Since at least the incendiary devices disguised as parcels that caused damage in several DHL facilities last summer, it has been evident that logistics in the states supporting Ukraine is also a target of the hybrid threat campaigns flanking Russia's war effort. In a joint statement by international security authorities, the Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV) explicitly warn the logistics industry of cyberattacks. The goal of these attacks is to disrupt or even prevent deliveries to the war zone. The methods used are not limited to the companies involved but also target the infrastructure, for example by spying on logistics hubs through unauthorized access to network-connected surveillance cameras. The authorities explicitly name Russian intelligence agencies as the perpetrators of these attacks. This gives the cyberattacks a different quality from the topics familiar from the media, such as ransomware (extortion software).
Particular Quality of the Attacks
State cyber actors such as intelligence agencies and militaries are usually not under time pressure and have almost unlimited resources at their disposal. Their approach is characterized by remaining undetected in a system for as long as possible, typically in order to steal data for espionage purposes. The current warning, however, indicates that in this specific case the focus is rather on sabotage. In logistics especially, the failure of a single company is only a partial success for the attackers, since it can be compensated for by temporarily switching to other logisticians.
A different approach is therefore to be expected: remaining undetected in the system for as long as possible while creating chaos through manipulative interventions. In fully automated warehousing or the transport of sensitive goods, factors such as temperature, storage conditions and time play an important role. The compilation of freight documents, too, is at times so automated that small errors in dates or addresses do not stand out or are attributed to human error. The goods (e.g., food or medicine) then arrive either late or spoiled.
However, attack patterns already known from crime can also be of interest to state actors: if the location of an interesting shipment can be tracked in real time by accessing the systems, it can be intercepted in a targeted manner. In addition, there are known cases in which entire shipments of smuggled goods "disappeared" through manipulation of IT systems that obscured the origin and type of the goods. Such an approach is also conceivable for intelligence agencies. The goal of IT security is therefore to become aware of unusual activity in the system quickly, through measures such as anomaly detection. So let's first take a look at how the perpetrators proceed:
The Point of Entry: The Attacker Is Already In
Most cyberattacks start with an email containing a malicious link or attachment. Defense measures therefore regularly include training employees to reduce the likelihood of them falling for such an attack. But there is a catch: the more elaborate the attack, the harder it is for employees to spot. The magic word here is "trust": the malicious emails do not come out of the blue but from a trusted contact, such as a customer or business partner, in some cases even the private account of a close family member, which the perpetrators have already taken over. The email itself then refers to previous communication or links directly to it.
The attacks often aim to steal login information such as usernames and passwords, which the perpetrators use to gain access to the systems. To mitigate the risk, multi-factor authentication should be set up for all user accounts. Nonetheless, one must unfortunately assume that state attackers will find ways to bypass it. The focus of IT security should therefore be on detecting unusual behavior in the network and responding accordingly (Detection & Response).
The Digital Supply Chain
Another entry point is digital interfaces: modern order processing can be fully automated today. The customer, often even its automated factory, sends goods requests or delivery orders directly to the logistics provider. This software bridge is a potential danger for both companies. The introduction of malware is not the only challenge; it becomes much more difficult if the software delivers incorrect results due to external manipulation. Whether there are also IT-based access paths into the other company's systems depends on the software used. Here too, however, experience shows that it is better to assume existing security gaps and take the necessary precautions, such as segmenting the network.
Risks from Service Providers and Employees
Even very direct physical connections pose a potential risk: external cleaning staff are often present on the premises outside office hours, and service technicians often work on machines and systems unobserved. A new device is quickly plugged in, for example a USB stick with malicious content. Employees, too, often bring their own devices such as access points and routers into the network. This usually happens not with malicious intent but to make their own lives easier. Nevertheless, such devices represent potential entry points from which the underlying system can be infiltrated. Most security solutions offer ways to prevent this or to allow only certified storage media. Companies should use them.
Administrators and Access Permissions
IT administrators face the challenge of constantly keeping their knowledge up to date with the rapid developments in IT while also handling all the tasks that arise in the company. This becomes more complex the more IT is deployed, and it quickly reaches the limits of human capability. People then try to make life easier for themselves, for example with easy-to-remember passwords or quick access options, even though they know these are potentially risky.
Attackers specifically look for such "workarounds". Where they exist, they are used to obtain the administrators' access permissions. The attackers can then create their own accounts and equip them with the same rights, or simply take over existing ones. It is therefore important to segment network areas and to restrict the permissions of individual employees and administrators alike. But open and honest discussions about the limits of one's own capacity should also be held: overworked staff in IT and IT security are among the most common challenges in combating cyberattacks!
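The article's advice in the paragraphs above boils down to spotting unusual activity: quiet manipulation of shipment dates or addresses that looks like human error, and freshly created accounts that are immediately given administrator rights. The following detector, added here as an illustration and not code from the article or its author, runs those two checks over a constructed audit log from a hypothetical warehouse management system; the log format, business hours and 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (ts|actor|action|target|detail); not real data.
SAMPLE_LOG = """\
2025-06-02T08:12:00|anna|edit|SHIP-1001|field=eta
2025-06-02T09:40:00|anna|edit|SHIP-1002|field=address
2025-06-02T10:05:00|bob|read|SHIP-1003|
2025-06-02T11:30:00|bob|read|SHIP-1004|
2025-06-02T23:48:00|bob|edit|SHIP-1004|field=address
2025-06-03T02:15:00|admin01|create_user|svc_backup|
2025-06-03T02:17:00|admin01|add_to_group|svc_backup|group=Administrators
"""

BUSINESS_HOURS = range(6, 20)          # assumption: 06:00-19:59 local time
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
PRIV_ESC_WINDOW = timedelta(minutes=10)  # assumption: create-then-admin window

def parse_log(text):
    """Split each line into a dict; detail is a 'k=v' string or empty."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, action, target, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "detail": detail})
    return events

def detect(events):
    """Return alert strings; the per-actor baseline is built from the events."""
    alerts, history, created = [], {}, {}
    for e in events:
        actor, ts = e["actor"], e["ts"]
        seen = history.setdefault(actor, [])
        if e["action"] == "edit":
            # Quiet manipulation of shipment data: edits outside business hours.
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(f"off_hours_edit:{actor}:{e['target']}:{e['detail']}")
            # Role drift: an account that only ever read shipments starts editing.
            if seen and all(a == "read" for a in seen):
                alerts.append(f"read_only_actor_edits:{actor}:{e['target']}")
        elif e["action"] == "create_user":
            created[e["target"]] = ts
        elif e["action"] == "add_to_group":
            group = e["detail"].split("=", 1)[-1]
            born = created.get(e["target"])
            if group in ADMIN_GROUPS and born and ts - born <= PRIV_ESC_WINDOW:
                alerts.append(f"fast_priv_escalation:{e['target']}:{group}:by={actor}")
        seen.append(e["action"])
    return alerts

def run_sample():
    return detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log, anna's daytime edits build a normal baseline, while bob's late-night address change and the two-minute path from account creation to the Administrators group each raise an alert.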
Logistics and Critical Infrastructure
Given their real importance for the functioning of the economy and society, it may seem surprising that in the transport and traffic sector primarily hub and infrastructure operators fall under the EU's new NIS2 Directive, while many logistics companies do not. This directive describes IT security measures that are mandatory for companies in certain industries with 50 employees (and 10 million euros in annual turnover).
In addition, these companies are required to include their entire supply chain in their IT security measures. This is where the new directive does affect, and indeed particularly targets, the logistics industry, whose failure has consequences for practically every other industry. Although the national implementation of NIS2 in Germany is delayed due to the change of government, companies here are already beginning to discuss cybersecurity issues with their logisticians. Where companies depend on Just in Time/Just in Sequence or operate in the area of dangerous goods, this should already be standard.
Conclusion
Being in the crosshairs of state actors may seem threatening at first, and indeed it should not be underestimated. However, with a well-established and well-operated cybersecurity strategy, there is a good chance of detecting and deflecting even such cyberattacks. It is important to understand that perpetrators invest enormous effort in the first point of entry into a network. One can therefore assume that state actors will eventually manage to get past even the best defense tools.
Logisticians are targets of sabotage by cyber attackers not only because their transport capabilities can be restricted, but also, due to their trusted position and digital interfaces, as entry points to their customers. A cybersecurity strategy focused on detecting and combating attacks ("Detection & Response"), together with active collaboration with customers on cybersecurity, not only improves one's own level of protection but also builds trust. At the very least, strategies should be in place to mutually inform each other about and handle successful cyberattacks.
The Author
As a Security Advisor, Richard Werner brings Trend Micro's strategy closer to IT security officers of large enterprise customers, especially regarding current cyber threats. Before his time at Trend Micro, Richard Werner gained professional experience in the food and logistics industry and is a trained freight forwarding