In early March 2026, logistics giant Nexus Grid suffered a catastrophic intrusion that froze automated shipping docks across 16 countries and triggered a $42.5 million ransom demand. The attack, attributed to a threat group tracked as Cobalt Veil, exfiltrated roughly 1.2 terabytes of data and originated from a single neglected IoT device on the corporate network, according to reporting by ByteXel.

What Happened

On a Tuesday morning in early March, monitors at Nexus Grid's Chicago headquarters shifted to a flat purple wash as the new "V6" ransomware strain executed across the environment. Within twenty minutes, automated docks in 16 countries halted mid-cycle, leaving millions of tons of cargo in digital limbo. By March 12, attackers had completed full internal reconnaissance, mapped every server, and begun staged exfiltration. The ransom demand of $42.5 million arrived shortly after encryption completed, after attackers had already harvested operational data and bypassed multifactor protections on administrative accounts.

What Was Taken

Investigators identified roughly 1.2 terabytes of exfiltrated material moving at a steady 4 MB/s to infrastructure hosted in a non-extradition jurisdiction. The dataset included sensitive shipping manifests, client contracts, regional logistics records, and historical shipping data that had been improperly relocated by a regional manager to a public-facing Trello board. Operational disruption affected automated dock systems in 16 countries, with downstream impact on freight movement and contract fulfillment.

Why It Matters

The Nexus Grid intrusion is a textbook example of how IoT sprawl and shadow IT collapse the perimeter of even well-funded enterprises. A single unpatched appliance on a "non-critical" subnet provided the foothold for a full ransomware deployment against global logistics infrastructure. For defenders, the case underscores that operational technology, supply chain visibility, and unsanctioned SaaS use are now first-order risks, not peripheral hygiene issues. Cobalt Veil's use of mundane entry points to reach high-value OT environments mirrors a broader 2026 trend of ransomware crews targeting logistics, manufacturing, and critical infrastructure where downtime pressure accelerates ransom payment.

The Attack Technique

Initial access came through a known firmware vulnerability in a legacy smart coffee machine in the third-floor employee lounge. The device sat on a flat subnet, had last been patched in late 2024, and was treated as non-critical, giving Cobalt Veil a quiet beachhead from which to enumerate the environment. The operators then pivoted into shadow IT systems, including the misconfigured Trello board, harvesting credentials, session data, and configuration material that allowed them to bypass two-factor authentication on main administrative accounts. According to investigators, approximately 68% of observed lateral movement traversed unsanctioned tools rather than monitored corporate systems. Exfiltration ran for several days at a steady 4 MB/s before the V6 ransomware payload triggered network-wide encryption and OT disruption.

What Organizations Should Do

  1. Inventory and segment every IoT and OT device, including breakroom and facilities appliances, onto isolated VLANs with strict egress controls.
  2. Enforce a firmware patch SLA for all networked devices, and retire vendor equipment that no longer receives security updates.
  3. Deploy continuous network detection focused on anomalous outbound flows, particularly sustained low-and-slow exfiltration to foreign infrastructure.
  4. Audit for shadow IT through CASB or DNS-based discovery, and block public-cloud collaboration platforms that lack enterprise SSO and DLP integration.
  5. Require phishing-resistant MFA (FIDO2 or hardware tokens) on all administrative accounts, and monitor for session token reuse across unmanaged endpoints.
  6. Run tabletop exercises specifically modeling OT freeze scenarios so incident response teams can decouple IT recovery from operational restoration.

Sources: The $40 Million Ghost: Inside the 2026 Nexus Grid Breach - IT