A brief overview of the main incidents in industrial cybersecurity. Q1 2025

Related tags

automotive

construction

data leakage

denial of IT services

denial of operations

denial of service

electronics industry

energy sector

food & beverage

logistics

manufacturing

metallurgy

mining

personal data leakage

ransomware

textile

transportation

utilities

In Q1 2025, 118 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail.

Report at a glance

This quarter, organizations from multiple industrial sectors around the world reported serious incidents caused by cyberattacks. These attacks resulted in the loss of confidential data and the interruption of IT services and key operational processes, including the production and supply of products. The most high-profile story of the quarter was undoubtedly the attack on Kuala Lumpur airport, which knocked out many of its information systems, including departure and arrival boards, check-in terminals and baggage handling systems, for 10 hours.

Incidents at large organizations

Tata Technologies

Construction, engineering | Denial of IT services | Ransomware

On January 31, Indian multinational engineering company Tata Technologies, which focuses on heavy machinery for the automotive, aerospace and industrial sectors, reported a cybersecurity incident to the National Stock Exchange of India. According to the company’s report, a ransomware incident prompted the multinational company to temporarily suspend some of its IT services. Those services were subsequently restored. The company’s client delivery services remained fully functional and unaffected throughout the attack. In a statement to Recorded Future, the company said it launched an investigation immediately after discovering the cyberattack. A company spokesperson confirmed that there was no disruption to operations, and Tata Technologies continued to seamlessly deliver services to its customers. In March, the Hunters International ransomware group claimed responsibility for the attack on Tata Technologies, stating they had stolen 1.4 TB of data, consisting of 730,000 files. However, the group did not post any samples of the stolen files or elaborate on the type of documents they hold.

Two separate attacks

Troxler Electronic Laboratories

Manufacturing, construction | Personal data leakage | Ransomware

Troxler Electronic Laboratories Inc., a US manufacturer of testing and quality control measurement equipment for the highway and construction industry as well as nuclear moisture/density gauges (for industrial radiography), suffered two separate cyberattacks in which hackers stole personal information. On November 10, 2024, Troxler detected suspicious activity in its network environment. Upon discovering this incident, Troxler promptly took steps to secure its network and engaged a specialized cybersecurity firm to investigate the nature and scope of the incident. As a result of the investigation, Troxler learned that an unauthorized actor accessed certain files and data stored within its network. Upon learning this, Troxler began a time-consuming and detailed reconstruction and review of the data stored on its servers at the time of the incident to determine whose information may have been affected. On December 4, 2024, Troxler identified individuals whose sensitive data may have been included in the impacted data. Around December 11, 2024, Troxler became aware of additional suspicious activity that could have resulted in access to or copying of information from the same systems that were previously impacted. Troxler determined that the following information may have been copied without authorization as a result of the event: name, Social Security number, and driver’s license number. The RansomHub ransomware group claimed responsibility for the attack on Troxler Electronic Laboratories in December 2024.

Unsuccessful negotiations

National Presto Industries

Manufacturing | Denial of operations, services and IT systems, data leakage | Ransomware

According to a regulatory filing with the Securities and Exchange Commission, National Presto Industries, a consumer products manufacturer and defense company based in the USA, reported a cyberattack that caused a system outage on March 1. Upon discovering the attack, the company activated its incident response team, comprised of internal personnel and external cybersecurity experts retained to assist with addressing the incident. The company conducted a forensic analysis to determine the nature, scope and impact of the incident. The incident temporarily impacted the company’s operations, including shipping and receiving, some manufacturing processes, and various other back-office functions, much of which was quickly restored. National Presto Industries implemented temporary measures to maintain critical functions while systems were being restored. According to the filling, the incident could potentially have a material impact on the company’s financial condition and operating results.

The InterLock ransomware group claimed responsibility for a cyberattack on National Defense Corporation, a subsidiary of National Presto Industries. On its dark web leak site, InterLock claimed to have hacked the company and exfiltrated 4,200 GB of data consisting of 2,900,205 files and 449,989 folders. The group provided some screenshots as proof. InterLock told DataBreaches that it had attempted to extort the company, but the negotiations were unsuccessful because National Defense Corporation did not consider the incident to be significant. The company allegedly told InterLock that the stolen information would have little value to others and that it would experience minimal financial impact from the data breach. National Defense Corporation also allegedly informed InterLock that all operations were back to normal. The ransomware group claimed to have encrypted the systems of at least three National Presto Industries entities, including AMTEC, which manufactures ammunition and explosives for the military and law enforcement.

Attacks leading to denial of operations

Marposs

Manufacturing | Denial of operations and services | Ransomware

On January 26, Marposs, an Italian producer of measurement and control systems for the manufacturing industry, suffered a ransomware cyberattack that encrypted some of its servers. The attack impacted business activities in various ways, with more serious consequences for logistics and less for production. Marposs notified the relevant authorities of the incident and began gradually restoring its systems to resume normal operations. The company responded quickly by setting up a team of cybersecurity experts to minimize the damage. Because of the cyberattack, the company requested the activation of the Ordinary Layoff Fund until February 7 to protect people and the company itself. This tool, designed for emergency situations like this one, was applied partially and flexibly to the most affected sectors and was intended to be reduced as activities gradually resumed.

Crystal D

Manufacturing | Denial of operations and services | Ransomware

On March 7, Crystal D, a US manufacturer of crystal awards and gifts, reported experiencing a cyberattack that disrupted its operations, including communication and deliveries. Orders scheduled to ship March 7 were rescheduled. According to the company’s statement, there was no indication that the hackers accessed sensitive customer information. On March 12, the company said it was able to communicate with customers and process orders again. The executive vice president of marketing and sales explained that the cyberbreach compelled Crystal D to temporarily shut down parts of its network. The company was unable to access phones and email accounts, and communication with customers was down. At least some orders that were set to ship were delayed and required rescheduling. The LockBit ransomware group claimed responsibility for the cyberattack on Crystal D.

Fabricaciones Militares

Manufacturing | Denial of operations and services, data leakage | Ransomware

According to Cyber Press, the Argentinian state-owned military manufacturer Fabricaciones Militares Sociedad del Estado (Military Industries State Corporation) was hit by a cyberattack attributed to the MONTI ransomware group. The attack allegedly resulted in the theft of over 300 GB of sensitive data. Production was halted at the company’s Domingo Matheu small arms facility in Buenos Aires, delaying deliveries under the FONDEF National Defense Fund-backed contracts. Argentina’s Cybersecurity Agency (Unidad Fiscal Especializada en Ciberdelincuencia) confirmed that threat actors accessed sensitive documents. On its dark web portal, the MONTI group mocked the management of Fabricaciones Militares for its insufficient cooperation, which, according to Cyber Press, suggests that negotiations were underway to recover the stolen information.

Ålands Centralandelslag

Food and beverage, manufacturing | Denial of operations

According to local press, two Finnish dairy and bakery production companies of the Åland Central Cooperative (Ålands Centralandelslag, ÅCA) – Ålandsmejeriet and Ålandsbagarn ­– were subjected to a cyberattack on March 5. After several hours of intensive work, all systems were operational again. Some operations were delayed because some processes were being carried out analogically for security reasons. ÅCA warned its customers to remain vigilant for any unusual communications from the company.

Imaflex

Manufacturing | Denial of operations, denial of IT systems, personal data leakage

On February 21, Imaflex, a Canadian manufacturer of solutions for the flexible packaging space, polyethylene (plastic) film and bags, announced that a cybersecurity incident had occurred, disrupting its systems and operations. Imaflex immediately took steps to contain and mitigate any potential impact on its data and operations. The company launched a comprehensive investigation to determine the source and extent of the incident, working closely with third-party cybersecurity experts in line with industry best practices. Although operations were impacted, Imaflex continued to manufacture, ship and perform back-office functions as required, albeit with some temporary workarounds. On March 27, the company announced that it had restored its systems and resumed normal operations. Imaflex reported to the Attorney General of the Commonwealth of Massachusetts that sensitive personally identifiable information in its care had been compromised.

Kuala Lumpur International Airport

Transportation, logistics | Denial of operations and services | Ransomware

According to a joint statement from Malaysia’s National Cyber Security Agency and Malaysia Airports Holdings Berhad, the computer disruptions that affected Kuala Lumpur International Airport were the result of a cyberattack. The coordinated statement confirmed that the attack began on March 23, causing operational disruptions across critical airport systems. The Malaysian prime minister stated that he refused to pay the US$10 million ransom demanded by the hackers. No further technical details were disclosed. Despite the attack, Malaysia Airports officials confirmed that core operations at Kuala Lumpur International Airport were not significantly impacted. However, reports and photographs circulating online indicated that several terminal systems, including flight information displays, check-in kiosks, and baggage handling, were rendered inoperable for over 10 hours. This forced airport staff to revert to manual operations, using whiteboards and markers to communicate departure times. A former Malaysian member of parliament drew attention to the prolonged outage.

The Qilin ransomware gang claimed responsibility for the attack. The attackers said they stole 2 TB of data during the attack.

Unimicron Technology

Manufacturing, electronics | Denial of operations | Ransomware

According to a bulletin published in the Taiwan Stock Exchange portal, a China-based subsidiary of Taiwanese manufacturer of printed circuit boards and integrated circuit carriers Unimicron Technology Corp. was hit by a ransomware attack. The statement said that the incident occurred on January 30 and affected Unimicron Technology (Shenzhen) Corp. The company stated that the impact on its operations was limited and that it had engaged an external cyber forensics team to analyze the incident and help implement defense measures. Unimicron did not confirm a data breach. The Sarcoma ransomware group claimed responsibility for an attack on Unimicron in February and published samples of files allegedly stolen from the company’s systems during the attack. The threat actors claimed to be holding 377 GB of database files and documents exfiltrated from the company. BleepingComputer reached out to Unimicron for an updated statement addressing Sarcoma’s allegations, but there was no immediate response.

Astral Foods

Manufacturing, food and beverage | Denial of operations and services, financial losses

On March 16, South African poultry producer Astral Foods confirmed that it had suffered a cybersecurity incident. The attack caused downtime in the poultry processing division, which impacted deliveries to customers and resulted in a production backlog. Although the company swiftly implemented disaster recovery protocols, the temporary halt in operations resulted in financial losses. The Poultry Division was negatively impacted by the downtime in processing and deliveries to customers. This resulted in a loss of revenue and additional costs to catch up on the production backlog. No confidential information or sensitive data of customers, suppliers or individual stakeholders was compromised as a result of the cyber-intrusion.

Ganong Bros.

Manufacturing, food and beverage | Denial of operations | Ransomware

According to local media, Canadian candy manufacturer Ganong Bros. was hit by a ransomware attack. The company discovered the incident on February 22, 2025. Operations at the facility in St. Stephen were temporarily disrupted. Upon discovering the attack, Ganong Bros. immediately took countermeasures to protect its network and data. These measures included retaining third-party cybersecurity experts and external legal counsel to assist with containment and remediation and to conduct a forensic investigation to determine the extent of the incident. In particular, Ganong’s investigation aimed to determine the extent to which any data, including personal information, may have been compromised. Ganong declined to comment on whether a ransom was demanded or paid. In March, the PLAY ransomware group claimed responsibility for the attack on Ganong Bros.

The attack, which lasted almost a year

Littleton Electric Light and Water Departments

Water supply, energy, utility | Data leakage | APT

Dragos published a report describing its work assisting the Littleton Electric Light & Water Department (LELWD), a public power utility, in combating the advanced threat group VOLTZITE, which had persistent access to LELWD’s network. Since the start of 2023, VOLTZITE, a threat group identified by Dragos that overlaps with Volt Typhoon, has been responsible for the widespread compromise of industrial organizations across critical infrastructure sectors. Dragos found evidence of lateral movement by the hackers and data exfiltration. However, an investigation revealed that the compromised information did not include any sensitive customer data. The utility was also able to change its network architecture to remove any advantages for the adversary. 

Dragos told SecurityWeek that the LELWD breach was discovered in November 2023. An investigation revealed that the hackers had been in the organization’s network since February 2023, for more than 300 days. In the case of the LELWD power utility, the hackers were seen collecting data on OT systems. Dragos believes Volt Typhoon is one of several active threat groups capable of developing and testing “specific and meaningful attacks on ICS”. They have also been observed exfiltrating geographic information system (GIS) data containing critical information about the spatial layout of energy systems in many cases outside of the LELWD hack.

Appendix. Full list of confirmed incidents