Cyber threats targeting the global transport and logistics sector intensified sharply in 2025, with ransomware attacks more than doubling compared to previous years, according to a new threat landscape assessment from Cyble Inc.
Cyble’s Transport & Logistics Threat Landscape Report 2025 recorded 283 ransomware incidents affecting airlines, shipping companies, freight operators and logistics providers—exceeding the combined total observed in 2023 and 2024. Alongside ransomware, the report highlighted major data breaches, hacktivist campaigns and a growing underground market for compromised network access, underscoring the sector’s increasing exposure to cyber risk.
According to Cyble’s researchers, attackers are capitalising on the industry’s low tolerance for downtime, its dependence on operational technology (OT), and the interconnected nature of global supply chains to maximise disruption and financial impact.
“The transport and logistics sector has become a prime target for cybercriminals because operational disruption translates directly into economic and societal impact,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. “In 2025, we observed ransomware campaigns capable of crippling airlines, shipping firms, and ground logistics providers within hours, often by exploiting a single vulnerability across dozens of organisations.”
Concentration of ransomware activity
The report found that ransomware activity remained consistently high throughout the year, driven largely by a small number of highly active ransomware-as-a-service (RaaS) groups. Four operations—CL0P, Qilin, Akira and Play—were responsible for 57% of all recorded ransomware incidents in the sector.
CL0P alone accounted for nearly a quarter of all attacks, primarily through campaign-driven exploitation of widely used vulnerabilities. Cyble noted that this concentration highlights the disproportionate impact a limited number of sophisticated threat actors can have on critical infrastructure sectors.
Land transport bears the brunt
Land-based transport operations were the most affected, accounting for nearly three out of every four ransomware incidents. Logistics and freight services emerged as the most targeted sub-segment, though the impact extended across airlines, maritime shipping firms, trucking companies, rail operators and public transit authorities.
According to the report, this breadth of targeting reflects the systemic risk facing both commercial supply chains and public infrastructure, where even short disruptions can have cascading economic effects.
Data breaches expose sensitive records
Beyond ransomware, Cyble documented a steady stream of data breaches throughout 2025. These incidents ranged from large-scale compromises by persistent threat actors to opportunistic data leaks and sales on underground forums.
Notable cases included a breach affecting approximately six million customers of Qantas, exposing personal information such as names, email addresses and frequent flyer numbers, as well as an alleged logistics platform breach involving more than seven million user records offered for sale online. Courier and postal services across Europe and Asia were also repeatedly targeted, exposing customer data and operational details.
The report noted that government agencies, airlines and supply chain firms remain attractive targets due to the volume and sensitivity of the data they process.
Underground access markets and cyber-enabled cargo theft
Cyble’s analysis also identified a fragmented but active underground market for initial access to transport and logistics networks. Threat actors were observed selling VPN, firewall and internal system access, which often served as entry points for ransomware deployment, espionage or financially motivated attacks.
In addition, the report highlighted emerging cases of cyber-enabled cargo theft, where attackers exploited weaknesses in GPS systems, remote monitoring tools and OT environments to facilitate physical theft or operational sabotage—blurring the line between cybercrime and real-world disruption.
Exploitation of zero-day vulnerabilities
A significant driver of large-scale attacks in 2025 was the exploitation of zero-day and known high-severity vulnerabilities, particularly in perimeter devices and enterprise software. Cyble found that many of the vulnerabilities exploited carried CVSS scores of 9.0 or higher, enabling unauthenticated remote code execution and rapid lateral movement.
Frequently targeted technologies included products from Microsoft, Cisco, Fortinet, Apple, Ivanti and Citrix, reflecting attackers’ focus on widely deployed enterprise platforms.
Hacktivism adds geopolitical dimension
Hacktivist activity reached what Cyble described as unprecedented levels in 2025, with more than 40,000 data leak and dump posts affecting over 44,000 unique domains globally. The transport and logistics sector featured prominently in campaigns linked to geopolitical conflicts.
The report cited a destructive cyberattack against a major Russian airline that led to flight cancellations and infrastructure damage as an example of how politically motivated cyber activity can directly disrupt aviation and logistics operations.
A sector under sustained pressure
Taken together, the findings suggest that cyber risk in the transport and logistics sector is no longer episodic but sustained. With ransomware, data theft, access brokerage and hacktivism converging, the industry faces a complex threat landscape where cyber incidents can quickly escalate into large-scale operational and economic disruptions.
For organisations operating in global supply chains, the report underscores the need to strengthen vulnerability management, incident response readiness and OT security, as attackers continue to exploit the sector’s critical role in global commerce.