CyberSecurity SEE

Cargo Theft by Hackers Involves Sophisticated Remote Access Campaigns, Researchers Discover

Security researchers at Proofpoint have published a study of cybercriminals targeting the trucking and logistics sector. Over the course of a month, the team traced how these attackers get into companies in the shipping industry, steal cargo and divert payments. Their latest research goes beyond initial access: it documents what the intruders actually do once they are inside a company's network.

The investigation underscores the growing threat of cyber-enabled cargo theft and its connections to organized crime. According to Geotab, a fleet management company, losses from cargo theft in North America reached $6.6 billion by 2025, with a significant share attributed to digital attacks. Ole Villadsen, one of the researchers on the study, put it bluntly: “It’s a huge problem beyond just one actor or one country.”

To observe the criminals' tradecraft, the research team built a controlled decoy environment. The attackers had compromised a load board platform, the online marketplace where freight brokers and shippers post and book cargo movements, and were using it to email a malicious payload to transportation carriers. The researchers deliberately downloaded and ran that payload inside the decoy.

Once they had access, the intruders immediately installed six distinct remote access tools, including four separate instances of ScreenConnect. The redundancy looks deliberate: if one tool is detected and removed, the others keep the foothold alive. The last ScreenConnect instance held a surprise. It carried a script that automatically called out to an external certificate signing service, so that every installed component was signed with a certificate that Windows would treat as trusted. For defenders the practical lesson is that a valid Authenticode signature on an RMM installer proves only that the signer obtained a trusted certificate, not that the install is sanctioned; the signer identity, the number of RMM agents on the host and the relay they connect to are what distinguish a legitimate deployment from this kind of persistence.

Villadsen said the team was lucky to catch this capability. The “signing-as-a-service” tool marks a shift in criminal tradecraft, and it is a response to a recent defensive move by ConnectWise, the vendor of ScreenConnect, which revoked its existing code-signing certificates and rotated to new ones. Because installers must now carry a signature that still validates, the change disrupted the broader remote monitoring and management (RMM) ecosystem, criminals included.

Rather than each criminal crew having to obtain or forge its own certificate, Villadsen noted, they can now hand the job to an underground signing-as-a-service provider. The service not only signed the Microsoft Installer (MSI) package but also automatically re-signed every component file inside it, which is why the result passed as trusted on the victim host.
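Both behaviours described above, several redundant RMM installs and installers carrying a trusted signature, can be checked on an endpoint. The following PowerShell triage script is an added example, not Proofpoint's tooling or anything shipped by ConnectWise: it enumerates ScreenConnect client services, pulls the relay host out of each service command line, and validates the Authenticode signer of each binary against the publisher you expect. The service naming pattern, the `h=` relay parameter, `$ExpectedSigner` and `$KnownRelays` are assumptions to tune for your own estate.

```powershell
# Added example (not from Proofpoint or ConnectWise). Run from an elevated
# PowerShell prompt on the host being triaged.
#
# Assumptions, tune for your environment:
#   - ScreenConnect client services are named "ScreenConnect Client (<id>)"
#     and their command line carries the relay host in an "h=" parameter.
#   - $ExpectedSigner is the certificate subject your sanctioned RMM vendor uses.
#   - $KnownRelays lists the relay hosts your own RMM instances connect to.
$ExpectedSigner = 'CN=ConnectWise, LLC*'          # assumption
$KnownRelays    = @('rmm.example-corp.invalid')   # assumption (placeholder host)

function Get-ScreenConnectInstance {
    # One object per installed ScreenConnect client, with signer details.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'ScreenConnect Client*' } |
        ForEach-Object {
            # PathName is typically "<quoted exe path>" "?e=Access&y=Guest&h=<relay>&p=<port>&..."
            $exe   = ($_.PathName -split '"')[1]
            $relay = if ($_.PathName -match 'h=([^&"\s]+)') { $Matches[1] } else { '' }
            $sig   = Get-AuthenticodeSignature -FilePath $exe
            [pscustomobject]@{
                Service    = $_.Name
                Executable = $exe
                Relay      = $relay
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                NotBefore  = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotBefore } else { $null }
            }
        }
}

function Test-ScreenConnectInstance {
    # Returns the findings for one instance; an empty array means nothing suspicious.
    param([Parameter(Mandatory)]$Instance)
    $findings = @()
    if ($Instance.SigStatus -ne 'Valid') {
        $findings += "signature status $($Instance.SigStatus)"
    } elseif ($Instance.Signer -notlike $ExpectedSigner) {
        # A valid chain only proves *someone* obtained a trusted certificate;
        # the signer identity is what separates your vendor from a signing service.
        $findings += "valid signature from unexpected signer: $($Instance.Signer)"
    }
    if ($Instance.NotBefore -and $Instance.NotBefore -gt (Get-Date).AddDays(-30)) {
        $findings += "signing certificate issued recently ($($Instance.NotBefore.ToString('yyyy-MM-dd')))"
    }
    if ($Instance.Relay -and $Instance.Relay -notin $KnownRelays) {
        $findings += "relay host not on allowlist: $($Instance.Relay)"
    }
    return ,$findings
}

$instances = @(Get-ScreenConnectInstance)
if ($instances.Count -gt 1) {
    Write-Warning "$($instances.Count) ScreenConnect client instances installed; one is normal, several suggests redundant persistence"
}
foreach ($i in $instances) {
    $f = @(Test-ScreenConnectInstance -Instance $i)
    if ($f.Count -eq 0) { "OK      $($i.Service) -> $($i.Relay)" }
    else                { "SUSPECT $($i.Service) -> $($i.Relay): $($f -join '; ')" }
}
```

The point of the signer check is the one the signing-as-a-service story makes: `Get-AuthenticodeSignature` returning `Valid` tells you the chain terminates in a root Windows trusts, nothing more. Compare the subject against the vendor you actually licensed, and treat a freshly issued certificate on a freshly installed RMM agent as worth a look even when everything else validates.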

Villadsen also observed that the intruders' aims went beyond cargo theft. They searched for cryptocurrency wallets and manually checked for PayPal credentials. A PowerShell script they dropped scanned the host for access to financial institutions, money transfer services and online accounting platforms, and it also probed for load management systems and freight brokerage platforms, a sign of detailed familiarity with the transportation industry.
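Reconnaissance of this kind, a script that rummages through browser stores and wallet files looking for banking, accounting and freight-platform access, leaves a footprint in PowerShell script block logging (event 4104) when that logging is enabled. The hunt below is an added example and not Proofpoint's detection logic: it scores a script block by how many indicator categories it touches, runs the scorer over a constructed sample (not the actual malware) and then over the live operational log. The indicator lists are illustrative assumptions; extend them with the platforms your carriers and brokers actually use.

```powershell
# Added example (not from Proofpoint). Requires PowerShell script block
# logging to be enabled for the live hunt; the constructed sample runs anywhere.
#
# Indicator categories are assumptions chosen to reflect the recon described
# in the article: browser credential/history stores, wallet files, finance and
# logistics platforms. -match is case-insensitive by default in PowerShell.
$ReconIndicators = [ordered]@{
    BrowserStore = '\\(Login Data|History|Cookies|Web Data)\b'   # Chromium profile files
    Wallet       = '(metamask|exodus|electrum|wallet\.dat)'
    Finance      = '(paypal|quickbooks|xero|wise\.com|online ?banking)'
    Logistics    = '(load ?board|truckstop|dat\.com|freight ?broker)'
}

function Get-ReconScore {
    # Scores one script block: how many indicator categories it matches, and which.
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = foreach ($category in $ReconIndicators.Keys) {
        if ($ScriptText -match $ReconIndicators[$category]) { $category }
    }
    [pscustomobject]@{
        Score      = @($hits).Count
        Categories = (@($hits) -join ',')
    }
}

# Constructed sample, written to resemble a recon script that greps a browser
# history file for finance and logistics sites. It is not the malware itself.
$sample = @'
$h = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
Select-String -Path $h -Pattern 'paypal|quickbooks|truckstop'
'@
Get-ReconScore -ScriptText $sample

# Live hunt: pull 4104 events and surface blocks touching two or more categories.
# Properties[2] holds the ScriptBlockText field of a 4104 event.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $r = Get-ReconScore -ScriptText $text
        if ($r.Score -ge 2) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Score      = $r.Score
                Categories = $r.Categories
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
```

The sample is built to trip the browser-store, finance and logistics indicators at once, which is the combination worth alerting on: a backup script mentioning a bank, or an IT script touching a Chrome profile, is noise on its own, but one block that does both rarely has an innocent explanation on a dispatcher's workstation. Scoring on categories rather than raw keyword counts keeps a long legitimate script from outranking a short malicious one.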

Villadsen remarked, “They know the transportation industry really, really well for sure, and know how to target that particular space. But they’re also cybercriminals, and they’re looking for any way that they can monetize a workstation that they’ve landed on.” The group pairs detailed knowledge of how freight is brokered with the ordinary cybercriminal habit of monetizing whatever the compromised machine can reach.

While this group stands out for how effectively it uses compromised load boards to deliver malicious payloads, it is far from the only actor working this sector. The research team is currently tracking roughly a dozen groups running similar operations across North America and Europe.

Most carriers in trucking and logistics are small businesses, many running fewer than ten trucks, and they often lack robust security controls. That makes them soft targets, and because load boards connect large numbers of such carriers, compromising one platform lets a criminal crew reach many carriers at once and scale both the intrusions and the theft.

Villadsen summarized the troubling landscape, stating, “It’s an industry that unfortunately presents itself well to cyber intrusions and being able to escalate or scale the theft really well.” The picture that emerges is an industry that needs to strengthen its security posture, starting with the load board accounts and carrier workstations these crews depend on.
