Analysis and Commentary


Living off your land: How cyber-attackers are using Australian manufacturers’ own tools against them

By Cristian Iordache

Running a manufacturing business today means wearing multiple hats: managing people, balancing cash flow, hitting growth targets. But if you’re not treating cybersecurity as operational infrastructure that’s as essential as your payroll or plant management system, then you’re likely already exposed. High profile manufacturing breaches are not uncommon.

Advanced malware is not the fastest-growing risk of crippling ransomware incidents or data breaches for Australian manufacturers – it’s your own trusted tools being used against you. Most security advice still focuses on stopping malware that arrives through downloads, links and emails, but more often attackers don’t bring anything new into your network. They use what’s already there.

Let me walk you through a cyber-attack scenario that illustrates just how quietly this can happen. Imagine a regional Australian fabrication firm unknowingly leaving an old server’s remote desktop port exposed to the internet. Over several weeks, attackers slip in and explore the network using only built-in Windows tools, the same ones staff might use every day. They stay invisible.

From there, the intruders move between finance, operations and engineering systems until they find and copy sensitive CAD files for a confidential government tender. At no point are alarms triggered, because every step looks like legitimate work. This is the emerging danger for manufacturers: today’s most damaging breaches don’t always announce themselves with ransom notes or flashing warnings. They arrive quietly, blend in with normal activity, and because they fly under the radar, they can exfiltrate high-value designs or disrupt production before security operations teams have time to understand what’s going on and respond.

This technique is called “Living Off the Land” (LOTL), and it’s simple: attackers exploit legitimate software already installed on your systems, including tools like PowerShell, remote desktop utilities, and Windows scripting. Because these are part of normal operations, they don’t raise alarms, but in the wrong hands, they allow lateral movement, data exfiltration and long-term compromise.

Bitdefender Labs recently analysed over 700,000 security incidents, and LOTL techniques appeared in more than 84 per cent of them, which is an alarming reality. It’s particularly threatening to manufacturers where the IT footprint is lean, staff are stretched, and security is a responsibility for someone juggling multiple roles.

“Multilayered security” might sound like jargon, but in practice it’s not unlike physical security at your site, and prevention is key. Lock the front door, restrict access to key areas, and make sure no one’s wandering around your floor unchecked. Each layer helps reduce risk. Unlike static policy-based systems that require constant manual updates, a dynamic attack surface reduction approach actively blocks suspicious actions, stopping attacks before they start. It builds an individualised behavioural profile for each machine-user pair, establishing a baseline of normal activity that improves threat detection accuracy, and it continuously adjusts as user behaviour shifts. For example, a privileged user from your company would maintain one profile for routine workstation use and a distinct one for server management tasks.

This action-level blocking, combined with the layered analysis of user and attacker behaviour, enables tailored protection without disrupting operations. Such an approach strengthens your security posture by shifting from a reactive stance to a proactive defence strategy, reducing your attack surface and actively preventing LOTL threats.
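As an added illustration (not the page’s or Bitdefender’s own code), the Python sketch below shows how a baseline of the kind described above can be built per machine-user pair from process-creation events and then used to flag a built-in tool that appears outside an account’s usual profile; the users, hosts and events are constructed.

```python
# Added illustration of per (user, host) baselining; not Bitdefender's product
# logic. Events are constructed to resemble parsed Windows process-creation records.
from collections import defaultdict

# Built-in tools the article names as commonly abused in LOTL intrusions.
LOTL_TOOLS = {"powershell.exe", "mstsc.exe", "wscript.exe", "cscript.exe"}

def build_baseline(events):
    """Map each (user, host) pair to the processes seen in a learning
    window that is treated as known-good activity."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev["user"], ev["host"])].add(ev["process"].lower())
    return baseline

def score_event(baseline, ev):
    """0: in this pair's profile; 1: new for the pair; 2: new for the
    pair and a LOTL-prone built-in tool. Returns (severity, reason)."""
    proc = ev["process"].lower()
    profile = baseline.get((ev["user"], ev["host"]), set())
    if proc in profile:
        return 0, "matches profile"
    if proc in LOTL_TOOLS:
        return 2, f"{proc} never seen for {ev['user']} on {ev['host']}"
    return 1, f"new process {proc} for {ev['user']} on {ev['host']}"

def flag_anomalies(baseline, events, min_severity=2):
    """Return the events whose severity reaches min_severity."""
    hits = []
    for ev in events:
        sev, reason = score_event(baseline, ev)
        if sev >= min_severity:
            hits.append({**ev, "severity": sev, "reason": reason})
    return hits

# Constructed learning window: the same admin account runs PowerShell on
# a server but only office applications on a finance workstation.
LEARNING = [
    {"user": "jsmith", "host": "SRV-FILE01", "process": "powershell.exe"},
    {"user": "jsmith", "host": "WS-FIN03", "process": "excel.exe"},
]
# Constructed events to score: PowerShell on the workstation breaks profile.
NEW_EVENTS = [
    {"user": "jsmith", "host": "SRV-FILE01", "process": "powershell.exe"},
    {"user": "jsmith", "host": "WS-FIN03", "process": "powershell.exe"},
    {"user": "jsmith", "host": "WS-FIN03", "process": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in flag_anomalies(build_baseline(LEARNING), NEW_EVENTS):
        print(hit["severity"], hit["reason"])
```

The same account is not flagged for PowerShell on the server, where that is its normal profile, but is flagged on the finance workstation, which is the separate-profile behaviour the article describes.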

For manufacturers, this proactive, dynamic security approach can make the difference between fighting an intrusion early or discovering it after the damage is done.

Cyber resilience for manufacturers doesn’t need to be complex; it just requires clarity. What’s installed? Who has access? What’s being used and what isn’t? Once you know that, you can make smarter decisions and shut down threats before they materialise.

As the Australian government continues to expand obligations under the Security of Critical Infrastructure Act (SOCI), with potential inclusions of the manufacturing sector, baseline cyber hygiene is becoming a licensing issue, not just an operational one.

If the software that runs your machines matters, so do the solutions that protect your systems. The attackers may already be inside, so the question is: are you prepared well enough to fight this?

Cristian Iordache is Director of Product Marketing at Bitdefender.
