Security Experts:

The Logistics Supply Chain is Being Targeted by Both Cybercriminals and Nation States

Logistics

The cybersecurity supply chain threat increasingly goes beyond the delivery of software to include the global delivery of physical goods

Attacks against the supply chain have been growing in quantity and gravity for several years, culminating in SolarWinds. Most discussion has focused on the software supply chain, but a new study shows that the physical logistics supply chain is equally subject, and susceptible, to cyberattacks.

The Covid-19 pandemic has increased and highlighted the world’s reliance on logistics, which is the physical movement of goods from one location to another. At one level, the safe distribution of Covid-19 vaccines from manufacturing points often in Europe to all around the world is vital to the health of entire populations.

At another level, the increased working from home and changes to shopping habits caused by numerous lockdowns has spurred the shift from high street to online shopping. Online shopping means that purchases can be selected from anywhere in the world rather than just what is available in the local shops – and the reliance on logistics to deliver these goods has grown.

A new report highlights that the logistics industry is not only susceptible to cyberattacks, it is already in the sights of the attackers. 

The attacks are not limited to ransomware, but ransomware is the most common and most disruptive weapon. It can be, and is used, by cybercriminal gangs for extortion, and nation state groups for geopolitical disruption.

The potential for ransomware in logistics attacks was highlighted by the accidental disruption of Danish shipping giant Maersk by NotPetya in 2017. NotPetya is believed to have originated as a cyberattack by Russian sources against Ukraine, but to have escaped from Ukraine to cause massive damage globally.

Maersk’s operations came to a standstill. It cost the company $250 to $300 million dollars, and it required the re-installation of 50,000 computers. Since then, there have been numerous direct ransomware attacks against other shipping companies – including MSC, Australia’s Toll (at least twice), France’s CMA CGM, and COSCO.

According to today’s BlueVoyant report (PDF), logistics firms can now expect an average of one month’s disruption every 3.7 years; 72% of logistics firms have suffered from disruptions; and there were 290 attacks against supply chain firms in 2019 alone. The attacks against maritime companies and organizations are against both IT and OT networks, with the latter having potential for the greater disruption. OT attacks have grown from 50 in 2017 to around 500 in 2020 – an increase of 900% in three years.

“Shipping and logistics are vulnerable as a sector because they are targeted both by nation-state groups as well as cybercriminals. Geopolitical tensions can be disruptive and spark attacks or interference in shipping businesses, such as incidents resulting from issues like Brexit and ongoing US-China trade disputes,” warns the report. In May 2020, the Washington Post reported that Iran’s Shahid Rajaee port terminal was taken offline by an attack thought to have originated from Israel.

“Maritime shipping, which is more OT reliant, has in the last three years been heavily and successfully attacked in no small part due to the sector’s reliance on outdated OT infrastructure,” Thomas Lind, BlueVoyant’s co-head of strategic intelligence, and a former cybersecurity fellow at Columbia university, told SecurityWeek. “I think those attacks are coming more usually from sophisticated actors – so there are many maritime shipping attacks that have been loosely attributed to Chinese APT groups operating against South China Sea shipping and freight.”

BlueVoyant’s analysts took a close look at incoming and outgoing traffic for 20 of the leading logistics firms. It found that 16 of the companies had evidence of brute force attacks; 14 had received targeted attacks using proxy networks; and all 20 received traffic from known botnets. Outgoing, 10 of the companies were generating traffic to blocklisted/deny listed assets (seven of which reached out to suspicious infrastructure); and one of the companies generated traffic to assets known to be associated with ransomware.

“What surprised me most in this analysis,” said Lind, “was the distribution of vulnerabilities across the whole logistics sector. Vulnerabilities weren’t concentrated in IT or OT, in shipping or trucking; it was everyone.”

“NotPetya,” says the BlueVoyant report, “was an especially damaging case, and subsequent coverage of Maersk’s experience has implied that it was spectacular enough to serve as a wake-up call for the logistics industry. More than three years later, the sector remains vulnerable to malicious cyber activity, and especially and specifically vulnerable to ransomware attacks.”

It is clear the cybersecurity supply chain threat increasingly goes beyond the delivery of software to include the global delivery of physical goods. But there is a new emerging threat vector that will also need to be considered in the future: driverless delivery by truck and rail.

“We’re going to see increasing automation across all parts of the logistics supply chain,” Lind told SecurityWeek. “Most immediately it is going to be in trucking freight, both land and rail. Any time you increase the number of smart devices – including vehicles – you increase the attack surface. The problem is, I'm not seeing the logistics companies getting out ahead of this issue – their cybersecurity hygiene is pretty poor and they're not developing a common set of practices. How bad this will become may depend on the effect of government policy. Cybersecurity will need to be built in at the manufacturing phase. If the companies don't do this, they're going to face a hard reckoning when government policy orders come into effect.”

What is clear is that there will be a new wave of logistics cyberattacks against both individual and fleets of driverless trucks.

New York-based BlueVoyant was founded in 2017 by Jim Rosenthal (CEO) and Thomas Glocer. It provides managed security services based on threat intelligence, and has raised a total of $275.5 in three funding rounds.

Related: Overcoming Security Challenges in the Transport and Logistics Sector

Related: Continuous Updates: Everything You Need to Know About the SolarWinds Attack

Related: US Takes New Aim at Ransomware After Most Costly Year

Related: Trucking Giant Says Ransomware Attack Had $7.5M Impact

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.