Cybercriminals Hijack Freight Shipments in Sophisticated Supply Chain Attacks
A financially motivated cybercrime group is targeting the surface transportation industry, using advanced tactics to steal physical cargo by compromising freight brokers and trucking carriers. Since August 2025, cybersecurity firm Proofpoint has tracked nearly two dozen campaigns involving thousands of malicious messages, resulting in the theft of high-value shipments, including electronics and energy drinks, which are later resold online or shipped overseas.
The attackers exploit digital load boards, marketplaces where brokers and carriers arrange freight shipments, through three primary methods:
- Compromised Load Boards: Using stolen credentials, they post fraudulent freight listings and send malicious links to responding carriers.
- Email Thread Hijacking: They infiltrate legitimate email chains between supply chain partners, inserting malicious URLs into trusted conversations.
- Direct Email Targeting: Broad phishing campaigns target logistics firms to identify and later steal high-value cargo.
Once a victim clicks a malicious link, an executable or MSI file is downloaded that installs legitimate but abused Remote Monitoring and Management (RMM) tools, such as ScreenConnect, PDQ Connect, or LogMeIn Resolve, enabling attackers to maintain control over compromised systems.
While the threat actors remain unidentified, they demonstrate deep knowledge of trucking industry software and dispatch operations. To mitigate risks, Proofpoint recommends restricting unauthorized RMM tool installations, deploying network monitoring for suspicious activity, blocking executable email attachments, and training staff to recognize phishing attempts.
As digital infrastructure becomes increasingly integral to supply chains, these attacks highlight the growing intersection of cyber threats and physical cargo theft, posing significant financial and operational risks to transportation companies.
Source: https://cyberpress.org/cargo-theft-cyberattack-wave/
Proofpoint cybersecurity rating report: https://www.rankiteo.com/company/proofpoint
Nova Marine Carriers SA cybersecurity rating report: https://www.rankiteo.com/company/nova-marine-carriers-sa
Double Broker Bounty Hunter cybersecurity rating report: https://www.rankiteo.com/company/vtspensacola
"id": "PRONOVVTS1776407277",
"linkid": "proofpoint, nova-marine-carriers-sa, vtspensacola",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Surface transportation, logistics',
                        'type': ['Freight brokers',
                                 'Trucking carriers',
                                 'Logistics firms']}],
 'attack_vector': ['Compromised Load Boards',
                   'Email Thread Hijacking',
                   'Direct Email Targeting (Phishing)'],
 'date_detected': '2025-08-01',
 'description': 'A financially motivated cybercrime group is targeting the '
                'surface transportation industry, using advanced tactics to '
                'steal physical cargo by compromising freight brokers and '
                'trucking carriers. Since August 2025, cybersecurity firm '
                'Proofpoint has tracked nearly two dozen campaigns involving '
                'thousands of malicious messages, resulting in the theft of '
                'high-value shipments including electronics and energy drinks '
                'which are later resold online or shipped overseas.',
 'impact': {'operational_impact': 'Theft of high-value shipments, disruption '
                                  'of freight operations',
            'systems_affected': 'Freight brokers, trucking carriers, logistics '
                                'firms'},
 'initial_access_broker': {'backdoors_established': 'Use of RMM tools '
                                                    '(ScreenConnect, PDQ '
                                                    'Connect, LogMeIn Resolve)',
                           'entry_point': ['Compromised load boards',
                                           'Email thread hijacking',
                                           'Phishing campaigns'],
                           'high_value_targets': 'Freight brokers, trucking '
                                                 'carriers, logistics firms'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The attacks highlight the growing intersection of cyber '
                    'threats and physical cargo theft, posing significant '
                    'financial and operational risks to transportation '
                    'companies.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Stolen credentials, lack of '
                                           'phishing awareness, unauthorized '
                                           'RMM tool installations'},
 'recommendations': ['Restrict unauthorized RMM tool installations',
                     'Deploy network monitoring for suspicious activity',
                     'Block executable email attachments',
                     'Train staff to recognize phishing attempts'],
 'references': [{'source': 'Proofpoint'}],
 'response': {'enhanced_monitoring': 'Recommended for suspicious activity',
              'third_party_assistance': 'Proofpoint (cybersecurity firm)'},
 'threat_actor': 'Unidentified financially motivated cybercrime group',
 'title': 'Cybercriminals Hijack Freight Shipments in Sophisticated Supply '
          'Chain Attacks',
 'type': 'Supply Chain Attack, Cargo Theft',
 'vulnerability_exploited': 'Stolen credentials, malicious links in trusted '
                            'email chains, phishing campaigns'}