Attacks Against the Transportation Sector

The transportation industry, a critical backbone of global commerce and connectivity, has become an increasingly attractive target for cybercriminals. Historically, their attacks have primarily focused on financial gain — although politically motivated attacks are becoming more frequent — attempting to steal sensitive data and disrupt operations in exchange for ransom payments. The sheer volume of user and operational data that the industry receives, processes, stores, and transmits makes it a prime target for such activities. This data, coupled with the increasing reliance on interconnected systems, creates a lucrative opportunity for malicious attackers.

The increasing digitalization of the transportation sector, while offering significant benefits in efficiency, automation, and user experience, has also dramatically expanded its attack surface. Adopting advanced technologies like artificial intelligence for data analysis and transportation planning, operational technologies, blockchain, and the Internet of Things (IoT) has created a complex web of interconnected systems. This interconnectedness, while improving efficiency and user experience, also introduces vulnerabilities. Moreover, organizations often rely on third-party service and product providers, further complicating security management and increasing potential points of entry for attackers. This reliance on third-party providers means that a vulnerability in one organization can have a cascading effect on other companies in the digital ecosystem.

The 2024 ENISA Threat Landscape report highlights the severity of the situation, ranking the transportation industry as the second most attacked sector in Europe, surpassing even banking and finance and only trailing public administration. Denial-of-service (DoS) attacks are identified as one of this sector's most common attack vectors. This broad industry encompasses a wide range of organizations, including airports, seaports, railways, shipping companies, trucking companies, and postal and logistics services, all facilitating the movement of passengers and goods across land, air, and sea. The potential impact of a successful cyberattack on any of these entities can be substantial, affecting everything from core operational systems and physical infrastructure to customer-facing services and sensitive data. The IBM Cost of a Data Breach Report 2024 underscores the financial impact of these attacks, revealing that the average data breach cost in the transportation sector is a staggering $4.4 million.

While a previous blog post centered on the risks and attacks within the aviation sector, this post will shift the focus to cyberattacks targeting other modes of transportation. Although some of the companies affected may also utilize aircraft as part of their service offerings, the emphasis here will be on incidents impacting maritime, rail, and road transportation, as well as logistics and postal services. These examples illustrate the cyber threats facing the transportation sector and underscore the need to implement robust cybersecurity measures in companies without delay.

December 2020. The US freight transportation and logistics company Forward Air suffered a ransomware attack attributed to the Hades gang, allegedly associated with members of the Evil Corp group. This incident forced the company to disconnect its systems from the network to prevent further propagation of the malware. As a result, the business was significantly impacted, with disruptions including the unavailability of documentation required to release cargo from customs. It was also reported that the interruption of customer data interfaces led to losses exceeding $7 million. Furthermore, the attack reportedly exposed sensitive data, such as names, social security numbers, driver's licenses, bank account numbers, and passport information, belonging to this trucking giant's former and current employees.

June 2023. KNP Logistics, a privately-owned UK logistics organization formed in 2016 through the merger of four companies, suffered a devastating ransomware attack. Reportedly, it was carried out using Akira ransomware and compromised critical systems and financial data. It appears the threat actors exploited a weak password through a brute-force attack, successfully gaining access to the network due to the company's lack of multi-factor authentication. The impact on KNP Logistics was catastrophic, leading to the layoff of over 700 employees and the company's collapse roughly three months after the infection. However, in a silver lining to the unfortunate event, one entity within the KNP group was successfully sold, saving approximately 170 jobs.

July 2023. The Port of Nagoya, Japan's largest port, was forced to suspend operations for over two days due to a ransomware attack attributed to the pro-Russian group LockBit 3.0. The cyberattack specifically targeted the Nagoya Port Unified Terminal System (NUTS), its central container terminal control system. This disruption halted the loading and unloading of containers, impacting shipments of imported and exported parts for industrial giants like Toyota Motor, resulting in significant financial losses. This incident was not the first cyberattack faced by the Port of Nagoya. In 2022, the port experienced a DDoS attack that rendered its website unavailable for approximately 40 minutes.

September 2023. New Zealand's Auckland Transport was targeted in a series of cyberattacks attributed to the Medusa ransomware gang. The initial incident disrupted ticketing systems, online top-ups, and customer service centers. While Auckland Transport maintained that no personal or financial data had been compromised, Medusa contradicted this claim on their website, demanding a ransom of $1 million and, at the same time, offering the stolen data for purchase and download for the same price. Days later, seemingly in response to the refusal to pay the ransom, Auckland Transport suffered a DDoS attack, causing intermittent access issues to its website, mobile app, journey planner, and other systems. Despite these attacks, company executives continued to assert that there was no evidence of sensitive information being stolen.

September 2023. This month marked the beginning of a significant cyberattack against Estes Express Lines, a major North American less-than-truckload carrier. Although the attack began in September, Estes didn't officially identify it until October 1st. The incident forced the company to shut down its email, website, phones, and other critical systems for approximately three weeks. To maintain operations, Estes temporarily diverted freight to competitors, highlighting the disruption these attacks can cause to supply chains. Months later, following the corresponding investigation, Estes confirmed the incident was ransomware and notified over 21,000 individuals that their personal information, including names and social security numbers, had been compromised. The company emphasized that it did not pay the ransom but did not disclose details about the threat actors or the restoration process. However, in November of that year, the LockBit ransomware gang claimed responsibility for the attack.

November 2023. DP World Australia, the country's largest port operator, was forced to suspend operations for three days in response to a cyberattack. This precautionary measure resulted in delays in the shipment of over 30,000 containers from four of Australia's major ports, causing significant disruptions to the supply chain. While the attack reportedly compromised the personal information of past and present employees, customer data remained unaffected. Security analysts suggested that DP World Australia may have been vulnerable to the Citrix Bleed exploit at the time of the attack, a vulnerability linked to multiple high-profile data breaches worldwide. This incident served as a reminder of the critical importance of timely patching and vulnerability management for organizations, especially those operating critical infrastructure.

March 2024. US trucking and logistics company Ward Transport & Logistics, specializing in less-than-truckload freight services, became a victim of a ransomware attack. The cyberattack, reportedly carried out by the DragonForce ransomware gang, disrupted operations and compromised sensitive data. DragonForce claimed to have stolen nearly 600 GB of data from Ward, including personal information belonging to an unspecified number of individuals. In a move that deviated from typical cybersecurity advice, the organization reportedly opted to pay the ransom to the criminals. This decision, along with the impact of the ransomware attack, ultimately resulted in significant financial losses and reputational damage for the company.

August 2024. A ransomware attack attributed to the Rhysida gang targeted the Port of Seattle. Systems were swiftly disconnected from the network to contain the intrusion. Primarily affected was the agency overseeing the Seattle seaport and Seattle-Tacoma International Airport. Data was encrypted, and various systems were disrupted, including baggage sorting and retrieval, flight and baggage information displays, check-in and ticketing systems, the port's website, and even Wi-Fi. The organization opted not to pay the ransom, seemingly based on a cost-benefit analysis, and endured a couple of weeks with limited functionality of some systems (some were restored faster than others), forcing manual workarounds to fulfill certain procedures (for example, more than 7,000 bags from disrupted flights had to be manually sorted). The nature of any potentially compromised data appears not to have been disclosed.

August 2024. This month, privately owned international freight forwarder JAS Worldwide fell victim to a ransomware attack. The incident impacted crucial systems, including those for customer support, billing and payment processing, and stakeholder data integration. Although JAS Worldwide publicly acknowledged the attack, no ransomware group claimed responsibility for the incident. The company's core operational system and customer-facing portal were offline for several days, leaving customers unable to track their shipments in real time.

September 2024. The Transport for London (TfL) grappled with a significant cyberattack that exposed thousands of customers' financial and personal information, including, potentially, the bank account details of around 5,000 passengers. The incident even forced TfL's 30,000 or so employees to go to offices to have their passwords reset in person. While core services such as the railway and bus networks remained operational, several other functions were impacted. TfL proactively suspended operations like jam cams, external bookings, and the dial-a-ride service for disabled passengers to limit the hackers' access during their persistent attack. Additionally, live train arrival information, online journey history, and some payment processes were disrupted, and a number of TfL's ongoing projects faced delays. In response to the attack, London authorities arrested a 17-year-old suspect believed to be involved in the hacking operation.

Staying ahead of cyber threats requires more than just reacting to the latest headlines. Truly effective vulnerability management means learning from the misfortunes of others, understanding the ever-shifting threat landscape, and proactively adapting your company’s defenses to the real risks it faces. Don't wait to become another statistic. Let Fluid Attacks help you build a comprehensive vulnerability management strategy tailored to your specific business risks. Contact us today for a consultation and take control of your cybersecurity posture.