Ever had one of those Snickers “Wanna get away?” moments?
Wade Anderson, Chief Information Officer for Eagan, Minnesota-based multi-modal hauler Bay and Bay Transportation did. And it was only his fourth day on the job.
July 12, 2018, is a day Anderson is unlikely to forget. It was that afternoon that an offshoot of the infamous SamSam ransomware ransacked the company’s entire IT infrastructure, encrypting all essential files across the carrier’s 80 servers, and the hacker was demanding Bitcoin to release them.
“I had a 30-, 60- and 90-day plan for what I wanted to do, and a security review was in the 30-day plan,” Anderson said, “not the third day plan.”
Anderson and his team were able to cobble together a plan. Bay and Bay’s cloud-based logistics systems were not impacted. They were able to restore some files and emails from backups and were working toward bringing the transportation management system back online when it all came to a grinding halt.
“I had a 30-, 60- and 90-day plan for what I wanted to do and a security review was in the 30-day plan, not the third day plan.” —Wade Anderson, Chief Information Officer, Bay and Bay Transportation
“[The hacker] came back into the network and saw that we were working on restoration,” Anderson said, noting the attacker stopped the restoration process before deleting the backups, undoing about five hours of recovery work in mere seconds.
Exhausted and out of options, Bay and Bay paid the ransom in exchange for the decryption keys. The team – which now included various security experts, acquittances of Anderson’s, third party providers, Bay and Bay's insurance company and the FBI – spent the next 36 hours bringing 95% of the systems and data back online.
“Decrypting takes a lot more time than encrypting,” he joked.
Following the three-day ordeal, Anderson said the only data lost were recent emails and two old servers. The company later discovered that none of its data ever left its network. The hacker held the information hostage but never did anything with it, and customer information was never exposed.
The FBI found the culprits were two groups of cyber criminals that teamed up to install and execute the breach about 12 hours before unleashing it, exploiting an open firewall port.
The hackers were eventually identified and indicted but there was little satisfaction in that for Anderson and his team. Two Iranian citizens were charged in the case but extradition from Iran to the U.S. is nearly impossible, making it unlikely the attackers will ever be held accountable.
A high percentage of malware, ransomware and other types of cyberattacks against businesses – including motor carriers – stems from someone inside the organization clicking a link they shouldn’t have, without any intention of potentially crippling a company’s ability to perform daily operations.
While ultimately not the culprit in the Bay and Bay attack, Anderson and his team initially thought the company was the victim of a phishing email campaign on an unsuspecting employee.
“For the first several hours we thought it was a user entry; that someone clicked a phishing link in an email,” he said. “It sounded plausible.”
Drivers, training and cyber security
During the interview process for its Best Fleets to Drive For, CarriersEdge Co-Founder Jane Jazrawy said the company asked carriers about their cybersecurity efforts at the request of the one company’s insurance partners. More than 75% of respondents to the survey said they had systems in place to protect against a cyber attack and offered some degree of training to employees, but rarely was that training extended to the company’s drivers.
“Many of [the carriers] told us that they didn’t provide anything for drivers – no training, no extra security measures at all,” she said. “Some fleets told us that because drivers use tablets, it’s not necessary because tablets have built-in protection. Fleets said they tend to focus on office staff when they put in additional protections or provide training. In their view, drivers aren’t a risk because don’t have corporate email addresses or access to internal networks.”
In reality, drivers carry significant exposure to a phishing attack by mixing work and personal computing on smartphones or tablets, while also accessing email, loadboards and other internal networks.
“From their cab … they’re into your firewall, and they’re accessing external websites on their device,” said Chris Wolfe, CEO of asset tracking provider PowerFleet. “Educating your employees – that’s No. 1. You need to educate them about phishing attacks and tell them not to download things from the Internet, especially on company computers.”
Jazrawy agreed, adding that all the devices drivers use provide a potential portal directly into a carrier's IT systems.
"Drivers use free email systems, browsing websites and social networks that hackers frequently target,” she said. “Drivers may unknowingly be passing viruses to the office staff through text or email, so it would make sense to at least include them in training. It’s a gap waiting to be exploited.”
"Drivers may unknowingly be passing viruses to the office staff through text or email, so it would make sense to at least include them in training." —CarriersEdge Co-Founder Jane Jazrawy
The brief assumption that a clicked email link was the root of Bay and Bay’s problem is what allowed the hacker to return to the system once restoration was underway, as the original firewall access point was still open.
“We were just so focused on getting everything back up and running,” Anderson said, “but the first thing you should do is always check the perimeter. Set up your blocking and tackling from your firewall – at your perimeter.”
Since drivers are on the road, their perimeter can look different than office staff. Kevin Linardic, chief technology officer for LTL and final mile TMS provider Carrier Logistics, noted that drivers who connect to public WiFi should always do so via virtual private network (VPN), which enables users to send and receive encrypted data across shared or public networks.
Leonard’s Express, a 500-truck fleet based in Farmington, New York, experienced a phishing attack in June 2017 after one of its employees clicked a phishing link in an email.
“When a user initiates something, they’re already in,” said Chris DeMillo, the company’s head of information systems. “You’ve got this protection suite…once a pinhole is exposed and open into your environment, it just floods,” he said. “I was amazed at how fast [malware] can run rampant across your network. It was mind blowing and scary.”
The fleet was able to fight off the attack after three days, with little impact on its operations and finances, but the company was “on pen and paper” during that time, said DeMillo.
Though there are always steps fleets can take to bolster their IT infrastructure to better protect themselves, much of cybersecurity protection starts with educating your workforce. And that’s the biggest area that Leonard’s concentrated on in the wake of its exposure. “Education, education, education, training – and then re-education,” said Mike Riccio, the company’s chief marketing officer.
As the industry has grown more complex and digitally connected, “there are so many entry points,” said Riccio, in the modern environment for hackers to break into a fleet’s network. “It requires constant vigilance,” he said. “You have to continue to educate your employees.”
“We thought we had sufficient protection,” said DeMillo. “We learned a lot of hard lessons, but good, valuable lessons. We realized the importance of investment.”