{
	"id": "baea79c0-11bd-48ba-911e-f3a3e0acc65b",
	"created_at": "2026-04-06T00:21:11.748929Z",
	"updated_at": "2026-04-10T03:22:12.841422Z",
	"deleted_at": null,
	"sha1_hash": "425f8bdc2cbb6143efc428db763e49706909e83e",
	"title": "How cybercriminals create turbulence for the transportation industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41669,
	"plain_text": "How cybercriminals create turbulence for the transportation\r\nindustry\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 17:29:37 UTC\r\nWhen you break down how transportation companies actually work, you can find yourself looking at nothing but\r\nsupply chains. From moving people or goods from one place to another, keeping track of the vehicles that are\r\ntransporting those people or goods, the third parties that are responsible for the maintenance and operations of\r\nthose vehicles, along with a list of other business-critical functions, it’s easy to see how these companies would\r\nneed to lean heavily on internet-connected technology in order to be successful.\r\nHowever, since these companies are so reliant on the internet, they present a juicy target for the cybercrime\r\nunderground. Transportation companies are constantly in the discussions on criminal forums, with nefarious actors\r\nattempting (and some succeeding) to attack companies’ infrastructure along their supply chains for their own\r\nillegal gains.\r\nBelow are just some of the examples Intel 471 has observed when it comes to criminals going after transportation\r\ncompanies.\r\nAccess to Networks\r\nIntel 471 has long tracked criminals who specialize in selling access to compromised systems or stolen\r\ninformation. Some of those we have tracked have used their ability to target transportation companies as a way to\r\nstand out in the cybercrime underground. Here are some of the instances we have observed:\r\nIn November 2020, an Iranian-based actor advertised unauthorized access to a system belonging to an\r\nIranian-based airline. The actor shared a demonstration video which looked to be from an internal\r\nemployee portal, which allowed people to access employee account numbers, national codes, passwords,\r\npayments, phone numbers, usernames and more. 
The advertisement was shared on a popular Telegram\r\nchannel dedicated to cybercrime, with over 19,000 members.\r\nIn January 2021, Intel 471 observed a well-known cybercriminal selling network access to a number of\r\ncompanies they allegedly pulled from malware logs. Among the advertised access was a Citrix Gateway\r\nbelieved to be associated with a large, multinational aviation company. The platform detailed access to\r\nanother aviation company based in Scandinavia, mainly showcasing programs designed for training. The\r\nactor is well known for selling access to Citrix Gateways on various cybercriminal forums.\r\nAlso in January 2021, an actor offered to sell information on a remote code execution (RCE) vulnerability\r\nallegedly impacting a European-based cargo airline. The actor sought US $150 for the information about\r\nthe vulnerability that allegedly could be exploited to exfiltrate several internal documents and access login\r\ncredentials. The actor further claimed they also uploaded a web shell to the impacted server.\r\nGift Cards\r\nGift cards have long been a staple of the cybercrime underground, utilized by criminals as a way to move money.\r\nWhether it be physical cards or solely online credits, numerous transportation companies use gift cards as a way\r\nfor customers to buy flights. There are actors that have leveraged that ability for their own crimes.\r\nOne actor Intel 471 has tracked has been in the gift card fraud business since at least 2017. The actor, who\r\nwas previously engaged in selling compromised remote desktop protocol (RDP) credentials, bought ready-to-use gift cards from other actors, derived them from compromised accounts and sourced access from\r\nmalware logs. 
The companies the actor expressed interest in included three well-known airlines based in\r\nthe United States, along with one multinational hotel chain. The actor bought gift cards for half or a quarter\r\nof their value.\r\nAnother actor Intel 471 has tracked allegedly claimed to have a large number of digital gift cards issued by\r\nthree well-known airlines based in the United States for sale each day. The gift cards were not carded using\r\ncompromised payment cards, but purchased with points from compromised accounts with rewards\r\nprograms or cash-back services. The actor primarily obtained credentials for such accounts from malware\r\nlogs purchased on forums.\r\nRansomware\r\nRansomware is a top threat for all internet-connected businesses. The transportation sector is no different.\r\nIntel 471 has observed numerous attacks on transportation-based organizations, including entities in both the\r\npublic and private sector. These incidents have all the hallmarks of a ransomware-as-a-service attack, with crews\r\n“renting” software to launch the attack, hundreds of gigabytes in data stolen, and calls for million-dollar ransom\r\npayments.\r\nIn March 2021, the operator or operators behind the NEFILIM ransomware-as-a-service affiliate program\r\nclaimed the compromise of U.S.-based commercial airline Spirit Airlines, leaking 40GB of data with over\r\n33,000 files. According to open source reporting, financial data and other personal information of\r\ncustomers who purchased tickets to fly with the airline between 2006 and 2021 were posted on a name-and-shame blog.\r\nIn April 2021, a group using the Mount Locker ransomware attacked the Santa Clara Valley Transportation\r\nAuthority, stealing about 130 GB of corporate data. The responsible parties are likely an offshoot of those\r\nwho developed the ransomware, as the organization’s data was posted on a name-and-shame blog operated\r\nby a different criminal group. 
Intel 471 also observed that the criminal crew applied a “double extortion”\r\ntactic by calling and threatening the victim’s employees.\r\nConclusion\r\nTransportation companies are as dependent on technology as any other company. With that trend likely to keep\r\ngrowing, it is imperative that these companies understand where their weak spots are when it comes to\r\ncybersecurity and how the cybercrime underground will exploit them if those weaknesses are left unchecked.\r\nKeys to a successful business often rely on the internet, just as cybercriminals rely on it to carry out their crimes.\r\nBy being proactive in assessing risk and closing vulnerabilities, transportation companies will prevent their\r\ntechnology stacks from being a target for the cybercrime underground.\r\nSource: https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry"
	],
	"report_names": [
		"how-cybercriminals-create-turbulence-for-the-transportation-industry"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/425f8bdc2cbb6143efc428db763e49706909e83e.pdf",
		"text": "https://archive.orkl.eu/425f8bdc2cbb6143efc428db763e49706909e83e.txt",
		"img": "https://archive.orkl.eu/425f8bdc2cbb6143efc428db763e49706909e83e.jpg"
	}
}