Self Assessment

CYFIRMA INDUSTRY REPORT : LOGISTICS

Published On : 2024-11-11
Share :
CYFIRMA INDUSTRY REPORT : LOGISTICS

EXECUTIVE SUMMARY:

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the logistics industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION:

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the logistics industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

VULNERABILITIES

  • Statistics presented are processed from CYFIRMA DeCYFIR platform which collect reported vulnerabilities from plethora of available sources and vendors.
  • Filtering is based on categorization of vendors. Specifically, vendors directly related to specific industry and supporting vendors, such as Microsoft or Oracle, used in most industry’s operations.
  • We are only presenting vulnerabilities with CYFIRMA score 8 and higher to maintain clarity and concise presentation.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Logistics organizations featured in 5 out of the 11 observed campaigns, which is a presence in 45% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

After a period of lower detections in earlier months, we observed a spike in newly detected campaigns during November.

SUSPECTED THREAT ACTORS

Observed threat actors are split between China and Russia linked groups, as well as suspected Pakistan aligned Transparent Tribe group.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 18 different countries. There does not appear to a be clear geographic pattern besides trading economy size. Observed campaigns seemingly focus on APAC-US-EU trading partnerships.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most targeted technology across industries.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

In the past 90 days, logistics organizations have been significantly impacted by advanced persistent threat (APT) campaigns. 45% of observed APT campaigns recorded logistics industry victims, with 5 out of 11 total campaigns.

Monthly Trends
Since lower detections in earlier months, observed campaigns spiked during November to 4.

Key Threat Actors
The logistics industry is vital to global economics and geopolitics, making it a frequent target for nation-state APT groups. Key actors include Russian-linked groups, such as Fancy Bear, Cozy Bear, and TA505, as well as China-based Stone Panda and APT41, also tracked as MISSION2025. Additionally, Pakistan’s Transparent Tribe (APT36) has been active in this industry.

Geographical Impact
The campaigns impacted a total of 18 countries. Countries with large economies and trade such as the US, the UK, Japan, and India are the most frequent victims.

Targeted Technologies
Web applications with Operating systems remain the most frequently targeted technologies.

PHISHING ATTACKS IN THE HEALTHCARE INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 4,267 phishing campaigns themed around the logistics industry out of a total of 200,586.

The chart below illustrates the global distribution of observed themes. Combined logistics & Couriers and Transportation accounts for 2.12% of all captured phishing attempts, placing logistics as 6th most frequent phishing theme.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

In total, 42 logistics organizations were impersonated in captured phishing attempts during the last 90 days. The Top are USPS and DHL, together with many national or regional postal services.

TOP COUNTRIES OF ORIGIN (ASN)

The US is a leading source of logistics-themed phishing, aligned with the volume of USPS impersonations. In total, 60 countries were observed.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

The logistics sector remains a popular phishing theme due to the direct monetization avenue for threat actors. However, its share decreased from 3.28% to 2.12%. This is largely due to the increasing share of unique and uncategorized Generic/Spear Phishing.

The American United States Postal Service (USPS) and DHL stand out as the most impersonated brands, indicating large U.S. phishing campaigns in the last 90 days.

Overall, the list includes 42 organizations from 60 countries, such as the LATAM Airlines (CL), Turkish Post (TR), and Australian Post(AU), underscoring the worldwide nature of these threats.

ASN-origin data reveals that the United States is the leading source of phishing emails impersonating logistics organizations, reflecting the extensive logistics sector in the U.S. and the vast number of compromised devices used in botnets to send phishing emails. Significant activity is also observed in the Netherlands and Germany for similar reasons.

South Africa ranked as 4th most frequent. Furthermore, Hong Kong and Singapore are often used by Chinese cyber criminals as a proxy. Southeast Asia and Latin America are steadily growing as sources and targets of global logistics-themed phishing.

The presence in both developed and developing nations highlights that phishing campaigns are opportunistic and globally pervasive. Regional variations suggest more sophisticated attacks in high-count countries, while lesser-known regions like Mongolia or Honduras show expanding attacker reach.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 55 verified ransomware victims in logistics industry. This accounts for 3.8% of the overall total of 1,454 ransomware victims during the same period, placing logistics industry as 10th most frequent victim of ransomware.”

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Freight & Logistics and Maritime Shipping sectors are the most frequent victims of ransomware in the logistics industry.

INDUSTRY MONTHLY ACTIVITY CHART

Considering just a few days of November, we can see sustained numbers of victims with mild growth until October.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. For example, RansomHub was very active in September and October, Inc Ransom and Helldown during August.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total 23 out of 59 active groups recorded logistics organizations victims in the past 90 days. Notable is distribution among large number of groups in this period.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the logistics industry to all recorded victims, Inc Ransom stands out with a high percentage of victims in this industry, recording 4 out of 22 (18%) of their victims in the logistics industry, implying a focus on this industry.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total 16 countries recorded ransomware victims with the US alone accounting for ~54% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Moderate

The logistics industry is placed as the 10th most frequent victim. It faces a sustained ransomware threat, with attacks affecting a wide range of sub-sectors and a broad geographic distribution. The steady monthly activity, coupled with the involvement of numerous ransomware groups, highlights the ongoing risk.

Monthly Activity Trends
Ransomware activity in the logistics industry recorded a mild growth from August to October.

RansomHub with Play was the most active group during September and October, along with Inc Ransom, Helldown, and other smaller gangs in August.

Ransomware Gangs
A total of 23 out of 59 active ransomware groups targeted the logistics industry in the past 90 days:

RansomHub: While only 3% of their victims were from the logistics industry (9 out of 260 victims), they accounted for the most victims.

Inc Ransom: 18% of their victims were from the logistics industry (4 out of 22 victims) which is the highest share and implies more interest, specifically in logistics.

The relatively even distribution among many groups indicates no single gang currently dominates the ransomware landscape in the logistics sector.

Geographic Distribution
The geographic distribution of ransomware victims in the logistics industry reflects the industry’s lo al nature and the widespread reach of these attacks:

54% of all victims with identified geography are located in the US.

In total, 16 countries recorded ransomware victims in the logistics industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

VULNERABILITIES IN THE HEALTHCARE INDUSTRY

Over the past months, Y I MA’s E Y I platform recorded 5,948 reported vulnerabilities with a score higher than 8. This is out of a total of 17,599 reported vulnerabilities.

Filtered by vendors, we have observed 114 vulnerabilities with a score of 8 or above, related specifically to the logistics industry.

4 of those reported vulnerabilities have a known exploit.

INDUSTRY VULNERABILITES BY SCORE

INDUSTRY VULNERABILITES BY VENDORS

VULNERABILITES WITH EXPLOIT

 Title  NIST LINK
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0 12.1.3.0.0 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).”” https://nvd.nist.gov/vuln/detail/CVE-2017-10271
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0 12.1.3.0 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).”” https://nvd.nist.gov/vuln/detail/CVE-2018-2628
Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low-privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris attacks may significantly impact additional products. Successful attacks of this vulnerability can result in the takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).”” https://nvd.nist.gov/vuln/detail/CVE-2019-3010
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: CachingCacheStoreInvocation). Supported versions that are affected are 3.7.1.0 12.1.3.0.0 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in the takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).”” https://nvd.nist.gov/vuln/detail/CVE-2020-2555
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).”” https://nvd.nist.gov/vuln/detail/CVE-2020-14871

CONCLUSION

Over the past 90 days, logistics organizations faced moderate cyber risks across monitored categories.

APT Campaigns: 45% (5 out of 11) of observed APT campaigns targeted the logistics sector, with a spike in November. Key threat actors included Russian groups like Fancy Bear, Cozy Bear, and TA505; Chinese groups, such as Stone Panda and APT41 (MISSION2025); and Pakistan’s Transparent Tri e (APT ). Attacks impacted countries, focusing on major economies like the U.S., U.K., Japan, and India. Web applications and operating systems were the most frequently targeted technologies.

Phishing: The logistics sector remains a popular phishing theme, comprising 2.12% of all observed phishing attacks. USPS and DHL were the most impersonated brands, indicating significant U.S.-focused campaigns. A total of 42 organizations from 60 countries were impersonated, including LATAM Airlines, Turkish Post, and Australian Post. Phishing emails primarily originated from the U.S., with notable activity from the Netherlands and Germany. Emerging regions like Southeast Asia and Latin America are increasingly both sources and targets.

Ransomware: Ranked as the 10th most frequent victim, the logistics industry faces a sustained ransomware threat. Activity grew mildly from August to October, with Ransomhub and Play being the most active groups in recent months. Out of 59 active ransomware groups, 23 targeted logistics. RansomHub accounted for the most victims, while Inc Ransom showed a higher specific interest in the sector. 54% of victims are located in the U.S., with attacks recorded in 16 countries overall.

Vulnerabilities: Of 17,599 reported vulnerabilities, 5,948 were high-severity (scored above 8). Specifically, 114 vulnerabilities related to the logistics industry were identified, all scoring 8 or higher. Of these, 4 have known exploits, representing immediate risks that require attention.