Remote Monitoring Tools Weaponized in Escalating Cargo Freight Hijacks


Threat actors are increasingly leveraging legitimate remote monitoring and management (RMM) tools to compromise trucking and freight companies. Their goal is to orchestrate the physical theft of cargo, posing a significant risk to global supply chains. This emerging trend, detailed in recent research by Proofpoint, highlights a sophisticated intersection of cyber intrusion and real-world logistics manipulation.

Since at least June 2025, and potentially earlier, these attackers have systematically targeted the logistics sector. They achieve this by infiltrating broker load boards and deploying phishing campaigns to gain access to victim systems. The ultimate goal is to hijack cargo shipments, which are then either shipped overseas or sold online. These operations often occur in collaboration with organized crime groups, contributing to an estimated annual loss of $35 billion from cargo theft.

Attack Methodology: From Phishing to Physical Theft

The attack methodology typically begins with threat actors compromising accounts on broker load boards—platforms used to book freight loads. Subsequently, they publish fraudulent load listings and respond to legitimate freight carriers with malicious phishing links. Successful phishing attempts lead to the installation of RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve on the victim’s network. In some instances, multiple RMM tools are used in tandem; for example, PDQ Connect might be used to download other tools. Beyond load board compromise, attackers also gain initial access through hijacked email threads containing malicious links or direct phishing campaigns targeting carriers, according to Proofpoint.

These threat actors are opportunistic, targeting a broad spectrum of carriers. This includes everything from small, family-owned businesses to large transport firms, rather than focusing on specific entities. Once an initial foothold is established, the attackers conduct reconnaissance within the compromised environment to identify and bid on profitable loads for theft. This strategy allows them to leverage legitimate operational procedures for illicit gain.

The Mechanics of Cargo Theft

The physical theft of cargo occurs through various means once a load is maliciously taken over. Ole Villadsen, staff threat researcher at Proofpoint, notes that in some cases, truckers may be directly colluding with the criminals. Other methods involve “double brokering,” where stolen loads are resold to unsuspecting, legitimate trucking companies who unknowingly transport the illicit goods. Villadsen further explained that “these operations require people to be physically present to get their hands on the goods, and the goods will be delivered to a location or warehouse controlled by the criminals.”

This form of cyber-assisted cargo theft creates widespread disruptions across the surface transportation supply chain. Selena Larson, staff threat researcher at Proofpoint, highlighted that while precise numbers are difficult to ascertain, the effects are significant. Cyberattacks against transportation companies can interrupt individual shipments, leading to increased costs for shippers and delayed deliveries. These disruptions frequently result in insurance claims, which subsequently drive up premiums that are ultimately passed on to consumers, eroding trust within the supply chain. The involvement of organized crime groups further complicates enforcement and recovery efforts.

Mitigating the Threat

To mitigate these evolving threats, Proofpoint recommends that organizations restrict the download and installation of RMM tools not officially approved by IT administrators. Implementing network detections, refraining from downloading executable files from external email senders, and conducting user training to identify and report suspicious activity are also crucial steps. Organizations vulnerable to cargo theft are encouraged to review the National Motor Freight Traffic Association Cargo Crime Reduction Framework. Adopting these robust cybersecurity measures is essential for the logistics sector to counter the ongoing evolution of these sophisticated cyber-physical attack tactics.
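One way to audit for RMM tools that IT has not approved is sketched below. This is an added example, not code from Proofpoint or from this article. The approved list, the IT account names and the inventory rows are constructed assumptions. Only the product names come from the article.

```python
from collections import defaultdict

# RMM products named in the article, matched case-insensitively as substrings
# of a software-inventory display name.
RMM_PRODUCTS = ["ScreenConnect", "SimpleHelp", "PDQ Connect",
                "Fleetdeck", "N-able", "LogMeIn Resolve"]
APPROVED = {"ScreenConnect"}   # assumption: the only RMM tool IT has approved
IT_ACCOUNTS = {"it-admin"}     # assumption: accounts allowed to install it

# Constructed inventory rows: (host, display name, installing account).
INVENTORY = [
    ("dispatch-01", "ScreenConnect Client", "it-admin"),
    ("dispatch-02", "PDQ Connect Agent", "jsmith"),
    ("dispatch-02", "SimpleHelp Remote Access", "jsmith"),
    ("dispatch-03", "Fleetdeck Agent", "mlee"),
    ("acct-01", "LibreOffice 24.2", "it-admin"),
    ("dispatch-04", "screenconnect client", "kdoe"),
]

def match_rmm(display_name):
    """Return the RMM product a display name refers to, or None."""
    low = display_name.lower()
    for product in RMM_PRODUCTS:
        if product.lower() in low:
            return product
    return None

def audit(inventory, approved=APPROVED, it_accounts=IT_ACCOUNTS):
    """Return (host, product, reason) findings for review by IT."""
    findings = []
    per_host = defaultdict(set)
    for host, name, account in inventory:
        product = match_rmm(name)
        if product is None:
            continue
        per_host[host].add(product)
        if product not in approved:
            findings.append((host, product, "unapproved RMM product"))
        elif account not in it_accounts:
            # An approved product name does not make the install approved.
            findings.append((host, product, "approved product installed outside IT"))
    # The article notes that several RMM tools may be used in tandem.
    for host, products in sorted(per_host.items()):
        if len(products) > 1:
            findings.append((host, ", ".join(sorted(products)),
                             "multiple RMM tools on one host"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```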