
Major Cyber Attacks Targeting Manufacturing Industry in 2025
In 2025, the global manufacturing sector faced a growing wave of cyberattacks. Factories, supply chains, and industrial systems became prime targets for ransomware groups, hacktivist collectives, and financially motivated threat actors. These attacks disrupted operations, exposed sensitive data, and caused severe financial damage.
The cost of cyberattacks in manufacturing is increasing faster than in any other industry. According to the World Economic Forum and IBM X-Force, global losses in the sector are rising by 125% each year. If this trend continues, cybercrime could cost the global economy up to $10 trillion by the end of 2025.
Attackers often exploit outdated systems, insecure third-party integrations, and gaps in operational technology. Stolen data from manufacturing firms regularly appears on dark web forums and Telegram channels, fueling further threats and extortion attempts.
This blog highlights the most significant cyber incidents that targeted manufacturing organizations worldwide in 2025. It also explores the tactics used by attackers and the key lessons for improving industrial cybersecurity.
Dark Web Insights on Manufacturing Threats in 2025
Manufacturing appeared in only 4% of dark web cybercrime posts in 2025. Yet this small share hides a bigger threat. Threat actors treat the sector as a strategic target due to its global supply chain value and its exposure to ransomware and access sales.

Most mentioned industries on the Dark Web (Source: SOCRadar Dark Web News)
SOCRadar monitored hacker forums and Telegram channels throughout the year. Many posts included factory credentials, leaked internal data, and offers for unauthorized access. These were not passive leaks. Most showed signs of active reconnaissance or ongoing operations.

Top victim countries mentioned on the Dark Web (Source: SOCRadar Dark Web News)
The United States was the most mentioned country in manufacturing-related posts. It accounted for nearly 18% of all activity in this category. India, the United Kingdom, Italy, China, and France followed, each with a steady presence in dark web discussions.
This pattern shows that manufacturing attacks are often deliberate and well-prepared. When a factory appears in dark web chatter, attackers are likely already in motion. Monitoring these signals gives early warning before the damage is done.
Why Cybercriminals Target the Manufacturing Industry
Manufacturing stays on the radar of cybercriminals due to several structural and operational weaknesses:
- High-pressure operations: Downtime stops production and causes immediate financial losses. Attackers use this pressure to demand fast payments.
- Outdated systems: Many facilities rely on legacy ICS and SCADA platforms that lack modern security controls.
- Supply chain exposure: Attackers often reach large manufacturers by exploiting smaller third-party vendors.
- Low cybersecurity maturity: Phishing, weak passwords, and poor network segmentation remain common.
- Valuable industrial data: Blueprints, contracts, and proprietary designs can be sold or leaked for extortion.
- Strategic relevance: Nation-state groups often target manufacturers linked to defense, energy, or critical infrastructure.
These factors make manufacturing a preferred and profitable target on the dark web and beyond.
SOCRadar Attack Surface Management helps secure your digital footprint by continuously monitoring exposed assets, vulnerable software, and SSL certificates across your infrastructure. It provides real-time alerts for critical vulnerabilities linked to your systems, enabling faster remediation. The platform also detects shadow IT and unauthorized systems, helping you identify hidden threats before they can be exploited.

SOCRadar Attack Surface Management
Major Manufacturing Cyberattacks You Should Know in 2025
In 2025, cyberattacks against the manufacturing industry have continued to surge, driven by ransomware gangs, espionage-motivated actors, and supply chain vulnerabilities. Below are five notable incidents that highlight the evolving threat landscape and the sector’s ongoing exposure on both technical and operational fronts.
1. Sarcoma Ransomware Hits Unimicron
In late January 2025, Unimicron, a global leader in printed circuit board (PCB) production, experienced a ransomware attack that disrupted operations at its China-based subsidiary. The company, which supplies critical components for electronics and semiconductors, reported the incident to the Taiwan Stock Exchange and initiated a forensic investigation.
The attack was later claimed by the Sarcoma ransomware group, which posted Unimicron on its dark web leak site. The threat actors allege they stole 377 GB of sensitive company data, including SQL files and internal documents. As part of their extortion strategy, Sarcoma released a small batch of samples and warned that the rest would be published unless their demands were met.
2. Cyberattack Disrupts U.S. Steel Manufacturer Nucor Corporation
In May 2025, Nucor Corporation, the largest steel producer in the United States, reported a cyber incident involving unauthorized access to its IT systems. The breach prompted the company to shut down parts of its network, activate incident response procedures, and suspend production across several facilities.
Nucor is a key supplier of steel for U.S. infrastructure projects and one of North America’s largest scrap recyclers. The incident was disclosed in a regulatory filing submitted to the U.S. Securities and Exchange Commission (SEC).
The company is working with external cybersecurity experts and law enforcement while gradually restoring affected systems. Although the operational disruption was temporary, the overall impact is still being assessed. No threat actor has claimed responsibility, and it remains unclear whether the attack involved ransomware or data theft.
3. Cyberattack Disrupts Operations at Masimo Manufacturing Facilities
On April 27, 2025, medical technology company Masimo detected unauthorized access to its internal network, prompting an immediate incident response. The company reported the breach in an SEC filing, confirming that some manufacturing operations were affected and order processing was temporarily delayed.
Masimo isolated compromised systems, activated containment measures, and engaged external cybersecurity experts to support the investigation. Law enforcement was also notified. While the company has not confirmed data theft, it acknowledged reduced capacity at certain manufacturing sites and ongoing recovery efforts.
The nature of the attack has not been disclosed, and no threat actor has claimed responsibility. Although the disruption aligns with typical ransomware activity, there is no official confirmation linking the incident to a specific malware group.
4. Ransomware Attack Impacts National Presto Industries
On March 1, 2025, National Presto Industries experienced a cyberattack that disrupted internal systems. The company reported the incident in an SEC filing and began recovery efforts to restore operations.
Later, the InterLock ransomware group claimed responsibility and listed subsidiary National Defense Corporation on its leak site. The group alleges it stole millions of files and encrypted systems across multiple business units, including a military supplier.
National Presto has not confirmed the group’s claims. InterLock stated that ransom talks failed after the company downplayed the impact and refused to negotiate.
5. Ransomware Attack Disrupts Operations at Sensata Technologies
On April 6, 2025, Sensata Technologies detected a ransomware attack that disrupted parts of its global operations. The Massachusetts-based company, which supplies sensors and electronic components for the automotive and aerospace industries, reported the incident in an SEC filing.
The attack led to the encryption of files and temporary shutdowns in areas such as manufacturing, shipping, and support services. Sensata confirmed that some data was also stolen, and a forensic investigation is ongoing to determine the scope of the breach.
While the company has implemented temporary solutions to continue limited operations, a full recovery timeline remains uncertain. No ransomware group has claimed responsibility so far, and the financial impact is still being assessed.
Hacker Forum Activities Linked to Manufacturing
Throughout 2025, hacker forums have featured a steady stream of activity related to cyberattacks targeting the manufacturing industry. From breach claims and stolen data listings to tool sharing and access offers, these underground discussions reveal how threat actors exploit the sector’s digital weaknesses. Unlike structured leak platforms, forums often host early-stage chatter or loosely detailed posts shared under pseudonyms.
While many of these discussions offer valuable clues, they should be viewed as unconfirmed claims unless supported by further evidence.
1. Coca-Cola-Linked Data Theft Claims Appear on Dark Web

Alleged Coca-Cola data breach
SOCRadar identified two separate posts on dark web platforms claiming unauthorized access to Coca-Cola and its subsidiary, Coca-Cola Europacific Partners. In the first case, an actor using the alias Everest shared what appeared to be internal corporate documents allegedly taken from Coca-Cola systems. In another post, a user named Gehenna, active on a recently popular hacker forum, claimed to have exfiltrated over 23 million Salesforce records tied to Coca-Cola Europacific Partners. The data was said to include CRM entries, contact information, and product-related details spanning from 2016 to 2025.
Monitoring such claims across forums, leak sites, and messaging platforms provides valuable context for potential targeting activity. SOCRadar’s Dark Web Monitoring helps illuminate hidden threats before they strike by providing real-time visibility into deep, dark, and surface web activity. It enables organizations to detect stolen credentials, financial scams, and stealer logs, while also offering dedicated protection for executives and brand reputation. With its advanced search capabilities and country-specific insights, it allows security teams to act on relevant threats before they escalate.

SOCRadar Dark Web Monitoring
2. Samsung Germany Customer Data Allegedly Leaked on Hacker Forum

Alleged Database of Samsung Deutschland is Leaked
SOCRadar observed a post on a popular hacker forum claiming the release of a database tied to Samsung Electronics’ German division. The post, dated March 2025, includes a download link and a brief description of the breach. According to the actor, the leaked dataset contains over 270,000 customer satisfaction tickets, allegedly exposing personally identifiable information such as full names, addresses, and email details.
3. Renault Data Allegedly Leaked Following Third-Party Breach

Alleged Data of Renault S.A. are Leaked
SOCRadar identified a post on a hacker forum claiming that sensitive data belonging to Renault S.A. was exposed in connection with an attack on OneDealer, a third-party service provider. According to the forum post, the breach occurred in February 2025 and led to the leak of over 17 GB of data, allegedly including more than 140,000 internal files.
The exposed documents allegedly contain business contracts, partner invoices, and other confidential materials. The incident was tied to leaked AWS credentials that allegedly granted access to Renault’s data environment.
4. Alleged Pirelli Data Breach Advertised for Sale on Hacker Forum

Alleged Pirelli Data Breach
SOCRadar detected a post on a hacker forum in which a threat actor claimed to have breached the internal network of global tire manufacturer Pirelli. According to the post, the actor accessed subnetworks across 28 countries where Pirelli operates and is now offering the stolen data for sale after alleged ransom negotiations failed.
The listing claims to include over 2.4 million files, totaling approximately 2 TB of data. The described contents include engineering drawings, legal and financial documents, sensitive personal data such as SSNs and dates of birth, internal communications, and technical test results.
5. Alleged Inkafarma Customer Database Offered for Sale on Hacker Forum

The Alleged Customer Database of Inkafarma is on Sale
SOCRadar identified a forum post advertising the sale of a customer database allegedly linked to Inkafarma, a major pharmaceutical chain in Peru. The post, dated June 2, 2025, claims the database contains 3.9 million records, including personal identifiers such as national ID numbers (DNI), phone numbers, email addresses, full names, and birthdates.
A sample of the dataset was included to support the seller’s claim. The listing appears to target actors interested in pharmaceutical sector data, particularly in the Latin American region.
Security Recommendations for the Manufacturing Sector
Recent incidents throughout 2025 demonstrate that the manufacturing industry remains a consistent focus for threat actors. From leaked credentials and data theft to large-scale operational disruption, attackers continue to exploit systemic weaknesses such as legacy systems, insufficient network segmentation, and unmonitored third-party access.
To strengthen defenses and reduce the impact of future attacks, manufacturers should take the following steps:
- Segment critical systems: Keep production networks separate from business systems to limit the spread of intrusions.
- Monitor the dark web: Track hacker forums and marketplaces for early signs of targeting or data exposure.
- Control vendor access: Audit third-party connections and enforce basic security requirements for all partners.
- Patch outdated systems: Address known vulnerabilities in IT and OT environments as a regular practice.
- Enforce access controls: Apply the principle of least privilege and use multi-factor authentication across key systems.
- Prepare for incidents: Maintain a clear, tested response plan for both data leaks and operational outages.
- Enhance visibility: Use detection tools to monitor unusual activity and catch threats early.
While no system is entirely immune to attack, these practical measures help reduce exposure, improve response time, and protect critical manufacturing operations against evolving threats.