VicOne Situational Awareness Report: Cybersecurity in the Automotive, Transportation, and Logistics Sectors in Q3 2025

October 31, 2025
CyberThreat Research Lab

Philippe Lin, Senior Researcher 


This Situational Awareness Report provides a summary of key cybersecurity developments observed in the automotive, transportation, and logistics sectors during Q3 2025. Serving as a precursor to the upcoming VicOne Automotive Cybersecurity Report 2026, this update highlights the significant attack trends and emerging risks shaping the threat landscape this quarter. 


Threat landscape overview 

In Q3 2025, the global threat landscape continued to evolve, driven by the convergence of ransomware operations, data stealer campaigns, and newly disclosed vulnerabilities. The quarter was marked by major law enforcement actions that resulted in multiple arrests and disrupted several criminal operations. At the same time, significant breaches such as the Salesforce supply chain attack, which affected nearly 1 billion records, and the TransUnion data breach, which exposed 4.4 million Americans, underscored the widening scale and impact of data-centric attacks.  

Phishing-as-a-service (PhaaS) platforms also continued to lower the barrier to entry for cybercrime. SheByte gained momentum following the Labhost takedown, offering advanced features such as geo-filtering, connection filtering, real-time target flow control, and sophisticated infostealing capabilities like one-time password (OTP) interception. SheByte’s customizable templates targeted banks, telecommunication operators, and crypto providers in North America, demonstrating how phishing toolkits are increasingly tailored and becoming more user-friendly for their affiliates. 

Compared with Q2’s emphasis on state-sponsored infrastructure attacks and geopolitical cyber operations, Q3 2025 reflected a shift toward large-scale data extortion campaigns, the evolution of ransomware collaboration networks, and the emergence of AI as both a threat vector and a tool for cybercriminals. Heading into Q4, organizations should prepare for more AI-enabled malware development and advanced defense evasion techniques, such as EDR-Freeze. 


Ransomware activities 

Figure 1. Number of ransomware incidents by month in Q3

VicOne observed 90 ransomware attacks targeting the automotive, transportation, and logistics sectors and their verticals in Q3 2025, with a noticeable spike in September. The quarter recorded 11 incidents in July, 34 in August, and 45 in September. Among the affected industries, automotive and its related verticals were the most impacted (54), followed by transportation (18) and logistics (15). 


Figure 2. Distribution of ransomware incidents across automotive, transportation, and logistics sectors and their verticals in Q3 2025

A total of 45 ransomware groups were identified during the quarter. Qilin led with 10 incidents, followed by Akira (8) and Incransom (also known as Inc., 6). Beyond these, the data showed a long-tail pattern in which a few dominant groups are responsible for most incidents, while a smaller number of operators commit only one or two attacks. 


Figure 3. Number of ransomware incidents by group in Q3 2025

The top 10 ransomware groups that targeted automotive, transportation, and logistics largely mirrored the overall global distribution — where Qilin, Akira, Incransom, Play, and SafePay remained dominant — indicating that these threat groups did not specifically target our sectors of interest. 

Qilin, also known as the Agenda ransomware group, operates as a ransomware-as-a-service (RaaS) model that favors vulnerability-driven mass exploitation rather than industry-specific targeting. This means that any organization exposed to a known vulnerability is at heightened risk. 

Akira, one of the most active ransomware groups across all sectors in Q3 2025, exploited vulnerabilities in SonicWall SSL VPN and firewall devices to gain initial access and stole OTPs to bypass multi-factor authentication (MFA). Incransom, meanwhile, targeted network devices via spear-phishing and the exploitation of vulnerabilities to gain a foothold within enterprise networks. 

Prominent names in the automotive industry were among the victims this quarter. Scania was reportedly ransomed by TeamXXX, while three Toyota subsidiaries in Asia were compromised by BlackNevas. Several government agencies connected to transportation were also affected, including the Philippines’ Land Transportation Office, the Maryland Department of Transportation, and Brunei’s postal service. 

While no ransomware group demonstrated consistent targeting of a specific vertical, automotive dealerships were highly vulnerable throughout 2025. Incransom was observed attacking a few automotive parts manufacturers, but its campaigns also extended beyond the automotive supply chain. 

One of the most disruptive incidents of the quarter involved Jaguar Land Rover (JLR), which shut down its IT systems on September 1 after detecting an intrusion. JLR halted production at facilities in Solihull, Halewood, Castle Bromwich, and Wolverhampton, with the attack costing an estimated £50 million per week. The Scattered Lapsus$ Hunters group claimed responsibility, suggesting collaboration between Scattered Spider, Lapsus$, and ShinyHunters. The attack coincided with the UK’s critical September vehicle registration period. 

Notably, ShinyHunters and Scattered Spider also exploited Salesloft Drift OAuth tokens and stole approximately 1.5 billion Salesforce records from major companies. Around 760 organizations — including Toyota, Stellantis, UPS, and FedEx — were reportedly affected. 


Data leaks 

VicOne identified 34 data leak incidents affecting the automotive, transportation, and logistics sectors during Q3 2025, based on activity observed in the dark web. Of these, 15 involved personally identifiable information (PII), including customer data, employee data, license plate numbers, and vehicle identification numbers (VINs). 

Notably, three government agencies were affected by breaches that exposed transportation-related data, and four incidents involved highly detailed shipping records, including goods in transit and tracking numbers that could lead to customer reidentification. Data associated with BMW, GM, and Toyota dealerships were also found in the leaked materials. 

Figure 4. Screenshot showing a victim’s sandglass or data exposure post displayed on Everest Group's leak site


Figure 5. The Lynx group has a page for “leaks,” which misleadingly presents stolen data as public disclosures


In several cases, leaked data appeared after victims refused to pay ransom demands. While VicOne recognizes that paying ransoms can perpetuate the criminal ecosystem, organizations must also ensure that loss-mitigation measures are implemented within appropriate legal and regulatory frameworks. 


Figure 6. Data “published” by The Gentlemen group on its leak site


Vulnerabilities 

VicOne recorded 353 Common Vulnerabilities and Exposures (CVEs) related to the automotive, transportation, and logistics sector in Q3 2025. Among these, in-vehicle systems — particularly in-vehicle infotainment (IVI) systems and operating systems (OSs) — were the most affected. 

A clear trend also emerged in charging infrastructure and connected-vehicle backend services, where an increasing number of vulnerabilities were disclosed throughout the quarter. 

Figure 7. Distribution of disclosed CVEs by affected domains in Q3 2025


Conclusion 

VicOne continues to monitor activity across the clear, deep, and dark web for ransomware operations, data leaks, and vulnerability disclosures affecting the automotive, transportation, and logistics sectors. Q3 2025 was notably active, marked by a steady rise in ransom and extortion incidents. We have not yet seen actors exploit leaked shipping records, as the potential profit from such data appears limited for now. 

Beyond successful intrusions, we urge customers and industry stakeholders to remain vigilant against PhaaS platforms, which have lowered the barrier for cybercriminals to access enterprise networks, resulting in more tailored and widespread attacks. 

As we look ahead to Q4 2025, organizations should continue strengthening their detection and response capabilities through security protocols and countermeasures such as endpoint detection and response (EDR), managed detection and response (MDR), extended detection and response (XDR), and security information and event management (SIEM) — particularly for identifying data exfiltration and defense evasion attempts. 
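The paragraph above recommends tuning EDR/XDR/SIEM tooling to spot data exfiltration. As an added illustration that is not part of the VicOne report or its tooling, the following Python snippet shows the shape of a simple SIEM-style correlation rule: it compares each host's outbound byte volume on the most recent day against that host's own baseline from earlier days, and raises an alert when the volume both exceeds an absolute floor and is many times the baseline, listing any destinations the host had never contacted before. The log format, host names, IP addresses, and the `factor` and `min_bytes` thresholds are all constructed assumptions for the example; real rules would use the organization's own flow or proxy telemetry and tuned thresholds.

```python
"""Baseline-versus-recent outbound volume check for bulk data exfiltration.

Added example, not code from the VicOne report. Log format and sample
lines are constructed; thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry: "timestamp src_host dst_ip dst_port bytes_out".
# Three quiet days for two workstations, then ws-finance-07 pushes ~6.9 GB
# to a never-before-seen address in the small hours of day four.
SAMPLE_LOGS = """\
2025-09-01T08:10:00 ws-finance-07 203.0.113.10 443 150000
2025-09-01T09:30:00 ws-eng-03 203.0.113.10 443 400000
2025-09-02T08:15:00 ws-finance-07 203.0.113.10 443 170000
2025-09-02T10:00:00 ws-eng-03 203.0.113.22 443 350000
2025-09-03T08:05:00 ws-finance-07 203.0.113.10 443 160000
2025-09-03T11:20:00 ws-eng-03 203.0.113.22 443 420000
2025-09-04T02:13:00 ws-finance-07 198.51.100.77 443 4800000000
2025-09-04T02:40:00 ws-finance-07 198.51.100.77 443 2100000000
2025-09-04T09:00:00 ws-eng-03 203.0.113.10 443 380000
"""


@dataclass
class Flow:
    ts: datetime
    host: str
    dst: str
    port: int
    bytes_out: int


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), host, dst, int(port), int(nbytes)))
    return flows


def daily_totals(flows):
    """Aggregate outbound bytes per host per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.host][f.ts.date()] += f.bytes_out
    return totals


def detect_exfil(flows, factor=10.0, min_bytes=1_000_000_000):
    """Return alerts for hosts whose latest-day outbound volume is anomalous.

    A host is flagged when its outbound bytes on the most recent day are at
    least `min_bytes` AND more than `factor` times its mean daily volume over
    the earlier days (its baseline). Hosts with no baseline are skipped.
    """
    totals = daily_totals(flows)
    last_day = max(f.ts.date() for f in flows)
    alerts = []
    for host, per_day in totals.items():
        baseline_days = [d for d in per_day if d < last_day]
        if not baseline_days:
            continue  # no history to compare against; a real rule would queue for learning
        baseline = sum(per_day[d] for d in baseline_days) / len(baseline_days)
        today = per_day.get(last_day, 0)
        if today >= min_bytes and today > factor * baseline:
            known = {f.dst for f in flows if f.host == host and f.ts.date() < last_day}
            seen_today = {f.dst for f in flows if f.host == host and f.ts.date() == last_day}
            alerts.append({
                "host": host,
                "day": last_day.isoformat(),
                "bytes_out": today,
                "baseline_bytes": round(baseline),
                "new_destinations": sorted(seen_today - known),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(parse_flows(SAMPLE_LOGS)):
        print(alert)
```

The absolute floor (`min_bytes`) keeps low-traffic hosts from alerting on trivial spikes, while the ratio (`factor`) keeps busy servers from alerting on their normal volume; listing previously unseen destinations gives the analyst an immediate pivot for triage.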

Attention should also extend beyond traditional IT risks such as phishing and ransomware, to include vulnerabilities in connected vehicle backend services, which may be exploited for lateral movement or unauthorized data access within increasingly integrated mobility ecosystems. 

Finally, as AI accelerates the automation of offensive tools, the potential speed and scale of attacks will expand significantly. This underscores the critical need for Vehicle Security Operations Centers (VSOCs) and AI-driven threat intelligence platforms to maintain proactive visibility, rapid containment, and resilient cyber-defense posture across the connected mobility landscape. 


This blog references Trend Micro’s AIM Situational Awareness Report Q3 2025. To request a copy of the report, contact a Trend Micro sales representative in your region. 
