Exclusive: Ransomware attacks on U.S. supply chain are undermining national security, CBP bulletin warns

Ransomware attacks on the supply chain are undermining national security, according to a U.S. Customs and Border Protection intelligence bulletin obtained by Yahoo News, and will cause further congestion at ports of entry and delays in shipping nationwide.

Hackers and ransomware groups are targeting American logistics and shipping companies, the bulletin states, and the ongoing attacks threaten to cripple the already strained supply chain, limiting customs enforcement capabilities and undermining national security.

“Cybercriminals are targeting multibillion-dollar industries, including the logistics supply chain to make a profit, disrupt international economies and trade, and cause social, economic and potentially political instability,” states the CBP bulletin, which is dated March 7.

On Monday, President Biden announced new measures to defend against the threat of cyberattacks from Russia.

President Biden at the Eisenhower Executive Office Building on Friday. (Ken Cedeno/Bloomberg via Getty Images)

“There is now evolving intelligence that Russia may be exploring options for potential cyberattacks,” the White House said in a press release, announcing several cybersecurity measures.

“The President has launched public-private action plans to shore up the cybersecurity of the electricity, pipeline, and water sectors and has directed Departments and Agencies to use all existing government authorities to mandate new cybersecurity and network defense measures,” the White House announced.

“Internationally, the Administration brought together more than 30 allies and partners to cooperate to detect and disrupt ransomware threats, rallied G7 countries to hold accountable nations who harbor ransomware criminals, and taken steps with partners and allies to publicly attribute malicious activity.”

The CBP bulletin mentions last year’s ransomware attack on a major German-based logistics firm, last month’s attack on a Swiss airport management service and two German oil suppliers. BlackCat, the Russian ransomware group behind last year’s Colonial Pipeline attack, “is likely behind these events,” the alert says, citing an analysis of ransomware attacks from January 2021 through February 2022.

The bulletin focuses in part on the recent cyberattack on Expeditors International, the Seattle-based freight forwarding company that is the sixth largest in the world. On Feb. 20, the company announced an unspecified cyberattack forcing a shutdown of its computer systems.

The document stops short of saying who is behind this attack, but it does detail the threat posed by BlackCat.

Expeditors International of Washington state was the victim of a recent cyberattack. (Igor Golovniov/SOPA Images/LightRocket via Getty Images)

“The recent cyberattack on Expeditors International will likely exacerbate current issues with global trade and supply chains,” the bulletin states. Expeditors International is a member of CBP’s Customs-Trade Partnership Against Terrorism and “facilitate[s] every aspect of transportation, from storing products to ensuring safe and legal passage through customs,” the bulletin notes.

“Ransomware persists to be the most common and destructive form of cyberattacks, allowing malicious entities to threaten data leaks on illicit markets, and expose information on critical infrastructure,” the bulletin states. “Large-scale attacks on the logistics industry pose the risk of increased illicit activity through ports of entry due to the shutdowns of computer systems which are essential to CBP processing and security procedures.”

While U.S. officials have been bracing for potential Russian-based cyberattacks on U.S. banks or critical infrastructure, cybersecurity and intelligence officials have been focused on recent and ongoing ransomware attacks by groups tied to or acting in support of the Kremlin. Those attacks have targeted the U.S. supply chain, according to law enforcement and intelligence documents and cybersecurity and intelligence officials.

The attacks against manufacturing and logistics companies come amid growing concern that Russian oligarchs and government officials could be using ransomware payments to evade sanctions imposed by the U.S. The Justice Department turned up the heat with its March 2 launch of Task Force KleptoCapture, which is aimed at seizing yachts and other assets of those sanctioned.

“The Justice Department will use all of its authorities to seize the assets of individuals and entities who violate these sanctions,” said Attorney General Merrick Garland. “We will leave no stone unturned in our efforts to investigate, arrest, and prosecute those whose criminal acts enable the Russian government to continue this unjust war. Let me be clear: If you violate our laws, we will hold you accountable.”

On March 7, the Treasury Department sent an alert warning financial institutions that Russian oligarchs and government officials may be using ransomware payments to skirt U.S. sanctions.

Attorney General Merrick Garland. (Leigh Vogel/Abaca/Bloomberg via Getty Images)

“Everyone talks about critical infrastructure and financial as the two major areas that Russia would attack, and that’s potentially true in a military conflict sense, but when you want to nail the United States, you go after manufacturing, you go after the supply chain, you go after those types of endeavors because it’s going to start to have a major impact on your economy, and that’s where we see a lot of these ransomware groups targeting,” said David Kennedy, a former NSA hacker who is currently the CEO of TrustedSec, a company providing incident response for Russia-based ransomware attacks.

“There’s a lot going on right now, and a lot of the ransomware groups that operate out of Russia are actually targeting a lot of the companies here in the United States ... and they’re basically a wing or extension of the Russian military side of the house,” Kennedy told Yahoo News.

The CBP bulletin warns that the ransomware attack on Expeditors International will have a potentially dramatic impact on the global economy.

“Since Expeditors International has a presence in 100 countries and provides critical logistics and customs services for airfreight and maritime shipping, the effects of the cyberattack are likely to have a detrimental economic impact on the greater supply chain. This attack is likely to intensify congestion at U.S. ports, and pose risks for customs enforcement capabilities,” the bulletin states.

With computer systems disabled, terrorists or criminals could smuggle in illicit goods, the bulletin states.

“Basically when it’s down, it’s down, we have no clue who or what is coming or going and no real way to check,” a CBP official with direct knowledge of the impact of the Expeditors attack said of the company’s disabled computer systems. “[We] don’t know who or what is coming or going, flying blind so to speak, and that is really, really bad.”

The attack on Expeditors also raises questions about the ability of CBP and DHS to secure the supply chain.

A Department of Homeland Security patch
Ramin Talaie/Corbis via Getty Images

Membership in CBP’s trade partnership is granted to a company only after an extensive application process and is given only to companies deemed most secure and low risk, according to CBP’s website.

It’s unclear how the hackers breached the network security at Expeditors International or why CBP’s security standards did not prevent the attack.

CBP declined to comment, citing policy not to speak about products categorized as Law Enforcement Sensitive such as the March 7 bulletin.

Expeditors International has not said if this attack was ransomware, but the CBP bulletin references a ransom note and communications between the company and the group holding its data hostage. Expeditors International did not return Yahoo News’ phone calls requesting comment. The company has provided updates on the cyberattack on its website. The most recent, dated March 13, notes that the company is working with law enforcement and has made some progress putting aspects of its business back online.

“We continue to make further meaningful restoration and related progress with our business continuity plan coordinating our operations,” the statement posted to the company’s website says. “Systems resumption will continue to expand this week and into the next few weeks, barring unforeseen circumstances. Our cooperation with law enforcement and collaboration with private sector security organizations continues in an effort to prevent future attacks. We are overwhelmed by the perseverance and encouragement throughout and beyond our network.”

The CBP bulletin also cites a November report by cybercrime intelligence firm Intel471, which warned that cybercriminals were trying to sell network access to critical infrastructure and technology systems, access that buyers could use to deploy ransomware and steal data.

A hacker at work.

Greg Otto, who wrote the blog post referenced in the CBP bulletin, told Yahoo News he’d seen cybercriminals on the dark web claiming to sell credentials to U.S. freight forwarding companies in recent months.

“With how bad the supply chain is across the world right now, for any big logistics company — especially one that does shipping overseas — an attack like this couldn’t come at a worse time,” Otto said. “If you can’t have access to your IT systems, which track your inventory, which track manifest logs, then you could have no idea what’s in some of those containers or what gets added or taken off, so it’s a ripe area for criminal exploitation.”

Otto has seen an uptick in interest by cybercriminals hawking credentials purportedly to companies involved in aspects of the supply chain. He said there are often a few months between when he sees credentials pop up online and news that a company has been hit by a cyberattack.

It’s critical that companies take aggressive steps to secure their networks, Otto said, including checking to see if credentials are being sold on the dark web, and taking more basic steps to fortify known vulnerabilities.

The CBP bulletin and a separate Department of Homeland Security alert from last week stated that companies are failing to keep up with security issues and are not patching systems or conducting proper defensive security measures.

The seal of the U.S. Department of Homeland Security. (Marco Bello/Reuters)

“Hackers take advantage of known vulnerabilities in computer and network systems. Several companies have either failed to address or adapt to security shifts to get ahead of cybercriminal capabilities. Targeted sectors include, but are not limited to, construction and engineering, retail, commercial services, insurance, transportation, telecommunications, and pharmaceuticals,” the CBP bulletin states.

Cyber groups now have the capability to wipe or reformat backup systems, the bulletin states, including at “billion-dollar industries such as oil companies or logistics enterprises.”

“As a result, it is likely that it will take considerably longer for companies to defend against, and resolve, ransomware attacks, thus undermining national security, CBP services and economic prosperity,” the bulletin states.

DHS Secretary Alejandro Mayorkas referenced vulnerability to cyberattacks during a Thursday call with reporters and noted that ransomware attacks last year increased 300% from the year before.

A March 11 DHS bulletin echoed those concerns, warning that cybercriminal groups and nation-state hackers, including groups operating in Russia and operations carried out by the Russian government itself, are exploiting known vulnerabilities to steal data for later use in ransomware attacks.

The bulletin focuses on a specific vulnerability in the Log4j logging library, which it notes Russia exploited in its January attacks on websites in Ukraine.

“In January 2022, suspected Russian cyber actors exploited the Log4j vulnerability to conduct disruptive and destructive operations against Ukraine, including distributed denial-of-service attacks, wiper malware deployment, and the defacement of multiple Ukrainian Government websites,” the DHS bulletin notes. “Russia also uses common vulnerabilities to compromise critical infrastructure in the United States and allied and partner countries and, in some cases, possibly to demonstrate its ability to damage infrastructure in a crisis.”