Full Report
Old-school cargo heists reborn in the cyber age

Cybercriminals are increasingly orchestrating lucrative cargo thefts alongside organized crime groups (OCGs) in a modern-day resurgence of attacks on freight companies.…
Analysis Summary
# Threat Actor: Cybercriminals Orchestrating Cargo Thefts (In collaboration with OCGs)
## Attribution & Identity
**Identification:** Cybercriminals working in tandem with Organized Crime Groups (OCGs) to execute physical cargo thefts facilitated by cyber intrusions.
**Aliases and Associations:** No specific malware or primary threat actor name is provided, but the methodology is consistently attributed to cybercriminals by Proofpoint researchers (Ole Villadsen and Selena Larson). Associated with OCGs responsible for the physical theft and fencing of goods.
## Activity Summary
The threat actors are engaged in a modern resurgence of classic cargo heists, using cyber intrusions to gain insider knowledge and control over legitimate freight shipments. Recent campaigns involve infecting US logistics companies to:
1. **Attract Bids:** Post fake loads on broker load boards to lure bidding logistics/trucking companies.
2. **Gain Access:** Embed links onto these load boards that lead to the malicious installation of Remote Monitoring and Management (RMM) applications on the victim's network.
3. **Infiltrate:** Scan the victim network for credentials to successfully bid on genuine, high-value freight advertisements.
4. **Execute Theft:** Intercept communications, impersonate legitimate brokers or carriers, redirect cargo to controlled addresses, and coordinate physical theft with OCG partners on the ground.
Earlier campaigns that Proofpoint covered last year also targeted logistics businesses in North America, but those compromises were not linked to real-world cargo theft until the recent activity.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromising accounts on broker load boards; deploying malware via links embedded in fake load postings.
- **Execution:** Deploying legitimate RMM apps (N-able, ScreenConnect, SimpleHelp) for persistence and network access.
- **Credential Access:** Scanning victim networks post-access for credentials.
- **Command and Control:** Utilizing compromised systems to monitor and intercept legitimate shipment communications.
- **Defense Evasion/Impersonation:** Impersonating brokers or carriers to reroute deliveries.
- **Physical Action:** Coordinating with OCGs for final physical cargo theft.
- **MITRE ATT&CK IDs:** Not explicitly mentioned, but techniques align with stages like Initial Access (T1190, T1566.001) and Credential Access (T1003).
## Targeting
**Sectors:** Logistics, Trucking, Freight Brokerage Firms, Integrated Supply Chain Providers.
**Geography:** Primarily noted as infecting US logistics companies. Specific hotspots for resultant physical theft include **California, Illinois, Florida, Texas, and Washington** (though these also include traditional theft methods).
**Victims:** Targets are chosen opportunistically and range from small, family-owned businesses to large transport firms. The actor targets any carrier responding to a compromised load posting.
## Tools & Infrastructure
**Malware Families Used:** Legitimate Remote Monitoring and Management (RMM) applications leveraged maliciously: N-able, ScreenConnect, SimpleHelp.
**Infrastructure:** Broker load boards used as the initial vector for compromise.
## Implications
This activity represents a sophisticated convergence of cybercrime and organized physical crime, driving significant financial losses (millions of dollars per incident) and causing major supply chain disruptions. The actor's opportunistic nature suggests widespread risk across the North American logistics sector. CargoNet reports indicate the average value of a stolen shipment is increasing significantly ($336,787 in Q3 2025).
## Mitigations
- Enhanced vigilance when interacting with broker load boards, particularly concerning links or invitations to install software.
- Strict controls and monitoring over the deployment and use of Remote Monitoring and Management (RMM) tools on company networks.
- Comprehensive review of outgoing communications to detect evidence of impersonation or shipment redirection attempts.
- Segregation of duties and verification protocols for high-value shipments, especially when communication channels appear to shift or requests are urgent.
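The RMM-control mitigation above can be turned into a concrete allowlist check. The following is an added example, not code from the report or from Proofpoint: it scans constructed process-creation events for the RMM products named in the report (ScreenConnect, SimpleHelp, N-able), and flags any execution that is an unsanctioned product, an approved product outside its approved install path, or an RMM binary spawned by a browser, which is what a load-board link lure would produce. The log format, path substrings and allowlist are assumptions for the example.

```python
import re

# Illustrative path substrings for the RMM tools named in the report. These are
# assumptions for the example, not a vetted signature set; tune them to your estate.
RMM_MARKERS = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "jwrapper-remote access": "SimpleHelp",
    "n-able": "N-able",
}
# Hypothetical allowlist: the one RMM product IT sanctions and its approved install root.
APPROVED = {"ScreenConnect": r"c:\program files (x86)\screenconnect client"}
# An RMM binary spawned by a browser matches the load-board link lure described above.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation log format (not any real product's schema).
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                    r'image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)"$')

def classify(line: str):
    """Return (ts, host, product, reason) for an RMM execution that violates policy, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    image, parent = m["image"].lower(), m["parent"].lower()
    product = next((p for marker, p in RMM_MARKERS.items() if marker in image), None)
    if product is None:
        return None  # not an RMM binary we track
    reasons = []
    if product not in APPROVED:
        reasons.append("unsanctioned RMM product")
    elif not image.startswith(APPROVED[product]):
        reasons.append("approved product outside approved install path")
    if parent.rsplit("\\", 1)[-1] in BROWSERS:
        reasons.append("launched from a browser download")
    return (m["ts"], m["host"], product, "; ".join(reasons)) if reasons else None

def scan(lines):
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample events: one sanctioned agent start, three suspicious executions, one benign process.
SAMPLE_LOG = [
    r'2025-11-03T08:00:01Z host=DISPATCH-02 user=SYSTEM image="C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" parent="C:\Windows\System32\services.exe"',
    r'2025-11-03T14:02:11Z host=DISPATCH-07 user=jdoe image="C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe" parent="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'2025-11-03T14:09:45Z host=OPS-12 user=mlee image="C:\Users\mlee\AppData\Local\JWrapper-Remote Access\Remote Access.exe" parent="C:\Windows\explorer.exe"',
    r'2025-11-04T09:31:07Z host=BROKER-03 user=rkhan image="C:\Users\rkhan\Downloads\N-able-agent-setup.exe" parent="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"',
    r'2025-11-04T09:32:00Z host=BROKER-03 user=rkhan image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"',
]
```

`scan(SAMPLE_LOG)` returns one tuple per flagged execution; the sanctioned ScreenConnect service on DISPATCH-02 and the notepad launch produce nothing.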