The European Union Agency for Cybersecurity (ENISA) has published its first cyber threat landscape report dedicated to the transportation sector. It maps and analyzes cyber incidents in relation to aviation, maritime, rail and road transportation covering the period of January 2021 to October 2022. In addition to the identification of prime threats and the analysis of incidents, the report includes an assessment of threat actors, an analysis of motivations driving their actions and introduces major trends for each sub-sector.
While ENISA’s data collection process prioritizes incidents that occur in the EU, global events are also included such as a number of attacks on the aviation sector and transportation authorities in the United States as well as hacktivist attacks on Russia.
ENISA lists the prime threats targeting the transportation sector as:
- ransomware attacks;
- data-related threats;
- denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks;
- phishing / spear phishing;
- supply-chain attacks.
Ransomware attacks have become the most prominent threat against the sector in 2022, with attacks having almost doubled, rising from 13% in 2021 to 25% in 2022. They are closely followed by data-related threats (breaches, leaks) as cybercriminals target credentials, employee and customer data as well as intellectual property for profit. The attacks are considered opportunistic in nature, as ENISA has not observed known groups targeting the transportation sector exclusively.
During the reporting period, the threat actors with the biggest impact on the sector were cybercriminals, hacktivists and state-sponsored actors. More than half of the incidents observed in the reporting period were linked to cybercriminals (55%) who apply the “follow the money” philosophy in their modus operandi.
Attacks by hacktivists are on the rise. One fourth of the attacks are linked to hacktivist groups (23%), with the motivation of their attacks usually being linked to the geopolitical environment and aiming at operational disruption or guided by ideological motivation. These actors mostly resort to DDoS attacks and mainly target European airports, railways and transportation authorities. These attacks are concentrated in specific regions and their frequency tracks current geopolitical tensions.
State-sponsored actors were more often linked to attacks on the maritime sector or on government transportation authorities. The latter fall under the ‘All transport’ category, which includes incidents targeting the transportation sector as a whole. This category therefore covers national or international transportation organizations of all subsectors as well as ministries of transportation.
Sector by sector
Faced with multiple threats, aviation contends with data-related threats as the most prominent, followed by ransomware and malware. Customer data of airlines and proprietary information of original equipment manufacturers (OEM) are the prime targeted assets of the sector. Fraudulent websites impersonating airlines have become a significant threat in 2022. In October 2022, the websites of major U.S. airports were disrupted due to a large-scale campaign of DDoS attacks, in which the pro-Russian hacker group Killnet flooded servers with web traffic to take websites offline.
The number of ransomware attacks affecting airports has increased. These included the August 2022 data breach when Accelya, a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many others, confirmed that company data was posted on a ransomware leak site.
Threats targeting the maritime sector include ransomware, malware, and phishing attacks targeted towards port authorities, port operators, and manufacturers. State-sponsored attackers often carry out politically motivated attacks leading to operational disruptions at ports and on vessels. In August 2021, the Port of Houston Authority was targeted by a cybersecurity attack which is believed to have originated from a nation-state actor. In October 2021, Microsoft reported that ‘Iran-linked’ hackers targeted U.S., EU and Israeli defense and maritime sectors with ‘password spray’ attacks.
For the railway sector, threats identified range from ransomware to data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Notable data thefts include the cases of OmniTRAX, MTA, Merseyrail, Norfolk Southern Railroads and Lokaltog A/S, where personnel and medical records were stolen. The case of OmniTRAX represents the first publicly known case of a double-extortion ransomware attack against a U.S. freight rail operator.
Hacktivist groups have been conducting DDoS attacks against railway companies at an increasing rate, which ENISA says is primarily due to Russia’s invasion of Ukraine. In January 2022 for example, hacktivists launched a ransomware attack on the Belarusian state-run train company in a bid to disrupt Russian troop movements. To achieve this, the group deployed modified ransomware to bring down the railway system and encrypted servers, databases and workstations belonging to the Belarusian railway service. Conversely, in August 2022 a pro-Russia hacker group known as the Cyber Army of Russia targeted the Ukrainian government’s Department of Transport Safety.
The threats in the road sector are predominantly ransomware attacks, followed by data-related threats and malware. The automotive industry, especially OEM and tier-X suppliers, has been targeted by ransomware which has led to production disruptions. In February 2022, Kia Motors America suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decrypter and to not leak stolen data. The attack was acknowledged in the public domain after Kia Motors America portals faced major outages and internal disruptions to its customer-facing systems across the country.
Data-related threats in the road sector primarily target IT systems to acquire customer and employee data as well as proprietary information. Notable cases of proprietary information being stolen or leaked include the attacks on Tesla and Volvo. In September 2021, Tesla’s ‘top-secret’ full self-driving AI car software, which enables Tesla cars to drive autonomously, was leaked, enabling hackers outside the U.S. to use this functionality. In December 2021, Volvo disclosed that unknown attackers had stolen R&D information by hacking some of their servers.
Directives herald a new era
ENISA says cyber attacks are rarely reported, especially those with non-significant impact or near misses. Most organizations prefer to deal with the problem internally and avoid bad publicity. Some countries have laws regulating the mandatory reporting of incidents, but in most cases a security attack is first disclosed by the attacker.
In the EU, the arrival of a revised directive and the enhanced notification provisions for security incidents is expected to support a better understanding of relevant incidents in future. In the U.S., the Transportation Security Administration (TSA) issued its own cybersecurity directives in October 2022 and March 2023 for rail and aviation respectively. These add to requirements for TSA-regulated operators to report significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency.