Disruption of Phishing Platform Aiming at Trucking and Logistics Industries


Russian and Armenian Operators Linked to Logistics-Centric ‘Diesel Vortex’ Group

Cybersecurity investigators have dismantled a coordinated effort that used phishing-as-a-service to target users of major logistics platforms.

In a recent investigation, cybersecurity researchers disrupted a systematic phishing-as-a-service operation targeting Western users of leading logistics platforms. The criminal enterprise, run mainly by Russian-speaking developers, sold its services on several Russian-language cybercrime forums, with subscribers paying in cryptocurrency through external payment processors.

According to researchers at the cybersecurity firm Have I Been Squatted, the phishing infrastructure linked to the operation deployed 52 phishing domains and targeted around 57,000 email addresses in credential-harvesting campaigns. The operation was also associated with 35 attempts at Electronic Funds Source (EFS) check fraud. The researchers designated the operation “Diesel Vortex.”

Investigators reported that within five months the group targeted freight and logistics companies across the United States and Europe, stealing more than 1,600 unique login credentials for prominent platforms including the DAT and Truckstop load boards and Penske Logistics. The lures and target selection showed a clear understanding of the sector and of how its users work.

A joint effort by Have I Been Squatted and the threat intelligence firm Ctrl-Alt-Int3l established that the operation began in September and was recently shut down. The takedown drew on the two firms' investigation and on intelligence contributed by several technology companies.

The phishing platform itself was built around infrastructure tailored to logistics, impersonating the everyday tools used by freight brokers and supply chain operators. The attackers took advantage of the weak protections around these platforms, which are often overlooked in enterprise security strategies. An operational security mistake by the attackers exposed their infrastructure to discovery and let researchers gather evidence about the group's organization and plans.
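The 52 domains mentioned above were, by the researchers' description, built to pass as the load boards and carrier portals that brokers and dispatchers use every day. An added illustration of the kind of check a logistics company's security team can run itself over a feed of newly registered domains or the sender domains in its mail logs (this is not the investigators' tooling; the brand domains, thresholds and sample feed are assumptions, and the script uses a naive last-two-labels notion of a registrable domain rather than a public-suffix list):

```python
"""Flag domains that impersonate the logistics platforms named in the article.

Added example, not the investigators' tooling. Brand domains, thresholds and the
sample feed below are assumptions made for illustration.
"""

# Assumed legitimate registrable domains for the platforms named in the article.
BRANDS = {
    "dat": "dat.com",
    "truckstop": "truckstop.com",
    "penske": "penskelogistics.com",
}

# Constructed sample feed, e.g. from a newly-registered-domain list or mail logs.
SAMPLE_DOMAINS = [
    "dat.com",                      # legitimate
    "portal.truckstop.com",         # legitimate subdomain
    "data-portal.com",              # unrelated; must not trip the short 'dat' token
    "dat-login-verify.com",         # brand term combined with lure words
    "truckst0p-secure.net",         # digit-for-letter homoglyph
    "trucksrop.com",                # one-character typo
    "penskelogistics-portal.net",   # brand embedded in a longer label
    "dat.com.secure-login.net",     # brand domain used as a subdomain prefix
    "weather.com",                  # unrelated
]


def normalize(label: str) -> str:
    """Undo common visual substitutions before comparing with a brand token."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("013457", "oleast"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short, so a plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_label(label: str, token: str):
    """Return why `label` resembles `token`, or None. Short tokens (like 'dat')
    only match as an exact hyphen-separated segment, to limit false positives."""
    segments = label.split("-")
    for seg in segments:
        if seg == token:
            return "brand term in label"
        norm = normalize(seg)
        if norm == token:
            return "homoglyph substitution"
        if len(token) >= 5 and token in norm:
            return "brand term embedded in label"
        if len(token) >= 5 and levenshtein(norm, token) <= (1 if len(token) <= 6 else 2):
            return "typosquat"
    if len(segments) > 1 and normalize("".join(segments)) == token:
        return "hyphen-split brand"
    return None


def classify(domain: str):
    """Return a finding for a lookalike, or None for legitimate/unrelated domains.
    Simplification: the registrable domain is taken to be the last two labels."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in BRANDS.values():
        return None
    for label in labels[:-1]:          # every label except the TLD
        for token, legit in BRANDS.items():
            reason = match_label(label, token)
            if reason:
                return {"domain": domain, "brand": legit, "reason": reason}
    return None


def triage(domains):
    """Run classify() over a feed and keep only the hits."""
    return [hit for hit in map(classify, domains) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print(f"{hit['domain']:32} -> {hit['brand']:22} {hit['reason']}")
```

Run against the constructed feed it flags five of the nine domains and leaves the two legitimate entries and the two unrelated ones alone. In production the registrable-domain step should use a public-suffix list, and hits are more useful when enriched with registration date and certificate-transparency sightings than when acted on alone.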

While the core operation was predominantly Russian-speaking, recovered communication logs indicate that Armenian operators were involved as well. The group coordinated attacks and managed day-to-day operations over Telegram, a common choice among such crews.

As law enforcement agencies assist in notifying victims, the incident offers two lessons: phishing remains the cheapest route to credentials, and even well-run criminal operations make mistakes. Security professionals stress phishing-resistant multifactor authentication, such as FIDO2-compatible security keys, against this kind of attack: the credential is bound to the legitimate site's origin, so a password and one-time code captured on a lookalike domain are not enough to log in.
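The reason FIDO2 holds up where a password plus SMS or app code does not is the origin binding above, which is worth seeing concretely. The following is an added illustration, not the article's or any vendor's code: it models the parts of a WebAuthn assertion that carry the binding and runs a legitimate login next to two variants of the adversary-in-the-middle relay a phishing kit would attempt. Assumptions, all labelled in the code: `dat.com` is used as the relying-party ID, `dat-login-verify.com` is a constructed lookalike, and HMAC with a per-credential secret stands in for the authenticator's ECDSA key pair, since what matters here is what gets signed, not the primitive.

```python
"""Why a FIDO2/WebAuthn credential does not survive a lookalike-domain relay.

Added illustration, not the article's or any vendor's code. Simplifications, on purpose:
- HMAC-SHA256 with a per-credential secret stands in for the authenticator's ECDSA
  key pair; the point is WHAT gets signed, not the signature primitive.
- clientDataJSON and authenticatorData are reduced to the fields that carry origin binding.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "dat.com"                                # assumed relying-party ID of the real load board
RP_ORIGIN = "https://dat.com"
PHISH_ORIGIN = "https://dat-login-verify.com"    # constructed lookalike served by a relay kit

# Stand-in for the key pair created at registration (a real RP stores only the public key).
CREDENTIAL_KEY = secrets.token_bytes(32)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get() plus the authenticator.

    Two things the page's script cannot influence: the browser writes `origin`
    itself, and it refuses an rpId that is not the page's host or a parent of it.
    (A real authenticator would additionally only hold credentials scoped to the rpId.)
    """
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"browser refuses rpId {requested_rp_id!r} for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data = rp_id_hash(requested_rp_id)      # real authenticatorData adds flags and a counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()   # ECDSA stand-in
    return {"clientData": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, issued_challenge: bytes):
    """The relying-party checks from the WebAuthn verification steps that defeat phishing."""
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientData"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def relayed_phish():
    """Adversary-in-the-middle kit: fetch a real challenge from the RP, present it to the
    victim on the lookalike page, forward whatever comes back."""
    challenge = secrets.token_bytes(32)          # obtained from the real RP by the kit
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except ValueError as err:
        return False, str(err)                   # stopped inside the victim's browser
    return rp_verify(assertion, challenge)


def relayed_phish_own_rpid():
    """Kit asks for an rpId matching its own host so the browser cooperates; the
    resulting assertion is bound to the wrong origin and the RP rejects it."""
    challenge = secrets.token_bytes(32)
    phish_host = PHISH_ORIGIN.split("://", 1)[1]
    return rp_verify(browser_get_assertion(PHISH_ORIGIN, phish_host, challenge), challenge)


if __name__ == "__main__":
    print("legitimate:       ", legitimate_login())
    print("relay, real rpId: ", relayed_phish())
    print("relay, own rpId:  ", relayed_phish_own_rpid())
```

The contrast with a one-time code is the point: a TOTP or push approval carries no origin, so a kit that relays the login form in real time can replay it to the real site; the WebAuthn assertion carries the origin the browser saw, and the relying party checks it. A real deployment should use a maintained WebAuthn library for the full verification procedure (attestation, counters, user-presence flags) rather than the reduced checks above.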

This incident sheds light on the broader landscape of phishing-as-a-service offerings. The potential for more operators with unique sector-specific knowledge raises pressing concerns for industries characterized by high transaction volumes and remote workforces. As the landscape evolves, the need for robust defenses against targeted phishing schemes becomes increasingly crucial to safeguard sensitive operational data.

Mapped to the MITRE ATT&CK framework, the techniques consistent with the investigation's findings are initial access via phishing (T1566), credential theft through cloned login pages (Phishing for Information, T1598; this is not OS Credential Dumping, T1003, which refers to extracting secrets from an already compromised host), and exfiltration of the captured credentials to operator-controlled infrastructure. Continued vigilance, and controls that remove the value of a stolen password, remain the practical response to operations of this kind.
