In this post we summarise recent cyber-attacks on transport and logistics operators.
- Network Rail (United Kingdom)
- Transport for London (TfL) (United Kingdom)
- Port of Seattle (United States)
- JAS Worldwide (Global)
- Oahu Transit Services (United States)
- Baltic Flight Carriers (Baltic Sea, Black Sea, and eastern Mediterranean)
- Radiant Logistics (United States)
- Beirut-Rafic Al Hariri International Airport (Lebanon)
- DP World (Australia)
- Estes Express Lines (United States)
- Elron (Estonia)
- Auckland Transport (New Zealand)
- Polish Railways (Poland)
- Port of Nagoya (Japan)
Transport and logistics sector overview
The transport and logistics sector is responsible for the movement of people and goods. Our definition covers the public and private transport systems, infrastructure, and ancillary services associated with:
- Aviation – airports and airlines
- Maritime – ports and shipping
- Rail – light rail, trams, and heavy rail
- Road – roads including highways and freeways, trucking, and buses
Our definition of transport and logistics covers the transport and logistics elements of other sectors we monitor, including food and agriculture, and mining and metals.
Transport and logistics is a prime target for cyber attacks
Between 1 July 2023 and 30 July 2024, we identified 27 publicly reported cyber incidents affecting organisations in the transport and logistics sector. The sector was second only to the manufacturing sector.
Some attacks resulted in data loss exclusively. Ransomware victims who lost data included the Belt Railway Company of Chicago (therecord.media), Welsh haulage company Owens Group (ibtimes.co.uk), and Australian fuel distributor North Coast Petroleum (cyberdaily.au).
Theft of information can have several consequences.
- Where personally identifiable information (PII) is breached, such as that of employees, the people to whom it belongs are put at increased risk of fraud, identity theft, and other harms, such as threats to personal safety.
- Contracts and intellectual property, which can be commercially sensitive, could find their way into the hands of competitors.
- Infrastructure asset information can expose sensitive details, such as confidential asset locations, makes and models of items, and condition, which in the hands of adversaries can make exploitation easier.
Transport and logistics cyber attacks that caused service interruption
Whilst many incidents resulted in the theft of information exclusively, there was no shortage of attacks that impacted service delivery.
Network Rail
UK railway infrastructure manager
Date: September 2024
Country: United Kingdom
Consequences: Suspension of public Wi-Fi at railway stations
A hack linked to an insider at internet provider Global Reach caused terror messages to be displayed on devices accessing Wi-Fi at 19 UK railway stations. The incident, identified as cyber vandalism, disrupted public Wi-Fi services managed by Network Rail and operated by Telent. The Wi-Fi service was suspended for investigation for several days. The attack affected stations in London, Reading, Leeds, and Glasgow Central.
Read more: bbc.co.uk
Transport for London (TfL)
London’s public transport authority
Date: September 2024
Country: United Kingdom
Consequences: Exposure of customer banking and other details, suspension of travel information feeds and some booking services, requirement for 30,000 in-person password resets for staff
Transport for London (TfL) suffered a cyber attack at the start of September 2024 that exposed bank and other personal details of 5,000 customers and required 30,000 employees to book in with IT support to perform in-person password resets. The attack caused several million pounds in damages. While Tube and bus services were unaffected, other operations like jam cams, external bookings, the Dial-a-Ride service for disabled passengers, and concession card applications were shut down. Live Tube arrival information, online journey history, and some payment processing were disrupted. A scheme to roll out contactless ticketing to stations outside London – called Project Oval – had been due to be in operation by the end of September but was delayed. Other projects were also hit with delays. A 17-year-old was arrested in connection with the incident.
Read more: standard.co.uk, cyberdaily.au and bbc.co.uk
Port of Seattle
Agency overseeing Seattle seaport and Seattle-Tacoma International Airport
Date: August 2024
Country: United States
Consequences: Disrupted baggage sorting systems, offline flight and baggage info displays, handwritten boarding passes and manual bag searches
The Port of Seattle, which operates Seattle-Tacoma International Airport, was attacked by the Rhysida ransomware group on 24 August 2024, causing disruptions at the airport and seaport. The attack encrypted systems and data, affecting services including baggage sorting and searches, flight and baggage information display screens, check-in systems, ticketing, and Wi-Fi.
The Port refused to pay the ransom and warned of potential data leakage. Some systems, including flight and baggage information displays, were left unavailable for around three weeks.
Read more: seattletimes.com and techcrunch.com
JAS Worldwide
Global freight forwarder
Date: August 2024
Country: Global
Consequences: Loss of business systems and customer portal, impacts to customer and vendor data integrations
Privately owned international cargo freight forwarder JAS Worldwide experienced a ransomware attack on 27 August 2024, causing technical disruptions and impacting service delivery. Customer service, billing, payment systems, and data integration with customers’ and vendors’ systems were all impacted. The central operations system, known as C1, and the customer-facing portal, JAS SmartHub, were offline for several days. The loss of SmartHub prevented customers from tracking their shipments in real time. Many countries activated local contingencies, and the majority of the contract logistics business remained unaffected.
Read more: thecyberexpress.com
Oahu Transit Services
Manages Honolulu’s bus and paratransit system
Date: June 2024
Country: United States
Consequences: Financial loss resulting from inability to charge users
A cyber attack caused an outage of TheBus and Handi-Van systems managed by the Honolulu Department of Transportation Services. The incident disrupted online services, including GPS services and Holo Card readers, leading to financial losses as riders were not charged. The FBI and other authorities were involved in the investigation. No ransom was paid, and the exact nature of the attack remained unclear.
Read more: kitv.com
Baltic Flight Carriers
Flight operators in the Baltic region
Date: Years long
Region: Baltic Sea, Black Sea, and eastern Mediterranean
Consequences: Use of alternative navigation methods, or flight suspension
Russia has been causing disruption to GPS systems affecting thousands of civilian flights in the Baltic region. The interference has prompted airlines such as Finnair to suspend flights, and impacted maritime signals used by boats. Estonia’s Foreign Minister has blamed Russia for the interference, which violates international agreements.
Read more: bbc.com
Radiant Logistics
International freight logistics and supply chain services technology
Date: March 2024
Country: United States; service disruptions in Canada
Consequences: Service disruption for Canadian customers
Radiant Logistics experienced a cyberattack on March 14, 2024, which led to the isolation of its Canadian operations. The incident caused service disruptions in Canada, but the company’s operations in other countries remained unaffected. Radiant Logistics activated incident response protocols and engaged cybersecurity professionals to mitigate the breach. The company reported no material impact on its financial conditions or operational results.
Read more: thecyberexpress.com
Beirut-Rafic Al Hariri International Airport
Beirut’s international airport
Date: January 2024
Country: Lebanon
Consequences: Compromised flight information display screens
Flight information display screens at Beirut’s international airport were hacked, displaying politically motivated messages. The incident also briefly disrupted the baggage inspection system.
Read more: apnews.com
DP World
Major global ports operator
Date: November 2023
Country: Australia
Consequences: Three-day suspension of operations, leading to 30,000 container backlog
DP World Australia experienced a cyber attack in November 2023, leading to a three-day suspension of operations and the theft of employee personal data. The breach, detected on November 10, affected container terminals in Melbourne, Sydney, Brisbane, and Fremantle, disrupting freight movements. No customer data was compromised, and no ransomware was found. The company cleared a backlog of over 30,000 containers by Nov. 20. According to multiple cybersecurity analysts, the port operator had failed to fix a critical IT vulnerability known as CitrixBleed when hit.
Read more: abc.net.au and theguardian.com
Estes Express Lines
Richmond-based less-than-truckload (LTL) carrier
Date: October 2023
Country: United States
Consequences: Temporary freight diversions to competitors
Estes Express Lines experienced a cyber attack in October 2023 that disrupted its email, phones, website, and other systems for weeks. The attack led to temporary freight diversions to competitors before Estes restored its systems and regained business.
Read more: truckingdive.com
Elron
Estonian national rail carrier
Date: September 2023
Country: Estonia
Consequences: Financial loss resulting from inability to charge users
A cyber attack disrupted Elron’s ticketing system in September 2023, affecting sales at train terminals, on trains, and online. Passengers were allowed to travel for free or pay with cash to the train attendant. The attack was linked to distributed denial of service (DDoS) attacks on the third-party ticketing system provider, Rindago, by supporters of Russia.
Read more: err.ee
Auckland Transport
New Zealand transport service
Date: September 2023
Country: New Zealand
Consequences: Financial loss resulting from inability to charge users
Auckland Transport suffered two cyber attacks in the same month in 2023. The first, around 18 September, was the result of an attack by the Medusa ransomware gang. The incident disrupted ticketing systems, online top-ups, and customer service centres. No personal or financial data was believed to be compromised. Medusa demanded US$1 million to delete the data and threatened to publish it within seven days. On 29 September, Auckland Transport experienced a DDoS attack, resulting in intermittent issues accessing its website, AT Mobile App, AT Park, Journey Planner and public information displays. It is believed this was in retaliation for Auckland Transport not complying with the ransom demand.
Read more: cyberdaily.au and nzherald.co.nz
Polish Railways
Poland’s railways
Date: August 2023
Country: Poland
Consequences: Emergency stoppage of around 20 trains
Hackers broke into Poland’s railway radio frequencies and caused an emergency stoppage of about 20 trains near Szczecin. The saboteurs sent simple “radio-stop” commands via the radio frequency to the trains they targeted, triggering their emergency stop function. The attack, which included recordings of Russia’s national anthem and a speech by President Putin, disrupted traffic in the north-west of the country. Services were restored within hours.
Read more: bbc.com and wired.com
Port of Nagoya
Japan’s largest port by cargo throughput
Date: July 2023
Country: Japan
Consequences: Two-day suspension of operations
Nagoya port in Japan was non-operational for over two days due to a ransomware attack by LockBit 3.0, causing a failure in the Nagoya Port Unified Terminal System (NUTS). The attack disrupted the loading and unloading of containers, impacting Toyota Motor’s shipments of imported and exported parts.
Read more: bleepingcomputer.com and csoonline.com