Cybercriminals break into logistics companies and steal cargo

IT researchers are observing how cybercriminals break into the IT systems of logistics companies and ultimately steal valuable cargo.

Truck driving on a partially snow-covered road

(Image: Shutterstock.com; Vitpho)


Cybercriminals are infiltrating the IT systems of logistics companies and stealing their cargo. IT security researchers have now discovered this. It represents a multimillion-dollar business for the perpetrators. The increasing interconnectedness in the logistics sector is thus leading to an increase in network-based physical theft.

This is explained by IT security researchers from Proofpoint in a blog post. Attackers compromise the logistics providers and use the IT access to bid on freight transports, then steal the cargo and sell it. One notable observation is that the actors install “Remote Monitoring and Management” (RMM) tools as a first step after breaching a company's IT, a general trend that cybercriminals are currently following across the threat landscape.

Proofpoint's analysts have supplemented their observations with publicly available information, leading them to conclude that the threat actors are collaborating with organized crime groups to compromise transportation facilities. Specifically, they are targeting long-haul freight carriers and freight brokers to hijack cargo shipments and thus steal physical goods. “The stolen cargo is most likely sold online or shipped overseas,” explain the IT analysts. These criminal acts can cause massive disruptions in supply chains and cost companies millions. The perpetrators steal everything from energy drinks to electronics.


In the observed attack campaigns, the perpetrators attempted to infiltrate companies and use the fraudulently obtained access to bid on the transport of real goods and ultimately steal them. According to the analysis, the annual damage amounts to 34 billion US dollars. However, not only the USA is affected. Proofpoint cites figures from Munich Re, according to which global theft hotspots include Brazil, Chile, Germany, India, South Africa, and the USA. Most often, shipments of food and beverages are targeted by criminals. IT-supported theft is thus one of the most common forms of cargo theft and is based on social engineering and knowledge of how the truck and transport industry works.

The cases now observed began at least in June of this year, with indications that the group's campaigns started as early as January. The attackers have installed a number of RMM tools, including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve, often used in pairs. For example, PDQ Connect was observed downloading and installing ScreenConnect and SimpleHelp. The criminals evidently attach importance to establishing a lasting presence in the compromised networks.

After this initial access, the attackers scout the networks and distribute tools for capturing login credentials, such as WebBrowserPassView. The perpetrators appear to have knowledge of software, services, and policies related to the functioning of the freight supply chain. The activities apparently aim to gain access to facilities and steal information. The RMM tools help to fly under the radar and remain unnoticed.
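The pattern described in the two paragraphs above (one RMM agent installing a second one, several RMM tools accumulating on a single host, and a credential-harvesting utility such as WebBrowserPassView being launched from an RMM session) is something a defender can look for in process-creation telemetry. The following is an added example, not code from Proofpoint or from the article, that runs a few such rules over constructed sample events. The product-name substrings used to recognise the tools are assumptions based on the names listed in the article, not verified executable names, and the host names and file paths are constructed for the demonstration.

```python
from collections import defaultdict

# Lowercase substrings that are assumed to identify an RMM product in a
# process image path (assumption: matches product names, not verified binaries).
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}

# Credential-harvesting utilities named in the report (same assumption).
CREDENTIAL_TOOLS = {
    "webbrowserpassview": "WebBrowserPassView",
}

# Constructed process-creation events (host, parent process, child process).
SAMPLE_EVENTS = [
    {"host": "truck-disp-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dispatcher\Downloads\pdq-connect-agent-setup.exe"},
    {"host": "truck-disp-01", "parent_image": r"C:\Program Files\PDQ\pdq-connect-agent.exe",
     "image": r"C:\Users\dispatcher\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"},
    {"host": "truck-disp-01", "parent_image": r"C:\Program Files\PDQ\pdq-connect-agent.exe",
     "image": r"C:\Users\dispatcher\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"},
    {"host": "truck-disp-01", "parent_image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "image": r"C:\Users\dispatcher\AppData\Local\Temp\WebBrowserPassView.exe"},
    # A single, legitimately deployed RMM agent on another host: no finding.
    {"host": "hr-laptop-07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\LogMeIn Resolve\LogMeInResolve.exe"},
]


def classify(image_path):
    """Return ("rmm", name), ("credtool", name) or None for a process image path."""
    path = image_path.lower()
    for sig, name in RMM_SIGNATURES.items():
        if sig in path:
            return ("rmm", name)
    for sig, name in CREDENTIAL_TOOLS.items():
        if sig in path:
            return ("credtool", name)
    return None


def analyze(events):
    """Apply three detection rules to process-creation events and return findings.

    rmm_chains_rmm:      one RMM product spawns the installer of a different one
    credential_tool:     a known credential-harvesting utility is executed
    multiple_rmm_on_host: two or more distinct RMM products seen on one host
    """
    findings = []
    rmm_per_host = defaultdict(set)

    for ev in events:
        parent = classify(ev["parent_image"])
        child = classify(ev["image"])

        if child and child[0] == "rmm":
            rmm_per_host[ev["host"]].add(child[1])
            if parent and parent[0] == "rmm" and parent[1] != child[1]:
                findings.append({"host": ev["host"], "rule": "rmm_chains_rmm",
                                 "detail": f"{parent[1]} launched {child[1]}"})

        if child and child[0] == "credtool":
            launched_by = parent[1] if parent else "unclassified parent"
            findings.append({"host": ev["host"], "rule": "credential_tool",
                             "detail": f"{child[1]} launched by {launched_by}"})

    # Accumulation of RMM products on one host is the persistence pattern
    # described in the article; a single agent alone is not suspicious here.
    for host, tools in rmm_per_host.items():
        if len(tools) >= 2:
            findings.append({"host": host, "rule": "multiple_rmm_on_host",
                             "detail": ", ".join(sorted(tools))})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

In a real deployment the inventory of sanctioned RMM products would replace the substring table, so that only unapproved agents, or approved agents appearing where they were not deployed, raise a finding.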

The Proofpoint analysis also shows details about attacks using social engineering in emails and finally lists some indicators of compromise (IOCs). Freight companies in particular should be aware of these attacks and the perpetrators' methods. Furthermore, Proofpoint recommends implementing IT security measures to prevent successful attacks.

The problem has so far received little attention. More often there are reports, for example, of cyberattacks on the logistics industry that lead to restrictions in freight transport. For instance, at the end of 2023, a cyberattack on ports in Australia meant that no containers could be loaded. 30,000 goods were stranded there in the meantime.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.