The Increasing Cyber Threat on Logistics Companies

Add your subtitle here

Picture of Danny Ramon
Danny Ramon

Intelligence & Response Manager

Like all companies, transport and logistics are vulnerable to the increasing threat of cyber attacks. But a reliance on legacy IT systems that lack support, increased remote monitoring and control systems in transportation, and a lack of regulation and awareness of cyber threats make the sector perhaps uniquely vulnerable. Additionally, many logistics firms–including the largest four global shipping companies–have all suffered attacks. In particular, these global logistics companies–in addition to port infrastructure–have been repeatedly targeted in recent months. These attacks demonstrate the ability of both State and non-State actors to target logistics companies and infrastructure, affecting company’s operations, global supply chains and markets.

Types of Cyber Attacks

Transport and logistics companies are as vulnerable as any other corporation to malware–including trojans, worms, spyware, and viruses–which infect computers to steal or modify data, corrupt systems, or give access to external actors. Of these threats, ransomware is by far the most common attack used against businesses and the logistics industry. A 2021 report by cybersecurity firm BlueVoyant claims that ransomware attacks on logistics firms tripled in the 2019-2020 period, while another firm, Sonicwall, saw a 105% increase in global ransomware attacks in 2021.

In such an attack, hackers gain access to a system where their malware encrypts data that is held hostage until the ransom is paid (usually in a cryptocurrency such as Bitcoin. It is only when this demand is met that hackers provide the decryption key to recover the data.

Despite the documented increase, it is unclear just how many attacks occur, as private companies are often reticent to report attacks due to concerns over reputational risk. In addition to financially motivated ransomware attacks, hackers could aim to disrupt or cripple IT or equipment’s Operational Technology (OT) systems with viruses, gain control of systems with Trojan Horses, or simply steal data for commercial advantage.

105 percent

increase in global ransomware attacks in 2021

Vulnerabilities in the Logistics Sector

Potential scenarios of a cyber-attack include everything from the temporary loss of commercial data to the complete crippling of all electronic devices, or the deliberate grounding of a ship through the hijacking of its OT systems. The 2021 obstruction of the Suez Canal by the container ship Ever Given gives an idea of the potential global disruption such an attack could cause.

If a significant cyber-attack were to be successful in crippling the operations of a major port, airport, or even the operating systems of a major maritime choke point like the Panama Canal, the impact on global logistics would be catastrophic. Even without major disruptions, such attacks can be costly, with companies losing millions of dollars in incidents like the 2021 Hades ransomware attack on Forward Freight, which wiped $7.5 million USD off the company’s Q4 earnings. The effects of a cyber attack are not restricted to the targeted 3PL or port operator but can spread to impact shippers, as cargo is delayed due to operational problems, loss of visibility, or is even lost track of entirely as data is stolen or encrypted by hackers.

$7.5 million

lost from Forward Freight’s Q4 earnings after a ransomware attack


The expanding digital ecosystems in logistics companies means more opportunities or “attack vectors” for hackers to exploit. Systems in ships and trains that used to be hard-wired are increasingly linked together and to external systems through wireless communications or cloud-based LANs. The long lifecycle of ships means many operate on outdated systems not designed with cyber security in mind and retrofitted with technologies when necessary. There are also an increasing number of ways to get into a company’s IT systems through remote VPNs, automated ordering systems, shipment tracking apps, and the like which often have poor security or password discipline by users. These systems promote efficiency and connectivity between shippers, 3PL, and other partners but at the cost of an increased “attack surface” for hackers to target and an increased number of vectors through which to do it. As Microsoft’s 2021 Digital Defense Report warns, “Attacks against unpatched third-party software or on-premises infrastructure will likely become more pervasive and become more easily exploited by nation state and cybercrime actors.” A broad array of software and equipment used throughout the industry also offers countless opportunities for hackers to gain access through third-party products that have been infiltrated upstream in the supply chain. Concerns that Chinese-built container cranes used in U.S. ports could come with dormant malware pre-installed in their operational systems until activated by the Chinese government as part of a broader conflict has prompted legislation to force the securing of the U.S. infrastructure supply chain against political risks.


Many common vectors of cyber attacks rely on human error by company employees or others with access to IT systems. The majority of cyber attacks in the logistics sector make use of social engineering such as phishing or spear-phishing to trick staff into revealing passwords or unwittingly opening a door for malware to be installed by opening fake emails or clicking on malicious links. One example of this was the 2021 spread of a variant of the Buer Loader malware through emails pretending to be shipping notices from DHL. Once on a system, the loader was designed to download and install more malware to further compromise the system. A lack of cyber security awareness amongst workers and lagging contingency plan–especially in small companies–increases the potential impact of attacks. One survey found that 43% of trucking firms in the U.S. do not have a chief information security officer (CISO), implying they have no cyber crisis management or response plans. At a higher level, there is also a lack of industry standards and government regulation, although this is gradually being addressed in both Europe and the U.S.

State and Non-State Actors

The prevalence of ransomware attacks on the logistics sector implies a financial motivation and therefore a preponderance of criminal as opposed to State actors, although political “hacktivism” and demonstrative motivations are also a factor. These hackers are facilitated by an entire virtual marketplace where malware, leaked credentials, and access to botnets or corporate networks are sold, with several actors brokering access to logistics firms’ IT systems being reported in 2021.

Although government agencies and think tanks are the primary targets of State-sponsored attacks, which generally aim to steal political information or disrupt systems, the nature of cyber attacks can lead to State-launched incidents spilling over into the private sector. A prominent example of this came in 2017 when shipping company Maersk was hit by the NotPetya attack. Believed to have been conducted by the Russian military to disrupt Ukrainian tax system software and entering the system via social engineering, the malware spread to over 60 countries. Once inside their network, Maersk lost all connected Microsoft-based computers and around 3,500 of their 6,200 servers, severely impacting operations costing the company as much as $300 million to fix. While the NotPetya attack did encrypt data and demand a ransom, experts believe this was a smokescreen for an operation aimed at disrupting a foreign government’s systems.

Microsoft reported that 58% of State-sponsored attacks in 2020 originated in Russia, as opposed to 10% from China. State-sponsored attacks use ransomware less often, although DPRK hackers have increased their use of ransomware as the North Korean economy has declined further during Covid-19. Iran also uses ransomware, but like with the Russian NotPetya incident, this is mainly done to provide cover for other espionage objectives. Some Statebacked hacking groups are known to target logistics companies, although not exclusively. Fox Kitten and Parasite are both Iranian groups that have targeted Isreali logistics companies while ControlX, APTS, and Keyhole Panda of China have hacked communications infrastructure in the past. With the ongoing conflict in Ukraine and Western countries implementing embargoes on Russian oil supplies, Moscow could now have a far greater incentive to inhibit oil port operations in Europe and continue to disrupt the already fragile supply chains to further damage Western economies. Such attacks are clearly possible, as the ransomware attacks on the oil handling ports of Antwerp, Rotterdam, Amsterdam, and Germany in February 2022 show; however, an attack on freight handling could be just as damaging as supply chains continue to struggle to cope with Covid-19 lockdowns and the war in Ukraine.

Notable Cyber Attacks

Colonial Pipeline

In May 2021 the Colonial Pipeline on the East coast of the U.S. was hit by a ransomware attack launched by the Russian/Eastern European group known as Darkside, encrypting 100 gigabytes of data, and demanding 75 Bitcoin ($4.4 million at the time) in ransom. The attack was made possible when an employee reused a password which had been leaked in a previous data breach and caused panic buying and a price spike in fuel across the Eastern U.S. before the ransom was paid.


In early 2020, hackers placed malicious code into an update to the tech company SolarWinds’ Orion system which was then unwittingly sent to their 33,000 customers, creating backdoors into the systems of companies and government agencies around the world. This backdoor was then used to install further malware to spy on and exploit these systems. The hack was undetected for months and the extent of the information leaked is not known. The SolarWinds hack is a prominent example of exploiting the software supply chain to gain access to targets via a third-party supplier.

Port Attacks

In August 2021 a suspected State-backed actor targeted the Port of Houston, installing malicious code to export login credentials via a previously unknown vulnerability in a password management system. Although the attack was unsuccessful (and had it not been detected), the hacker would have had complete access to the port’s IT systems. A later attack in February 2022 targeted the Jawaharlal Nehru Container Terminal with a ransomware attack that caused the port to redirect an incoming ship. It is unknown who carried out this attack.


Freight forwarder Expeditors was hacked in February 2022, forcing them to close most of their global operating systems to avoid further infection. A statement in March from the company said “[Expeditors] is incurring significant expenses to incorporate business continuity systems and to investigate, remediate and recover from this cyber-attack.” However, no information was released about the nature of the attack, who the perpetrators may have been, or if it was a deliberate targeted attack on the company.

This is an image caption. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Interested in working together? Let's see if we align.

Tell Us More

Have a story to tell? Let us know how we can be part of it.

Let's Connect

Need to get in touch for support? We'll respond as quickly as we can.

Let's have a chat

Learn how we've helped 350+ Global Brands with Supply Chain Visibility and Risk.

Let's have a chat