U.S.-based satellite telecommunications and logistics company ORBCOMM recently revealed that a ransomware attack was the root cause of an incident that disrupted trucking fleet management systems. The responsible threat actors have not been identified, and the full extent of the attack’s impact on the flow of goods in the U.S. remains to be seen. Following the ORBCOMM attack, Cybersixgill detected ORBCOMM portal credentials advertised on a popular cybercrime marketplace.
THE HEADLINE
On September 15, 2023, satellite telecommunications and logistics giant ORBCOMM[1] announced that a ransomware attack was the ultimate cause of a disruptive incident initially disclosed a week earlier. Specifically, two of ORBCOMM’s products experienced service outages that affected major trucking companies’ ability to manage their fleets. While the company did not specifically address supply chain[2] interruptions, the effects of attacks on logistics and transportation companies can ripple through multiple industries and geographic locations.
The ORBCOMM outages began on September 6, 2023, when customers communicated that they were unable to use the company’s products to track inventory en route to partners. Concurrently, truck drivers reported that they were unable to use ORBCOMM’s Blue Tree[3] Electronic Logging Devices[4] (ELD), which keep track of drivers’ hours in compliance with federal safety regulations. Due to the outage, truckers resorted to paper logs, receiving a special waiver from the U.S. Federal Motor Carrier Safety Administration (FMCSA) issued in response to the outage (expiration September 29, 2023).
As of September 15, 2023, ORBCOMM acknowledged that a ransomware attack had impacted its FleetManager platform and Blue Tree product line, which apparently affected customers’ ability to monitor transportation assets. According to ORBCOMM, all of its other systems and services remained completely operational. Reports on a leading open-source intelligence (OSINT) news site stated that the outage affected some of the largest U.S. freight transportation companies, preventing them from tracking truck fleets and inventory in transit.
No specific ransomware operation was identified as the attacker, nor did ORBCOMM release any details about the ransom demanded. In general, the U.S. Federal Bureau of Investigation (FBI) does not recommend paying ransoms. Such payments don’t guarantee the return of stolen data, but they can incentivize additional attacks on the same victim. Cybersixgill did not observe any threat actors taking credit for the ORBCOMM attack on dedicated leak sites[5] (DLS).
Organizations in the transportation industry remain attractive targets for ransomware gangs due to the centrality of this sector to the economy at the local, national, and global levels. Because the sector is responsible for moving goods, no developed economy can function without a robust transportation sector. As a result, ransomware attacks on this sector can have repercussions well beyond the specific victims, disrupting supply chains, commerce, healthcare, and travel. Ultimately, ransomware attacks against major transportation and logistics organizations can cause severe financial damage.
DIVING DEEPER
While investigating the attack on ORBCOMM, Cybersixgill observed credentials for what appear to be internal portals, which were advertised on a popular black market site. In one of the posts, Cybersixgill observed a highly active threat actor advertising logs for an ORBCOMM portal used by customers of the company. These credentials were initially harvested using a well-known information stealer written in the C programming language, which is advertised on Russian-language cybercrime forums and licensed using the Malware-as-a-Service[6] (MaaS) model.
Based on the information requested on the login page of the portal associated with these credentials, it appears to be a customer portal. This means that a customer's machine was likely compromised and infected with the stealer malware at some point. Once threat actors gain unauthorized access, they may be able to steal customer data, which could potentially be used for extortion or resold to other threat actors. As such, protecting login credentials is critical to preventing unauthorized access and cyber attacks.
In addition to the credentials in the post discussed above, Cybersixgill also observed an advertisement for what appeared to be login credentials for a portal related to an ORBCOMM satellite communications platform. The service is designed for tracking and monitoring assets in remote areas where traditional cellular or terrestrial communication networks are unavailable. While it is unclear from the login page which customer data can be reached from this portal, it is possible that sensitive data is available.
TAKEAWAYS
The recent attack on ORBCOMM demonstrates the ultimate danger of cyber attacks on transportation, logistics, and telecommunications industry victims. In this case, the attack caused service outages that may have resulted in supply chain interruptions. In light of the dangers associated with such attacks, all organizations should implement the following security measures and practices to avoid being the target of a data breach:
Enable multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
Create data copies and backups on external servers that are isolated from the business network, and build a dedicated incident response team to work closely with staff and quickly mitigate emerging risks.
Limit health record access to specialists who require it to perform their jobs.
Evaluate the risks of all third-party vendors, contractors and partners that manage data by monitoring assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
[1] ORBCOMM provides satellite and cellular-based communication services to remotely track, monitor, and manage assets, vehicles, and equipment. ORBCOMM’s products are used in multiple industries and sectors, including transportation, government, natural resources, supply chain logistics, warehousing/inventory, and maritime.
[2] Last year, for example, Japan-based auto manufacturer Toyota was forced to interrupt production at 14 of its facilities after one of its primary suppliers suffered a major IT failure.
[3] Blue Tree is an ORBCOMM subsidiary that provides transportation management solutions for trucks and trailers in North America, the European Union, United Kingdom, Australia, and New Zealand.
[4] Truckers can only use paper logs for eight days out of every 30-day period, and must otherwise use Electronic Logging Devices (ELD), which are digital tools for automatically recording and managing a commercial driver’s hours of service.
[5] A dedicated leak site (DLS) is a website on which threat actors publish stolen data during ransomware attacks when victims do not pay. This strategy is part of the double extortion technique implemented by cyber criminals to maximize the odds of receiving payment from the victims.
[6] Malware-as-a-service (MaaS) offers malware for sale or rent to cybercriminals of all proficiency levels, who can then use it to launch attacks on targeted systems.