CYFIRMA INDUSTRY REPORT – TRANSPORT & LOGISTICS

Published On : 2026-06-22

RISK SCORES SUMMARY

TRANSPORTATION & LOGISTICS INDUSTRY

CATEGORIES RISK MOVERS

APT Campaigns – 6.5
13 of 38 campaigns (34%), up from 7 of 19 last period. China-linked actors dominant, with Stone Panda and MISSION2074 leading. Leviathan notable for maritime and transportation specialization. RDP, SSH, and PHP targeting points to remote access exposure.

Cyber Incidents – 5.8
18 incidents, ranking 10th. Cyber-enabled cargo theft matured into a standing criminal business model, FBI confirming losses in the millions. Taiwanese rail hack exposed structural OT risk. No dedicated sector threat actor; mostly opportunistic overlap.

Dark Web Chatter – 5.6
2.48% of all detected chatter, ranking 11th. Breach and leak mentions collapsed in the final period, consistent with forum disruption. Claimed hacks and web exploits diverged sharply upward, the strongest signal in the dataset.

Vulnerabilities – 7.2
10.76% of all industry-linked disclosures, ranking 3rd. RCE nearly quadrupled across the period. DoS and memory vulnerabilities both spiked sharply in the final period. Compounding escalation across categories drives the high score.

Ransomware – 5.0
74 victims, virtually unchanged from the previous quarter. Up only 1.4% from 73 Q-on-Q, share of all victims flat at 3.3%. Monthly activity stable, oscillating between 21 and 32 victims over the past 6 months. 35% gang participation signals broad opportunistic rather than concentrated targeting.

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the transportation & logistics industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the transportation & logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, public reports, underground & dark web chatter, vulnerabilities, and ransomware incidents targeting transportation & logistics organizations.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA delivers pre-emptive cybersecurity, cyber threat intelligence, and external threat landscape management through its platforms, DeCYFIR and DeTCT. These platforms have been purpose-built over many years to continuously collect, correlate, and analyse large volumes of external threat data, combining proprietary intelligence automation with deep, hands-on cyber threat research.

For the purpose of this report, the analysis draws on intelligence generated from CYFIRMA’s platforms. The data referenced has been processed through automated correlation and enrichment mechanisms, informed and validated by human-led research and investigative expertise, and sourced from both structured and unstructured external intelligence channels.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

REPORTED CYBER INCIDENTS

  • Leveraging the ability of our platforms to ingest and process publicly available information, we are introducing a new category of reported cyber incidents.
  • This feature is still in development, using machine learning to process publicly available information and reporting of cyber incidents to identify industry, threat actors, attack techniques, malware/tools used, and create data sets for actionable intelligence.
  • For this category, threat actors will be a mixed use of established names and nations, as in many cases, reports only specify the attacking country. Similarly, sometimes reports include the victims’ country, sometimes they do not.
  • The main data point is the number of incidents per industry; the rest of the data points are subject to highly diverse public reporting and information, therefore, uneven and often lacking some of the information. Yet we still believe it is useful as another data point for each industry to see long-term trends and techniques or malware/tools used.

UNDERGROUND & DARK WEB CHATTER

  • Using dictionary-based tagging and processing of underground & dark web chatter logs, our DeCYFIR platform can now identify industry-based topics and multiple categories of context in which the industry is being discussed.
  • This feature is still in development, and matching algorithms are actively fine-tuned. Some keywords/phrases that are essential for a specific industry are very common in cybercrime chatter, typically many IT terms. For the purpose of data gathering, we attempt a fine balance between accurate identification and removal of some keywords that trigger too many false positive detections, all while still getting meaningful statistics.

VULNERABILITIES

  • Using very similar tagging and processing of underground & dark web chatter logs over reported CVE logs, our DeCYFIR platform can now identify industry and multiple categories of vulnerabilities in which the industry is present in reported CVEs.
  • This feature is still in development, and matching is actively fine-tuned. Some keywords that are essential for a specific industry are very common in vulnerability descriptions, typically many IT terms. We attempt the same fine balance between accurate identification and removal of some keywords that trigger too many false positive detections.
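The dictionary-based tagging described here and in the underground chatter section above, as an added example that is not CYFIRMA’s code: it assigns an industry and chatter categories to a post or CVE description, while ambiguous IT terms are suppressed on their own and only count as supporting evidence. All dictionaries, thresholds, and sample posts are constructed assumptions.

```python
"""Dictionary-based industry and category tagger for chatter logs and CVE text.

Added example, not CYFIRMA's implementation. Dictionaries, thresholds and the
sample posts below are constructed to illustrate the false-positive balance
described in the methodology.
"""
import re
from collections import Counter, defaultdict

# Constructed industry dictionaries. Ambiguous terms (below) are deliberately
# kept in the vocabulary so they can add weight once a specific term is present.
INDUSTRY_TERMS = {
    "transportation & logistics": {
        "freight", "cargo", "logistics", "3pl", "fleet", "warehouse", "trucking",
        "maritime", "railway", "airline", "port", "carrier", "transport", "delivery",
    },
    "healthcare": {"hospital", "patient", "clinic", "medical"},
}
# Industry terms that are also common IT vocabulary in cybercrime chatter and
# CVE descriptions; alone they never tag an industry.
AMBIGUOUS_TERMS = {"port", "carrier", "transport", "delivery", "gateway"}
# Constructed category dictionary mirroring the chatter categories in the report.
CATEGORY_TERMS = {
    "data breach": {"breach", "dump", "leaked", "leak"},
    "ransomware": {"ransomware", "encrypted", "ransom"},
    "web exploit": {"sqli", "sql injection", "rce", "remote code execution",
                    "webshell", "exploit"},
    "claimed hack": {"hacked", "pwned", "rdp access", "initial access",
                     "selling access"},
    "ddos": {"ddos", "botnet"},
}
MIN_SPECIFIC_TERMS = 1   # at least one unambiguous industry term
MIN_TOTAL_TERMS = 2      # and at least two distinct matching terms overall


def _matches(text, terms):
    """Return the subset of terms present as whole words or phrases in text."""
    return {t for t in terms if re.search(r"\b" + re.escape(t) + r"\b", text)}


def tag_industry(text):
    """Return (industry, evidence_terms), or (None, set()) when no industry
    clears the thresholds. Picks the industry with the most distinct hits."""
    low = text.lower()
    best, best_evidence = None, set()
    for industry, terms in INDUSTRY_TERMS.items():
        hits = _matches(low, terms)
        specific = hits - AMBIGUOUS_TERMS
        if len(specific) < MIN_SPECIFIC_TERMS or len(hits) < MIN_TOTAL_TERMS:
            continue
        if len(hits) > len(best_evidence):
            best, best_evidence = industry, hits
    return best, best_evidence


def tag_categories(text):
    """Return the set of chatter categories whose dictionary matches the text."""
    low = text.lower()
    return {cat for cat, terms in CATEGORY_TERMS.items() if _matches(low, terms)}


def summarize(posts):
    """Count mentions and category hits per tagged industry; untagged posts
    are dropped, which is the trade-off the methodology describes."""
    stats = defaultdict(Counter)
    for post in posts:
        industry, _ = tag_industry(post)
        if industry is None:
            continue
        stats[industry]["mentions"] += 1
        for cat in tag_categories(post):
            stats[industry][cat] += 1
    return {industry: dict(counts) for industry, counts in stats.items()}


# Constructed sample posts (not real chatter).
SAMPLE_POSTS = [
    "Selling RDP access to a 3PL freight broker, fleet tracking panel included",
    "Fresh dump: 400k accounts from a corporate travel firm, leaked today",
    "Advisory: SQL injection in logistics warehouse management web app allows "
    "remote code execution",
    "Open port 3389 on some router, anyone have an exploit?",
    "Hospital patient records encrypted by ransomware, ransom note posted",
    "Shipment carrier portal pwned, cargo manifests leaked",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(tag_industry(post)[0], sorted(tag_categories(post)), "<-", post)
    print(summarize(SAMPLE_POSTS))
```

The fourth post shows the suppression at work: "port" alone is not enough to tag the sector, so the post is counted only as a web exploit mention with no industry.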

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains data collected and processed by our in-house AI and ML, all charts, statistics, and analyses are done by human CYFIRMA CTI analysts to ensure the highest quality and provide accurate insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Transportation & logistics organizations featured in 13 out of the 38 observed campaigns, a presence in 34% of all campaigns. In absolute terms this is an increase from the previous period, where transportation & logistics organizations were present in 7 out of 19 campaigns, but a mild decrease in share from 37% of observed campaigns.

OBSERVED CAMPAIGNS PER MONTH

APT activity targeting transportation & logistics has been continuous. Most of the campaigns remain active and have been updated with new detections as recently as June.

SUSPECTED THREAT ACTORS

Observed APT campaigns are dominated by suspected China-linked, state-sponsored actors, with Stone Panda recording the highest number of observed campaigns, followed closely by MISSION2074. Leviathan and Gothic Panda also feature, with Leviathan notable for its known focus on maritime and transportation sector targets specifically.

North Korea-associated Lazarus Group, Russia-linked Cozy Bear, and Iran-linked OilRig and Charming Kitten round out the state-sponsored actor profile. Financially motivated actors TA505 and FIN7 are also present, alongside additional China-linked representation from APT27, Hafnium, and Lotus Blossom.

GEOGRAPHICAL DISTRIBUTION

Victim distribution spans 32 countries, with the United States recording the highest victim count, followed closely by Japan. South Korea and the United Kingdom both feature prominently, with Australia, India, Taiwan, and Thailand also recording multiple victims across observed campaigns.

Middle Eastern presence spans several countries, with Saudi Arabia recording the highest count in the region, alongside the UAE and Gulf states, including Qatar, Kuwait, Bahrain, and Oman, each recording a single instance. Southeast Asian countries, including Thailand, Singapore, the Philippines, Malaysia, and Indonesia, appear regularly, consistent with major regional shipping and logistics hubs.

Remaining victims are spread across continental Europe, Africa, and isolated cases in East Asia, reflecting broad geographic targeting consistent with the diverse actor profile observed this period.

TOP ATTACKED TECHNOLOGY

Web applications and operating systems account for the majority of observed attacks this period. The remaining targeted technologies show a broader spread than in most sectors, including application infrastructure, database management software, open-source database software, and SQL server performance monitoring tools.

Notably, RDP services on Windows platforms, SSH, and PHP also appear among targeted technologies, pointing to remote access and web-facing application layer targeting consistent with the sector’s reliance on distributed operational systems. Application security software completes the profile, recorded in a single instance.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: 6.5 – Elevated

FORWARD ASSESSMENT

Based on observed trajectory across the two reporting periods, the transportation and logistics sector’s external threat landscape is expected to remain at Elevated through the next 90 days. Campaign presence shows a mild decrease from 37% to 34% of all observed campaigns, though the absolute campaign count increased from 7 to 13.

Sustained volume: Campaign presence grew from 7 out of 19 to 13 out of 38 observed campaigns period over period. The June surge, following zero campaigns in May, suggests volatility rather than a steady decline, and the underlying actor base does not show signs of disengagement. 10 to 14 transportation and logistics sector campaigns over the next 90 days is a plausible baseline estimate.

Dominant actor continuity: Stone Panda and MISSION2074 recorded the highest campaign counts this period and are expected to maintain operational tempo. Leviathan’s presence is particularly relevant given its known specialization in maritime and transportation sector targeting, indicating sector-specific rather than opportunistic interest.

Remote access and web-facing exposure: RDP services on Windows platforms, SSH, and PHP appearing among targeted technologies point to remote access and web-facing application layer targeting consistent with the sector’s reliance on distributed operational systems such as ports, warehouses, and fleet management platforms. Organizations with exposed RDP or unpatched web infrastructure face the highest immediate risk.

Geographic targeting: The United States leads in victim count, followed closely by Japan, with South Korea and the United Kingdom also featuring prominently. The Indo-Pacific corridor and North America are expected to remain primary target zones, with continued exposure across major Southeast Asian shipping and logistics hubs including Singapore, Thailand, and the Philippines.

Multi-actor threat profile: North Korea-associated Lazarus Group, Russia-linked Cozy Bear, and Iran-linked OilRig and Charming Kitten all feature alongside the dominant China-linked cluster and financially motivated TA505 and FIN7. Defenders should prioritize TTP-based detection over actor-specific IOC tracking given the broad technology and actor overlap observed this period.

REPORTED CYBER INCIDENTS

Over the past 90 days, DeCYFIR and DeTCT platforms tracked 781 cyber incidents reported publicly. We could identify the industry for 572 of these incidents (73%).
The transportation & logistics industry was detected in 18 incidents, which equals 2.98% of the incidents where we knew the industry, ranking 10th out of 14 industries.

The sector saw activity across three distinct threads rather than a single dominant threat actor.

Cyber-enabled cargo theft matured into a standing criminal business model this quarter. Multiple April-May reports described hackers gaining remote access to freight-tracking systems and handing stolen shipment data to physical theft crews. The FBI confirmed this is now generating millions in losses — a maturing vertical rather than an isolated tactic, and none of the actors involved have been publicly named.

Rail and transit OT exposure produced the quarter’s most striking incident: a Taiwanese student hacked the island’s high-speed rail to trigger emergency brakes, prompting wider commentary on rail cybersecurity gaps. While not state-directed, it demonstrated that critical rail systems remain reachable without significant resourcing. Separately, France’s national railway was targeted in a multi-stage phishing scam, and the Iranian intelligence-linked Handala group was tied to a hack of the LA transit system — the only clearly state-directed incident in the sector this quarter, likely reconnaissance-oriented.

Data breaches at travel-adjacent companies rounded out the picture: Eurail (300,000 records, surfaced in April), Carnival Cruise Lines (nearly 6 million records via account takeover), and corporate travel firm BCD Travel, hit by ShinyHunters with roughly 400,000 accounts exposed.

Transportation doesn’t have a dedicated threat actor the way other sectors do — most hits are opportunistic overlap from broader campaigns (ShinyHunters reaching BCD Travel) rather than deliberate sector targeting. The exception is Iran, whose interest in transportation as critical infrastructure fits its broader pattern of OT-focused activity this quarter. The fastest-growing and most sector-specific risk is the cargo theft ecosystem, which appeared in three separate reports across six weeks — a stronger signal of an entrenched trend than any single incident.

ATTACK TECHNIQUES

OT/ICS attacks were the dominant technique, concentrated entirely in the previous 30 days, with no activity in the last 30 days. Account takeover and phishing each appeared once, also in the previous 30 days. Ransomware appeared once in the last 30 days, the only technique identified in the most recent period. The sharp drop-off from the previous to the last 30 days suggests either reduced targeting activity or a gap in public reporting during the most recent window.

GEOGRAPHICAL DISTRIBUTION

Attacking country attribution was minimal, with Iran identified once as the only attacking entity. Victim attribution was more complete, with Taiwan recording the most targets, followed by Europe and the United States, and isolated cases in France and Spain. The geographic spread across Asia-Pacific, Europe, and North America suggests opportunistic or diverse targeting rather than concentration on a single region.

REPORTED CYBER INCIDENTS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: 5.8 – Elevated

FORWARD ASSESSMENT

The threat level for the transportation and logistics sector over the next 90 days is assessed as elevated risk.

The following developments are anticipated based on current trends, actor capabilities, and operational patterns:

Cyber-Enabled Cargo Theft. This vertical matured into a standing criminal business model this quarter, with hackers gaining remote access to freight-tracking systems and handing stolen shipment data to physical theft crews. FBI confirmation of losses in the millions, combined with appearances across three separate reports in six weeks, indicates an entrenched trend rather than isolated activity. Continued growth is likely given the absence of publicly named actors to disrupt.

Rail and Transit OT Exposure. Critical rail systems remain reachable without significant resourcing, as demonstrated by the Taiwanese high-speed rail incident. While this case was not state-directed, it highlights structural exposure that more capable actors could exploit. Iran’s reconnaissance-oriented activity against the LA transit system, via the Handala group, is the sector’s only clearly state-directed incident this quarter and fits Iran’s broader pattern of OT-focused targeting.

Opportunistic Data Breach Exposure. Unlike other sectors, transportation lacks a dedicated threat actor. Most breaches, including ShinyHunters’ hit on BCD Travel, reflect overlap from broader campaigns rather than deliberate sector targeting. This pattern is likely to continue, with transportation remaining a secondary target rather than a primary focus for major threat groups.

Low Reporting Volume. At 18 incidents and 2.98% of industry-attributed activity, this remains one of the lower-volume sectors. This constrains confidence in trend identification and likely understates actual exposure given the sector’s reliance on third-party logistics and travel platforms.

UNDERGROUND & DARK WEB CHATTER ANALYSIS

Over the past 90 days, CYFIRMA’s telemetry has identified 888 mentions of transportation & logistics organizations, out of a total of 35,836 industry-linked mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.

Transportation & logistics organizations placed 11th out of 14 industries in the last 90 days, with a share of 2.48% of all detected industry-linked chatter.

Below is a breakdown by a 30-day period of all mentions.

GLOBAL CHATTER CATEGORIES

UNDERGROUND & DARK WEB EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: 5.6 – Elevated

FORWARD ASSESSMENT

Transportation & logistics shows comparatively lower overall underground chatter volume than sectors like IT, finance, or healthcare, but this likely reflects a smaller digital attack surface and lower public reporting volume rather than reduced attacker interest. The steep decline in breach and leak visibility in the final period is consistent with the forum’s disruption pattern observed across other sectors, though the sector’s typically lower baseline chatter makes it harder to distinguish a genuine coverage gap from an organic decline.

Data Breach and Data Leak: The sharp decline in the final period (186 to 38, and 107 to 32) aligns with the broader forum disruption and migration dynamics seen elsewhere in this report. Given the sector’s lower baseline visibility, this drop should be interpreted cautiously rather than read as a clear reduction in actual threat activity.

Ransomware: The most stable category in this dataset, declining only modestly from 65 to 52. This consistency across all three periods, even as breach and leak chatter collapsed, suggests ransomware targeting of transportation and logistics operates somewhat independently of the forum disruption dynamics affecting other categories.

Claimed Hacks and Web Exploit: Both show clear upward divergence from the rest of the dataset, more than tripling and doubling, respectively, in the final period. This is the strongest signal in the sector, indicating growing interest in access sales and active probing of transportation systems even as overall sector chatter declines.

Hacktivism and DDoS: Both remain minimal with no sustained pattern.

Sector context: The divergent rise in claimed hacks and web exploits against an overall declining chatter trend is the most notable signal here. It may indicate early-stage targeting or reconnaissance activity that has not yet translated into broader breach or leak chatter and warrants monitoring even though current volumes remain comparatively low.

VULNERABILITIES ANALYSIS

Over the past 90 days, CYFIRMA’s telemetry has identified 426 mentions of transportation & logistics organizations out of a total of 3,959 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.

Transportation & logistics organizations ranked 3rd out of 14 industries in the last 90 days with a share of 10.76% of all detected industry-linked vulnerabilities.

Below is a breakdown by a 30-day period of all mentions.

VULNERABILITY CATEGORIES

Reported CVEs in the transportation & logistics sector over the last 90 days show sharp and sustained escalation across multiple high-impact vulnerability categories. Remote and arbitrary code execution vulnerabilities increase consistently and substantially, nearly quadrupling from initial levels to 97 in the final period. Denial of service and memory and buffer vulnerabilities both show dramatic spikes in the final period, increasing several-fold from prior levels. Injection attacks show a steady upward trend across all periods. Privilege escalation declines in the final period after initial stability, while cross-site scripting, directory traversal, and information disclosure remain minimal throughout.

VULNERABILITIES EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: 7.2 – High

FORWARD ASSESSMENT

Transportation & logistics shows a disproportionately high concentration of reported vulnerabilities relative to its size and underground chatter footprint, indicating the sector’s digital attack surface is more exposed than its dark web visibility alone would suggest. The consistent and compounding escalation across RCE, DoS, injection, and memory vulnerability categories in the final period, rather than a spike in just one category, is the key driver of the elevated score.

Remote & Arbitrary Code Execution: The dominant and most consistent vulnerability category, nearly quadrupling over the 90-day window. Direct compromise potential is particularly concerning given exposure of fleet management, tracking, and supply chain coordination systems that underpin physical-world logistics operations.

Denial of Service: The sharp final-period spike is significant in this sector specifically, where service availability is directly tied to scheduling and supply chain continuity. Unlike sectors where DoS is a secondary nuisance, disruption here has direct downstream physical and economic effects.

Memory & Buffer Vulnerabilities: The largest proportional jump in the dataset. This category often reflects vulnerabilities in embedded systems, firmware, or legacy industrial software, which is plausible given the operational technology common in transportation and logistics infrastructure. This trend deserves closer technical review rather than being read as routine.

Injection Attacks: Steady upward trend suggests sustained rather than episodic targeting of backend logistics platforms and tracking systems.

Privilege Escalation: Decline in the final period is the one counter-trend in the dataset but given the concurrent rise in RCE and memory vulnerabilities, reduced privilege escalation disclosures should not be read as reduced overall risk.

Sector context: The compounding nature of this escalation, multiple high-impact categories rising simultaneously rather than one outlier category, is a stronger risk signal than any single number in this dataset and is the primary basis for the high score despite the sector’s comparatively quiet underground chatter profile.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 74 verified ransomware victims in transportation & logistics organizations. This accounts for 3.34% of all 2,216 ransomware victims during the same period, placing this sector 10th out of 14 industries.

Furthermore, a quarterly comparison shows that the number of victims in transportation & logistics organizations has been sustained. It went from 73 to 74 victims, a 1.4% increase. The overall interest, represented by share, also remained almost the same, moving from 3.35% to 3.34% of all victims.

INDUSTRY MONTHLY ACTIVITY CHART

Monthly activity has been remarkably consistent over the past 6 months, including the partial months of September and June. The number of victims per month oscillated between 21 and 32 for the entire period.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of monthly activity per gang reveals which gangs were most active each month. For instance, gangs Qilin and The Gentleman were highly active every month.

On the other hand, LockBit5 recorded the most victims during April and, alongside many smaller gangs that recorded victims only in April, contributed to April’s numbers.

Safepay recorded the most victims during May, and similarly to April, many smaller gangs recorded victims only in May, underlining how activity changes month to month.

Out of the 82 gangs, 29 recorded victims in transportation & logistics organizations in the last 90 days, representing a disturbing 35% participation.

Qilin and Thegentlemen had the highest numbers of victims; however, this industry makes up a relatively low share of their victims (3.9% of 306 and 4.7% of 234, respectively).

M3rx, Everest, and Gunra stand out as the gangs with the highest shares of transportation & logistics victims, disregarding Secpo, a gang with low overall volume.

Among gangs with more than 2 victims, on average, 6.47% of their victims are from this industry, that is, about 1 in 15 victims.

VICTIMS PER INDUSTRY SECTOR

Freight Trucking and Third-Party Logistics (3PL) dominated the victim organizations, reflecting ground-based freight movement and outsourced logistics. Aviation and Specialty Logistics followed, with Maritime and Integrated Logistics also significant.

General Distribution, Passenger Transport, E-commerce Logistics, Automotive Logistics, Warehousing, and Supply Chain Management were less represented, with most having fewer than five organizations. This suggests broad sector coverage rather than concentration in a single logistics function.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

Transportation & logistics victimology shows the USA being the most targeted, accounting for 27% of all victims. Remaining activity is distributed among 25 countries for 54 victims.

Australia, Thailand, Spain, and Brazil recorded the largest increases in the last 90 days.

Malaysia, the UK, Romania, the UAE, Indonesia, and Vietnam have seen the largest declines.

In the last 90 days, 26 countries recorded transportation & logistics victims, 5 fewer than 31 countries in the previous period.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: 5.0 – Sustained

FORWARD ASSESSMENT

The Transportation & Logistics sector threat landscape is expected to remain at a moderate-elevated level through the next 90 days. Victim volume has been remarkably stable across the past six months, with growth of only 1.4% quarter-on-quarter and sector share of total ransomware victims holding flat at roughly 3.3%, indicating a consistent but not escalating threat pattern.

Volume outlook: Monthly activity oscillated narrowly between 21 and 32 victims across the period, without the sharp spikes seen in other sectors. June recorded only 13 victims, but as a partial month, this should not be read as a genuine decline. A baseline of 75 to 85 victims over the next 90 days is the most plausible outcome given the sector’s demonstrated stability.

Actor behaviour: 29 of 82 active gangs recorded transportation and logistics victims, a 35% participation rate that signals broad opportunistic interest rather than concentrated targeting. Qilin and Thegentlemen produced the highest victim counts but represent a comparatively low share of each group’s total activity, suggesting this sector is not a primary focus even for its most active attackers. M3rx, Everest, and Gunra show the highest shares of their overall activity directed at this sector, marking them as the actors most likely to sustain or increase focused targeting going forward. LockBit5 and Safepay drove the April and May peaks, respectively, with many smaller gangs contributing single victims in those months, a pattern of rotating opportunistic activity likely to continue.

Subsector risk: Freight Trucking and Third-Party Logistics together account for the largest share of victims, consistent with the high volume of smaller, less security-mature operators in these subsectors. Aviation, Specialty Logistics, and Maritime Logistics also show meaningful exposure, reflecting the operational disruption value these targets offer attackers.

Geographic targeting: The USA remains the dominant target, accounting for 27% of all victims, with Canada, Italy, Australia, and Germany forming a consistent secondary tier. The contraction from 31 to 26 countries suggests a modest narrowing in geographic spread, though Australia, Thailand, Spain, and Brazil recorded increases in the current period and warrant monitoring as potential emerging focus areas.

REPORT SUMMARY

APT Campaigns (Elevated): Transportation & logistics featured in 13 of 38 observed campaigns (34%), up from 7 of 19 (37% share) in the last period, a mild decrease in share despite higher absolute volume. Activity is dominated by China-linked actors, with Stone Panda and MISSION2074 leading. Leviathan stands out for its known specialization in maritime and transportation targeting. RDP, SSH, and PHP appear among targeted technologies, pointing to remote access and web-facing exposure consistent with the sector’s distributed operational systems. Victim distribution spans 32 countries, led by the US and Japan.

Reported Cyber Incidents (Elevated): 18 incidents recorded, ranking 10th across industries. Cyber-enabled cargo theft matured into a standing criminal business model this quarter, with the FBI confirming losses in the millions across multiple reports. A Taiwanese student’s hack of the island’s high-speed rail demonstrated structural OT exposure, while Iran’s Handala group was tied to reconnaissance against the LA transit system, the only clearly state-directed incident this quarter. The sector lacks a dedicated threat actor, with most breaches reflecting opportunistic overlap from broader campaigns rather than deliberate targeting.

Underground & Dark Web Chatter (Elevated): Transportation & logistics ranked 11th at 2.48% of detected chatter. Breach and leak mentions collapsed in the final period, consistent with forum disruption patterns observed elsewhere. Ransomware chatter remained the most stable category, declining only modestly. The standout signal is a sharp divergent rise in claimed hacks and web exploits in the final period, more than tripling and doubling, respectively, suggesting early-stage reconnaissance activity not yet reflected in broader breach chatter.

Vulnerabilities (High): Transportation & logistics ranked 3rd at 10.76% of industry-linked disclosures, a disproportionately high share relative to the sector’s quieter dark web footprint. RCE vulnerabilities nearly quadrupled across the period. DoS and memory/buffer vulnerabilities both spiked sharply in the final period. The compounding escalation across multiple high-impact categories simultaneously, rather than one outlier, is the primary driver of the elevated score.

Ransomware (Sustained): 74 victims, up just 1.4% from 73 prior, with sector share holding flat at roughly 3.3%. Monthly activity has been remarkably stable, oscillating narrowly between 21 and 32 victims. 29 of 82 active gangs recorded victims, a 35% participation rate signaling broad opportunistic rather than concentrated interest. Freight Trucking and Third-Party Logistics led sub-sector victim counts. The US accounted for 27% of victims, with geographic spread narrowing from 31 to 26 countries.