Vertical Markets

Ransomware rise

by Mark Rowe

Sean Moran, researcher and writer at JUMPSEC, pictured, examines their latest analysis and why ransomware attacks are on the rise in the transport sector.

Aviation, maritime, rail and road transport organisations are experiencing increased levels of ransomware activity – as per ENISA’s recent report. In comparison to the 13 per cent jump in total UK attack figures across all sectors from 2021 to 2022, European-wide reported ransomware attacks against the transport sector rose by a massive 41pc in 2022. But why such a large rise in attacks on this specific sector? Primarily, transport sector organisations have a distinctive profile from an attacker’s perspective, making them a lucrative prospect.

Cyber criminals know transport sector attacks have high impact. The potential to cause serious business interruption for transport sector organisations is immense – making airports, shipping ports, rail operators and logistics companies prime ransomware targets. This stands in stark contrast to other sectors, which attackers may find easy to breach but potentially difficult to extort, due to the inability to cause meaningful disruption (for example, construction, as per this JUMPSEC report).

The transport sector also offers an extensive attack surface – transport and logistics organisations are highly dependent on supply chain integration and play a key role within the end-to-end value chain. They also use specific technical equipment like satellite communication and IoT technologies, increasing potential attack vectors leveraged by cyber criminals. JUMPSEC has observed instances where interconnected shipping organisations were breached concurrently, illustrating the scope of supply chain risks to transport and logistics organisations.

What’s more, cunning cyber criminals often capitalise on existing disruption. They strike at disrupted organisations to add to the chaos and maximise extortion potential. To name a few recent instances – the energy crisis, the post-Brexit lorry drivers’ debacle, and the airport chaos travellers experienced last year. Overall shipping and delivery times have also risen, as capacity decreased by an estimated 10-15% globally in 2022. Pundits say the container shipping sector remains in crisis, post-pandemic.

Attacker motivations for targeting an airport or shipping facility can be more diverse than simple financial gain, given the strategic geopolitical disruption that can be achieved by ‘nation state’ threat actors, and ecologically motivated disruption caused by ‘hacktivists’ (generally via DDoS attacks).

But perhaps the most interesting development is the increase of ransomware attacks in specific transport sub-sectors – particularly in maritime and aviation. The scale and ambition of attackers targeting the transport sector has seen a significant increase from 2021-22. In 2021, a considerable proportion of reported attacks were directed at smaller sized national motor freight businesses (labelled ‘Road (Logistics)’ below). But we have witnessed increased attacks in areas like aerospace, airport authorities, airlines, high-end manufacturers and larger international logistics organisations.

LockBit ransomware (the most prevalent global threat actor) is responsible for the majority of attacks against European transport organisations, but this varies within some specific sub-sectors such as maritime. In contrast to other notable attackers of European transport organisations, LockBit has now claimed 62% of transport sector attacks in JUMPSEC’s initial ransomware figures for 2023.

Maritime

The maritime sector arguably produced the most insightful findings. JUMPSEC has seen a notable uptick in attacks in the sector as 2022 progressed. Unexpectedly, given LockBit’s domination of the ransomware space, the PLAY ransomware group is the most prevalent threat to European maritime organisations. PLAY ransomware disproportionately targets European maritime sector organisations compared to a generally lower volume of attacks when combining UK and Europe.

As the sector experiences increasing attack rates, organisations should need no further motivation to build more effective security controls than being aware of the effects of NotPetya, which crippled shipping giant Maersk in 2017 and cost the firm more than US$300m. More recent targets in the maritime sector include attacks on the Port of Houston and Port of London Authorities, both of which are believed to have been politically motivated.

JUMPSEC has observed reported attacks on several Swedish shipping logistics companies, targeted by PLAY ransomware in a single week in December 2022, in what was potentially a coordinated supply chain attack. Similarly, three connected Greek and Italian shipping logistics companies were attacked by Conti, and affiliated ransomware group Hive in early 2022 within a number of days, underscoring heightened risks posed by the interconnectivity of maritime sector organisations.

PLAY ransomware is currently active against the maritime sector, with an attack and data leak reported by Dutch maritime firm Royal Dirkzwager (as of March 30th 2022), while in January, Oslo-based DNV (one of the world’s largest maritime organisations and major software supplier for ships) was breached. Current or potential supply chain partners should clearly take appropriate security precautions to protect their organisation.

Aviation

Ransomware trends for European aviation organisations have been broadly similar through 2021, 2022 and 2023 so far. In terms of sector-specific threats, airline customer data and original equipment manufacturer (OEM) proprietary information are prime assets targeted by attackers in aviation. Fraudulent website impersonation, particularly of airline companies, also became a significant threat in 2022, while ransomware attacks specifically targeting airports have increased. Attacker-reported ransomware incidents against European aviation organisations increased by over 200% in 2022. LockBit is marginally the most prevalent threat actor, along with a varied list of other groups similarly targeting the sector.

Airlines experienced notable cyber-attacks and data breaches in 2022, including TAP Portugal, SpiceJet and Pegasus, and aviation technology firm Accelya also had sensitive data leaked by ransomware threat actors. Swissport International was affected by a severe ransomware attack, causing flight delays. The ransomware group responsible (BlackCat) followed up on their threats by leaking data including sensitive documentation, tax declarations, images of passports and ID cards and the personal information of interviewees.

Road

The automotive industry, especially original equipment manufacturers (OEM) and tier-X suppliers, has been targeted by ransomware, leading to production disruptions in 2022. Data-related threats primarily targeting IT systems to acquire customer and employee data as well as proprietary information have also been common.

Logistics

Road logistics, often standard freight trucks and smaller national sized companies, were heavily targeted in 2022; however, attack rates reduced in 2022 – perhaps due to a lack of profitability for attackers, as smaller companies may not be sufficiently lucrative targets (as we have seen with the attack rate in education and construction).

Manufacturers

There are no records of road transport manufacturers being targeted prior to 2022. But now, lesser-known road manufacturing companies and high-profile organisations such as Ferrari, Continental and Vauxhall are facing increasing attacks.

Transport

Several regional road authorities in Spain and Portugal have fallen victim to ransomware attacks. However, as is the case with ransomware generally, public sector organisations are not frequently targeted (JUMPSEC data shows that <8% of total UK ransomware reports are public sector).

Geo-political attacks

While far less frequently targeted in geo-politically motivated attacks than maritime or rail for instance, there have been several transport sector attacks linked to hacktivism, relating to the Ukraine war in 2022.

It’s also worth noting several companies not strictly considered to fall within the transport sector – such as large supermarkets with their own in-house logistics operations – are also subject to the same attacks, purely by virtue of being closely intertwined with road transport in terms of logistics. As detailed in JUMPSEC’s recent ransomware trends report, Retail & Wholesale Trade organisations are some of the most frequently targeted, and hypothetically most lucrative sectors to target from an attacker’s perspective, owing to the high proportion of large sized victims (> 50m euros) in the sector. It’s clear that retail and wholesale trade organisations and transport and logistics organisations should be highly vigilant in relation to potential risks posed by organisations within their supply chain.

Across all transport-related sub-sectors, larger, more cyber-mature businesses should treat their supply chain (of typically smaller, less mature businesses) as a part of their own organisation’s digital footprint. They should look to leverage their security resources to support and uplift the resilience of the entire supply chain – reducing overall risk posed to their organisation in the process.

While JUMPSEC’s data broadly aligns with ENISA’s observation that the transport sector has not been targeted more frequently than other sectors in recent months, increased attack rates within ‘transport’ sub-sectors have become increasingly common over time. As above, we’ve seen increased attack rates in the maritime and aviation sectors, alongside a general trend toward attacking bigger organisations with more elevated profiles.

Further reading

See also the European Union Agency for Cybersecurity (ENISA)’s recently published first cyber threat landscape report dedicated to the transport sector.
