The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the logistics industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the logistics industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
Logistics organizations featured in 9 out of the 23 observed campaigns, which is a presence in 37.5% of campaigns
Observed Campaigns per Month
The monthly chart shows consistent 3 campaigns each month from November to January.
Suspected Threat Actors
Suspected threat actors are Mustang Panda with overlapping TTPs of other known China-APT41-nexus, collectively tracked as Mission2025, as well as Leviathan, focusing on the Middle East, followed by Russian cybercrime syndicates TA505, FIN and both Bears.
GEOGRAPHICAL DISTRIBUTION
Victims of observed attack campaigns were recorded in 36 different countries. Notable are Middle Eastern countries in the crosshairs of Leviathan APT, as well as a growing focus on Asia.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on Web Applications, Infrastructure Solutions and Operating Systems.
Risk Level Indicator: Medium
In the past 90 days, the logistics industry has consistently faced a medium level of risk. Threat actor interest was divided between Chinese nation-state and Russian financially motivated groups, with Mustang Panda and APT41-nexus (tracked as Mission2025) being the most active Chinese threat actors. Notably, Fancy and Cozy Bears, along with TA505, were the prominent Russian threat actors.
Furthermore, a campaign by the Leaviathan group, linked to China and focusing on the Middle East, was recorded.
Geographically, the most targeted regions were India, Taiwan, and Japan, closely followed by the USA, Vietnam, and South Korea. Southeast Asia saw an increase in attack volumes, previously associated with the Lazarus Group’s heightened activity, but the current surge is attributed to Chinese nation-sponsored activity.
Web applications continued to be the most frequently targeted technology across various industries, closely followed by operating systems in terms of susceptibility. Additionally, there were instances of cyberattacks targeting infrastructure-as-a-service.
Over the past 3 months, CYFIRMA’s telemetry recorded 9,024 phishing campaigns out of a total of 328,083 that impersonated the logistics industry brands.
As per the chart below Logistics & Couriers with Transportation accounted for 2.76% of all observed phishing campaigns. A noticeable decline compared to 6.05% in the previous 90-day snapshot.
Global Distribution of Phishing Themes per Sector
Top Impersonated Brands
In total 39 different brands were impersonated. The chart shows the Top 25 with USPS and DHL leading by a large margin.
Top Countries of Origin based on ASN
Based on ASN origin logistics phishing campaigns were observed in 71 countries with the US accounting for 62% of them all. This corresponds with USPS being the most impersonated brand and global DHL being impersonated around the world.
Risk Level Indicator: Medium
The logistics and transportation industry witnessed a significant decline in share of impersonations, dropping from 6.05% to 2.76%, compared to the previous 90 days, marking a 50% reduction in volume. The ASN origin breakdown indicates decreased activity from Indonesia and Malaysia, previously among the most active regions. Additionally, there was a more moderate drop in impersonations against national postal services, suggesting a shift in cybercriminal interest towards new themes as the previous tactics became familiar to organizations and users.
The United States Postal Service (USPS) remains the most impersonated organization by a large margin, followed by DHL Airways. Poste Italiane and DPD group secure the distant 3rd and 4th places. A total of 39 different organizations were observed being impersonated, with campaigns originating from 71 different countries. The USA accounted for 62% of all campaigns, followed by Hong Kong, Canada, and Germany.
In the past 90 days, CYFIRMA has identified 124 verified ransomware victims within the logistics industry sectors. This accounts for 10.9% of the overall total of 1,133 ransomware incidents during the same period.
The Monthly Activity Chart
Monthly trends show consistently high numbers across months even in the partial months of November and February.
Breakdown of Monthly Activity by Gangs
A breakdown of the monthly activity provides insights into per-group activity. For example, LockBit3 and Blackbasta were highly active across months, whereas Trigona recorded logistics victims only in January.
Ransomware Victims in Logistics Industry per Group
In total 26 out of 50 groups recorded logistics organization victims in the past 90 days. The top 4 are responsible for half of them.
Comparison to All Ransomware Victims by Group
Compared to all recorded victims in the same time period, Blackbasta gang records a comparatively high number of victims in this industry, suggesting a focused interest on the logitics organizations.
Geographic Distribution of Victims
The heatmap of geographic distribution shows a truly global reach of ransomware
Total Victims per Country
In total 31 countries recorded ransomware victims, with the US alone accounting for ~53% of all victims with identified geography.
Sectors Distribution
Listing consolidated sectors matched under the logistics industry umbrella shows Transportation, Logistics Support, Supply & Technology and Supply Chain & Management as the most attacked sectors. Furthermore, we observe a diverse range of impacted sectors, including many niches.
Risk Level Indicator: High
Monthly activity consistently indicates a steady volume of ransomware attacks, accounting for 10.9% of all victims. LockBit3, Blackbasta, and ALPHV were active throughout the months, while the Trigona group recorded victims only in January.
Among the 50 active gangs in the past 90 days, 26 targeted the logistics and transportation sectors. Blackbasta and Trigona showed a heightened focus on this industry, with 35% and 78% of their victims belonging to logistics, respectively. In contrast, groups like Cactus or Medusa demonstrated reduced interest in this sector compared to their total number of victims. The data highlights the dominance of major ransomware gangs, with the top four accounting for over half of all victims.
Across 31 different countries, the United States experienced the highest impact, with 65 victims (53% of all victims), followed by the UK and Canada. The United States remains the most targeted country across various industries, owing to its extensive economy and massive trade supported by extensive logistics networks.
Most affected sectors are Transportation, Logistics Support, Supply & Technology and Supply Chain & Management.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
In the logistics industry’s external threat landscape, we consistently observe a medium to high risk across monitored categories. Cybercriminals have found effective ways to monetize attacks on the logistics and transportation sector, since then attracting threat actors even at lower skill levels.
Ransomware remains a significant threat, with logistics organizations constituting 10.9% of all victims in the last 90 days. Blackbasta and Trigona show high focus on this industry, while LockBit3 and ALPHV pose high risks due to their overall high volume of ransomware attacks.
Phishing has decreased to a medium risk, with a recorded drop of over 50% in share of observed phishing campaigns. This decline is attributed to the absence of previously high volumes originating from Southeast Asia and a decrease in presence of smaller nation postal services. This is possibly due to a declining success rate of this themed attack over recent years and shift to other themes.
Observed Advanced Persistent Threat (APT) campaigns retain a moderate risk, with a relatively even distribution between financially motivated threat actors from Russia and state-sponsored groups from China. Chinese threat actors, including Mustang Panda, APT41-nexus (Mission2025), and Leviathan focused on the Middle East, are among the most active.
