We are excited to introduce our latest threat landscape report on the construction sector, providing the latest insights into the evolving cyber threats facing the industry.
In this blog, we’ll give you a taste of the report’s key themes, including analysis of the most pressing threats, prevalent MITRE ATT&CK techniques, and dark web insights.
Top MITRE Technique: Spearphishing
The construction sector is no stranger to phishing attacks, which topped the list of initial access techniques between October 1, 2023, and September 30, 2024. The sector’s reliance on third parties and contractors, combined with high-pressure project timelines, makes it particularly vulnerable to phishing attacks, including spearphishing.
Phishing is favored by threat actors for its simplicity and effectiveness, and for construction organizations the operational and financial consequences of a successful phishing attack can be severe.
| MITRE ATT&CK ID | MITRE Technique | % of Incidents |
|---|---|---|
| T1566.002 | Phishing: Spearphishing Link | 19 |
| T1534 | Internal Spearphishing | 16 |
| T1566.001 | Phishing: Spearphishing Attachment | 7 |
| T1078.004 | Cloud Accounts | 6 |
| T1133 | External Remote Services | 6 |
Industry Benchmark: 5 Hours to Contain a Threat Without AI and Automation
ReliaQuest gathers security metrics from across all industries, including the construction sector. One of these metrics is the mean time to contain a threat, or MTTC. By containing a threat as quickly as possible, organizations drastically limit incident impact, preventing damaging consequences such as data exfiltration, malware deployment, lateral movement, and operational downtime.
On average, companies in the construction industry contain a threat within about 5 hours. However, those that are leveraging AI and automation capabilities, like the automated response playbooks within GreyMatter, have achieved drastically lower times—closer to 5 minutes than 5 hours.
DRP Insights: Credential Exposure Makes Up 75% of Alerts
Construction companies are increasingly vulnerable to opportunistic attacks, with credential exposure incidents now accounting for 75% of all GreyMatter Digital Risk Protection (DRP) alerts for the sector. This marks a staggering 83% increase from the previous year, making credential exposure the top threat type. Once account credentials are exposed on the dark web, organizations face heightened risks from threat actors who purchase these credentials to gain initial access to networks.
Ransomware Activity Targeting the Construction Sector
Ransomware remains the biggest threat to the sector, as demonstrated by the 41% rise in organizations appearing on data-leak sites over the past year. This is likely driven by the vast amounts of sensitive data that organizations hold and their critical need to maintain operational continuity. These factors, exacerbated by inherent weaknesses such as inadequate government regulations and underinvestment in cybersecurity, make the sector particularly vulnerable to ransomware attacks.
Key Ransomware Threat Group: “Play”
Financially motivated ransomware group “Play” is at the forefront of the increased ransomware activity, launching more attacks on the sector during the reporting period than any other threat group except “LockBit.” Play targets large construction companies for their valuable data like private identification information, legal documents, and tax records, employing double extortion tactics to pressure organizations into paying ransoms.
To effectively mitigate this threat, organizations should implement data loss prevention (DLP) software. This technology helps to detect and block unauthorized access and exfiltration of intellectual property and other critical data that could disrupt operations.
What’s on the Horizon
Phishing: We anticipate phishing attacks on the construction industry to continue rising, largely due to the sector’s heavy reliance on third parties and contractors. These external partners often lack essential security training and acceptable use policies, increasing their—and consequently the construction companies’—vulnerability to phishing attacks.
Cloud Exploitation: We expect cloud exploitation to grow over the next year as increased cloud usage opens new opportunities for attack. Cloud adoption is rising in the sector, but defending cloud environments is challenging given limited tools and expertise, a gap attackers exploit to evade detection and maintain network access.
Infostealers: We also expect a rise in infostealer attacks over the coming year. This type of malware is designed to compromise user credentials, which are then sold on dark-web forums. Armed with these credentials, attackers can gain access to sensitive construction data, such as engineering blueprints, or deploy additional malware within systems to escalate their attacks.
Conclusion
The construction sector’s susceptibility to cyber threats and its critical need to maintain operational continuity make it a prime target for malicious actors. The diverse range of attacks targeting the sector underscores the urgent necessity for organizations to implement strict security measures and digital risk protection (DRP) strategies. These defenses should not only shield the organization itself but also extend to its network of third parties and contractors.
To gain deeper insights into the major threats facing the sector, explore detailed case studies, and discover practical mitigation strategies, download the full report.