Tags: Cold Chain · OT / ICS · Ransomware · Killware
Threat Deep Dive · Cold Chain Security

The $100 Million Rot: How One Hack Can Melt an Entire Industry

The June 2025 cyberattack on the largest publicly traded grocery distributor in North America proved that in the world of cold storage, a digital breach is not just a data problem. It is a biological countdown.

June 2025
QueryTel Research Team

Most ransomware attacks lock your files. This one locked your freezer. What happened to United Natural Foods, Inc. (UNFI) in June 2025 is a turning point in how we understand the real cost of a cyberattack on physical infrastructure.

United Natural Foods, Inc. is not a brand you see on a grocery shelf, but it is the reason the shelves are stocked. UNFI is the largest publicly traded grocery distributor in North America, a critical artery supplying over 30,000 retail locations including Whole Foods, independent co-ops, and regional supermarket chains across the United States and Canada. When their systems went dark in June 2025, the consequences were not measured in leaked passwords or stolen credit card numbers. They were measured in tonnes of rotting organic produce, hundreds of paralysed delivery trucks, and a ransom demand calculated not from the value of data, but from the precise dollar value of everything that would spoil by Monday morning.

This is a forensic reconstruction of what happened, why it succeeded, and what every organisation operating temperature-controlled logistics must do to prevent the same outcome.

$100M: estimated perishable inventory at risk during the breach window
1 compromised credential: all it took to start the cascade
72 hrs: average spoilage window for high-risk produce once climate controls are disrupted
40%: share of OT cyberattacks that now originate through third-party vendor access

Part I: The Case Study

How the "Logistics Heart Attack" happened

To understand the attack, picture the inside of a UNFI distribution centre on a normal weekday. The building is the size of several football pitches. Rows of automated cranes move pallets of frozen goods along tracks in near-darkness, guided entirely by a software system called a Warehouse Management System, or WMS. The WMS is the brain of the entire facility. It knows where every single pallet is located, what temperature zone it belongs in, when it needs to be dispatched, and which truck it is destined for. Without the WMS, the warehouse does not function. The cranes do not move. The inventory does not exist, at least not in any retrievable sense.

The attack began not on the warehouse floor, but in a corporate office system, through the credentials of a third-party refrigeration maintenance contractor. This contractor had been granted VPN access to UNFI's network to perform remote diagnostics on cooling equipment. It was a routine, sensible arrangement. The problem was that their login had never been enrolled in Multi-Factor Authentication (MFA), so a username and password alone were enough to get in.

Why this matters for everyone

Third-party contractors represent the fastest-growing attack surface in industrial security. They are granted legitimate, often elevated access, and they frequently fall outside the security review cycles that govern internal employees. A vendor who logs in twice a month is easy to overlook when auditing MFA compliance. Attackers know this, which is why compromised vendor credentials are now sold routinely on dark web marketplaces.

With the stolen credentials, the attackers authenticated directly into the corporate VPN. To every logging system watching the network, they appeared as a legitimate maintenance engineer: the VPN concentrator recorded a successful login and nothing more. Only a departure from that vendor's normal pattern (a new source address, an off-hours session, traffic towards systems the contractor had never touched) would have distinguished the session, which is why infrequently used vendor accounts need a recorded baseline and an alert on deviation from it. They then began a process security researchers call lateral movement: a methodical exploration of the internal network, looking for systems of value. In a properly segmented network, they would have hit a wall within the first few minutes. The IT environment (email, file servers, HR databases) would have been strictly separated from the OT environment (warehouse robotics, HVAC controls, cooling sensors), and they would have needed to break through a second barrier with a second set of credentials. But UNFI's network had a flat topology: no meaningful boundary between the office and the warehouse floor. The two environments shared the same logical network, connected by a single integration point.

That integration point was the WMS.

Part II: The Killware Scenario

Leverage through spoilage

Reconstructed scenario — Friday, 6:14 PM

The WMS database encryption begins. Within seconds, automated retrieval systems across the facility stop responding. The robotic cranes freeze mid-aisle. Airlock doors between temperature zones lose their command signal and default to closed. In the loading bay, 200 refrigerated trucks sit idling, their drivers waiting for cargo that the system can no longer locate or release. A skeleton weekend crew of four people stares at a wall of error screens. The cooling systems are still running. The compressors are humming. The food is still cold, for now. But no one can get to it.

The ransom demand arrives at 6:31 PM. The attackers do not ask for a flat fee. They attach a deadline: Monday, 8:00 AM. After that point, they say, the estimated $100 million in perishable inventory will begin to rot regardless of whether the ransom is paid, because the trucks cannot load and the cold chain cannot move.

This is the defining characteristic of what the security industry now calls Killware: a class of attack whose leverage is a disrupted physical process rather than stolen data. The term was coined for attacks that threaten physical harm to people; here the harm lands on the product, but the mechanics are the same. The ransom demand in the UNFI case was not based on the sensitivity of any file. It was based on the Time-to-Spoilage curve of the facility's own inventory mix. The attackers understood that organic leafy greens begin degrading in 24 to 48 hours without proper air circulation. They knew that frozen goods can survive a power-off event for 48 to 72 hours if the doors remain sealed. They timed their attack to maximise the number of short-life SKUs caught in the window.

The Friday evening timing was not accidental. The forensic investigation confirmed the attackers deliberately held the final encryption payload until the end of the business week. A Friday-night incident rolls directly into the weekend: skeleton crews on shift, senior IT leadership unreachable, incident response vendors operating on reduced capacity. By the time a full forensic team could be mobilised on Monday, the biological clock had already run out for a significant portion of the inventory.

Friday, 6:14 PM: WMS encryption payload fires. All automated systems go offline. The skeleton crew discovers the facility is paralysed.
Friday, 6:31 PM: Ransom demand received. Deadline set for Monday 8:00 AM, tied directly to spoilage projections for the highest-risk inventory.
Friday night to Saturday: 200+ refrigerated trucks sit idle. No cargo can be loaded. Cold chain distribution for thousands of retailers halts. A manual inventory audit is attempted, with no offline records to reference.
Saturday to Sunday: Incident response team mobilises and the forensic investigation begins. High-value short-life produce, including organic leafy greens and prepared foods, begins degrading.
Monday, 8:00 AM: Spoilage deadline passes. Estimated losses confirmed at approximately $100 million. Full damage assessment and supply chain disruption notifications begin.

Part III: The Forensic Root Cause

The "invisible door" — flat network topology

The post-incident investigation identified two architectural decisions that transformed an ordinary credential compromise into a nine-figure catastrophe.

The first was the absence of network segmentation. In industrial security, the principle of separating IT and OT environments has been a baseline recommendation for over a decade, encoded in frameworks from NIST SP 800-82 to the IEC 62443 series for industrial automation and control system security. In practice, many warehouses and distribution facilities were built and connected before OT cybersecurity was a mainstream operational concern. The WMS was integrated with the business network as a convenience, a way to link ERP data with warehouse automation, without adequate controls governing what an attacker could do with that connection.

A flat network means there are no enforced zones. A compromised laptop in an HR office can, in theory, query a cooling sensor in a freezer vault. An attacker with access to any single endpoint can scan the internal network and discover industrial control systems that were never designed to face adversarial traffic. This is what happened. The attacker moved from a contractor VPN session to the WMS database in a single lateral hop, because nothing was in the way.

The API trap — how vendor integrations become bridges

The second failure was structural. Modern warehouse automation depends on a dense ecosystem of third-party integrations: cold chain monitoring vendors, logistics API providers, ERP connectors, and maintenance platforms. Each integration creates an API endpoint, a door into the system that must be authenticated and monitored. In UNFI's case, the refrigeration maintenance contractor's remote access platform served as exactly this kind of bridge, a pathway that connected the corporate network to the OT environment for a legitimate operational purpose, but with insufficient controls around it.

API integrations are not inherently dangerous. The danger is in treating them as static, trusted connections that do not need ongoing review. Vendor access permissions are frequently never rotated or scoped down over time. A contractor who needed broad access during the initial installation of a system may still have that same access three years later, long after the need for it narrowed significantly.

The "Always-On" Trap

UNFI's facility had no offline mode. The automated cranes, inventory trackers, and climate zone controls were engineered to function only while connected to the central WMS database. When that connection was severed, there was no degraded-mode operation, no local data cache, and no paper-based fallback that staff could use to manually locate stock. The facility became, in effect, a room full of inaccessible and increasingly warm inventory, with no way to even identify which products to prioritise for rescue.

| Failure | Operational impact | Risk level | Fix complexity |
|---|---|---|---|
| No MFA on vendor VPN | Stolen credentials accepted without a second challenge; attackers entered as a trusted user. | Critical | Low (deploy now) |
| Flat network topology | No barrier between office IT and warehouse OT; one hop from contractor session to WMS. | Critical | Moderate (3 to 6 months) |
| WMS as single point of failure | One encrypted database paralysed all physical operations across the entire facility. | Critical | Moderate (redesign required) |
| No offline inventory record | Staff could not manually operate the facility; no map of stock locations existed outside the WMS. | High | Low (process change) |
| No independent temperature monitoring | Cold storage zone status unknown after the main network was compromised; no backup telemetry. | High | Low (OOB sensors) |
| Stale third-party API permissions | Contractor held broader access than the job required; scope was never reviewed or reduced. | High | Low (access review cycle) |

Part IV: How to Prevent the Meltdown

Zero-trust architecture for OT environments

The prevention framework comes down to one principle: never assume that because something is inside your network, it is trustworthy. Every device, every sensor, every automated system must verify its identity before it can send or receive commands. This is the Zero-Trust model applied to the OT world, and it is the single most impactful architectural change a logistics operator can make.

In practical terms for a cold storage facility, this means the following:

Micro-segmentation

Isolate Industrial Control Systems (ICS) and OT devices into their own network zone. A cooling unit should never share a network segment with the office printer. The WMS database should sit behind a dedicated firewall with an allowlist of specific systems permitted to query it.
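The "single lateral hop" in Part III and the allowlist prescribed here are two sides of one policy, and the policy can be written down and checked against real traffic before it is pushed to a firewall. The following is an added example, not code from the original article or from UNFI: a zone map, an explicit allowlist of permitted cross-zone flows, and an audit that runs the policy over constructed flow records. The zone CIDRs, ports, host roles and the six flow lines are assumptions made for illustration; in practice the same check runs over NetFlow or firewall exports, and the same allowlist is what the dedicated firewall enforces.

```python
"""Zone-based allowlist check for IT/OT traffic (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed zone map: one CIDR per zone.
ZONES = {
    "it_corp":      ipaddress.ip_network("10.10.0.0/16"),   # office IT
    "vendor_vpn":   ipaddress.ip_network("10.250.0.0/24"),  # contractor VPN pool
    "ot_wms":       ipaddress.ip_network("10.40.1.0/24"),   # WMS application and database
    "ot_refrig":    ipaddress.ip_network("10.40.2.0/24"),   # refrigeration controllers
    "ot_refrig_gw": ipaddress.ip_network("10.40.3.0/24"),   # vendor diagnostics jump host
}

# Allowlist of (src_zone, dst_zone, dst_port). Anything not listed is denied.
# This is the "dedicated firewall with an allowlist" the text calls for.
ALLOW = {
    ("it_corp",      "ot_wms",       8443),  # ERP -> WMS API only
    ("vendor_vpn",   "ot_refrig_gw", 443),   # contractor -> diagnostics jump host only
    ("ot_refrig_gw", "ot_refrig",    502),   # jump host -> Modbus/TCP on controllers
    ("ot_wms",       "ot_refrig",    502),   # WMS reads zone temperatures
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); 'deny' for anything not explicitly allowed."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "deny", f"unknown zone for {flow.src if s is None else flow.dst}"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d, flow.dport) in ALLOW:
        return "allow", f"{s}->{d}:{flow.dport} on allowlist"
    return "deny", f"{s}->{d}:{flow.dport} not on allowlist"


def parse_flow_line(line: str) -> Flow:
    """Constructed record format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Return the flows a segmented network would have blocked, with reasons."""
    blocked = []
    for line in lines:
        flow = parse_flow_line(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            blocked.append((flow, reason))
    return blocked


# Constructed flow records: the first three are legitimate traffic, the rest are
# the lateral hop from a contractor VPN session towards the WMS and a freezer.
SAMPLE_FLOWS = [
    "10.250.0.17 10.40.3.5 443",    # contractor -> diagnostics jump host (allowed)
    "10.40.3.5 10.40.2.20 502",     # jump host -> controller (allowed)
    "10.10.5.23 10.40.1.10 8443",   # ERP -> WMS API (allowed)
    "10.250.0.17 10.40.1.10 445",   # contractor -> WMS host, SMB (blocked)
    "10.250.0.17 10.40.1.11 1433",  # contractor -> WMS database (blocked)
    "10.10.77.4 10.40.2.20 502",    # HR laptop -> freezer controller (blocked)
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

On the flat network described in Part III every one of the six flows succeeds; under the allowlist the last three are refused, and the third of them is exactly the "HR laptop querying a freezer" case. Unknown addresses are denied rather than allowed, so a host plugged into an unmapped segment fails closed.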

Hardware security keys for all third-party vendors

SMS-based MFA is the bare minimum and the weakest form: codes can be intercepted by SIM swapping, or simply typed by the victim into a real-time phishing page that relays them to the genuine portal. FIDO2/WebAuthn hardware keys (such as YubiKeys) sign a challenge that is bound to the origin the browser is actually on, so a lookalike site cannot reuse the response; like any second factor they also defeat credential stuffing, because a stolen password alone never completes the login. Any vendor with remote access to OT-adjacent systems should be on hardware keys, full stop.
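Why the hardware key survives the relay and the SMS code does not comes down to one check on the server side. The following is an added example, not code from the original article or from any WebAuthn library: a toy relying party, a toy security key, and three login flows (a genuine key login, the same key behind a phishing proxy, and an SMS code behind the same proxy). The signature is a deliberate simplification (HMAC with a per-credential secret shared at registration, standing in for the authenticator's private key and the server's stored public key) so that it runs offline; the origin comparison that decides the outcome is the real WebAuthn rule. Both hostnames are invented.

```python
"""Phishing relay against an SMS code versus an origin-bound key (added example)."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://vpn.distributor.example"          # legitimate VPN portal (assumed)
PHISH_ORIGIN = "https://vpn.distributor-login.example"  # attacker's lookalike (assumed)


class SecurityKey:
    """Toy authenticator: one credential, signs what the browser hands it."""

    def __init__(self):
        self.cred_id = secrets.token_hex(8)
        self.secret = secrets.token_bytes(32)   # stands in for the private key

    def get_assertion(self, challenge, browser_origin):
        # The browser, not the web page, fills in 'origin' with the origin it is
        # actually displaying; a page cannot lie about it.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        )
        sig = hmac.new(self.secret, hashlib.sha256(client_data.encode()).digest(),
                       hashlib.sha256).digest()
        return self.cred_id, client_data, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.keys = {}          # cred_id -> verification secret (toy, see lead-in)
        self.challenges = set()
        self.sms_codes = {}     # user -> outstanding code

    # Hardware key path
    def register(self, key):
        self.keys[key.cred_id] = key.secret

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify_assertion(self, cred_id, client_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") not in self.challenges:
            return False                       # replayed or never issued
        if data.get("origin") != self.origin:
            return False                       # origin binding: relayed assertions die here
        secret = self.keys.get(cred_id)
        if secret is None:
            return False
        expected = hmac.new(secret, hashlib.sha256(client_data.encode()).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.challenges.discard(data["challenge"])
        return True

    # SMS path
    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code                            # what the phone receives

    def verify_sms_code(self, user, code):
        return hmac.compare_digest(self.sms_codes.pop(user, ""), code)


def legit_login_with_key():
    rp, key = RelyingParty(RP_ORIGIN), SecurityKey()
    rp.register(key)
    return rp.verify_assertion(*key.get_assertion(rp.new_challenge(), RP_ORIGIN))


def relay_attack_on_key():
    """Attacker proxies the real login flow through a lookalike site."""
    rp, key = RelyingParty(RP_ORIGIN), SecurityKey()
    rp.register(key)
    challenge = rp.new_challenge()             # attacker starts a login, gets a real challenge
    assertion = key.get_assertion(challenge, PHISH_ORIGIN)  # victim's browser is on PHISH_ORIGIN
    return rp.verify_assertion(*assertion)     # relayed to the real portal: rejected


def relay_attack_on_sms():
    """Same proxy, but the second factor is a code the victim types in."""
    rp = RelyingParty(RP_ORIGIN)
    code_on_phone = rp.send_sms_code("contractor")
    typed_into_phish_page = code_on_phone       # victim hands the code to the attacker
    return rp.verify_sms_code("contractor", typed_into_phish_page)  # accepted


if __name__ == "__main__":
    print("genuine key login     :", legit_login_with_key())   # True
    print("relayed key assertion :", relay_attack_on_key())    # False
    print("relayed SMS code      :", relay_attack_on_sms())    # True
```

In a real browser the relay fails even earlier, because the credential's relying-party ID does not match the phishing origin and the browser refuses to use it at all; the signed origin shown here is the second line of defence. The SMS path has neither: the server cannot tell whether the six digits came from the phone's owner or from the page that tricked the owner into typing them.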

Out-of-band (OOB) temperature monitoring

Deploy independent, battery-powered temperature sensors that report data over a cellular network entirely separate from the facility's primary Wi-Fi and wired infrastructure. This ensures that even if the entire internal network is held for ransom, operations managers can still see the real-time thermal status of every cold zone and make triage decisions.

Quarterly vendor access reviews

Every third-party integration and remote access credential should be reviewed on a fixed schedule. Scope permissions down to exactly what is currently needed. Revoke anything that is no longer in use, and disable accounts that have not logged in during the review window. This is not glamorous security work, but it is the category of control that would have cut the path the UNFI attackers took from a maintenance account to the WMS.
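A review of this kind is a comparison of what each account holds against what it actually used, plus a check that anything touching OT is behind the right factor. The following is an added example, not QueryTel's or UNFI's code: it takes a constructed list of accounts (grants and enrolled MFA methods), a constructed access log, and a fixed review date, and emits the findings a reviewer would act on. Group names, the 90-day window, the account names and every log line are assumptions; in practice the inputs come from the identity provider's export and the VPN or jump-host logs.

```python
"""Quarterly vendor access review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

REVIEW_WINDOW = timedelta(days=90)
OT_ADJACENT = {"ot-refrig-gw", "wms-db-read", "wms-admin"}   # constructed group names
PHISHING_RESISTANT = {"fido2"}                                  # SMS and TOTP are not


@dataclass
class Account:
    name: str
    owner_type: str          # "employee" or "vendor"
    grants: set              # entitlements the account holds
    mfa_methods: set         # e.g. {"sms"}, {"fido2"}; empty means not enrolled


@dataclass
class AccessEvent:
    when: datetime
    account: str
    grant_used: str          # which entitlement the session exercised


def review(accounts, events, now):
    """Return (account, severity, action) findings for the review window."""
    cutoff = now - REVIEW_WINDOW
    exercised = {}           # account -> grants actually used inside the window
    for e in events:
        if e.when >= cutoff:
            exercised.setdefault(e.account, set()).add(e.grant_used)

    findings = []
    for a in accounts:
        ot_grants = a.grants & OT_ADJACENT
        if ot_grants and not a.mfa_methods:
            findings.append((a.name, "critical",
                             "no MFA on account with OT-adjacent access: block until enrolled"))
        elif ot_grants and not (a.mfa_methods & PHISHING_RESISTANT):
            findings.append((a.name, "high",
                             "OT-adjacent access without phishing-resistant MFA: move to hardware key"))

        if a.name not in exercised:
            sev = "high" if a.owner_type == "vendor" else "medium"
            findings.append((a.name, sev, "dormant: no login in review window: disable account"))
            continue                       # per-grant review is moot once the account is disabled

        for g in sorted(a.grants - exercised[a.name]):
            findings.append((a.name, "medium", f"grant '{g}' never exercised in window: revoke"))
    return findings


# Constructed review date and data.
NOW = datetime(2025, 6, 6, 9, 0)
ACCOUNTS = [
    # Refrigeration contractor: still holds read access to the WMS database from an
    # old integration project, logs in about twice a month, never enrolled in MFA.
    Account("acme-refrig-svc", "vendor", {"vpn", "ot-refrig-gw", "wms-db-read"}, set()),
    # Installer from a finished HVAC project: SMS MFA, no login for months.
    Account("hvac-installer", "vendor", {"vpn", "ot-refrig-gw"}, {"sms"}),
    # In-house warehouse engineer on a hardware key, uses everything granted.
    Account("jdoe", "employee", {"vpn", "wms-admin"}, {"fido2"}),
]
EVENTS = [
    AccessEvent(datetime(2025, 5, 20, 14, 5), "acme-refrig-svc", "vpn"),
    AccessEvent(datetime(2025, 5, 20, 14, 6), "acme-refrig-svc", "ot-refrig-gw"),
    AccessEvent(datetime(2025, 6, 3, 10, 40), "acme-refrig-svc", "vpn"),
    AccessEvent(datetime(2025, 6, 3, 10, 41), "acme-refrig-svc", "ot-refrig-gw"),
    AccessEvent(datetime(2024, 11, 2, 9, 0), "hvac-installer", "vpn"),   # outside the window
    AccessEvent(datetime(2025, 6, 5, 8, 0), "jdoe", "vpn"),
    AccessEvent(datetime(2025, 6, 5, 8, 1), "jdoe", "wms-admin"),
]

if __name__ == "__main__":
    for name, severity, action in review(ACCOUNTS, EVENTS, NOW):
        print(f"[{severity:8}] {name}: {action}")
```

The contractor account in the constructed data is the UNFI pattern: OT-adjacent access, no MFA, and a database grant nobody has used in the window. Note that the dormant check uses the access log rather than the account's own "last login" attribute, so an account whose only activity was an attacker's still shows as exercised; that is why the MFA finding is evaluated first and independently.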

The "Cold Copy" protocol

Every distribution facility should maintain a daily physical printout or an offline-accessible file of the full inventory map, including pallet locations, temperature zone assignments, and dispatch schedules. This document should be stored physically, not on any networked system. It is the operational equivalent of a fire exit plan: you hope you never need it, but the day you do, it is the only thing standing between you and a total loss.

Part V: The Emergency Manual

What to do when the spoiling clock starts ticking

If a breach is confirmed and WMS systems go dark, the response must be physical and immediate, not just digital. Waiting for IT to resolve the issue while inventory degrades is not a strategy. The following is the "Isolate and Ventilate" protocol that every cold chain operator should have drilled before an incident occurs.

Step 1 — Sever the bridge immediately

Physically disconnect the OT network from the IT network. Do not wait for a full diagnosis. It is better to lose automation and revert to manual operations than to allow malware to propagate further into HVAC set-points, cooling unit controllers, or backup power systems. Cut the connection, then assess. This only works if the bridge has been identified in advance: know which links carry IT-to-OT traffic and how each controller and door behaves when it loses its upstream connection (the reconstruction above has zone doors defaulting to closed), and rehearse the disconnect during drills rather than discovering it during the incident.

Step 2 — Activate the Cold Copy

Retrieve the offline inventory map immediately. This document is the only reason manual operations are possible. Without it, staff have no way to locate high-value or high-risk stock. Assign teams to physically verify the location of all short-life inventory using the Cold Copy as their reference.

Step 3 — Prioritise "short-life" assets

Use the inventory map to identify products with the lowest thermal mass and shortest viable window: leafy greens, prepared foods, fresh dairy, and similar categories. Move these to refrigerated trucks first, using the trucks as mobile storage units while the facility is being recovered. Frozen goods in sealed zones can typically survive 48 to 72 hours without active cooling and should be deprioritised.

Step 4 — Use OOB sensors to triage cold zones

If out-of-band temperature sensors are in place, use their data to identify which cold zones are still holding temperature and which are degrading. Do not rely on the main WMS or any networked monitoring system during an active incident. The cellular-linked sensors are your ground truth.

Step 5 — Do not negotiate under time pressure

The ransom deadline in the UNFI case was specifically engineered to force a panicked decision before the full incident response team was operational. Once you have executed the physical triage steps above, the biological urgency is partially neutralised. Make the decision to negotiate or not from a position of operational stability, not panic. Paying the ransom does not guarantee decryption, does not remove the attacker from the network, and does not prevent a second attack.
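With a Cold Copy and out-of-band readings in hand, Steps 2 to 4 become a calculation rather than a guess. The following is an added example, not code from the original article or from UNFI: it parses a constructed Cold Copy, fits a warming rate per zone from constructed cellular sensor readings, estimates how many hours each zone has before it leaves its range, and orders pallets for loading onto trucks so that the shortest-life stock in the zones that are degrading goes first and sealed frozen zones go last. Zone names, zone limits and the per-category grace hours are assumptions; the grace hours take the low end of the article's own ranges (24 to 48 hours for leafy greens, 48 to 72 hours for sealed frozen goods) so the plan errs towards moving product early.

```python
"""Manual triage from the Cold Copy plus OOB sensor data (added example, constructed data)."""
import csv
import io
import math
from collections import defaultdict

# Constructed Cold Copy: the offline inventory map the article describes.
COLD_COPY_CSV = """pallet_id,zone,category
P-1001,CHILL-A,leafy_greens
P-1002,CHILL-A,dairy
P-1003,CHILL-B,prepared_foods
P-1004,CHILL-B,leafy_greens
P-2001,FRZ-1,frozen
P-2002,FRZ-1,frozen
"""

# Constructed OOB sensor log: (zone, hours since incident start, temperature in C).
OOB_READINGS = [
    ("CHILL-A", 0.0, 2.0),   ("CHILL-A", 1.0, 2.0),   ("CHILL-A", 2.0, 2.0),    # holding
    ("CHILL-B", 0.0, 1.0),   ("CHILL-B", 1.0, 2.0),   ("CHILL-B", 2.0, 3.0),    # warming 1 C/h
    ("FRZ-1",   0.0, -20.0), ("FRZ-1",   1.0, -19.5), ("FRZ-1",   2.0, -19.0),  # warming 0.5 C/h
]

# Temperature above which a zone is out of range (constructed).
ZONE_LIMIT_C = {"CHILL-A": 4.0, "CHILL-B": 4.0, "FRZ-1": -15.0}

# Hours a category survives once its zone is out of range (constructed; low end
# of the article's ranges).
GRACE_HOURS = {"leafy_greens": 24, "prepared_foods": 24, "dairy": 36, "frozen": 48}


def parse_cold_copy(text):
    """Rows of the offline inventory map as dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _slope(points):
    """Least-squares warming rate in C per hour for (hour, temp) pairs."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    if sxx == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in points) / sxx


def zone_status(readings, limits):
    """Per zone: (rate in C/h, latest temp, hours until the limit is crossed)."""
    by_zone = defaultdict(list)
    for zone, hour, temp in readings:
        by_zone[zone].append((hour, temp))
    status = {}
    for zone, pts in by_zone.items():
        pts.sort()
        rate, latest, limit = _slope(pts), pts[-1][1], limits[zone]
        if latest >= limit:
            hours = 0.0                 # already out of range
        elif rate <= 0:
            hours = math.inf            # holding or cooling: not on the clock
        else:
            hours = (limit - latest) / rate
        status[zone] = (rate, latest, hours)
    return status


def rank_pallets(pallets, status):
    """Order pallets for relocation to trucks: soonest-to-spoil first."""
    ranked = []
    for p in pallets:
        # A zone with no OOB data is treated as already failed (conservative).
        hours_zone = status.get(p["zone"], (0.0, None, 0.0))[2]
        grace = GRACE_HOURS[p["category"]]
        ranked.append((hours_zone + grace, grace, p["pallet_id"], p["zone"], p["category"]))
    ranked.sort()
    return [(pid, zone, cat, urgency) for urgency, _, pid, zone, cat in ranked]


if __name__ == "__main__":
    status = zone_status(OOB_READINGS, ZONE_LIMIT_C)
    for zone, (rate, latest, hours) in sorted(status.items()):
        print(f"{zone}: {latest:+.1f} C, {rate:+.2f} C/h, {hours:.1f} h to limit")
    for pid, zone, cat, urgency in rank_pallets(parse_cold_copy(COLD_COPY_CSV), status):
        print(f"load {pid} ({cat} in {zone}), spoils in about {urgency:.0f} h")
```

With the constructed data the plan is: empty CHILL-B first (one hour to limit, 24-hour products), then the freezer (eight hours to limit but 48 hours of grace once there), and leave CHILL-A alone while it holds, which matches Steps 3 and 4. Readings should be refitted as new OOB samples arrive; a zone that was holding can start climbing when a compressor trips, and a three-point fit reacts to that within the next sample.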

The Takeaway

The UNFI breach is a definitive case study in the convergence of cyber and physical risk. The attackers did not need a sophisticated exploit. They needed one unprotected credential, one flat network, and one facility with no manual fallback. The result was a $100 million spoilage event that disrupted supply to thousands of retailers and demonstrated, in the clearest possible terms, that cold chain infrastructure is now critical infrastructure.

The controls that would have prevented it are not exotic. MFA on vendor accounts. Network segmentation. An offline inventory record. Independent temperature sensors. A practiced emergency protocol. These are not advanced security measures. They are table stakes for any organisation where a digital breach can become a biological countdown.

The question for every logistics operator is not whether an attack like this is possible against your facility. It is whether your network looks more like UNFI's did before the breach, or after.

About QueryTel

QueryTel provides managed security and technology advisory services to enterprises across North America. This article was produced by the QueryTel Security Intelligence team. For inquiries regarding OT security assessments, vendor access reviews, or cold chain resilience consulting, contact the QueryTel advisory desk.

Sources: UNFI post-incident forensic report (June 2025); Verizon Data Breach Investigations Report 2024; NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security; IEC 62443 series, Security for industrial automation and control systems.


Last updated: June 2025

Article ID: KB-OT-002