China-based cyberattack hits logistics operators, shippers

A sophisticated computer attack launched from China stole financial records, customer data and shipment manifests from as many as seven shipping and logistics companies, using handheld scanners infected with malicious software to crack through corporate security systems.

The first cyberattack known to specifically target global shipping companies raises concerns about the security of supply chain information management systems, especially when a plethora of new peripheral devices are being plugged into enterprise-wide computing systems.

“We’re moving into a new era of threat factors,” said Carl Wright, general manager of security firm TrapX, which discovered the malware when testing a customer’s security system. “Over the last two years, there’s been a tremendous amount of profit from cyberattacks.”

This is the first enterprise-scale attack on supply chains Wright and TrapX have seen, he said. “We’ve recognized the risk, but heard more of things on the consumer level, like malware-infected phones,” he said. “This is the first time I’ve seen something like this.”

TrapX and the victims of the attack have not released estimates of the breadth or economic impact of the attacks. But the threat is clear. In addition to specific information, the attackers gained “complete situational visibility” into logistics operations and shipper information. 

The attack, dubbed “Zombie Zero” by TrapX, which released a report on the attack, underscores the growing security risks faced by shippers and their logistics and transportation partners in a wireless, mobile world where technology changes almost constantly.

Zombie Zero involved a particularly nasty type of polymorphic “advanced persistent malware” that adapted when it detected firewalls and found other routes to the data it was programmed to capture. The software sent that captured information back to a database in China.

The names of the logistics companies targeted in the attack have not been released, but they all purchased handheld scanners from a Chinese supplier, Wright said. Those scanners functioned as a Trojan Horse, with malware embedded in their Windows XP operating systems.

Once the handheld scanners were connected to the logistics operator’s wireless network, the malware activated and began to attack and compromise servers with the word “finance” in their host name. “They were pretty much able to get any data they wanted,” Wright said.

In the next phase of the attack, the malware uploaded a “weaponized payload” that established a stealth “command and control” network linked to a network in China. Not only were the attackers able to collect data, they were able to view and manipulate data on the servers as well.

The attack was discovered two months after the scanners were initially deployed, he said, when a logistics company asked TrapX to demonstrate its security solution, based on a “grid” of so-called high-tech honey pots designed to attract and detect malware and hackers.

“Within a few minutes, we detected these communications and the attacks their existing technology wasn’t detecting,” Wright said. “Within 90 minutes, we had an anatomy of the attack. We could see where the network was communicating out to the other network in China.”

Tracing sales of the handheld scanners, TrapX eventually identified a total of seven logistics operators that moved goods by land, sea and air and one manufacturer that were attacked.

The attackers, and their ultimate motive, have not been identified. The scanned data — which included the origins, destination and value of many shipments — was sent to a Chinese “botnet”  or network of connected Internet-based programs that terminated at the Lanxiang Vocational School, an institution already accused of involvement in cyberattacks on Google.

The manufacturer of the handheld scanners is located close to the Lanxiang Vocational School, TrapX said. The malware was embedded not only in many — though not all — of the company’s handheld scanners but was downloadable through its online support website as well.

“It was a very sophisticated attack, more like we would see from a nation state than a crime syndicate,” Wright said. “It’s hard to speculate about the total motivation.”

The investigation into the attack is ongoing, he said. TrapX published a report on the attack last week and will publish updated information as the investigation progresses.

Shippers are well aware of emerging threats posed by cyberattacks, especially after the massive online theft of customer information from retailer Target earlier this year. Wright urges them to consider more dynamic and adaptive modes of defense.  

“Enterprises have been executing the ‘defense-in-depth,’ a layered strategy, since the early 2000s, and that hasn’t been working as well in the last several years,” Wright said. That’s because the sophistication of data centers and the “bad actors” have both increased.

“This supply chain attack is a good example of things to come,” Wright said.

Contact William B. Cassidy at and follow him on Twitter at @wbcassidy_joc.