Diesel Vortex: Phishing Campaign Targets US & European Freight Firms

by Chief Editor

Russian-Linked Hackers Target Global Logistics: A Deep Dive into the ‘Diesel Vortex’ Campaign

A phishing campaign dubbed “Diesel Vortex” is hitting the freight and logistics industries in the U.S. and Europe. The financially motivated group behind it has stolen over 1,649 unique credentials since September 2025, targeting the load boards, carrier-compliance portals, and payment platforms used daily by trucking companies, freight brokers, and supply chain operators.

Who is Diesel Vortex?

Researchers have identified Diesel Vortex as a Russian-linked cybercrime group, with evidence suggesting Armenian-speaking actors are involved. The operation isn’t a lone-wolf effort; it’s a structured, financially driven criminal service marketed to other cybercriminals under the names “MC Profit Always” and “Global Profit.” The group runs a highly organized operation with dedicated roles, including call-center staff, mail support, programmers, and personnel focused on identifying potential targets.

How Does the Attack Work?

Diesel Vortex employs a multi-layered phishing strategy. Attacks begin with phishing emails sent from kits that relay through Zoho SMTP and ZeptoMail, often substituting Cyrillic homoglyphs (Cyrillic letters whose glyphs are indistinguishable from Latin ones) into sender addresses and lure text so that keyword- and domain-based filters do not match. The group also uses voice phishing (vishing) and infiltrates Telegram channels frequented by logistics professionals.

Once a victim clicks a malicious link, they are redirected through a 9-stage cloaking chain spanning multiple domains, which serves the real payload only to targets that pass its checks, before landing on a pixel-perfect replica of a legitimate logistics platform. These fake pages capture a wide range of sensitive information: credentials, permit data, MC/DOT numbers, two-factor authentication codes, and even financial details such as payment amounts and check numbers. Because the one-time 2FA code is captured and relayed along with the password, SMS- or app-based OTP alone does not stop this kind of login theft.
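The homoglyph trick above is cheap to detect once you look at the scripts a hostname actually uses rather than at its rendered glyphs. The following is an added example (not code from the Diesel Vortex report or from any tool it names) that checks a sender or link hostname two ways: it flags any DNS label that mixes Latin with another script, and it folds known Cyrillic confusables onto their Latin twins to see whether the result lands on a protected brand domain. The second rule catches all-Cyrillic spoofs that the mixed-script rule alone would miss. `CONFUSABLES` is a hand-picked subset of the pairs in Unicode UTS #39, `PROTECTED` is an assumed allowlist, and the sample hostnames are constructed; none of them come from the campaign’s IoCs.

```python
"""Flag hostnames that mix Latin and Cyrillic, or that fold onto a protected brand.

Added example, not code from the Diesel Vortex report or any tool it names.
CONFUSABLES is a hand-picked subset of the Cyrillic/Latin pairs in Unicode
UTS #39, and PROTECTED is an assumed allowlist of brand domains to watch.
"""
import unicodedata

# Cyrillic letters whose glyphs match Latin ones (assumed subset; extend from UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04bb": "h",
}

# Assumed allowlist: the domains whose lookalikes we want to catch.
PROTECTED = {"dat.com", "truckstop.com", "timocom.com", "teleroute.com"}


def to_unicode_host(host):
    """Decode punycode (xn--) labels so the check sees what the victim sees."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: inspect as given


def scripts_in(label):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(host):
    """Fold confusables onto their Latin twins so a lookalike compares equal to its target."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_host(host, protected=PROTECTED):
    """Return a list of findings for one hostname; an empty list means nothing suspicious."""
    uhost = to_unicode_host(host).rstrip(".").lower()
    findings = []
    # Rule 1: a single label drawing letters from more than one script.
    for label in uhost.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append("mixed-script label %r uses %s" % (label, sorted(scripts)))
    # Rule 2: after folding confusables the host is, or sits under, a protected domain
    # while the raw host is not. This also catches all-Cyrillic spoofs that rule 1 misses.
    skel = skeleton(uhost)
    if skel != uhost:
        for brand in protected:
            if skel == brand or skel.endswith("." + brand):
                findings.append("lookalike of protected domain %r" % brand)
    return findings


if __name__ == "__main__":
    # Constructed samples: a legitimate host, a mixed-script spoof, the same spoof as it
    # appears in a raw header (punycode), and a legitimate all-Cyrillic domain that must
    # not be flagged.
    samples = [
        "dat.com",
        "login.d\u0430t.com",
        "login.d\u0430t.com".encode("idna").decode("ascii"),
        "\u043f\u0440\u0438\u043c\u0435\u0440.com",
    ]
    for s in samples:
        print(s, "->", check_host(s) or "clean")
```

Run it over the `From:`/`Return-Path:` domains and every link host extracted from inbound mail; the punycode decode matters because mail headers carry the `xn--` form, which passes a naive ASCII keyword filter while rendering as the brand name in the client.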

Two phishing pages used in the same attack
Source: Have I Been Squatted

Key Targets and Impact

Several major platforms in the freight and logistics sector have already been targeted by Diesel Vortex, including DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka, and Electronic Funds Source (EFS). The stolen credentials feed a range of follow-on crime, including interception of shipment information, personal data theft, and financial fraud.

Specifically, the group coordinates freight impersonation, mailbox compromise, and double-brokering, a tactic in which stolen carrier identities are used to book loads and reroute the cargo to fraudulent pickup locations for theft. This echoes previous incidents in which attackers abused freight systems to steal shipments.

Disruption and Investigation

A coordinated effort involving GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center has successfully disrupted the Diesel Vortex operation, taking down phishing panels, domains, and related repositories. Ctrl-Alt-Intel’s OSINT investigation, starting with Telegram chats, revealed connections to individuals and companies in Russia involved in wholesale trade, transportation, and warehousing.

Future Trends and What to Expect

The Diesel Vortex campaign highlights several emerging trends in cybercrime targeting the logistics industry:

  • Increased Sophistication of Phishing Attacks: The use of multi-stage cloaking, pixel-perfect phishing pages, and evasion techniques like Cyrillic homoglyphs demonstrates a growing level of sophistication.
  • Targeting of Supply Chain Infrastructure: Logistics companies are increasingly becoming attractive targets due to their critical role in the global economy and the potential for widespread disruption.
  • Phishing-as-a-Service Model: The “MC Profit Always” offering indicates a growing trend of cybercriminals selling their tools and services to others, lowering the barrier to entry for malicious activity.
  • Exploitation of Telegram for Coordination: The use of Telegram for communication and control underscores the importance of monitoring and analyzing activity on these platforms.

Expect continued focus on the logistics sector, with attackers refining these techniques: more convincing phishing kits, more automation of the cloaking and credential-relay steps, and heavier reliance on social engineering such as vishing.

Pro Tip

Regularly educate employees about phishing threats and best practices for identifying and reporting suspicious emails and messages. Because these pages also capture one-time 2FA codes, pair that training with phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) wherever the platform supports it, and alert on logins to load boards and payment portals from new devices or locations.

FAQ

What is double brokering? Double brokering involves using stolen carrier identities to book loads and then rerouting the freight to fraudulent locations for theft.

Who is behind Diesel Vortex? Researchers believe Diesel Vortex is a Russian-linked cybercrime group with Armenian-speaking actors involved.

What types of data are stolen in these attacks? The group targets a wide range of data, including credentials, permit information, two-factor authentication codes, and financial details.

How can logistics companies protect themselves? Employee training, phishing-resistant MFA on load-board and payment accounts (since the kits relay one-time codes), filtering of lookalike and mixed-script sender domains, and monitoring for unusual logins and mailbox rule changes are the most direct countermeasures.

Where can I find more information about the indicators of compromise? The full list of IoCs is available in the Have I Been Squatted report.

To stay ahead of evolving threats, explore resources from organizations like CISA and NIST for the latest cybersecurity guidance.
