ENISA reports ransomware attacks ‘most prominent’ threat against transport sector, as attacks by hacktivists rise

With attacks nearly doubling from 13 percent in 2021 to 25 percent in 2022, ransomware has emerged as the most significant threat to the transportation industry, the European Union Agency for Cybersecurity (ENISA) revealed in its initial cyber threat landscape report on the transport sector. These attacks are closely followed by data-related threats, such as breaches and leaks, as cybercriminals target credentials, employee and customer data, and intellectual property for profit. The attacks are considered opportunistic in nature.

The ENISA report aims to bring new insights into the reality of the transport sector by mapping and studying cyber incidents from January 2021 to October 2022. It identifies prime threats, actors, and trends based on the analysis of cyberattacks targeting aviation, maritime, railway, and road transport over a period of almost two years. 

During this reporting period, ENISA reported that it did not receive reliable information on a cyberattack affecting the safety of transport. The majority of attacks on the transport sector target information technology (IT) systems. Operational disruptions can occur as a consequence of these attacks, but operational technology (OT) systems are rarely targeted. However, it warned that ransomware groups will likely target and disrupt OT operations in the foreseeable future.

The prime threats identified during the period include ransomware attacks at 38 percent; data-related threats at 30 percent; malware at 17 percent; denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks at 16 percent; phishing/spear phishing at 10 percent; and supply-chain attacks at 10 percent. ENISA also said that the hackers with the biggest impact on the sector were state-sponsored actors, cybercriminals, and hacktivists.

“Transport is a key sector of our economy that we depend on in both our personal and professional lives,” Juhan Lepassaar, executive director at EU Agency for Cybersecurity, said in a media statement. “Understanding the distribution of cyber threats, motivations, trends, and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.”

Cybercriminals are the main actors responsible for attacks on the transport sector (54 percent of the total number of incidents) and they target all subsectors, the ENISA report revealed. They use the ‘follow the money’ philosophy in their modus operandi. Almost two-fifths of the total number of incidents attributed to cybercriminals targeted two sectors: aviation and road transport.

“During the reporting period, 18% of cybercriminals targeted the aviation sector (primarily airports and airlines and their customers) and 19% targeted the road sector (primarily the automotive industry),” ENISA reported. “Likewise, the motivation behind attacks on these two sectors was primarily financial gain (11% and 13% of the total number of incidents, respectively), as the aviation and automotive industries are considered to be the more lucrative ones for cybercriminals. The attacks are considered opportunistic in nature, as we have not observed known groups targeting the transport sector exclusively.”

One-fourth of the attacks are linked to hacktivist groups (23 percent), with the motivation of their attacks usually being linked to the geopolitical environment and aiming at operational disruption or guided by ideological motivation, ENISA reported. These hackers mostly resort to DDoS attacks and largely target European airports, railways, and transport authorities. The rates of these attacks are focused on specific regions and are affected by current geopolitical tensions.

ENISA also observed that hacktivists have claimed responsibility for attacks on the railway (8 percent) and aviation (6 percent) sectors, and this has to do mainly with attacks linked to Russia’s military aggression against Ukraine. “In particular, these types of attacks make up almost one-tenth of the total number of incidents that aimed at operational disruption in the railway sector. State-sponsored actors were more often attributed to targeting the maritime sector or targeting government authorities of transport,” it added. 

Contrary to ransomware, ENISA observed a decline in malware incidents in 2022 compared to 2021, dropping from 11 percent to 6 percent. 

Threat actors will increasingly conduct ransomware attacks with motivations that are not only monetary, such as the ransomware attack by Belarusian hacktivists against the Belarusian state railway in January 2022. “Hacktivists will likely be attracted by the effectiveness and the impact that ransomware attacks can have and the media attention they attract. The scale and sophistication of hacktivists’ ransomware operations are not expected to be as high as the ones conducted by cybercriminals. Finally, governmental organisations are very likely the primary targets of hacktivists’ ransomware operations,” the report added.

ENISA also reported that both the increased hacktivist activity and the increasing rate of DDoS attacks targeting the transport sector are likely to continue.

The report said that it observed an increase in DDoS attacks in 2022, which is mostly linked to recent activity by hacktivists. The rates of these attacks are focused on specific regions and are affected by current geopolitical tensions, with selected incidents in all transport sectors attributed to hacktivism. The motivation was primarily operational disruption and ideological.

ENISA also said that the aviation sector is facing multiple threats, with data-related threats being the most prominent, coupled with ransomware and malware. Customer data of airlines and proprietary information of original equipment manufacturers (OEM) are the prime targeted assets of the sector. In 2022, there has been a rise in the number of ransomware attacks affecting airports. Fraudulent websites impersonating airlines have become a significant threat in 2022. 

The maritime sector experiences ransomware, malware, and phishing attacks targeted toward port authorities, port operators, and manufacturers, the ENISA report disclosed. State-sponsored attackers often carry out politically motivated attacks leading to operational disruptions at ports and vessels. 

The proliferation of cybersecurity incidents in ports over the last few years, such as the cyberattack on Antwerp port, the NotPetya ransomware incident and its impact on Maersk, and the wave of ransomware attacks on the Port of Barcelona and San Diego, has led to a change in the sector’s cyber risk profile, ENISA reported. “Attacks in the maritime domain are often politically motivated and perpetrated by state-sponsored attackers. During 2021 and 2022, a few notable cases of activities linked to state actors were reported. These attacks indicate the interest of state-sponsored actors to cause operational disruption by targeting ports and vessels.”

The railway sector also experiences ransomware and data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies at an increasing rate, primarily due to Russia’s invasion of Ukraine. The road transport sector faces predominantly ransomware attacks, followed by data-related threats and malware. 

“The majority of the attacks observed targeted the IT systems of railways (passenger services, ticketing systems, mobile application, display boards, etc.) and caused disruptions due to the unavailability of these services,” ENISA reported. “Examples include the ransomware attacks targeting Skånetrafiken (August 2021) and Ferrovie dello Stato Italiane (March 2022), which resulted in customers not being able to buy tickets following infections to IT systems. The only cases where OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable.”

The report also revealed that DDoS attacks were on the rise in 2022, reaching one-fifth of the attacks on the railway sector, primarily due to the increased hacktivist activity which followed Russia’s unprovoked invasion of Ukraine. Hacktivist elements with pro-Russian/anti-NATO sentiments have been conducting DDoS attacks against railway companies. Examples include pro-Russia hacker groups claiming responsibility for attacks on railway transport operator CFR Calatori (April 2022), Lithuanian Railways (June 2022), Latvian passenger train company SJSC (June 2022), and Estonian Railways (August 2022).

The automotive industry, especially OEMs and tier-X suppliers, has been targeted by ransomware, leading to production disruptions, ENISA reported. Data-related threats primarily target IT systems to acquire customer and employee data as well as proprietary information. There is a limited number of cyber incidents that cannot be placed in one specific subsector. These include general campaigns targeting the whole transportation sector in particular countries. These campaigns are often attributed to hacktivists and state-sponsored actors and are linked to geopolitical tensions.

ENISA also reported that there were a limited number of cyber incidents that cannot be placed in one specific subsector. “These include general campaigns targeting the whole transportation sector in particular countries. These campaigns are often attributed to hacktivists and state-sponsored actors and are linked to geopolitical tensions. Moreover, there are also incidents where attackers directly target transport agencies. Examples include incidents of impersonation, such as in the case of the US Department of Transport, which was the target of phishing attacks both in September 2021 and in September 2022,” it added.

The report assesses that hackers will increasingly conduct ransomware attacks with motivations that are not only monetary, and that hacktivists will likely be attracted by the effectiveness and the impact that ransomware attacks can have and the media attention they attract. The scale and sophistication of hacktivists’ ransomware operations are not expected to be as high as the ones conducted by cybercriminals. Finally, governmental organizations are very likely the primary targets of hacktivists’ ransomware operations.

“The significant increase in hacktivist activity, which followed Russia’s unprovoked invasion of Ukraine, and the increasing rate of DDoS attacks are highly likely to continue,” ENISA reported. “Hacktivist elements with pro-Russian/anti-NATO sentiments have been conducting DDoS attacks. These attacks targeted several European nations, perceived by the groups to be assisting Ukraine in its war effort. This increasing volume of DDoS attacks against the European transport sector was primarily observed in Q2 and Q3 2022. The main targets were European airports, railways, and transport authorities.”

ENISA also identified that the majority of attacks on the transport sector target IT systems and can result in operational disruptions. However, “we have not received reliable information on a cyber-attack affecting the safety of transport.” 

Ransomware groups will likely target and disrupt OT operations in the foreseeable future, ENISA said. The report identified that the factors contributing to this assessment include the ongoing digital transformation in the transport sector and the increased connectivity between IT and OT networks, increased urgency to pay ransom to avoid any critical business and social impact, and ongoing rebranding of ransomware groups, which increases the chances of malware blending and the development of capabilities to target and disrupt OT networks. 

It also identified, as contributing factors, Russia’s military aggression against Ukraine, with ransomware groups taking sides and likely to conduct retaliatory attacks against critical western infrastructure, and the increase in the number of newly identified vulnerabilities in OT environments.

“While we have not observed notable attacks on global positioning systems, the potential effect of this type of threat to the transport sector remains a concern. Jamming and spoofing of geolocation data could affect their availability and integrity, affecting transport sector operations,” the report disclosed. “This type of attack requires further analysis in the future.”

In July, ENISA released insights into the reality of ransomware incidents, based on mapping and studying ransomware incidents from May last year to June this year. The ransomware threat has adapted and evolved, becoming more efficient and causing more devastating attacks. As a result, businesses should be ready not only for the possibility of their assets being targeted by ransomware but also for their most private information being stolen and possibly leaked or sold on the Internet to the highest bidder.
