“A very scary place” – Russian-Ukrainian war brings new cyber risks to transport sector

Even before Russia invaded Ukraine, transportation and logistics companies were hit by cyberattack after cyberattack. Case in point: Global logistics giant Expeditors International continues to recover more than two weeks after an attack destroyed its operating systems.

With the ongoing war, the risks are even greater.

Russia and its supporters could unleash cyberattacks on businesses and critical infrastructure in response to sanctions and direct military aid from US and European allies. A ransomware gang has vowed to attack the critical infrastructure of any country that retaliates against Russia.

On the other side, a hacking group recently claimed to have disrupted trains transporting Russian troops to Ukraine.

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) advises businesses and organizations to strengthen their cybersecurity posture and has warned that critical infrastructure could be affected, although the agency said it was not aware of any specific threats to the sectors on its long list of critical infrastructure, which includes trucking companies, shipping lines, ports, freight carriers and package carriers.

Then there is the prospect of a direct cyber exchange between the United States and Russia. NBC reported that President Joe Biden had been given options for a devastating cyberattack on Russia. The White House later denied the February 25 report.

“This is going to a very scary place for me,” said Josh Lospinoso, co-founder and CEO of cybersecurity startup Shift5 and former US Army cyber officer. “They really are weapons of mass destruction, they really are. The idea that you can, 5,000 miles away, cause real harm or death to civilians is unconscionable to me. And the idea that we could get into a tit-for-tat conflict where there is escalating disruption and destruction of critical infrastructure on both sides is reprehensible.”

The United States is unlikely to attack Russia directly with its offensive cyber capabilities because of the potential for retaliation, Lospinoso said.

“I would be very surprised if the Biden administration employed offensive cyberattacks against critical infrastructure in Russia,” Lospinoso said. “I think their calculation for this could be a wide range of things. I guarantee a big part of that math is the fact that they know our critical infrastructure is as vulnerable as critical infrastructure in Russia, if not more so.”

“I’ve never interacted with a transport system that we couldn’t break.”

—Josh Lospinoso, CEO of Shift5

Lospinoso’s work in the military included leading the development of hacking tools for the US national security apparatus. Now in the private sector, he runs a company specializing in the protection of means of transport – trains, planes and tanks – against cyber threats.

Virginia-based Shift5 has raised $72.5 million since its founding in 2018, according to Pitchbook. This includes a Series B fundraising of $50 million in February under the leadership of Insight Partners. Shift5 focuses on what is arguably a theoretical future threat, at least in the civilian world: cyberattacks targeting vehicles themselves, including highly digitized engines and control systems.

“If you have enough coffee and willpower to hang out with these systems, I mean, I’ve never interacted with a transport system that we couldn’t break,” Lospinoso said.

The concept is scary. In 2015, a duo of hackers remotely killed the engine of a Jeep Cherokee while a journalist from Wired magazine was driving it. Extend the same scenario to a moving train, truck, plane or boat, and the consequences could be catastrophic.

But so far, these types of attacks have not emerged as a serious threat. Cybercriminals have little incentive to carry them out. It is easier and more profitable to target business systems in ransomware attacks, which encrypt data in an attempt to cripple operations. Criminals earn money by selling the key to unlock the data.

The logic is quite simple: why bother trying to disable individual trains when you can bring down a railroad’s operating systems?

But what if the motive is not to make money and the attackers are a state?

Lospinoso said there was reason to fear that Russian government hackers may have the ability to compromise vehicle systems. He pointed to a recent joint advisory by the US and UK governments about a new type of malware they say is being used by Sandworm, a hacking group believed to be part of Russian military intelligence.

The malware, called Cyclops Blink, replaces an earlier malware called VPNFilter, according to the advisory. VPNFilter was widely used to compromise network devices such as routers, but security researchers discovered that it also had a module with functionality to manipulate traffic in industrial control systems.

“Control systems on ships, rail-side switching infrastructure, ports, etc. all have ICS [industrial control systems] equipment targeted by this module,” Lospinoso said.

While there’s no proof yet that Cyclops Blink is capable of manipulating industrial control systems, Lospinoso said it’s “very likely” it has the capability.

The US military is actively working on the development of cyber defenses for its combat vehicles. In February, the Army announced that it had successfully tested a cyber defense system that protects ground vehicle data buses from attack. A press release noted that “existing technologies used on Army ground vehicle systems were not designed with current cyber threats in mind.”

Lospinoso said the same problem extends to civilian vehicles, where key systems were not designed with cybersecurity in mind.

“The digital components that are embedded in all of these military systems – guess what – they are also in all of our critical infrastructure,” he explained. “The manufacturers that make these things, they make the same chips, hard drives, computers, and protocols that go into a Boeing 737 and an F-35, a container ship versus a destroyer, a ground combat vehicle, like a Stryker, or an Abrams tank and a locomotive. They are the same components.”

And the leap from digital components to control systems is not that big.

“So you have dozens of these little electronic control units that usually do one of two things, maybe both,” he said. “They feel things, they feel temperatures and pressures and directions and that kind of stuff. They operate, they manipulate a device on the vehicle, okay, they, you know, open the fuel injector, they fire a piston, they unlock a door.”

While it remains to be seen whether these types of attacks will emerge as a significant threat to companies that transport freight, there is cause for concern even if no trucks are hacked yet.

While Lospinoso said the Biden administration is highly unlikely to use cyberattacks against Russian infrastructure, he fears that Russia does not share that hesitation.

“We have seen in various circumstances that they [Russia] have taken a much more aggressive stance towards the use of cyberattacks against critical infrastructure,” he said.

The United States blamed Russia for the notorious NotPetya ransomware attack in 2017. The attack took down Ukraine’s power grid among other targets in the country. It also crippled the global operations of shipping giant Maersk, costing the company $300 million.

Even if the United States and Russia avoid direct cyberwarfare, several ransomware groups are known to cooperate with the Russian government or operate with its consent. One notorious group, Conti Lockbit, has publicly sided with Russia, stating, “If anyone decides to mount a cyberattack or war activities against Russia, we will use all our resources possible to retaliate against an enemy’s critical infrastructure.”

In the last year alone, ransomware gangs themselves have done great harm to the US and global supply chain in their efforts to make money. There were the high-profile attacks on Colonial Pipeline, JBS Foods and Marten Transport. Rail operators CSX and OmniTRAX were also affected, though with no significant impact on operations.

In January, the Russian Federal Security Service announced that it had arrested suspected members of REvil, the ransomware gang behind the Colonial and JBS attacks. Lospinoso questioned the motives behind the arrests, saying they were probably for show. He expects the Russian government to continue to use cybercriminals to launch attacks in line with its strategic interests.

“In these geopolitical conflicts, they like plausible deniability,” Lospinoso said of the Russian government.

More FreightWaves articles by Nate Tabak.