How Cybercriminals Are Turning Remote Access into Real-World Cargo Theft


Technological advances and evolving cybercriminal tactics are creating a new landscape of attacks, with new goals and new consequences. Cybercrime has traditionally pursued abstract aims such as data theft and ransomware, which still carry significant real-world impact. More recently it has evolved to steal tangible goods: logistics networks have become prime targets as cargo theft has grown in value and popularity, and digital systems increasingly enable these attacks.

Inside the Scheme: How Hackers Hijack the Supply Chain

Proofpoint recently released a report detailing a cluster of cyberattacks targeting trucking and logistics companies for cargo theft. The attackers first compromise a broker's account on a load board, the online marketplace companies use to post and book freight loads, and then create fake load postings. When carriers respond to the postings, the threat actor replies with malicious links that install remote monitoring and management (RMM) tools on the carrier's systems.

Once the tool is deployed on the target system, the attacker uses the resulting remote access to carry out the next stages of the attack. From the compromised carrier's accounts, threat actors then bid on real loads being shipped and attempt to steal the cargo itself. The anatomy of this campaign demonstrates how directly digital operations shape the security of tangible goods.

RMM Tools as Double-Edged Swords

In this and other similar attacks, the RMM tools being used have often been created for legitimate purposes. These tools enable IT professionals and managed service providers to conduct vital operations like managing configurations and monitoring performance, making them useful for the management of companies in industries with many remote components, such as trucking and freight.

Unfortunately, these ostensibly legitimate tools can also be leveraged by threat actors for malicious purposes. The same technology that gives authorized users remote access and control grants that same access to threat actors who have compromised accounts and systems. Because the software is signed, widely used and often already allowed by security tooling, an attacker who installs an RMM tool gains full operational visibility into the victim's environment without needing custom malware.

The Scale of the Problem

This campaign is not an isolated incident or a fluke in the threat landscape. Proofpoint has discovered nearly two dozen of these campaigns in the past two months alone. The National Insurance Crime Bureau estimates annual losses of around $34 billion from cargo theft, highlighting the economic impact and the widespread threat to supply chains.

Related schemes show that the tactic is spreading. “We have also observed other types of cyber-enabled physical goods theft in which thieves will get goods shipped or delivered to warehouses or locations owned by mules to take delivery of the stolen goods and then resell them or further ship them overseas,” says Ole Villadsen, Staff Threat Researcher at Proofpoint. This indicates a shift in cyberthreat goals and priorities that organizations and security teams should account for and respond to.

Why This Threat Is Different

In contrast with previously observed attacks, this hybrid of cyber and physical theft represents a new frontier, where threat actors monetize access not through data resale but through stolen goods. The impact of these attacks is far more direct and tangible, and cybersecurity shifts from a requirement for protecting data and systems to a necessity for preventing the physical theft of cargo.

Where traditional theft of tangible goods requires physical skills such as stealth and logistics, and traditional cyberattacks profit through methods such as data resale, these attacks blend the two approaches in a dangerous way. The deep interconnection between digital systems and physical supply chains makes this possible. “Attackers don't need to break into a warehouse anymore to steal anything because of this strong connectivity,” according to Randolph Barr, Chief Information Security Officer at Cequence Security, a San Francisco, Calif.-based API security and bot management provider. “Instead, they steal passwords, use exposed API endpoints, or get in through phishing and other online methods.”

Mitigation and the Road Ahead

Organizations can use a variety of measures to protect against attacks like those seen in this recent cluster. It is crucial to implement strong identity and endpoint controls to limit what a compromised account can do, and to vet digital load boards and the postings on them to reduce the risk of fraudulent loads. Organizations should also inventory the RMM tools their IT teams actually deploy and alert on any other remote-access software, particularly when it is installed from a link received by e-mail or through a load-board message; AI-assisted tooling can help surface unusual RMM activity, but a simple allowlist catches much of it. Phishing training is a perennial necessity as well; all users, dispatchers included, should be educated in how to detect phishing attempts and avoid falling victim.
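As an added example of the RMM allowlisting and anomaly check described above (not code from Proofpoint's report or from this article), the script below scans endpoint process-creation events and flags remote-access binaries that are not on the approved list, that were launched by a browser or mail client, that run from a user-writable path, or that appear on a host for the first time. The log format, the RMM binary names, the host names and the sample events are all assumptions constructed for the example.

```python
"""Flag suspicious RMM tool activity in endpoint process-creation logs.

Added example; the EDR export format, tool names, hosts and events are
assumptions, not data from the article or from Proofpoint's report.
"""
import json

# Assumed: executable names of remote-access tools an EDR might observe.
RMM_BINARIES = {
    "screenconnect.clientservice.exe", "anydesk.exe", "teamviewer.exe",
    "atera.agent.exe", "splashtopstreamer.exe", "rustdesk.exe",
}

# Parents from which an RMM install almost never starts legitimately:
# the programs a phishing link or load-board message would hand a payload to.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                       "outlook.exe", "winword.exe", "acrord32.exe"}

USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\")


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rmm_activity(log_lines, approved_rmm, known_hosts):
    """Return alerts for process-creation events that look like RMM abuse.

    log_lines    -- iterable of JSON strings with keys host, user, image,
                    parent_image (assumed EDR export format)
    approved_rmm -- set of RMM binary names the IT team actually deploys
    known_hosts  -- dict binary -> set(hosts) where that RMM already ran
                    when the baseline was taken
    """
    alerts = []
    for raw in log_lines:
        ev = json.loads(raw)
        image = _basename(ev["image"])
        if image not in RMM_BINARIES:
            continue  # not a remote-access tool; ignore
        parent = _basename(ev.get("parent_image", ""))
        reasons = []
        if image not in approved_rmm:
            reasons.append("unapproved RMM tool")
        if parent in USER_FACING_PARENTS:
            reasons.append(f"launched by user-facing parent {parent}")
        if any(h in ev["image"].lower() for h in USER_WRITABLE_HINTS):
            reasons.append("running from user-writable path")
        if ev["host"] not in known_hosts.get(image, set()):
            reasons.append("first seen on this host")
        if reasons:
            # First-seen on its own is a low-severity lead; anything else
            # is the pattern described in the campaign and rates high.
            severity = "low" if reasons == ["first seen on this host"] else "high"
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "tool": image, "severity": severity,
                           "reasons": reasons})
    return alerts


# Constructed sample data (assumed hosts, users and paths).
APPROVED_RMM = {"screenconnect.clientservice.exe"}
BASELINE = {"screenconnect.clientservice.exe": {"DISPATCH-01"}}
SAMPLE_EVENTS = [
    # IT-deployed ScreenConnect on a host already in the baseline: benign.
    {"host": "DISPATCH-01", "user": "svc_it",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # AnyDesk dropped into Downloads and started by Chrome after a
    # dispatcher clicked a link in a load-board reply: the campaign pattern.
    {"host": "DISPATCH-02", "user": "dispatcher1",
     "image": r"C:\Users\dispatcher1\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Unrelated process; never reaches the rules.
    {"host": "DISPATCH-02", "user": "dispatcher1",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Approved tool, normal parent, but a host not in the baseline.
    {"host": "DISPATCH-03", "user": "svc_it",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def run_sample():
    """Run the detector over the constructed events."""
    return detect_rmm_activity(SAMPLE_LOG, APPROVED_RMM, BASELINE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["host"], alert["tool"],
              "; ".join(alert["reasons"]))
```

On the sample data the detector raises one high-severity alert for the AnyDesk install on DISPATCH-02 (four reasons) and one low-severity alert for ScreenConnect appearing on DISPATCH-03, while the baseline host and the notepad event pass silently. In practice the baseline dict would be built from a week or so of normal telemetry, and the allowlist from the IT team's change records rather than from guesswork.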

The Bigger Picture

This spate of attacks should be read as a wake-up call. Sectors and organizations are increasingly interconnected, and every connected industry, from logistics to manufacturing, is now part of the digital battleground. Cybercrime is not a concern only for cybersecurity and technology companies; every organization is at risk and must weigh the consequences of remaining unprotected.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.