Hackers Shifting Focus to Logistics Companies

Trusted remote access tools and business systems are being infiltrated to pilfer logistics networks and steal cargo.

[Image: supply chain security illustration, credit istock.com/Metamorworks]

Recent findings from Proofpoint show that hackers are infiltrating freight companies in a bid to intercept cargo shipments arriving at U.S. ports so they can steal the inventory before it reaches stores. Due to their value and demand, Apple shipments are seen as amongst the most likely to be targeted.

A copy of the report is published by Proofpoint. Additional findings include:

  • Digital transformation has led to an increase in cyber-enabled theft.
  • Threat actors compromise these companies and use their access to bid on cargo shipments, to then steal and sell them.
  • The threat actors typically deliver remote monitoring and management (RMM) tools, aligning with the broader trend of cybercriminals adopting these as a first-stage payload across the threat landscape.

The threat cluster engaged in suspected cargo theft has been active since at least June 2025, though evidence suggests the group's campaigns began as early as January. The actor has delivered a range of RMM tools (or in some cases remote access software), including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve.

These RMMs/RAS are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView.
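As an added example (not code from the Proofpoint report or this article), the following Python rules run over constructed process-creation events and flag the chain described above: one RMM product spawning a different RMM's installer, reconnaissance commands launched from an RMM session, and WebBrowserPassView execution. The binary names, install paths and host names are assumptions for illustration; real product paths vary by version.

```python
# Added example: rules for the RMM delivery chain in constructed process-creation events.
# Lowercase path fragment -> product name; binary paths below are assumptions, not product facts.
RMM_FRAGMENTS = {
    "screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
    "pdqconnect": "PDQ Connect", "fleetdeck": "Fleetdeck",
    "n-able": "N-able", "logmein": "LogMeIn Resolve",
}
RECON_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "ipconfig.exe", "systeminfo.exe"}
CRED_TOOLS = {"webbrowserpassview.exe"}


def rmm_family(image):
    """Return the RMM product a process path belongs to, or None."""
    low = image.lower().replace(" ", "")
    for fragment, product in RMM_FRAGMENTS.items():
        if fragment in low:
            return product
    return None


def analyze(events):
    """events: (host, parent_image, image) tuples. Returns one hit per matching (event, rule)."""
    hits = []
    for host, parent, image in events:
        parent_rmm, child_rmm = rmm_family(parent), rmm_family(image)
        child_name = image.lower().rsplit("\\", 1)[-1]
        # Rule 1: one RMM installing a different RMM (PDQ Connect -> ScreenConnect/SimpleHelp).
        if parent_rmm and child_rmm and parent_rmm != child_rmm:
            hits.append({"host": host, "rule": "rmm_installs_rmm", "detail": f"{parent_rmm} -> {child_rmm}"})
        # Rule 2: host/network reconnaissance launched from an RMM session.
        if parent_rmm and child_name in RECON_TOOLS:
            hits.append({"host": host, "rule": "recon_from_rmm", "detail": f"{parent_rmm} -> {child_name}"})
        # Rule 3: browser credential harvester, whatever the parent process.
        if child_name in CRED_TOOLS:
            hits.append({"host": host, "rule": "credential_harvester", "detail": child_name})
    return hits


# Constructed telemetry: a compromised warehouse PC and an IT-managed PC with legitimate ScreenConnect.
SC = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"
PDQ = r"C:\Program Files\PDQ\PDQConnectAgent.exe"
SAMPLE_EVENTS = [
    ("WH-PC01", r"C:\Windows\explorer.exe", r"C:\Users\jdoe\Downloads\PDQConnectAgent-setup.exe"),
    ("WH-PC01", PDQ, r"C:\Windows\Temp\ScreenConnect.ClientSetup.exe"),
    ("WH-PC01", PDQ, r"C:\Users\jdoe\AppData\Local\SimpleHelp\Remote Access.exe"),
    ("WH-PC01", SC, r"C:\Windows\System32\whoami.exe"),
    ("WH-PC01", SC, r"C:\Windows\System32\nltest.exe"),
    ("WH-PC01", r"C:\Windows\System32\cmd.exe", r"C:\Users\jdoe\Downloads\WebBrowserPassView.exe"),
    ("IT-PC07", SC, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe"),
]
```

A single RMM on a host is normal in many fleets, so rule 1 (a second, different RMM arriving via the first) is the signal worth alerting on; the IT-managed host above produces no hit.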

Industry stakeholders offered the following perspective.

Randolph Barr, CISO at Cequence Security 

"What used to be thought of as only a physical crime has now become a complex mix of internet access and physical execution. It's not enough to just stop a truck or container from getting stolen today; it frequently starts with an API query. 

"As logistics operations get more modern, so do enemies, who are now going after the digital infrastructure that supports the global supply chain. APIs are at the heart of that infrastructure.

"APIs are now the main tools that modern logistics use to get things done. They enable everything from shipment creation to final delivery. APIs let logistics companies arrange and bid on shipments between brokers and carriers, keep track of where cargo is and what it's doing in real time, and make sure that drivers and cars are who they say they are at ports, warehouses, and fulfillment centers. 

"APIs also let merchants and distribution networks keep their inventories in sync, manage customs operations, and send electronic proof of delivery after a shipment is complete. These systems are not on the edge; they are the building blocks of how modern business works.

"Attackers don't need to break into a warehouse anymore to steal anything because of this strong connectivity. Instead, they steal passwords, use exposed API endpoints, or get in through phishing and other online methods. They exploit such access to abuse the system's logic by pretending to be trusted carriers, changing delivery routes, scraping real-time product availability, or changing destination and delivery data. 

"The planning, targeting, and execution are all becoming more digital, even though the theft is real.

"The worrisome issue is that these attacks don't set off normal security alarms. API abuse typically looks like normal traffic. It might come from the proper IP ranges and use the right credentials. It may even follow the expected call patterns, just at slightly abnormal frequencies or during odd times. 

"Legacy defenses like WAFs or endpoint protection aren’t built to catch this. They’re designed to stop known attacks, not to interpret business intent or detect abuse of logic in a partner API.

"What this shows is a fundamental shift: attackers are exploiting operational urgency and digital trust. Logistics systems are often under constant time pressure, rushing to secure slots, approve carriers, and meet delivery windows. That urgency weakens verification and creates windows for adversaries to act quickly and quietly. 

"When APIs are open to partners or the public, the risk of misuse increases dramatically, especially when organizations aren’t monitoring those APIs for behavioral anomalies. API security must now be treated as part of operational security, not just application security. Every API that moves goods, manages inventory, or confirms delivery needs to be scrutinized as part of a company’s threat surface. 

"Without visibility into how APIs are being used, and misused, organizations are blind to one of the most active, high-impact threat vectors in their supply chain. To secure cargo today, you must secure the APIs that move it. The threat landscape has changed. And it’s not just about protecting the warehouse anymore, it’s about protecting the digital systems that drive the entire supply chain."
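As an added example of the behavioral monitoring Barr describes (not code from Cequence or this article), the following Python runs over a constructed partner-API access log in which every call carries valid credentials from an expected address, and flags only what breaks the partner's baseline: calls to sensitive endpoints outside the partner's business hours, and hourly call rates above the baseline for that endpoint. The client id, endpoints, baseline values and log format are assumptions.

```python
# Added example: flag partner API calls that use valid credentials but break the partner's
# baseline of business hours and hourly call rate. Log lines and baseline are constructed.
from collections import Counter
from datetime import datetime

# Constructed per-partner baseline: UTC business hours and typical calls/hour per sensitive endpoint.
BASELINE = {
    "carrier-acme": {"hours": (6, 20), "max_per_hour": {"/v1/loads/bid": 30, "/v1/shipments/reroute": 3}},
}

# Constructed access log: "<timestamp> <client_id> <src_ip> <method> <path> <status>".
SAMPLE_LOG = """\
2025-09-14T02:05:11Z carrier-acme 10.20.0.7 POST /v1/shipments/reroute 200
2025-09-14T02:09:40Z carrier-acme 10.20.0.7 POST /v1/shipments/reroute 200
2025-09-14T02:14:02Z carrier-acme 10.20.0.7 POST /v1/shipments/reroute 200
2025-09-14T02:21:55Z carrier-acme 10.20.0.7 POST /v1/shipments/reroute 200
2025-09-14T09:30:00Z carrier-acme 10.20.0.7 GET /v1/loads/available 200
2025-09-14T09:31:12Z carrier-acme 10.20.0.7 POST /v1/loads/bid 200
2025-09-14T10:02:45Z carrier-acme 10.20.0.7 POST /v1/shipments/reroute 200
"""


def parse(line):
    """Split one access-log line into (timestamp, client_id, path)."""
    ts, client, _ip, _method, path, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, path


def detect(log_text, baseline=BASELINE):
    """Return alerts for off-hours use and for hourly rates above baseline, per client and endpoint."""
    alerts = []
    per_hour = Counter()
    for line in log_text.splitlines():
        ts, client, path = parse(line)
        profile = baseline.get(client)
        if not profile or path not in profile["max_per_hour"]:
            continue  # unknown client or non-sensitive endpoint: out of scope for these two rules
        start, end = profile["hours"]
        if not start <= ts.hour < end:
            alerts.append({"rule": "off_hours", "client": client, "path": path, "at": ts.isoformat()})
        per_hour[(client, path, ts.strftime("%Y-%m-%dT%H"))] += 1
    for (client, path, hour), n in per_hour.items():
        limit = baseline[client]["max_per_hour"][path]
        if n > limit:
            alerts.append({"rule": "rate_above_baseline", "client": client, "path": path,
                           "at": hour, "count": n, "limit": limit})
    return alerts
```

Nothing here inspects the credential or the source address, which is the point: the reroute burst at 02:00 UTC is indistinguishable from normal traffic to a WAF and is caught only by comparing it with how this partner usually behaves.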

Shane Barney, CISO at Keeper Security

"Organized crime has evolved alongside digital transformation. Criminal groups are now using legitimate remote access tools and trusted business systems to infiltrate logistics networks and move real cargo for profit. This is no longer just about stealing data. 

"Attackers are also exploiting access to manipulate physical operations and inflict direct financial loss. The real risk sits in the connections between systems, partners and vendors that keep modern supply chains running.

"Once an attacker has privileged access, they have control. Preventing that escalation is what stops a breach from turning into an operational crisis. Privileged Access Management (PAM) gives organizations the visibility and control to detect abnormal behavior, restrict access and end sessions before they cause damage. In transportation and logistics, protecting privileged accounts is essential, not just for cybersecurity, but for keeping physical goods moving and businesses running."
