Cyberthreats in the transportation industry

Introduction

Transportation is a key economic sector. It spans a multitude of diverse companies engaged in logistics, urban transit, land and air cargo and passenger conveyance, and other activities.

The transportation system performs critical functions that support nationwide objectives by connecting different areas of a country and sectors of the economy. Carriers also do business with large numbers of individuals and organizations involving significant funds. This is why transportation sector organizations attract the attention of both politically and financially motivated malicious actors as a key target for cyberattacks. According to our data, transportation was once again one of the 10 most targeted industries in 2023.

The transportation sector has undergone a digital transformation in recent years with a significant effect on both operating efficiency and passenger comfort. However, the growing reliance on information technology is making the industry increasingly susceptible to a variety of cyberthreats that can disrupt company operations or even affect the economy of an entire nation.

This study looks at how malicious actors operate when they attack transportation sector companies, what consequences companies face as a result of these attacks, what cyberthreats can inflict irreparable damage, and most importantly, how to prevent these events from happening.

Current cyberthreats: how attackers operate

Our data for 2023 shows a 36% YoY increase in the number of successful attacks on the global transportation industry. We attribute the increase to a general rise in cyberattacks and continued activity by hacktivists targeting significant infrastructure. Computers, servers, and network equipment were the most frequently targeted objects in 2023. Our estimates suggest that 87% of all successful attacks on the transportation sector were aimed at these. Company websites were attacked in half of all cases. Every fifth attack relied on social engineering, mostly phishing emails.

Figure 1. Targets of attacks (percentage of successful attacks)

No letup in hacktivist DDoS attacks

Company websites were successfully attacked in half of all incidents, mostly through DDoS. We have mentioned this malicious activity before against the backdrop of complicated geopolitical relations, including attacks on transportation sector companies. In addition, according to a report by StormWall, Q3 2023 saw DDoS attacks on the transportation sector increase by 86% YoY. This increase is associated with hacktivist activities resulting from tensions in cyberspace.

Figure 2. Reports of DDoS attacks on Russian transportation companies

A successful DDoS attack on a transportation company can lead to business disruptions and service delays, and the nature of the industry means that these disruptions can pose a critical threat or even become a non-tolerable event for an organization. For example, a successful attack that disables a carrier's online ticketing system results in passengers being unable to buy tickets or check schedules.

When aimed at a company's internal resources, a successful intrusion can lead to delays in cargo delivery and inflated operating costs. In the worst-case scenario, a DDoS attack can target passenger safety systems, putting lives at risk.

Other recently recorded attacks include RDDoS (ransom DDoS): attempts to extort money from organizations by threatening to launch a DDoS attack. For example, malicious actors may begin to attack and then send a message that demands a ransom for them to stop. An attack like that on Scandinavian Airlines was reported in February 2023. The attackers kept hammering the airline's website for hours before demanding a ransom of $3,500 and threatening to continue unless their demands were met. The company apparently decided not to pay up, because the attack resumed and the ransom jumped to $3 million (followed by $10 million later). The attack knocked the company's website and mobile apps offline.

Malware attacks: ransomware is a trend

In every third (35%) successful attack, malicious actors used malware. Ransomware remained their main weapon: two-thirds of successful attacks on the sector relied on this type of malware. This can be explained by ransomware being one of the most powerful yet cheapest tools to make money illegally. Encryption makes essential systems and files inaccessible and partially freezes operations, forcing companies to grind to a halt. A huge number of different types of ransomware are offered on dark web forums as RaaS (Ransomware-as-a-Service).

Figure 3. Types of malware (percentage of successful malware attacks)
Figure 4. Report of an attack by Royal

One of the most popular ransomware tools used against the transportation sector is LockBit. This is a cross-platform RaaS malware with a broad affiliate network. Some high-profile victims of LockBit are U.S. public transport operator Pierce Transit, the Port of Lisbon, and the Romanian Association for International Road Transport (ARTRI).

In addition to ransomware, there is a visible new trend in using spyware. In 2022, we wrote that spyware use was on the rise, and the transportation sector was not unaffected: 21% of all malware incidents in the industry in 2023 involved spyware. This figure represents a year-on-year increase of 13%. The share of remote access trojans (RATs) almost doubled to make up 15% of all attacks in 2023, up from 8% in 2022. Note that most RATs double as spyware capable of recording screens, identifying locations, and logging keystrokes.

Malicious actors use a variety of ways to deliver malware, setting up scam websites, exploiting device vulnerabilities, and buying access to companies they intend to target. However, the most popular method is emailing malware to employees. This method accounted for half of all successful attacks on the transportation sector in 2023.

Figure 5. Malware distribution methods in successful attacks

Malicious actors typically generate messages designed to look like emails from coworkers, suppliers, business partners, or authorities, with malicious files disguised as legitimate attachments. July 2023 saw a malicious mailshot target companies from a variety of industries, including transportation. The messages warned of a spyware attack and offered to download a safeguard. But opening the link in the email actually downloaded Cryptonite ransomware.

Protecting organizations from malware requires a combination of engineering and administrative controls.

For example, advanced security systems with an integrated sandbox to analyze file behavior and detect malicious activity can provide efficient file scanning. Solutions like this are capable of scanning objects that are manually uploaded by users, and that come from other sources, such as email attachments.

Ransomware protection calls for a backup system that can help recover the infrastructure in case of infection. Remember that backups ideally must be stored on servers outside of the office network perimeter. Additionally, we recommend monitoring network and endpoint activity to help detect malware activity on the network, contain the threat, isolate infected hosts, and eliminate the danger.

Organizations also must have an information security policy that outlines workstation protection measures, an incident response plan, and infrastructure recovery activities. Companies need to regularly train their employees and keep them up to date on the latest social engineering attack schemes.

Dangerous vulnerabilities

Nearly every fifth (18%) attack on the transportation sector exploited a vulnerability. Information security researchers and malicious actors routinely find new vulnerabilities. Known vulnerabilities are targeted with exploits published on dark web forums, so even a low-skilled attacker can use a ready-made script to take advantage of a known flaw. Certain companies neglect to build a vulnerability management process or install security patches on time. In November 2023, Australia's largest container terminal operator, DP World, had to suspend its activities at several of the country's ports following a cyberattack. Experts believe that the attackers leveraged a NetScaler vulnerability known as Citrix Bleed (CVE-2023-4966) to penetrate the company's network. The flaw was remediated on October 10, 2023, but DP World apparently failed to install the requisite patches. The cyberattack affected 40% of container traffic into and out of Australia, causing a delay in processing more than 30,000 containers and warehouse overflow.

Every organization should have a competent vulnerability management process to defend itself against attacks of this kind. All security flaws are unlikely to be fixed at once, so it's key to set the right priority for each vulnerability. Priority is determined by the significance of the asset where the vulnerability is detected, its accessibility to the malicious actor, the level of threat posed by the vulnerability, its popularity among other malicious actors, and the availability of a ready-made exploit.
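The five prioritization factors listed above can be turned into a repeatable ranking of a patch backlog. The following is an added example, not part of the original report: the weights, the 0..1 scales, the asset names, and every factor value in the sample backlog are constructed assumptions (only the two CVE identifiers come from the report).

```python
from dataclasses import dataclass

# Assumed weights for the five factors named in the text; tune them to your own risk model.
WEIGHTS = {
    "asset_significance": 0.30,   # how important the affected asset is to the business
    "accessibility": 0.20,        # how easily an attacker can reach the asset
    "threat_level": 0.20,         # severity of the flaw itself
    "attacker_popularity": 0.15,  # how actively the flaw is used by attackers
    "exploit_available": 0.15,    # a ready-made exploit exists
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    asset_significance: float    # 0..1
    accessibility: float         # 0..1 (1.0 = reachable from the internet)
    threat_level: float          # 0..1 (for example, a severity score divided by 10)
    attacker_popularity: float   # 0..1
    exploit_available: bool


def score(f: Finding) -> float:
    """Weighted sum of the five factors, in the range 0..1."""
    factors = {
        "asset_significance": f.asset_significance,
        "accessibility": f.accessibility,
        "threat_level": f.threat_level,
        "attacker_popularity": f.attacker_popularity,
        "exploit_available": 1.0 if f.exploit_available else 0.0,
    }
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{f.vuln_id}: {name} must be within 0..1, got {value}")
    return sum(WEIGHTS[name] * value for name, value in factors.items())


def prioritize(findings):
    """Return findings ordered from most to least urgent (ties broken by id)."""
    return sorted(findings, key=lambda f: (-score(f), f.vuln_id))


# Constructed sample backlog; all factor values are illustrative, not measured.
BACKLOG = [
    Finding("PLACEHOLDER-2", "office-printer", 0.1, 0.3, 1.0, 0.2, True),
    Finding("PLACEHOLDER-1", "ticketing-database", 1.0, 0.2, 0.7, 0.1, False),
    Finding("CVE-2023-34362", "file-transfer-server", 0.7, 1.0, 1.0, 0.8, True),
    Finding("CVE-2023-4966", "remote-access-gateway", 0.9, 1.0, 0.9, 1.0, True),
]

if __name__ == "__main__":
    for rank, f in enumerate(prioritize(BACKLOG), start=1):
        print(f"{rank}. {f.vuln_id:15} {f.asset:22} score={score(f):.2f}")
```

In this sample, the flaw with the highest raw threat level sits on a low-significance printer and ranks last, while the internet-facing gateway with a public exploit ranks first.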

Supply chain attacks in the transportation sector

Some successful attacks (8%) saw malicious actors disrupt system operations by compromising a trusted third party. The method has evolved into a trend in various industries, such as IT, and will spread to other sectors. Many organizations rely on services provided by contractors, including some whose cybersecurity arrangements are inadequate. It's sometimes easier to hack into a contractor's systems to steal the target organization's data or gain access to its network.

In July 2023, there was a mass leak of Dublin Airport employee data that was traced to a compromise of the airport's supplier Aon. The latter was breached by exploiting the CVE-2023-34362 vulnerability in MOVEit Transfer, a managed file transfer application. The attackers stole payroll and benefits data on almost 2,000 of the airport's employees.

Another way of attacking a company is to cause negative consequences by breaching a contractor's systems. In September 2023, a large-scale DDoS attack was launched on Leonardo, a Russian airline ticket booking system. The country-wide outage made it difficult to check in for Aeroflot flights at airports, delaying at least 16 flights at Sheremetyevo Airport alone. We previously mentioned a similar attack on Supeo, a provider of track maintenance and speed limits information for engine drivers, which caused several hours of outage across Denmark's state-owned rail network.

We recommend only partnering with reliable suppliers and contractors. It's important to select partners with a good reputation and robust security systems. We also recommend conducting security audits of your suppliers and contractors to ascertain that they meet your security standards.

In addition, you need to put a plan of action in place in the event a trusted contractor is attacked: simulate a scenario where all IT systems provided by an important partner go offline and outline steps to mitigate the consequences of the attack.

Criminal market for initial access

Initial access to the infrastructure of transportation companies is a dark web commodity. Prices vary wildly, from $50 for access to a smaller organization to tens of thousands of dollars for high-privilege access to large transportation companies. In most offers (54% of all ads we found online for 2023–2024), access to a single company can be had for $1,000 or less.

Figure 6. Cost of initial access on criminal markets

The price depends on company size, level of privileges (user, domain user, local admin, domain admin), and the country where the company is located. Other criteria may affect the price as well, such as access type (RDP, VPN, shell/SSH, web shell), the number of hosts on the network, or details of the security systems protecting the network. For example, local user access via RDP for a small (around $5 million in sales) Irish company costs $50.

Figure 7. An ad offering access to a small logistics company in Ireland

However, access with local user rights to the database server of a large shipping company in Saudi Arabia (with a turnover of around $270 million) costs as much as $2,500.

Figure 8. An ad offering access to a logistics company in Saudi Arabia

The highest price we saw was $10,000 in an ad offering domain admin access to a large company in India with $710 million in sales and around 4,000 employees.

Figure 9. An ad offering access to a large logistics company in India

The bulk of available offers is composed of local admin or local user access: 26% and 30%, respectively. The value of this kind of access directly depends on the significance of the server or computer that can be compromised. Access to an FTP server is generally cheaper than access to a 1C server, and access to an average employee's workstation is cheaper than access to an accountant's or senior manager's computer. A domain administrator's account affords the broadest privileges, giving the adversary a picture of the network structure and allowing them to pursue attacks on any systems connected to the domain, even critical ones. In addition, this type of access is much more difficult to obtain than local access to a specific computer, hence the price is much higher and the percentage of ads significantly lower (12%).

Figure 10. Levels of illegal access privileges as advertised on shadow markets

Attack consequences

Seven out of every ten incidents in the transportation sector caused disruptions to companies' core business. The share of this type of impact remained at the same level in 2023 as in 2022. The most common consequences were client service outages (83% of attacks that caused disruptions to core business), loss of access to internal infrastructure or data (30% of attacks), and disruptions to internal business processes (14%).

In some cases, successful attacks led to non-tolerable events. KNP Logistics Group, one of Britain's leading privately owned logistics companies, declared itself insolvent in September, citing a June ransomware attack that affected key systems, processes, and financial information. The business was reportedly unable to continue against a backdrop of challenging market conditions and failing to secure urgent investment due to the attack. More than 700 employees were made redundant as a result.

Figure 11. Attack consequences (percentage of successful attacks)

In 2023, malicious actors compromised confidential information stored at transportation companies in 38% of incidents, a 14% YoY increase. We attribute this to the spread of spyware and a large number of attacks that targeted vulnerabilities in data transmission systems. Half (51%) of stolen information consisted of personal data, and a quarter was trade secrets.

Figure 12. Types of stolen data

Stolen confidential data usually includes the personal information of the customers of affected organizations: passengers of ground, air, and sea transportation, and users of logistics companies' services. For example, in Fall 2023, as a result of an attack on an Iranian taxi booking company, data of more than 33 million app users was affected, including both clients and drivers. The attackers demanded a ransom, and after refusal, they put the stolen data up for sale.

Figure 13. An ad for the sale of data stolen from Tapsi

Non-tolerable events in the transportation sector

Negative events caused by a cyberattack can affect individual companies or entire economic sectors. Due to the connective role of transportation, an attack on this sector can damage multiple industries at a time. Here are some of the cyberthreats that target rail transport, road transport and infrastructure, and air and maritime transport.

The potential cyberattacks and their consequences described below are hypotheses made by Positive Technologies.

Rail transport

The volume of transported cargo is a key economic indicator of transportation performance. The significance of railroads means that cyberattacks on them tend to have serious consequences ranging from partial or complete outage, to damage or loss of cargo. The most frequently transported freight includes coal, crude oil and petroleum products, construction cargoes, and iron ore. Damaging or losing this cargo, as in an oil spill or fire, is a non-tolerable event to rail carriers, as it has the potential to negatively impact other key branches of the industrial sector. In addition, a successful attack can affect the nation’s imports and exports. Finally, cyberattacks can endanger the lives of passengers.

What parts of rail infrastructure are susceptible to malicious attacks? A successful cyberattack can result in the attackers gaining the ability to control trackside equipment. Criminals can raise the boom barrier at a level crossing or manipulate a railroad signal. This kind of intrusion can lead to non-tolerable events: a major disaster, fatalities, cargo spoilage, or damage to tracks. It also may necessitate adjustments to train schedules and routes. Note that logistics failures along major railroad sections may cause breach of contract and fines for the carrier.

A cybercriminal that gains direct access to on-board controls can interfere with a train's movement, abruptly accelerating or braking and thus damaging the cargo. An improperly loaded cargo can be shifted or broken during hard acceleration or braking. Stopping a train too fast can cause railcars to detach or trigger an accident, resulting in loss of cargo. Train positioning and geolocation systems are a further potential target for cyberattackers. If data becomes unavailable because of malicious intrusion, the train dispatcher will have to stop all trains along the route to avoid a potential collision. An incident like that happened in Poland in 2023, when malicious actors managed to halt rail traffic. They used railroad frequencies to broadcast a signal for trains to apply emergency brakes.

An attack can cause financial damage due to a ticket booking system outage. In September 2023, a cyberattack interrupted the sale of tickets for trains operated by Estonian Railways. A company spokesperson said that passengers would be able to travel for free until the situation was resolved and as long as it remained impossible, for technical reasons, to purchase a ticket while aboard a train.

Air transport

Many airlines' core business is passenger conveyance, so if their official website is knocked offline, this can become a non-tolerable event. A ticketing system outage can cause major financial losses.

A failure of the baggage-handling system is another possible consequence of a cyberattack: a flight may have to depart without its baggage, or be delayed. This type of attack also has a high likelihood of paralyzing the airport. For example, in January 2024, Lebanon's state news agency reported that a cyberattack had disrupted the baggage inspection system.

A successful cyberattack, such as a ransomware attack, on an airline or IT contractor can result in loss of access to the personal data of customers and employees. In February 2022, Swissport International, an airport ground services and air cargo handling company, was hit by a ransomware attack that affected its operations and led to flight delays.

Furthermore, malicious actors may try to modify the messaging system used by flight crews to communicate with ground stations, hijack a jet bridge, or tamper with navigation systems. For example, in February 2024, hackers attempted to take over the communications of an El Al Israeli airline plane on course from Thailand to redirect its flight.

In 2022, security researchers reported fixing a vulnerability in the computer systems used on certain Boeing aircraft that could have allowed hackers to modify data and cause pilots to make dangerous miscalculations: an aircraft could land on an insufficiently long runway, or take off at incorrect speeds, potentially resulting in a tail strike or runway excursion.

In early 2023, there was a potentially dangerous incident in the United States. According to FlightAware, more than 10,000 flights were delayed and 1,300 canceled in the first national grounding of flights in about two decades due to an issue that prevented airports from filing updated NOTAMs (hazard notices for pilots). The issue was caused by a damaged database file, which could have been the result of a cyberattack.

Maritime transport

Ports are complex infrastructure facilities including cranes, elevators, container management systems, oil terminals, ship controls, and navigation and other systems. In a worst-case scenario, interference with a fuel depot or crane control can cause a disaster and non-tolerable event on an industry scale. An attack on a cargo loading system and associated outage can lead to spoilage and financial losses from fines and penalties. According to HFW and CyberOwl, an average cyberattack on the maritime industry in 2023 cost the target organization $550,000 compared to $182,000 in 2022.

Ports are critical infrastructure facilities, and successful attacks have severe consequences for associated industries. In January 2022, several North European oil hubs at major ports were targeted in cyberattacks. IT systems failed at Germany's Oiltanking, Belgium's SEA-Invest, and the Netherlands' Evos. Attacks like these have significant consequences for the companies involved and ordinary citizens. The companies supply numerous gas stations, and a shortage of fuel could impact an entire economy.

The smart port concept, which envisions increased IT adoption and integration in industrial and business processes, is also worth mentioning. Work on creating this type of port began in Vladivostok, Russia in 2021. The technology is expected to provide remote control and the ability to control port operations in real time. However, new automated facilities may also be susceptible to cyberattacks and need to be secured.

Ships are similarly vulnerable to malicious intrusions. Attackers who hijack the ballast control system of a large ship can cause the vessel to capsize and sink. Ships often have sensors for monitoring internal systems and engine performance, fuel rate, and temperature and hull integrity. Transmitted ashore, this data helps ship operators monitor fleet status and conduct routine maintenance remotely. Experts praise remote maintenance as efficient, but it also creates a potential attack vector. A malicious actor can disrupt a ship's IT systems by attacking the operator. An incident of this kind happened in January 2023. DNV, the world's leading ship classification society, had to shut down servers connected to its ShipManager system after experiencing a ransomware attack. ShipManager is DNV's fleet management software that includes maintenance, hull integrity, and other fleet monitoring modules. The attack resulted in 1,000 ships being disconnected from on-shore servers.

Urban road infrastructure and road transport

Malicious actors can attack public transportation companies to affect the quality of their service. In November 2022, the Seville Urban Transport Company (TUSSAM) said it had been hit by a cyberattack, which disabled its mobile app and information displays at bus stops. An attack on Australia's Black and White Cabs in early 2023 shut down the company's taxi booking system.

Malicious actors can also attack road infrastructure. Unidentified individuals hacked into a roadside digital information display in Tyumen, Russia in March 2023. A similar incident happened in Krasnoyarsk in April 2022. Traffic lights can be susceptible to attacks as well. In late 2022, a group of researchers managed to hack into the traffic lights on several intersections in Hanover, Germany using just a laptop, portable radio, and antenna. A malicious actor who hijacks a traffic light can cause an accident by manipulating its signals.

Cybercriminals can also attack EV charging stations. A prime example of this is modifying the images shown on the screens of public chargers. Although offenses like these have remained relatively harmless so far, cybersecurity experts warn that potential consequences can be far more destructive. A malicious actor who manages to activate thousands of chargers at once can destabilize or even shut down entire electrical grids.

Besides road infrastructure, malicious actors may attack traffic control systems, causing accidents on the scale of non-tolerable events. Incidents like these have already happened: in February 2023, Korean automakers Hyundai and Kia announced software updates for some of their models following social media reports about a theft technique dubbed the "Kia Challenge." The U.S. National Highway Traffic Safety Administration (NHTSA) said that the TikTok challenge had resulted in at least 14 reported crashes and 8 fatalities. More cases of hacking into vehicle control systems are also known. In January 2022, a Twitter user announced that he had been able to hack at least 25 Tesla vehicles in 13 countries and partially take them over. In March 2023, a team of white-hat hackers won $100,000 and a Tesla Model 3 for successfully hacking the vehicle's Tesla Energy Gateway power panel in order to compromise key control systems.

Moreover, the gradual adoption of self-driving vehicles worries analysts. A concerning scenario was presented following an analysis of self-driving cars on British roads: a major cyberattack that targets the operating systems of many self-driving vehicles simultaneously could lead to massive fatalities.

Achieving cyber resilience

Airports and ports can have hundreds of networked devices running various applications. New technology, such as smart sensors, makes transportation services more efficient, but the deep integration between operational and information technology also expands the attack surface that cybercriminals can take advantage of.

Unfortunately, protecting an organization from every last cyberthreat isn't feasible. However, building a security system that helps to avoid non-tolerable events is something any organization regardless of its size can do. The following are steps that we recommend on the path to achieving cyber resilience.

Figure 14. The stages of building result-driven cybersecurity

Step 1. Identifying non-tolerable events and how they're realized

Identifying non-tolerable events

The first thing you need to do is make a list of events that can cause non-tolerable consequences to the organization if they're realized. For a railroad company, these events may include damaging or losing hazardous cargo, or harming people, and for a port they can include an outage that lasts seven days. This stage requires direct involvement of the company's senior management, as information security goals are based on real-life business concerns and needs. Operations managers can help define scenarios that may lead to a non-tolerable event, and IT employees can help identify the target systems that can directly cause non-tolerable events if compromised.

Mapping non-tolerable event scenarios to the IT infrastructure

This stage must answer the questions of what route a malicious actor is likely to take to reach the target systems, and what IT infrastructure and business process flaws can potentially make this easier for them. This stage includes an inventory of IT assets and identifies potential starting points for penetration and key systems (that the attacker must compromise to develop the attack or make the attack significantly easier). The infrastructure information collected needs to be mapped to business processes before shaping and implementing a cybertransformation strategy in the next step.
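The mapping described above can be prototyped as a graph search over the asset inventory. The following is an added example, not part of the original report: the asset names and reachability edges are a constructed sample for a hypothetical port operator, and "key systems" are computed as the assets that lie on every route from the entry points to a target system.

```python
from collections import deque

# Constructed sample inventory: an edge A -> B means "a foothold on A allows
# reaching B". All asset names are hypothetical.
EDGES = {
    "internet": ["vpn-gateway", "public-website", "mail-server"],
    "contractor-link": ["terminal-os"],
    "public-website": ["dmz-app"],
    "mail-server": ["workstation"],
    "vpn-gateway": ["workstation"],
    "workstation": ["domain-controller", "file-server"],
    "dmz-app": ["domain-controller"],
    "domain-controller": ["ot-jump-host"],
    "file-server": [],
    "ot-jump-host": ["crane-control", "terminal-os"],
    "crane-control": [],
    "terminal-os": [],
}


def reachable(edges, sources, target, blocked=frozenset()):
    """True if target can be reached from any source without passing through blocked assets."""
    seen = {s for s in sources if s not in blocked}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in edges.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False


def shortest_path(edges, sources, target):
    """Breadth-first search: the route with the fewest hops, or None if there is none."""
    parent = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def key_systems(edges, sources, target):
    """Assets on every route to the target: isolating any one of them cuts all routes."""
    if not reachable(edges, sources, target):
        return []
    candidates = set(edges) | {n for nbrs in edges.values() for n in nbrs}
    candidates -= set(sources) | {target}
    return sorted(n for n in candidates
                  if not reachable(edges, sources, target, blocked={n}))


if __name__ == "__main__":
    entries = ["internet", "contractor-link"]
    for target in ("crane-control", "terminal-os"):
        print(target)
        print("  shortest route:", " -> ".join(shortest_path(EDGES, entries, target)))
        print("  key systems:   ", key_systems(EDGES, entries, target) or "none")
```

In the sample, the contractor link reaches the terminal operating system directly, so no single internal asset protects that target, while every route to crane control passes through the domain controller and the OT jump host.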

Step 2. Cybertransformation

IT infrastructure hardening

Hardening is the process of making hardware and software more secure by reconfiguring them to remediate vulnerabilities and eliminate insecure configurations and weak passwords. This helps reduce the attack surface and eliminate potential penetration vectors.

Training, training, and more training

You need to routinely raise employee awareness, for example, when a new phishing scheme aimed at transportation companies appears. Hands-on training is also crucial.

Incident monitoring and response

The introduction of monitoring and response processes helps detect an attack on the spot and prevent cybercriminals' actions in a timely manner. The organization must have an incident response plan in place describing specific steps for employees to take in the event of a cyberattack, including notifications to stakeholders (partners, contractors, and customers) and authorities. This helps minimize damage and resume normal operations as soon as possible.

Security assessment

To assess its security posture, an organization may choose to verify non-tolerable events or conduct cyberexercises to simulate potential attacks and test the effectiveness of attack detection and response.

Process design and implementation

Identifying and properly implementing critical business processes helps achieve greater cyber resilience. We also suggest paying attention to contractor management and putting in place robust coordination procedures to ensure that external organizations meet cybersecurity standards.

Performance assessment

Every organization that undergoes cybertransformation defines performance targets that it must pursue to maintain a high standard of cyber resilience. Regular performance assessments are required to gain an insight into the current status of security.

Step 3. Confirming cyber resilience

Maintaining cyber resilience

Malicious entities continue to improve their attack methods, while corporate IT infrastructure changes. New technology is added, and new vulnerabilities appear. You must assess the level of cyber resilience on a regular basis by conducting penetration testing and building vulnerability management processes. The complex nature of transportation ecosystems can cause issues maintaining asset transparency, so it's essential that cyber resilience assessment and maintenance grow into regular activities.

Establishing a bug bounty program

Another essential step to confirming a high level of cyber resilience is establishing a bug bounty program or non-tolerable event bounty program. Today, bug hunting services are widely sought by IT companies, service providers, retailers, and financial organizations. We expect transportation companies to follow this trend in the future. Some members of the industry, such as LATAM Airlines, inDrive, and Via Transportation, are already joining various bug bounty platforms. Users are starting to show interest as well: in 2023, 19% of HackerOne participants looked at car, truck manufacturing, and road transport programs, and 15% at aviation programs (note that users of bug bounty platforms typically focus on several programs in different industries simultaneously).

Conclusions

The global transportation industry is evolving by adopting new information technology, building and upgrading infrastructure, and making services more convenient for passengers.

The transportation sector is vital to the economy and society as a whole. A cyberattack can disrupt the normal functioning of a city, region, or whole nation, damaging multiple industries at once. To prevent destructive consequences, regulators must focus on potential industry-wide cyberthreats, and transportation companies must prioritize their insights into non-tolerable events when building IT processes.

About the report

This report contains information on current global cybersecurity threats based on Positive Technologies' own expertise, investigations, and reputable sources. This report considers each mass attack, such as phishing emails sent to multiple addresses, as one incident, not multiple incidents. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

During our shadow market research, we analyzed 241 sources, including Telegram channels and dark web forums with a combined user base of more than 18 million users. This multilingual sample included the largest platforms centered around various subjects. Our analysis of the initial access market covered ads posted in 2023 and 2024.
