
The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the transportation & logistics organizations, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the transportation & logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the transportation & logistics organizations.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA delivers pre-emptive cybersecurity, cyber threat intelligence, and external threat landscape management through its platforms, DeCYFIR and DeTCT. These platforms have been purpose-built over many years to continuously collect, correlate, and analyse large volumes of external threat data, combining proprietary intelligence automation with deep, hands-on cyber threat research.
For the purposes of this report, the analysis draws on intelligence generated from CYFIRMA’s platforms. The data referenced has been processed through automated correlation and enrichment mechanisms, informed and validated by human-led research and investigative expertise, and sourced from both structured and unstructured external intelligence channels.
While this report contains data collected and processed by our in-house AI and ML, all charts, statistics, and analyses are done by human CYFIRMA CTI analysts to ensure the highest quality and provide accurate insights.
The transportation & logistics industry featured in 8 out of the 14 observed campaigns, a 57% presence across all campaigns. This is an increase from the previous period, when industry organizations were present in 6 out of 16 campaigns (38% presence).


The monthly trend indicates a significant increase in detections during January, with December recording only one campaign, and a few days of February already showing another detection.

Observed APT campaigns are dominated by suspected China-aligned TAs, led by Stone Panda and MISSION2074, which together account for the majority of observed activity. Additional China-linked representation includes Emissary Panda, BlackTech, and Volt Typhoon.
North Korea-aligned activity is reflected through Lazarus Group, while Iran-aligned activity appears via Oilrig. A single observed instance involving TA505 represents financially motivated activity.

Victim organizations identified in observed transportation & logistics sector campaigns were distributed globally, with the highest concentrations observed across Asia-Pacific and Western countries. Japan appears most frequently, followed by the United States, India, South Korea, and Taiwan. The United Kingdom and Australia also show repeated activity, while additional cases are distributed across Southeast Asia, the Middle East, and Europe.
This geographic distribution aligns closely with the threat actor profile observed in the same campaigns, which is dominated by suspected China-linked, state-sponsored groups. The prominence of East and Southeast Asian countries is consistent with historical targeting patterns associated with these actors, while sustained activity in the United States, Europe, and Australia reflects the strategic importance of transportation & logistics infrastructure within global supply chains.

Targeted technologies in observed transportation & logistics campaigns are concentrated on web applications and operating systems, which together account for the majority of identified cases. This focus is consistent with the tradecraft of the predominantly state-sponsored threat actors observed in these campaigns, particularly suspected China-linked groups, which typically prioritize externally exposed services and core platforms for initial access and lateral movement. Other technologies appear infrequently, reflecting flexible intrusion paths rather than dependence on sector-specific systems.
Risk Level Indicator: Moderate

Over the past 90 days, the number of observed advanced persistent threat (APT) campaigns has increased and warrants a moderate risk level indicator.
8 out of 14 observed APT campaigns recorded victims in this industry, a 57% presence in observed campaigns.
That is an increase from the previous 90-day period, during which 6 out of 16 campaigns targeted this industry, raising the overall share from the previous 38%.
Monthly Trends
During the last 90 days, most of the activity occurred in January. The preceding November saw no campaigns and December only one, while the first few days of February already show new campaigns, suggesting the uptick will continue into the next quarter.
Key Threat Actors
Most TAs were Chinese-linked groups. Beyond these, we observed one instance each of a Russian financially motivated syndicate, a North Korean group, and an Iranian group.
Geographical Impact
Victims were identified across multiple regions, with higher concentrations in Asia-Pacific and selected Western countries. Japan, the United States, India, South Korea, and Taiwan account for the highest observed counts, followed by the United Kingdom and Australia.
The observed distribution broadly corresponds with the prevalence of suspected state-sponsored threat actors identified in the same campaigns, though attribution confidence and detection bias may influence both datasets.
Targeted Technologies
The concentration on web applications and operating systems aligns with tradecraft commonly associated with the state-sponsored threat actors observed in these campaigns, emphasizing externally exposed services and core platforms over sector-specific technologies.
Over the past three months, CYFIRMA’s telemetry has identified 1,536 mentions of the transportation & logistics industry out of a total of 78,562 industry-linked mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.
The transportation & logistics industry placed 12th out of 14 industries in the last 90 days, with a share of 1.96% of all detected industry-linked chatter.
Below is a breakdown by 30-day period of all mentions.


Chatter related to the transportation & logistics sector over the last 90 days is dominated by data breach, data leak, and ransomware discussions across all three 30-day periods. While volumes fluctuate between periods, these categories consistently account for the majority of observed activity. Lower-volume categories, including web exploits, DDoS, hacktivism, and claimed hacks, remain comparatively limited and generally decline in the most recent period, indicating reduced visibility or.
Risk Level Indicator: Low

In total, the transportation & logistics industry comprises 1.96% of all detected industry-linked underground and dark web chatter in the last 90 days, ranking 12th out of 14 industries. Below are the observed key trends across 90 days:
Data Breach
269 → 144 → 186, High volatility with a strong rebound in the latest period. This suggests renewed compromise activity against logistics providers, freight operators, and transportation platforms, often tied to supply chain access and operational data.
Data Leak
205 → 127 → 123, Clear downward trend after a high starting point. Indicates fewer large-scale leak postings, though ongoing exposure of shipment data, credentials, and partner information remains evident.
Ransomware
192 → 71 → 94, Sharp decline followed by a partial resurgence. Ransomware remains a key threat, particularly where operational downtime can disrupt supply chains, but activity is less intense than in the earlier periods.
Web Exploit
16 → 8 → 14, Dropped initially, then rose again. Suggests intermittent exploitation of booking systems, tracking portals, and logistics web applications, likely tied to newly disclosed vulnerabilities or misconfigurations.
DDoS
17 → 9 → 9, Declined and then stabilized at lower levels. Indicates reduced emphasis on disruption attacks compared to intrusion and extortion-focused tactics.
Hacktivism
15 → 9 → 4, Steady decline. Ideologically motivated activity appears to be waning, with fewer campaigns targeting transportation and logistics entities.
Claimed Hacks
17 → 6 → 1, Sharp and continuous decline. Fewer publicly claimed intrusions suggest attackers are shifting toward quieter monetization models such as private access sales or direct extortion.
Over the past three months, CYFIRMA’s telemetry has identified 146 mentions of the transportation & logistics industry out of a total of 2,482 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.
The transportation and logistics industry ranked 5th out of 14 industries in the last 90 days, with a share of 5.88% of all detected industry-linked vulnerabilities.
Below is a breakdown by 30-day periods of all mentions.


Reported CVEs over the last 90 days are dominated by remote and arbitrary code execution vulnerabilities, which remain consistently high across all three 30-day periods. Injection attacks and privilege escalation issues also appear frequently, while denial-of-service and resource exhaustion vulnerabilities increase in the most recent periods. Other vulnerability categories remain comparatively low and sporadic, reflecting disclosure variability rather than sustained shifts in exploitation focus.
Risk Level Indicator: Moderate

In total, the transportation & logistics industry comprises 5.88% of all detected industry-linked vulnerabilities in the last 90 days, ranking 5th out of 14 industries. Below are the observed key trends across 90 days.
Remote & Arbitrary Code Execution (RCE & ACE)
23 → 17 → 23, High and persistent across all periods. RCE remains the most critical disclosure category for transportation and logistics systems, reflecting continued discovery of serious flaws in booking platforms, operational systems, and infrastructure-supporting software.
Injection Attacks
12 → 3 → 10, Sharp drop followed by a strong rebound. This suggests renewed research focus on input validation weaknesses in logistics portals, APIs, and data exchange systems after a quieter middle period.
Denial of Service (DoS) & Resource Exhaustion
1 → 8 → 10, Clear upward trend. Indicates growing attention to availability risks, particularly relevant in transportation environments where service disruption can directly impact physical operations and supply chains.
Privilege Escalation & Access Control Issues
6 → 3 → 7, Moderate but rising in the latest period. Points to increased discovery of authentication and role-based access flaws, often identified during deeper security assessments of operational platforms.
Cross-Site Scripting (XSS) & Clickjacking
3 → 2 → 6, Low early activity with a noticeable recent increase. Suggests renewed disclosure of client-side vulnerabilities in web-facing transportation and logistics applications.
Memory & Buffer Vulnerabilities
0 → 3 → 4, Emerging trend. Indicates increasing researcher attention to lower-level flaws, potentially in legacy systems or embedded components used across logistics infrastructure.
Directory Traversal & Path Manipulation
0 → 2 → 1, Isolated and declining. These disclosures appear sporadic and tied to specific products rather than widespread systemic issues.
Information Disclosure & Data Leakage
1 → 1 → 0, Minimal and tapering. Suggests limited recent reporting of direct data exposure vulnerabilities in this sector’s software stack.
In the past 90 days, CYFIRMA has identified 78 verified ransomware victims in the transportation & logistics industry. This accounts for 3.73% of all 2,093 ransomware victims during the same period, placing the transportation & logistics industry 9th out of 14 industries.

Furthermore, a quarterly comparison shows an uptick in interest in transportation & logistics organizations: victims increased by 25.8%, from 62 to 78. The overall share grew mildly, from 3.5% to 3.73% of all victims.


The monthly trendline for the past six months shows choppy numbers. August and September were lower than the period from October to January, during which we observed months alternating between roughly 20 and 30 victims. The first week of February is so far on pace for another 30-victim month, maintaining the trend.

A breakdown of monthly activity per gang reveals which gangs were most active each month. For instance, the leading gangs Qilin and Akira remained active across all months. On the other hand, the reappearing LockBit5 was active only in December, and another mid-size group, Incransom, was active only in January.

Out of the 65 gangs, 27 recorded victims in the transportation & logistics industry in the last 90 days, representing a 42% participation.
Qilin and Akira had the highest number of victims; however, this industry accounted for only 3.5% and 4.6% of all their victims, respectively. Their numbers therefore reflect opportunistic targeting and the large scale of their overall activity rather than a focus on this industry.
Direwolf (12%) and Lynx, Everest, and Anubis (~10%) showed elevated focus. Overall, however, no gang with a higher victim count showed particular focus on this industry.

Third-party logistics and Aviation are the most frequent victims. Overall, we see significant numbers across most identified sectors, showing there is no single niche sector being targeted above others.

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.
The USA somewhat declined in overall share, down to just 33% of all victims. Meanwhile, Canada, Malaysia, Spain, and Italy recorded higher numbers of victims.
In the last 90 days, 31 countries recorded transportation & logistics industry victims, an increase from 26 countries in the previous period.
Risk Level Indicator: Moderate

The transportation & logistics industry ranked 8th out of 14 monitored industries, recording 78 victims in the last 90 days, a significant increase of 25.8% from 62 victims in the previous 90-day period.
Overall share also mildly increased from 3.5% to 3.73% of all ransomware victims.
Monthly Activity Trends
Monthly numbers are choppy, alternating between 20 and 30 victims per month. February is so far on pace to be another 30-victim month.
Ransomware Gangs
A total of 27 out of 65 active ransomware groups targeted this industry in the past 90 days – 42% participation:
Qilin, Akira: Consistently the two most active gangs. However, their focus on this industry is low; their victim counts are high only because of the sheer total volume of their victims.
Direwolf, Lynx, Everest, Anubis: Recording ~10-12% of their victims from this industry, suggesting a higher focus.
Overall, no gang appears to be particularly focused on this industry, and all targeting seems to be opportunistic.
Geographic Distribution
Ransomware victims were spread relatively widely, across 31 countries, an increase from 26 in the previous period.
The USA recorded a relatively small 33% of all victims in this industry. Canada, Malaysia, Spain, the UK, and Italy were among the countries with the largest increases, bearing the brunt of the higher victim count.
We assigned a moderate risk level due to the higher total number of victims and the many countries experiencing increases.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.
APT Campaigns (Moderate): APT activity against transportation & logistics increased materially, with 8 of 14 observed campaigns (57%) impacting the sector, up from 38% in the prior period. Activity clustered strongly in January, following an almost inactive November and only a single campaign in December, with early February already indicating continued momentum into the next quarter. Threat actors were predominantly Chinese-linked, alongside isolated activity from Russian financially motivated groups and North Korean and Iranian actors. Victims were distributed across Asia-Pacific and select Western countries, led by Japan, the United States, India, South Korea, and Taiwan, with secondary exposure in the UK and Australia. Targeting focused primarily on web applications and operating systems, consistent with state-sponsored tradecraft favoring externally exposed services over sector-specific technologies.
Underground & Dark Web Chatter (Low): The sector accounted for 1.96% of underground chatter, ranking 12th, with overall activity remaining limited despite volatility. Data breach chatter rebounded sharply in the latest period after a lull, suggesting renewed compromise activity against logistics providers and supply chain platforms. Data leak and claimed hack activity continued to decline, pointing to reduced public exposure and greater reliance on private access sales or direct extortion. Ransomware chatter partially recovered after a sharp drop, while DDoS and hacktivism trended downward, reinforcing the dominance of financially motivated, intrusion-focused activity.
Vulnerabilities (Moderate): Transportation & logistics represented 5.88% of disclosed industry-linked vulnerabilities, ranking 5th. RCE vulnerabilities remained persistently high, underscoring ongoing exposure in booking systems, operational platforms, and supporting infrastructure software. DoS-related disclosures rose steadily, highlighting growing concern over availability risks that can directly disrupt physical operations. Injection, privilege escalation, and XSS findings also rebounded in the latest period, suggesting deeper security reviews and renewed research attention across web-facing and operational systems.
Ransomware (Moderate): Ransomware impact increased, with 78 victims representing a 26% rise from the previous period and lifting the sector’s share to 3.73%. Activity remained uneven month to month but consistently elevated, with February tracking toward another high-volume month. While high-volume gangs such as Qilin and Akira contributed opportunistically, several mid-tier groups, including Direwolf, Lynx, Everest, and Anubis, showed higher proportional focus on the sector. Victim geography expanded to 31 countries, with growth concentrated outside the U.S. in Canada, Malaysia, Spain, the UK, and Italy, supporting the assignment of a moderate risk level.