In case they needed one, the transportation and logistics industry got a reminder — in the form of the ransomware attack on Colonial Pipeline — of the kind of havoc hackers can wreak on businesses and their customers. The shutdown of a vital supplier of the diesel that keeps trucks moving could just as easily have happened to a major truckload carrier or any other company in the supply chain.

And chances are a catastrophic attack will hit the industry — again. In 2020, the big ones struck Forward Air (NASDAQ:FWRD) and CMA CGM, causing widespread disruption to their complex operations. Meanwhile smaller companies keep getting hit on a regular basis.

“The trucking and logistics industry is an attractive target because many of its customers are expecting deliveries,” Jérôme Segura, director of threat intelligence at Malwarebytes, told FreightWaves in an email.

Ransomware attacks have been around for years. They involve malware that infiltrates a system or systems and then encrypts data. The attackers then demand a sum of money — usually in the form of bitcoin — to unlock the data.

While these attacks were at first small in scale and primarily affected individual computer users, they have since become the mainstay of a billion-dollar industry that targets businesses including major multinational corporations, schools, government agencies and even hospitals. Increasingly, the hackers also steal data.

Ransomware gangs claim new victims in trucking regularly

There isn’t hard data on how often ransomware attacks occur in trucking and logistics because most simply go unreported. Often their disclosure comes after the criminal groups responsible post sensitive stolen data to the dark web in a bid to shame victims into paying. 

Recent examples include Pennsylvania-based Greatwide Truckload Management, Canadian carrier Boutin Express and Germany’s Seifert Logistics Group. None of the companies responded to FreightWaves’ request for comment. Seifert, one of the largest logistics providers in Germany, appears to have been hit twice in less than a year.

And then there are the attacks in the larger ecosystem of suppliers and customers. Recently trailer maker Utility Trailer Manufacturing took a hit. Earlier in the spring, electronic-data interchange provider Faxinating Solutions fell victim to an attack.  

“They will continue to occur, and even with all the focus that’s being put on cybersecurity and hardening your systems,” said Russ Felker, chief technology officer of GlobalTranz, a U.S.-based third-party logistics provider that works with over 50,000 partner carriers in North America.

The manager of a small U.S. trucking company recounts the harrowing experience of a ransomware attack and the troubling breach of its transportation management system.

— FreightWaves (@FreightWaves) February 23, 2021

That isn’t because the attacks are so sophisticated or impervious to most cybersecurity measures. The problem, according to Felker, stems from security measures failing to keep pace with the rapid adoption of technology.

Before Felker joined GlobalTranz as CTO in 2019, he advised private equity firms on potential acquisitions and investments involving tech companies. As part of that, he vetted companies’ cybersecurity preparedness. The most common problem, Felker said, stemmed from companies not understanding how systems interact with one another, and the security vulnerabilities they create. 

“There’s still so much happening in transportation, around digital transformation and introduction of different types of digital communications between companies,” Felker said. “Every digital transformation a company puts in place is a potential security incident.”

‘Many attacks can be prevented or at least minimized’

Ransomware attacks vary in sophistication, but they generally succeed through the hackers’ ability to leverage foreseeable, and sometimes glaringly obvious, security vulnerabilities, according to cybersecurity experts. 

“Many attacks can be prevented or at least minimized by implementing security best practices. But the day-to-day reality is that many organizations are not prepared and are not doing enough,” Segura said.

The initial entry point could be a phishing email carrying a malicious attachment or a link to malware, or an unpatched vulnerability in an aging piece of software, among other routes. A more sophisticated type of cyberattack, a supply-chain attack, gains access through a trusted third party, such as a software provider.

Hackers often linger in systems for weeks or even months before actually deploying ransomware. That dwell time gives them room to map the network, disable internal security and steal data. Having adequate security to prevent and mitigate these attacks can be complicated and requires multilayered defenses, so that a single compromised machine or account does not bring down the whole company network.
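The pre-deployment phase described above is where defenders get their best chance to catch an intrusion before data is encrypted. As an added example, not code from FreightWaves or from any of the companies or vendors quoted in this article, the Python script below scans process-creation log lines for well-known precursor activity (shadow copy and backup catalog deletion, recovery disabled, Defender real-time protection switched off, cloud-sync tools used to stage data) and only escalates a host when several distinct phases show up inside one time window. The log format, hostnames, usernames and command lines are constructed for the example; nothing in them is taken from the incidents reported above.

```python
"""Flag ransomware precursor activity in process-creation logs.

Added example (not FreightWaves' or any vendor's code). The log format,
hostnames, users and command lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (name, phase, regex over the command line). These are the
# steps that tend to precede encryption: backups are destroyed, defences are
# switched off and data is staged for exfiltration while the payload waits.
RULES = [
    ("shadow_copy_deletion", "impact_prep",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", "impact_prep",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", "impact_prep",
     re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
    ("defender_realtime_off", "defense_evasion",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("security_service_stopped", "defense_evasion",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+\S*(windefend|sense)\S*", re.I)),
    ("cloud_sync_exfil_tool", "exfiltration",
     re.compile(r"\b(rclone|megasync|megacmd)(\.exe)?\b", re.I)),
]

# Constructed line format: "<ISO timestamp> host=<name> user=<name> cmd=<cmdline>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return (timestamp, host, user, cmdline) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["cmd"])


def scan(lines):
    """Return one (timestamp, host, user, rule, phase) tuple per rule hit."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable telemetry is skipped, not guessed at
        ts, host, user, cmd = parsed
        for name, phase, rx in RULES:
            if rx.search(cmd):
                hits.append((ts, host, user, name, phase))
    return hits


def correlate(hits, window=timedelta(hours=24), min_phases=2):
    """Escalate hosts where several distinct phases occur inside the window.

    A lone shadow-copy deletion may be an administrator freeing disk space;
    defence evasion plus backup destruction plus staging on one host within a
    day is the pattern that precedes a ransomware detonation.
    """
    by_host = defaultdict(list)
    for ts, host, _user, name, phase in hits:
        by_host[host].append((ts, name, phase))
    escalated = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _name, _phase) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            if len({e[2] for e in in_window}) >= min_phases:
                escalated[host] = sorted({e[1] for e in in_window})
                break
    return escalated


# Constructed sample log, not real telemetry. DISPATCH-07 shows a full
# precursor chain; FILESRV-02 shows a single, plausibly benign admin action.
SAMPLE_LOG = [
    "2021-05-10T02:14:07 host=DISPATCH-07 user=svc_backup cmd=wbadmin delete catalog -quiet",
    "2021-05-10T02:15:41 host=DISPATCH-07 user=svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-05-10T02:16:03 host=DISPATCH-07 user=svc_backup cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-05-10T02:20:55 host=DISPATCH-07 user=svc_backup cmd=rclone.exe copy D:\\loads mega:staging",
    "2021-05-10T09:02:10 host=TMS-APP-01 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\rates.txt",
    "2021-05-10T11:30:00 host=FILESRV-02 user=admin cmd=vssadmin delete shadows /for=E: /oldest",
    "this line is garbage and should be skipped",
]


def report(lines=SAMPLE_LOG):
    """Run the scan and correlation over a list of log lines."""
    return correlate(scan(lines))


if __name__ == "__main__":
    for host, rules in report().items():
        print(f"{host}: {', '.join(rules)}")
```

Run stand-alone, the script escalates only DISPATCH-07, where backup destruction, defence evasion and staging all land within minutes of each other; the single shadow-copy deletion on FILESRV-02 stays a low-severity hit. In a real environment the same logic would run over EDR or Sysmon process-creation events rather than a flat text file, and the window and phase threshold would be tuned to the organisation's normal administrative activity.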

The Colonial ransomware attack wasn’t that sophisticated, expert says

The DarkSide ransomware gang’s attack on Colonial, despite the incredible disruption it caused to the U.S. fuel supply, wasn’t particularly sophisticated, said Brett Callow, a threat analyst at cybersecurity software firm Emsisoft.

“It didn’t take a complex supply chain attack by a sophisticated adversary to (almost) bring the U.S. to its knees; it just took a vanilla ransomware attack by a vanilla cybercrime gang who headed for the hills when they realized the seriousness of the attack,” Callow said.

DarkSide purportedly disbanded in the aftermath of the Colonial attack, having secured a ransom of over $4 million but also finding itself in the crosshairs of the U.S. government, including the FBI and President Joe Biden himself.

As astonishing as the pipeline shutdown was, Callow noted it was “shocking” something like it hadn’t happened sooner.

More FreightWaves articles by Nate Tabak

Related coverage

Ransomware gang blamed for Colonial Pipeline attack expresses regret
Inside a ransomware attack on a small trucking company
When ransomware attacks hit, companies choose between pay and pain