keep stalling, it will be leaked. Do not waste time.” 

I hit send and wait for my Bitcoin coffers to fill.  

***  

The cybersecurity field is filled with so-called “White Hats” — information technology (IT) experts devoted to helping others fight off hackers.

Christopher Fielder, field CTO at Arctic Wolf, a security operations platform, is one of the good guys.  

Any given company has about a 50-50 chance of being breached in the next year, he said. “At some point, we are all potentially victims.” Manufacturers are among the most commonly targeted. 

The email excerpt above is real, written by teenager Matthew Lane, who last year fired off the extortion demand from a server based in Ukraine to rip off PowerSchool, a Folsom, Calif., company that offers software and cloud-based learning platforms for students in kindergarten through high school.  

The rest of the italics represents a composite of a hacker’s thought process, based on characterizations of so-called “Black Hats” by Fielder and others.  

In May, Lane, a student at Assumption University, Worcester, Mass., pleaded guilty to one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft.  

Others like him are still out there.  

In a survey earlier this year of 1,200 IT and security decision makers at companies in the U.S. and abroad, as part of its “2025 Trends Report,” Arctic Wolf found that 70 percent had experienced a significant cyberattack last year. Of them, 64 percent reported a loss of productivity lasting at least three months; 24 percent of organizations saw productivity drop for six months or longer. 

Of about a dozen industries, manufacturing ranked in the top five most-targeted sectors for the three kinds of cyberattacks that last year accounted for 95 percent of all attacks Arctic Wolf clients reported – ransomware, business email compromise and intrusions, according to another company analysis, the “2025 Threat Report.” 

Accounting for legal bills, downtime, damaged equipment, reputational harm and other potential headaches, the price of putting off cybersecurity protection can be disastrous — “probably something on the order of 40 times what it’ll cost to defend your systems,” said Patrick Curtin, director of technical sales for Field Effect, another cybersecurity-services firm. With good backups, manufacturers might be able to resume work within two or three weeks. 

If that doesn’t worry you, consider this: According to Arctic Wolf, over 40,000 vulnerabilities — weaknesses or flaws in computer systems that open a door to hackers — were recorded in 2024. 

*** 

I needed money, and some gamer friend pointed me to the dark web.  

It blows my mind you can literally lease kits to break into other people’s computer systems.  

I mean, wow!

I’m not some Bill Gates character. I’m not a nerd. I don’t think in 1’s and 0’s, just dollar signs.  

It's nothing personal. I don’t care about your business. I care about mine.  

Ransomware-as-a-Service (RaaS) is gonna make me rich.

Passw0rd101: Aim for strength 

Cable bills, bank accounts, health records, they’re all locked behind passwords. And for many of us, attempting to log in is an Olympian feat of memory.  

Maybe that’s why so many passwords are weak. Among the most common: 123456, secret and cheese. According to encryption service NordPass, we also like football, superman and sunshine.

Based on a survey reported on by SecurityInfoWatch, a Plastics Machinery & Manufacturing sister publication, 18 percent of employees reuse passwords across work accounts and 78 percent said they’re not fully confident in spotting more-advanced phishing attacks like deepfakes or voice spoofing.

Want to protect yourself and your accounts? Do better. 

According to Arctic Wolf, 56 percent of organizations that experienced a significant cyberattack had not implemented multi-factor authentication (MFA). 

Companies looking to protect themselves can start with advice that every computer user should know: Back up your files, use strong encryption like two-factor authentication for passwords, avoid mixing work and pleasure — even at home, work secrets and devices need scrupulous oversight. 

“It’s not that hard to make yourself a hard target,” said Curtin, who compared hackers to thieves in a parking lot. “Again, in the car, roll up the windows, lock the door, put the steering lock on, maybe put an immobilizer on. In cyberland, there are similar steps to take that aren’t that daunting. They do require some effort ... but it’s not unreasonable at all for 2025, so you invest there, then it makes it so much less likely that you’re going to be brought to your knees in a cyber breach.” 

Passwords and email represent access points that are easy to jimmy.  

“One little, tiny mistake can cause a catastrophic series of events, and that’s really all it takes — one person clicking on an email,” said Jesse Varsalone, an associate professor of cybersecurity at the University of Maryland Global Campus. 

Other common vulnerabilities include improperly secured remote access applications, such as Virtual Network Computing (VNC) programs, and virtual team tools that allow people to collaborate from desktops or devices that are geographically distant from each other. They also include improper use of Virtual Private Network (VPN) systems, which route internet traffic through a remote server.

“You’re essentially opening up a doorway into your environment,” Fielder said. 

Varsalone said employees who work from home can more easily leave proper computer-usage protocols at the office.  

Tools such as Remote Desktop Protocol (RDP) capabilities are particularly easy for hackers to leverage, Curtin said.

“Say you’re doing everything right,” Varsalone said. “ ‘I audited the cloud system. I have all these monitoring [applications], everything set up.’ You’re paying a premium every month. But your employee is taking their personal laptop where their kid plays Minecraft and all these other things, and then they’re hooking up to your system from home. They’re remoting in [via] their VPN. That’s one of the recommendations that will commonly come up is, ‘What kind of systems are people [using] working from home?’ ”

Such tools must be used with care, Fielder said. “Not to say there’s anything wrong with them — they’re needed — but organizations are not taking the steps to secure them like they should, and if you can use them to get access to a system, then attackers can use them, as well.” 

Surviving a cyberattack 

One company that’s already paid the price is a manufacturing facility in Minnesota. Some might argue, how could it not answer the ransom demand? No orders get filled while criminals lock up the data and hold recipes, machinery and business contracts hostage.  

“When the cybercriminals go in, they’ll steal your data, they’ll steal your customer lists, and then they'll encrypt you,” Curtin said. “So, they’ve got a bunch of leverage, right? We call that double extortion. They will then exert that leverage to try and get a ransom, try and get paid. They will scale their demands. They’re not going to ask the same of a 40-person organization as a 10,000-person organization, but it hurts.”  

In reference to the Minnesota facility, Curtin said, “I was talking to a plant that got hit in Minnesota, a 200-person operation. … Because they didn't have some of these safeguards in place, they had no choice, which is really sad. They survived, and then they engaged my company to defend them.” 

Your company has a plan for fires. You know which doors to exit, and which to keep closed. Which employees report to whom? Where do they go in the event of an emergency, and who watches out for whom?  

But in your servers and in the cloud, another crisis could already be smoldering.  

“The misconception is that the cybercriminals are only going after the big people,” Curtin said. 

Not true.  

He continued: “They’re going after the mom-and-pop-shop operations, as well. It’s just that those don’t make the news.”  

Patch the weak spots 

Curtin offers this sobering reality: Every externally facing system is constantly being scanned for vulnerabilities. But he said that's not because everyone is a cat burglar looking for an open window; legitimate actors like Google and Windows also are performing once-overs.  

“Attackers are not going out there and saying, ‘We’re trying to leverage every potential weak system that there is,’ ” Fielder said. “They’re primarily targeting the most popular ones. ... If you can protect against those, then you can really protect your environment from a majority of attacks that are occurring.” 

Here’s the good news: “Vulnerability management can seem like a never-ending game of high-stakes Whac-A-Mole — but a little prioritization can take away attackers’ favorite means of infiltration,” according to the Arctic Wolf report.  

The report found that just 10 vulnerabilities accounted for 76 percent of all intrusion cases.  

Patches exist for all 10. 

Not that the Black Hats aren’t engaged in some continuous improvement of their own. 

*** 

I always hated school. But doing this work, I have found so much information online that's actually interesting.

This job attracts lots of competition, and not every company is run by idiots. They're starting to take precautions, so there's stuff I have to learn, if I want to continue making money.

A challenge is nice, but I'd rather things came easy.

What, you think I'm trying to get caught?

All along the (cyber) watchtower

Just like fires, cyber risks don’t take a day off. Neither should efforts to prevent a hack. 

It’s a 24/7/365 job, Fielder said. 

“Take that approach of assuming that somebody is already in your environment and you have to find them, and you have to respond to it. That way, you can respond very quickly and then understand what your environment is really made of. Make sure that you have full visibility,” he said. “You cannot have any dark spots in your environment, because if you do, that’s where, just like with a fire … if you were to have any area of your environment that is not watched by people and it’s not monitored, that’s where a fire could break out, that’s where it could spread. Same thing with a cyberattack.” 

Fielder said company administrators should ask themselves, “ ‘Do I have a security program? Do I have a security policy or something in place that I could start to rebuild and reformat?’ ”  

He and Curtin recommended that companies consider outside help to perform tasks such as security assessments and regular monitoring. Smaller companies, especially, might lack the bandwidth to go it alone. 

“There are contracts — we are one of them — that can help you monitor your environment, respond to threats, and, if something were to occur, help you get out of trouble. But it’s also about keeping you from getting into trouble, being able to detect and respond as quickly as possible,” Fielder said. 

To get started, companies — or the third-party experts they hire — should take stock of all their technology and assess its current protection levels.  

One obvious way to protect software is by simply keeping it up-to-date, Curtin said. Monitoring can reveal software that’s running unpatched, and watch for both intruders and potential intrusion points. 

Fielder said without constant monitoring, ransomware can go unnoticed for weeks or even months, lying in wait to ambush users.  

“A lot of times ... an attacker will get in and they’ll plant that logic bomb, and they’ll set a timer and wait for it to go off once they’ve already gotten out of the environment. And they’ll wait for your systems to run, and they’ll wait for you to execute maybe new contracts … new data, and they’ll steal that so they have the latest and greatest. They’ll wait for you to do backups, and then they’ll implant their cells ... so that if you try to restore, you’re reinstalling infected software or something that has a weakness in it. So, yes, a lot of times, attackers will lie dormant. That’s why nation-states are often referred to as APTs — Advanced Persistent Threats — because they are low and slow.” 

According to the Arctic Wolf survey, only one-quarter of respondents could say with confidence that their systems had not been breached; 52 percent of organizations reported at least one intrusion; many simply didn’t know either way. 

Tending to older technology 

Not all technology can interact with the outside world safely. But if it’s old, or especially vulnerable, it can be locked away more securely.  

According to a Rockwell Automation report, “The enormous amount of legacy equipment on plant floors today was not built to connect to the internet. It’s outdated, frequently unpatched and in many cases, not patchable. This equipment may carry recognized vulnerabilities, or were designed with no capacity to protect themselves.” 

To mitigate the spread of an attack, Curtin advised segregating IT from operational technology (OT) systems.  

“You don't want to have one big flat network where, say, HR and all your billing information is in the same area as your manufacturing [equipment]. ...” he said. “You would have kind of an IT zone. You would have a manufacturing zone.”

Though only the most-modern systems can be optimally protected, Curtin conceded that sometimes, companies have to maintain the aging systems they already have.  

In those cases, Curtin said, with “really old gear, put it in its own zone,” with “eagle eyes on traffic.” 

He and Fielder said the goal should be identifying soft targets and making the path to them as difficult as possible. 

“If it’s something that’s IoT and you can’t really install an agent on or you can’t monitor yourself, then be able to monitor around it. The way that we always approach it is, if you can’t secure the device, then secure the path to the device. If you can’t protect that piece of equipment, protect the pathway, and monitor the pathway to that equipment, so that you can stop things or identify things they’re trying to get to it, or take things from it,” Fielder said. 

In many cases, such equipment can be protected through virtualization — basically, a process of creating snapshots of various versions of software and burrowing it away in safe zones within other, more-secure systems, the White Hats explained.  

“It makes sense to apply the patches, so you’re making it harder on the bad guys. But in the case of manufacturing, sometimes you have systems that can’t be patched,” Curtin said. “It can’t be upgraded. So, then what? Well, there’s a whole approach for that. You need to set up a secure zone for those to be in. Those things can’t be looking out at the internet.”  

In one case, Varsalone worked with a client that needed a long-obsolete version of Windows, with no more available security patches. 

“They were running a Packard Bell, and it ran Windows 98, and obviously, Packard Bell has been out of business for 20 years. You can’t get those parts, you can’t get that motherboard,” he said. “Basically, I took the hard drive out and I made a forensic image of it, and I put it in a virtual machine, and I was able to rebuild everything. And now the virtual machine can be copied, it can be backed up, you can do things like updates.” 

The virtual copies exist in a nesting doll, with the newest, most-secure version serving as a “secure crate” that provides protection for the outdated versions running inside, Fielder said. 

Varsalone also said virtualized copies can be air-gapped away from networks that could have public-facing entry points. 

They provide moments in time that allow users to revert to backups, if something goes wrong, and administrators can add to the snapshots as they go, creating an internal album that allows them to continue running — and even building on — technologies that otherwise might have met their end.  

“What’s great about virtualization is they can keep testing it until it works, and once it’s exactly as they want, they can take a snapshot, and then they can do more testing and say, ‘Well, what happens if we try to add this module? We’ve never been able to add this module before without the system crashing.’ And they can try different experiments. The snapshotting, basically taking a picture of it working over time, is invaluable,” Varsalone said. 

*** 

I don’t always need to break into a company. Sometimes, I just buddy up with some moron cleaning out his inbox. 

I don’t like writing, so I ask ChatGPT for a phishing email. Nope, it’s too ethical for that.  

But this is for “research,” I plead. 

Now, we’re cool:

“Dear [Employee Name], 

We have detected an unusual login attempt to your account from an unknown device in Belgrade, Serbia on Monday, July 22 at 3:12 a.m. EST. … If this wasn’t you, please verify your identity immediately by clicking the link below. …”  

Lol. Somebody at this company is about to get promoted to IT administrator — they just won’t know it. 

AI enters the chat 

Just like old technologies, new technologies bring their own set of worries.

According to the Arctic Wolf survey, for the first time in four years, ransomware wasn’t IT leaders’ primary concern; AI was.

“We tell people to just be aware of where technology is going, how you’re utilizing it, how it’s being used in your industry, how it’s being used by attackers. And that way, you can keep an eye on the overall environment and any potential weaknesses that could occur,” Fielder said. 

But as the Arctic Wolf report cautions, “A real risk with AI’s novelty and hype is that it is distracting from genuinely larger risks.”

Fielder said companies need formal policies stating how AI can — and can’t — be used. 

“That’s a big question mark right now. … How are these threat actors going to utilize artificial intelligence, and how is artificial intelligence going to play into the overall technology landscape? So, we’ve been monitoring that very closely. We already see attackers making use of artificial intelligence. Sometimes, it’s helping them write phishing emails. Think of ChatGPT; it’s making the concept of social engineering and phishing way easier for attackers,” he said. 

Workplaces must be sure that secret data isn't available to AI’s prying eyes. 

“What you don’t want to happen is somebody puts that into an OpenAI, because then you’ve leaked those secret recipes,” he said.  

But AI can be friend, as well as foe.  

For cybersecurity specialists, AI provides pattern-recognition capabilities for sounding early warnings when something has gone off-kilter in systems that are being monitored.  

It can recognize right away when someone has logged in on an unfamiliar device, or has executed atypical actions or performed tasks at times when the shop is supposed to be closed. 

“All those things that the cyber criminal does are observable. It’s just not that easy to see, because it’s like [finding] the needle in the haystack in a field full of stacks,” Curtin said. “So, we provide the analytics that will find those things. Put us on your system, we’re going to be looking for that stuff. And then if you give us permission, when they’re attacking you in the middle of the night and they’re doing bad stuff at 2 a.m., we’re going to be quarantining systems, so that it doesn’t spread.” 

Future-proofing your operation 

In case you’re wondering, no, I don’t tell people what I do for a living. Most people hate their jobs, anyway. Who wants to talk about that?  

It's not like I'm smashing car windows and rooting around for change.

Think of it like playing slots. I'm just logging in, doing my thing, looking for a score. I mean, who doesn't need money?

*** 

Somewhere, there’s a gang of criminals overseas, or maybe a kid down the street, sizing up their next victim. 

Cybersecurity experts say that could be you. 

Whether you play for the good guys or the bad guys, this game of cat and mouse — as Curtin and Varsalone call it — is always evolving.  

“It all goes back to acknowledging that it’s 2025, and cybersecurity is really important. All these big companies are getting hacked. Little companies, medium-scale enterprises are being hit, unfortunately, as well,” Curtin said. 

Like other cybersecurity experts, Curtin understands both the effort of trying to prevent an attack, and the costs of recovering from one. 

The trauma of an attack can leave a lot of scar tissue, as Curtin has seen in his contacts with the Minnesota manufacturer.

“That organization I mentioned, they get very emotional thinking about how we helped them get back on their feet, because they’re in a smaller town, where that 200-person plant is a good chunk of [what] that town is built around. For me, it’s like, ‘Wow, we’re having a real impact on those people, and we can be really proud of the work we’re doing to support that organization.’ ” 

By making things harder for hackers, companies just might entice RaaS users and other criminals to look elsewhere for their next shakedown. With that effort, manufacturers can keep their machines running and their employees working. 

In presentations he makes to companies, Curtin has one message:  

“We need to take steps to protect and monitor the IT. Or at some point it’s going to happen to us, and it will be ugly.” 

About the Author

Karen Hanna | Senior Staff Reporter

Senior Staff Reporter Karen Hanna covers injection molding, molds and tooling, processors, workforce and other topics, and writes features including In Other Words and Problem Solved for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. She has more than 15 years of experience in daily and magazine journalism.