The cyber threat to the transportation sector

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

In this article we offer a series of spotlights on the cyber threats targeting the transportation and logistics sector. The aim is to convey, through analysis and case examples, the breadth and variety of risks posed by adversaries ranging from hacktivist collectives, to ransomware groups, to state-sponsored formations that carry out highly sophisticated espionage and run operations aimed at sabotage and propaganda.


Europe and the rise of DDoS attacks

The ENISA Threat Landscape 2024 (ETL), released in September by the European agency ENISA, attests that between July 2023 and June 2024 the transportation sector was among the three sectors most targeted by cyber offensives.

As 2024 is the year in which the NIS2 directive comes into force, ENISA analysed cybersecurity threats with a focus on individual sectors, finding that the most affected were organizations active in public administration (19%), transportation (11%) and finance (9%). Transportation entities also ranked second among the targets of DDoS attacks, with 21% of the events recorded during the reporting period.

The first report ENISA devoted to this sector (the Transport Threat Landscape of March 2023) provided an overall analysis of the largest cyber events detected from January 2021 to October 2022, with specific focuses on aviation, maritime, rail and road transport. Most of the events consisted of ransomware attacks (38%) and data breaches/leaks (30%), followed by malware-based offensives (17%), Distributed Denial of Service (DDoS) or Ransom Denial of Service (RDoS) waves (16%), phishing/spear-phishing campaigns (10%) and supply chain attacks (10%).

The increase in DDoS attacks is ascribed to several contributing causes. Many of the adversaries carrying out this type of offensive present themselves as hacktivist collectives but have turned out to be integrated into the state-sponsored strategies of countries such as Russia, Iran and Israel. For example, the activities of the pro-Russian NoName057(16), the most active and persistent of them all, have supported Moscow’s narratives with close attention to every geopolitical event, such as elections in Europe, and to every social event occurring in the individual countries that support Ukraine. Moreover, the landscape of adversaries grows by the day with the emergence of new actors and the formation of cross-cutting and shifting alliances among the various groups.


Ransomware threatens IT and OT infrastructure

Globally, ransomware poses a significant threat to transportation and logistics operators. In the last two years, high-profile victims have included the Japanese port of Nagoya (July 2023) and Boeing (October 2023), both attributed to LockBit Team, the Port of Seattle (August 2024) and Transport for London (TfL), the London public transport authority (September 2024).

The attack on the Port of Nagoya raised concerns about its potential impact on the local economy and supply chain, including the automotive industry. The hub handles nearly 10 percent of Japan’s total trade volume (freight traffic in 2021 exceeded 177 million tons of goods) and manages automobile exports for large companies such as Toyota.


As for Boeing, the adversary claimed to have obtained a considerable amount of sensitive data and, because the company allegedly ignored its warnings, proceeded to leak the information.

The offensive against the Port of Seattle, which also operates Seattle-Tacoma International Airport, caused severe and prolonged repercussions on international flights. The claim was posted on the leak site of the Rhysida Team operator, which reportedly demanded a $6 million ransom.

Finally, TfL was affected by an incident that exposed travelers’ sensitive information, for which a young British man was detained. He was allegedly involved in the activities of the ALPHV Team operator.

A predictive analysis on the ransomware threat, released last February by a major cybersecurity firm, hypothesized a systematic shift of impact from IT systems to operational technology (OT) systems, with direct consequences for remotely managed vehicles and fleets.

One such case already occurred in September 2023 and impacted ORBCOMM, a New Jersey-based company that makes integrated transportation management systems. Its hardware and software solutions are used to track and monitor freight and carrier fleets in the logistics, maritime, heavy equipment, oil & gas, utilities and government sectors. The outage seriously affected some of America’s largest freight carriers.


State-sponsored offensives between espionage and sabotage

State-sponsored adversaries’ interest in the transportation sector has numerous motivations and purposes, ranging from spying on strategic infrastructure in sensitive geographic areas to sabotage whose consequences can be exploited in propaganda campaigns.

Among the espionage campaigns, it is worth noting a Chinese-orchestrated campaign, reported in May 2023, that impacted the island of Guam, which is on the United Nations list of non-self-governing territories and hosts a strategic U.S. naval base. The adversary Volt Typhoon allegedly breached the western Pacific island’s communication, transportation and maritime systems. The discovery of long-running, sophisticated cyber-espionage activity prompted the Biden administration to raise the level of attention to possible attacks on critical national infrastructure and on U.S. military bases abroad, also in view of possible developments in the Taiwan issue.

More recently, on September 3, 2024, Deutsche Flugsicherung (DFS), the German state-owned company responsible for the country’s air traffic control, confirmed that it had been hit by a cyber attack. According to the local media outlet BR24, a DFS spokesperson clarified that the offensive affected the IT infrastructure, mainly compromising internal communications. The attack reportedly occurred in late August and was associated by BR24 with the Russian APT Sofacy.

Attacks with sabotage and propaganda purposes include those claimed by an Israeli hybrid formation. Predatory Sparrow, a group associated with Israeli intelligence, claimed attacks in Iran against the railways and the Ministry of Transportation dating back to 2021. Besides causing massive disruption, the attackers defaced information screens and displays with messages that could be read as a form of protest against Ayatollah Ali Khamenei.


Strategic and propaganda sabotage against Polish railways

Finally, it is worth mentioning a physical sabotage reported in August 2023 by the Polish State Railways (PKP). Poland plays an important strategic and logistical role in the Russian-Ukrainian conflict in favor of Kiev, and PKP is a key transit infrastructure for NATO military operations.

PKP reported a series of incidents that caused temporary suspensions of freight traffic and delays for numerous passenger trains, without casualties or permanent damage to the facilities. The attack was not purely cyber in nature: it appears that a number of security gaps in the radio system and its safety features were exploited.

Specifically, the safety system, which is entirely analog and lacks both encryption and authentication, is designed so that any train or radio station can signal an emergency stop to all trains within a relatively small radius. The sabotage is carried out with a simple “radio-stop” command, a short sequence of audio tones transmitted on the railway’s radio frequency, which was leaked on Polish radio and railroad forums and on YouTube many years ago and can be transmitted with inexpensive, commercially available equipment. Any receiver in range that hears the tones acts on them, with no way to distinguish a dispatcher from an unauthorized transmitter.
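To make the weakness concrete, here is an added example in Python (written for this page, not code from the original article, from PKP or from any real railway receiver): a Goertzel-based tone-sequence detector of the kind an analog in-band emergency-stop receiver would run. The tone frequencies, durations, sampling rate and energy threshold are placeholders chosen to fall on exact analysis bins, not the genuine RADIO-STOP parameters, and `synth()`, `goertzel_power()`, `dominant_tone()` and `detect_radio_stop()` are names invented for the example. The point it demonstrates is that the receiver only checks that the right tones arrive in the right order, so the same `synth()` call that produces the dispatcher’s signal produces an accepted forgery.

```python
import math

SAMPLE_RATE = 8000  # Hz; assumed audio sampling rate of the receiver
FRAME_SECS = 0.05   # analysis window; 400 samples at 8 kHz, 20 Hz bin spacing

# Placeholder tone plan. The real RADIO-STOP signal is a fixed sequence of
# audio tones, but these frequencies and durations are assumptions chosen to
# fall on exact Goertzel bins, not the genuine parameters.
TONE_PLAN = [(1200.0, 0.1), (1500.0, 0.1), (1800.0, 0.1)]  # (Hz, seconds)


def synth(tones, amplitude=0.8):
    """Render a list of (freq_hz, seconds) tones into a mono sample list.

    Whoever can call this (a dispatcher's radio or a hobbyist's handheld
    transmitter) produces a signal the receiver cannot tell apart.
    """
    samples = []
    for freq, secs in tones:
        n = int(secs * SAMPLE_RATE)
        samples.extend(amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
                       for i in range(n))
    return samples


def goertzel_power(frame, freq):
    """Energy of `frame` at one target frequency (Goertzel algorithm)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)   # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def dominant_tone(frame, candidates, threshold):
    """Candidate tone with the most energy, or None if all are below threshold."""
    powers = {f: goertzel_power(frame, f) for f in candidates}
    best = max(powers, key=powers.get)
    return best if powers[best] > threshold else None


def detect_radio_stop(signal, plan=TONE_PLAN):
    """True if the tones of `plan` occur in order anywhere in `signal`.

    This mirrors an unauthenticated in-band receiver: it only checks that the
    right tones arrive in the right order. Nothing in the signal identifies the
    sender, so a forged transmission is accepted exactly like a genuine one.
    """
    freqs = [f for f, _ in plan]
    step = int(FRAME_SECS * SAMPLE_RATE)
    # A pure tone of amplitude a over n samples yields power about (a*n/2)**2;
    # require at least amplitude 0.2 so background noise is ignored.
    threshold = (0.2 * step / 2) ** 2

    observed = []  # de-duplicated sequence of tones heard, frame by frame
    for start in range(0, len(signal) - step + 1, step):
        tone = dominant_tone(signal[start:start + step], freqs, threshold)
        if tone is not None and (not observed or observed[-1] != tone):
            observed.append(tone)

    expected = 0
    for tone in observed:
        if tone == freqs[expected]:
            expected += 1
            if expected == len(freqs):
                return True
    return False


if __name__ == "__main__":
    legit = synth(TONE_PLAN)                     # what a dispatcher would send
    forged = synth([(700.0, 0.2)] + TONE_PLAN)   # an intruder keys up after chatter
    print("accepted genuine:", detect_radio_stop(legit))
    print("accepted forged:", detect_radio_stop(forged))
    print("accepted reversed order:", detect_radio_stop(synth(TONE_PLAN[::-1])))
```

The detector rejects tones in the wrong order and signals below the energy threshold, but it has no notion of sender identity, freshness or integrity: the only thing an authenticated design could add is something the tones themselves cannot carry, such as a keyed MAC over a counter, which is precisely what an analog, legacy-compatible channel lacks.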

The immediate hypothesis put forward by Stanisław Żaryn, Deputy Coordinator of Poland’s Special Services, was sabotage by Russia. The authorities identified two Polish citizens as suspects, one of them a police officer, who were detained in the town of Białystok near the border with Belarus. The alleged saboteurs are accused of paralyzing freight and passenger trains across the country and of broadcasting the Russian national anthem and excerpts from a speech by President Vladimir Putin on PKP radio frequencies.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large organizations, with expertise in cyber threat intelligence that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response and systems security verification.

TS-WAY’s experience is internationally recognized and attested by the large private organizations in finance, insurance, defense, energy, telecommunications, transportation and technology, and by the government and military organizations, that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based platform with a full API that can be integrated into an organization’s defensive systems and infrastructure to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging threats, in both the APT and cybercrime spheres, produces a continuous, exclusive information flow that is made available to organizations in real time and processed into technical, strategic and executive reports.


Learn more about TS-WAY’s services.