In a new cyber threat campaign, attackers are using remote monitoring and management tools to actually steal physical cargo out of the trucking and freight supply chain.
November 3, 2025

Threat actors are using remote monitoring and management (RMM) tools to compromise trucking and freight companies, all in an effort to steal physical cargo.

That's according to researchers from Proofpoint, which today published research describing how unnamed attackers compromise trucking and freight companies to bid on cargo shipments before stealing them. The hackers then ship this cargo overseas or sell it online, working with organized crime groups all the while.

Since at least June 2025 and possibly going back months further, threat actors would compromise an account for a broker load board, which is used to book loads for trucking companies. The threat actors would then publish a fake listing for a load, and reply with phishing links to the freight carriers that respond. Once attackers successfully phish a trucking company, they install remote access tools, bid on real truck loads to transport, and subsequently intercept the cargo from those real jobs.

As cargo theft leads to an estimated $35 billion in losses each year, this kind of attack poses a risk to the supply chain unlike that commonly seen in cybersecurity research. That's not to say it's unheard of, however; Proofpoint published research surrounding a similar campaign in September 2024, though the security vendor was unable to tie the threat actors from those attacks to this more recent cluster.

In this campaign, the threat actors utilized a range of RMM tools to compromise victims, including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. Although not all tools were utilized in every single attack, Proofpoint said some attacks would utilize multiple tools in tandem (such as using PDQ Connect to download ScreenConnect and SimpleHelp).

Hackers would get to this point through multiple means. Besides obtaining accounts on load boards, attackers would compromise email accounts and hijack ongoing threads with malicious links. Other times, the attackers would simply target carriers via direct phishing email campaigns. Broadly speaking, the threat cluster isn't picky with its targets.

"Based on campaigns observed by Proofpoint, the threat actor does not appear to attack specific companies, and targets range from small, family-owned businesses to large transport firms as described above," the report read. "The threat actor appears to be opportunistic about the carriers that it targets and will likely attempt to compromise any carrier who responds to the fake load posting."

Once they have an initial foothold, the threat actor conducts additional reconnaissance with the goal of deepening access within target environments. The ultimate goal is to compromise a legitimate freight carrier and, as Proofpoint explained, "identify and bid on loads that are likely to be profitable if stolen."

Ole Villadsen, staff threat researcher at Proofpoint and co-author of the report, tells Dark Reading that cargo is physically stolen in a few different ways. When hackers maliciously take ownership of a load, sometimes the truckers are working directly with the criminals.
Other times, the criminals use a technique known as "double brokering," where loads are resold to a legitimate trucking company that believes it is transporting goods legitimately.

"In all cases, these operations require people to be physically present to get their hands on the goods, and the goods will be delivered to a location or warehouse controlled by the criminals," Villadsen says. "We have also observed other types of cyber-enabled physical goods theft in which thieves will get goods shipped or delivered to warehouses or locations owned by mules to take delivery of the stolen goods and then resell them or further ship them overseas."

At a time when the global supply chain is constantly stressed due to geopolitical, economic, and technological reasons, any additional threat to its stability is worth taking note of. Dark Reading asked Proofpoint about the scale of the threat that cyber-assisted cargo theft poses to the supply chain. Selena Larson, staff threat researcher at Proofpoint and co-author of the report, explains that while the firm lacks precise numbers, "its effects are widespread and disruptive across the entire surface transportation supply chain."

"Cyberattacks targeting transportation companies can interrupt individual shipments, leading to increased costs for shippers, while also delaying the delivery of goods and services," Larson says. "These disruptions often result in insurance claims, which can drive up premiums, costs that are ultimately passed on to consumers. Beyond the financial toll, cyber-enabled theft erodes trust within the supply chain, as organizations may hesitate to engage with partners who have previously been compromised."

Proofpoint suggests that organizations at risk of cargo theft review the National Motor Freight Traffic Association Cargo Crime Reduction Framework.
For all organizations attempting to fight RMM abuse, the vendor recommends restricting the download and installation of RMM tooling not approved by the organization's IT administrators, implementing network detections, refraining from downloading executable files delivered via email from external senders, and training users to identify and report suspicious activity.

Alexander Culafi, Senior News Writer, Dark Reading
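
The recommendation above to restrict RMM tooling not approved by IT administrators can be checked against a software inventory. The following is an added example, not code from the article or from Proofpoint: it flags hosts carrying any of the RMM products named in the article that are not on an approved list, and raises severity when several appear on one host, as in the tandem use the report describes. The inventory rows, host names, approved list, and substring matching are assumptions made for illustration.

```python
from collections import defaultdict

# RMM products named in the article, matched as case-insensitive substrings of
# an inventory display name (the matching strategy is an assumption).
RMM_PRODUCTS = {
    "ScreenConnect": ("screenconnect",),
    "SimpleHelp": ("simplehelp",),
    "PDQ Connect": ("pdq connect", "pdqconnect"),
    "Fleetdeck": ("fleetdeck",),
    "N-able": ("n-able",),
    "LogMeIn Resolve": ("logmein resolve",),
}

# Hypothetical policy: the only RMM product this organization's IT team approves.
APPROVED = {"N-able"}

# Constructed inventory rows: (host, installed software display name).
INVENTORY = [
    ("dispatch-01", "N-able Agent"),
    ("dispatch-01", "Mozilla Firefox"),
    ("dispatch-02", "PDQ Connect Agent"),
    ("dispatch-02", "ScreenConnect Client (constructed-id)"),
    ("dispatch-02", "SimpleHelp Remote Access"),
    ("billing-01", "LogMeIn Resolve"),
    ("billing-02", "7-Zip"),
]

def identify_rmm(display_name):
    """Return the RMM product a display name refers to, or None."""
    name = display_name.lower()
    for product, needles in RMM_PRODUCTS.items():
        if any(needle in name for needle in needles):
            return product
    return None

def audit(inventory, approved):
    """Map each host to its unapproved RMM products and a severity."""
    found = defaultdict(set)
    for host, display_name in inventory:
        product = identify_rmm(display_name)
        if product and product not in approved:
            found[host].add(product)
    # More than one unapproved tool on a host is treated as higher severity.
    return {
        host: {"tools": sorted(tools),
               "severity": "high" if len(tools) > 1 else "medium"}
        for host, tools in found.items()
    }

if __name__ == "__main__":
    for host, finding in sorted(audit(INVENTORY, APPROVED).items()):
        print(host, finding["severity"], ", ".join(finding["tools"]))
```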