Are Cybercriminals Targeting Transport and Supply Chains?

Microsoft warns that supply chains and the wider transportation sector are now in the crosshairs of cybercriminals.
In its latest Digital Defense Report, the company outlines how attackers shift away from traditional intrusion methods and towards abusing identity systems, digital trust and third-party access to gain entry into critical systems.
Human-operated ransomware remains among the top threats facing organisations, and the impact is being felt across logistics, manufacturing and distribution.
Microsoft reveals how attackers use compromised partners or vendors to move through complex networks, exposing entire ecosystems built on interdependence.
Amy Hogan-Burney, Corporate Vice President for Customer Security & Trust at Microsoft, explains that most cyberattacks now focus on financial gain.
“In 80% of the cyber incidents Microsoft’s security teams investigated last year,” Amy says, “attackers sought to steal data – a trend driven more by financial gain than intelligence gathering.”
“Over half of cyber attacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fuelled by financial gain, while attacks focused solely on espionage made up just 4%.”
“Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organisations face today come from opportunistic criminals looking to make a profit.”
Shipping and logistics face growing cyber exposure
One case in the report illustrates how quickly events can escalate.
In February 2025, a global shipping company identifies and contains a ransomware attack in just 14 minutes.
But even this swift response underscores a broader risk.
“Had the company’s systems been taken offline for even a few hours, the cascading effect would have impacted trade and industry around the world,” the report states.
The attack serves as a warning of the interconnected nature of global logistics. Port operations, shipping schedules, customs handling and inventory systems all rely on digital infrastructure.
Microsoft warns that “supply chains, both physical and digital, increase our attack surface”.
Transportation now ranks among the 10 sectors most affected by ransomware, with 223 affected organisations.
Retail, wholesale and distribution, which feed directly into the logistics pipeline, show even higher exposure, with 441 organisations impacted.
Attackers deliberately go after these value chains, using supply chain compromise to reach high-value targets.
Microsoft says: “Sophisticated threat actors are also targeting supply chains and trusted third-party relationships. By compromising a less secure partner or vendor… attackers could potentially impact more hardened targets in multistage attacks.”
This kind of lateral movement makes security gaps in one system a threat to many. In environments where services and processes are tightly linked, even one breach can have wide-reaching consequences.
Cybercriminals and state-linked groups exploit digital trust
While most threats stem from financially motivated groups, state-aligned actors also feature in Microsoft’s analysis.
They focus on gaining long-term access to strategic digital infrastructure, often targeting critical sectors like shipping and logistics.
Microsoft says: “In the last year, three Iranian actors targeted shipping and logistics operations across Europe and the Persian Gulf.”
These state-affiliated attackers aim to extract operational or commercial data and maintain persistent access to networks.
Microsoft notes that Iranian actors account for 6% of attacks in the transportation sector. Chinese-linked groups also appear, but at a lower frequency, comprising around 2%.
Both criminal and state-aligned groups increasingly use cloud infrastructure to maintain access or manage command and control functions. This tactic allows attackers to remain embedded over time without detection.
According to the report, supply chain compromise accounts for 2% of breaches analysed and features in 3% of incident response cases.
Though these numbers appear low, Microsoft flags them as evidence of an upward trend and a warning that trust between partners is becoming a key vulnerability.
Attackers frequently use web-facing assets and remote services to gain a foothold, then leverage third-party access to move laterally through systems.
While government and IT sectors face the heaviest targeting, ripple effects reach across retail, manufacturing and transport.
Microsoft urges new security priorities and stronger regulations
Microsoft argues that defending against these threats requires more than software patches. Cybersecurity must be built into leadership strategies and operational design.
Amy says: “In this environment, organisational leaders must treat cybersecurity as a core strategic priority – not just an IT issue – and build resilience into their technology and operations from the ground up.”
The report outlines the scale of activity Microsoft observes daily: “Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyses 38 million identity risk detections and screens five billion emails for malware and phishing.”
Amy also notes how automation tools and AI allow attackers with minimal technical skill to launch effective campaigns.
“Advances in automation and readily available off-the-shelf tools have enabled cybercriminals – even those with limited technical expertise – to expand their operations significantly.
“The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks.
“As a result, opportunistic malicious actors now target everyone, big or small, making cybercrime a universal, ever-present threat that spills into our daily lives.”
Microsoft recommends stronger identity controls, better visibility into third-party risk and supply chain transparency.
It supports practices such as secure-by-design principles, use of software bills of materials (SBOMs) and consistent vulnerability disclosure protocols.
Finally, Microsoft calls for greater regulatory coordination.
Fragmented rules, it says, slow down collective defences. Harmonised standards would help prevent gaps and delays when responding to threats that cut across sectors and borders.
Attackers now focus on exploiting the supply chain as a path into complex digital ecosystems.
Microsoft’s message is direct: cybersecurity resilience must be built in from the start.