Even before Russia invaded Ukraine, transportation and logistics companies were getting hit in cyberattack after a cyberattack. Case in point: Global logistics giant Expeditors International is continuing to recover more than two weeks after an attack brought down its operations systems.
With the war underway, the risks are even higher.
Russia and its supporters could unleash cyberattacks against business and critical infrastructure in response to the U.S. and European allies’ sanctions and direct military aid. One ransomware gang vowed to attack the critical infrastructure of any country that retaliates against Russia.
On the other side, a hacking group recently claimed to have disrupted trains carrying Russian troops to Ukraine.
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is advising companies and organizations to heighten their cybersecurity posture and warned that critical infrastructure could be hit — though it said it was not aware of any specific threats to the U.S. CISA’s long list of critical infrastructure includes trucking companies, shipping lines, ports, freight rail and parcel carriers.
Then there is the prospect of a direct cyber exchange between the U.S. and Russia. NBC reported that President Joe Biden had been given options for a devastating cyberattack against Russia. The White House subsequently denied the Feb. 25 report.
“It goes to a very scary place for me,” Josh Lospinoso, co-founder and CEO of cybersecurity startup Shift5 and a former U.S. Army cyber officer. “These are really weapons of mass destruction, they really are. The idea that you can, from 5,000 miles away, cause real harm or death to civilians is unconscionable to me. And the idea that we might get into a conflict of tit for tat where there’s escalating disruptions and destruction of critical infrastructure on both sides is reprehensible.”
The U.S. is unlikely to attack Russia directly with its offensive cyber capabilities because of the potential for retaliation, Lospinoso said.
“I would be very surprised if the Biden administration employed offensive cyberattacks against critical infrastructure in Russia,” Lospinoso said. “I think their calculus for that could be a wide range of things. I guarantee a big part of that calculus is the fact they know our critical infrastructure is as vulnerable as the critical infrastructure in Russia, if not more.”
‘I’ve never interacted with a transportation system that we could not break.’
— Josh Lospinoso, CEO of Shift5
Lospinoso’s work in the Army included leading the development of hacking tools for the U.S. national security apparatus. Now in the private sector, he runs a company that specializes in protecting transportation assets — trains, planes and tanks — from cyberthreats.
Virginia-based Shift5 has raised $72.5 million since its founding in 2018, according to Pitchbook. That includes a $50 million series B fundraise in February led by Insight Partners. Shift5 is focused on what is arguably a future, theoretical threat, at least in the civilian world: cyberattacks targeting vehicles themselves including highly digitized engines and control systems.
“If you’ve got enough coffee and willpower to spend time with these systems, I mean, I’ve never interacted with a transportation system that we could not break,” Lospinoso said.
The concept is frightening. In 2015, a pair of hackers remotely killed the engine of a Jeep Cherokee while a reporter from Wired magazine was at the wheel. Extend the same scenario to a moving train, truck, plane or ship, and the consequences could be catastrophic.
But so far, these kinds of attacks haven’t emerged as a serious threat. There’s little incentive for cybercriminals to do this. It’s easier and more profitable to target systems in ransomware attacks, which encrypt data with the intent of crippling business operations. The criminals make money by offering a key to unlock the data.
The logic is pretty simple: Why bother trying to disable individual trains when you can bring down a railroad’s operations systems?
But what if the motive isn’t to make money, and the attackers are a state?
Lospinoso said there is reason to worry that Russian government hackers could have the ability to compromise vehicle systems. He pointed to a recent joint advisory by the U.S. and U.K governments about a new type of malware they allege is being used by Sandworm, a hacking group believed to be part of Russian military intelligence.
The malware, called Cyclops Blink, replaces another malware called VPNFilter, according to the advisory. VPNFilter was largely used to exploit networking devices such as routers, but security researchers found that it had functionality for manipulating traffic in industrial control systems through a module.
“Control systems on ships, rail side switching infrastructure, ports, etc. all have ICS [industrial control systems] equipment targeted by that module,” Lospinoso said.
While there is no evidence yet that Cyclops Blink is capable of manipulating industrial control systems, Lospinoso said it is “highly likely” that it has that functionality.
The U.S. military has been actively working to develop cyber defenses for its fighting vehicles. In February, the Army announced that it had successfully tested a cyber defense system that protects ground vehicles’ data bus systems from attacks. A news release noted that “existing technologies used on Army ground vehicle systems were not designed with current cyber threats in mind.”
Lospinoso said the same issue extends to civilian vehicles — where key systems weren’t designed with cybersecurity in mind.
“The digital components that are embedded in all of these military systems — guess what — they’re in all of our critical infrastructure as well,” he explained. “The manufacturers that make these things, they make the same chips and hard disks and computers and protocols that go in a Boeing 737 and an F-35, a container ship versus a destroyer, a ground combat vehicle, like a Stryker, or an Abrams tank and a locomotive. They’re the same components.”
And the leap from the digital components to control systems isn’t that big.
“So you’ve got dozens of these little electronic control units that, generally speaking, do one of two jobs, maybe both,” he said. “They sense things, they sense temperatures and pressures and orientations and these sorts of things. They actuate, they manipulate some device on the vehicle, right, they, you know, open up the fuel injector, they fire a piston, they unlock a door.”
While it remains to be seen whether these kinds of attacks will emerge as a significant threat to companies that move freight, there’s plenty to worry about even if no trucks are getting hacked yet.
While Lospinoso said the Biden administration is very unlikely to use cyberattacks against Russian infrastructure, he worries that level of hesitation isn’t mutual.
“We’ve seen in a variety of circumstances that they [Russia] have displayed a much more aggressive stance towards employing cyberattacks against critical infrastructure,” he said.
The U.S. has blamed Russia for the notorious NotPetya ransomware attack in 2017. The attack took down Ukraine’s power grid among other targets in the country. It also crippled the global operations of shipping giant Maersk, costing the firm $300 million.
Even if the U.S. and Russia avoid direct cyberwarfare, multiple ransomware groups have been known to cooperate with the Russian government or operate with its consent. One notorious group, Conti Lockbit, publically sided with Russia, stating, “If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”
Ransomware gangs themselves have done plenty of harm to the U.S. and global supply chain in pursuit of making money, just in the last year. There were the high-profile attacks on Colonial Pipeline, JBS Foods and Marten Transport. Rail operators CSX and OmniTRAX were also hit, though without a significant impact on operations.
In January, the Russian Federal Security Service announced that it had arrested alleged members of REvil, the ransomware gang behind the Colonial and JBS attacks. Lospinoso questioned Russia’s motives in the arrest, saying they were likely for show. He expects the Russian government will continue to tap cybercriminals to launch attacks in line with its strategic interests.
“In these geopolitical conflicts, they love plausible deniability,” Lospinoso said of the Russian government.
