You've been hacked: Top 5 signs and what trucking CIOs do next

6 computer monitors displaying pixel graphics
Trimble Transportation uses sophisticated programs that instantly identify changes in network behaviors.
Trimble Transportation

Editor's note: This is the first of a two-part series on mitigating the risks of cyberattacks. Today's installment covers what fleets should do when they spot the indicators of compromise. Part 2 will explore preventative strategies.

Cyberattacks are costing transportation companies millions and thrusting some into national headlines. In the past year,  Manitoulin Transport (July 2020), TFI International (August 2020), and Forward Air (December 2020) are a few prominent companies that have been victimized.

Rebuilding a reputation after such events is not an easy road, notes Dave Brajkovich, chief technology officer of Polaris Transport, a less-than-truckload carrier based in Toronto with a fleet of more than 120 trucks. “It always sticks to people’s minds that you have been breached.” 

Like many carriers, Polaris has invested heavily in technology to protect itself from the ever-evolving threat landscape. Yet the types of breaches happening today are what Cory Staheli, chief information officer of Trans-System (CCJ Top 250, No. 100), calls “silent killers.” Perpetrators seldom allow their targets to be ready or proactive to mitigate risk.

[Related: Cyberattacks in trucking could have doubled in 2020]

“The attacks today are so sophisticated they are becoming too difficult to spot, if not already impossible,” Staheli said. Trans-System is based in Cheney, Wash., and operates more than 1,050 power units in flatbed, refrigerated, dry and liquid bulk operations.

Transportation companies take 192 days, on average, to detect a breach and another 60 days to contain it, according to an IBM report

Because cyberattacks may go unnoticed for an extended period, when these 5 signs do appear it may be too late. Even so, some critical first steps can prevent a bad situation from getting worse.

1.    You have a software vendor get attacked
Last Spring, Texas-based SolarWinds made a routine software update available to its customers. Russia’s foreign intelligence service, SVR, trojanized the update and used it as a vehicle to launch a massive cyberattack against America.

System hacked alertMost cyberattacks enter computer networks through web traffic.The attack had far-reaching impacts for SolarWind’s 1,800 customers that included U.S. government agencies. The ripple effects were also felt in the transportation industry.

Mesilla Valley Transportation does not use SolarWinds and so Mike Kelley, chief information officer, initially had no reason to believe the Las Cruces, N.M.-based fleet (CCJ Top 250, No. 74) was affected until he received an urgent email notification from Mimecast, a software vendor that MVT uses for email security.

Mimecast is a customer of SolarWinds. Kelley quickly followed the steps outlined by Mimecast to secure its account.

This experience was a wake-up call for how quickly and furtively cyberattacks spread. Most cyberattacks enter computer networks through web traffic, and the only way companies detect these attacks in the early stages is by monitoring all web traffic to find if DNS queries are being made to a specific set of DNS servers from hostile actors, Kelley explains.

This is a daunting task that is nearly impossible to do without advanced software and professional services, said Kelley. He compares doing it alone to finding a specific type of bent needle in a stack of needles.

When software vendors release patches, or updates, this could also be a warning sign that a “zero day” threat has been discovered. A zero-day threat is a new virus or malware for which antivirus software signatures are not yet available to detect.

About one month ago, Brett Corlett, systems engineer for Superior, Wis.-based Halvor Lines (CCJ Top 250, No. 168), a dry van and flatbed carrier with more than 600 drivers, discovered a vulnerability in the company’s email server. This became obvious after the vendor had a new patch to  download.

Halvor Lines had rules in its firewall that prevented an attacker from moving laterally and gaining access to other systems. “We were able to head that off,” he said.

When an attacker gains access to an email server, they typically will start running code against other Internet-facing servers to download viruses and payloads, he explains.

First steps: Kelley, Corlett and other IT executives interviewed by CCJ advise to act quickly if a software vendor is compromised or releases a security patch. Follow the vendor’s instructions; disable access to the software from outside; clean and patch server(s); and scan other PCs and servers to make sure the attack has not moved laterally.

2.     You notice a degradation in system performance
If you hear grumblings from an employee, or group of employees, about a software system that is running slow or having issues connecting to a particular website or application, “dive into it,” Corbett said.

Man typing on keyboard sitting in front of 2 monitorsA slow-running computer system is a sign you’ve already been compromised, but it’s never too late to stop a cyberattack from spreading.This is a sign you’ve been compromised, and it may not be too late to stop the cyberattack from spreading.

Instances of viruses and malware getting into systems and slowing them down have increased during the COVID-19 pandemic with employees working from home, said Chris Sandberg, vice president of information security and application architecture for Trimble Transportation.

Employees that work in an office are generally less exposed to cyber threats than remote workers. When using a personal computer at home, workers are more susceptible to web traffic or using applications they normally wouldn't have in a corporate environment, he said.

If employees notice performance issues with a cloud-based software system, such as an ELD, the vendor should be notified.

Trimble Transportation uses sophisticated programs that instantly identify changes in network behaviors. Instances of ELD and fleet mobility systems being compromised are extremely rare, he said. If a change is detected, Trimble has “instant response shooters” to lock down the production environment of infected customers until it fixes the problem and gets them back online, which usually happens in a matter of minutes, he said.

First steps: If you detect a downgrade in system performance, immediately take the system offline and off the company’s network. If a user account is also compromised, disable that account and take it off the network until the problem is resolved.

3.     Someone clicks on a suspicious email
Cybercriminals do not always target a big payday. Some will try to get in the middle of transactions between fleets and their customers and suppliers. 

Man with arms crossed in front of parked semi trucksMike Kelley, CIO of Mesilla Valley Transportation recommends not reprimanding employees if they fall victim to a phishing attack. This may cause them to not report future instances.About three years ago, an employee in MVT’s accounting department came to Kelley. The employee had a customer on the phone who received emails from the MVT employee. The emails asked the customer to change the bank information the customer had been using to send electronic payments.

Kelley looked at the emails the customer had received. They did not appear spoofed. This led him to conclude that at some point the customer had been victimized by a phishing attack. The user must have clicked on a link and entered a username and password, which the hacker used to begin intercepting emails.

“Luckily, the customer called,” Kelley said. The issue was resolved by having the customer change the email password to kick the hacker out of the user’s account.

Phishing attacks in business emails are the easiest entry point for hackers, Kelley explained, but they are also the easiest to defend against when employees are trained, aware and constantly vigilant. Kelley recommends that companies not reprimand employees that fall victim to a phishing attack as this may cause them to not report future instances.

Several years ago, an accounting employee at Tradewinds, a Hoosier, Ind.-based fleet that operates 75 trucks, received a fake phishing email that looked convincing. The employee clicked a link and unknowingly entered an email and password into a fake website. The hacker was able to use the password to gain access to the company’s online banking website and immediately transferred $10,000 and disappeared before the user was aware.

[Related: Watch--how to avoid a cyberattack]

Benjamin Ramsay, vice president of technology at Tradewinds, said the most obvious sign that a user has been victimized by a phishing attack is that a large number of “Undeliverable” messages show up in their inbox.

“This happens when the hacker sends spam to an invalid email address, and the email system sends back an ‘Undeliverable’ error,” he said.

Many cloud-based email systems like Office 365 will quickly alert the IT administrator when it appears that an account has been hacked and is sending out spam. However, this indicator appears to be less reliable over the last year or two, said Barry Lance, network administrator of AIM Transportation Solutions.

“It seems attackers have adjusted by slowing down their attacks to avoid being caught by this type of monitoring,” he said. Girard, Ohio-based AIM (CCJ Top 250, No. 152) operates a full-service equipment leasing business with more than 12,000 power units and dedicated fleets for shipper customers.

Lance recommends setting alerts for when a new mailbox rule is created or an existing rule is modified, such as when an external email forwarding rule is created by any email client. Also, set an alert for any attempts by an email to spoof the name of anyone in ownership or senior management positions.

First steps: At the first sign of a phishing attack, Lance recommends locking the affected user account access on premise and in the cloud as well as terminating existing login sessions. Passwords should be immediately changed, and if the user account was not configured for multi-factor authentication, enable it at this time.

4.     You identify suspicious network activity
Cybercriminals are harnessing the power of artificial intelligence (AI) to exploit vulnerabilities on a massive scale. This level of sophistication makes it harder for transportation companies to prevent and identify breaches, said Cory Staheli with Trans-System. 

Cory Staheli“The attack landscape has evolved so much that I do not believe in relying on humans to ‘tell’ if a system has been breached or victimized by a cyberattack,” said Cory Staheli, CIO of Trans-System.A few years ago, Trans-System purchased a product that monitors for suspicious behavior on servers, PCs, and file systems. The software has the capability to warn and, if configured, stop a compromise until an administrator can investigate and fully remediate the event, he explains.

[Related: Lack of driver training in cybersecurity a 'gap waiting to be exploited']

“Just this last year it caught and alerted us to several instances where malware was found on a PC,” he said. “The malware kicked off a brute force attack and another infection tried passing a dictionary of common usernames and passwords for authentication. Without the system in place, we would not have known the malware was loaded and running silently in the background.

“We were able to isolate the systems, identify the source of the infection, clean, and remediate before the attacks successfully compromised any credentials,” Staheli concluded.

Trans-System lets the software automate the response. The risk and impact of shutting down a legitimate false positive is far lower than the impact of a full-on ransomware attack, he explains.

“One day we got an alert that the system stopped a ransomware attack. After a few brief moments of panic at the thought of facing a ransomware attack, we were relieved to find out the system detected a developer compiling code in a non-typical location and tagged the action as ransomware. It stopped the actions. We investigated, reset the account, and things went back to normal," Staheli said.

AIM Transportation Solutions' Barry Lance said he regularly looks for unusual or impossible login activity in the company’s cloud directory service. For example, if logins occur from areas outside where the company conducts business—such as from Los Angeles for an employee based in Ohio.

“We are mainly only concerned about the successful logins and filter out the failure to make this indicator a little less noisy,” he said. Without an automated system, keeping up with such activities is difficult because successful logins is a trailing indicator of compromise. "By the time the reporting data is collected, filtered, emailed, and read several hours may have passed where an attack may be present, but unreported," Lance said.

Even so, this strategy can help identify potential hot spots where an attacker may be looking around but hasn’t yet launched an attack, he added.

Polaris Transportation uses an advanced threat monitoring system from Splunk that continuously looks at all activities on the company’s network switches, routers and ports to spot suspicious trends.

When Polaris began using Splunk, it discovered hits coming from China and Russia that were slowing down its networks. The company shut down some of its routers in response. The company is spending about $6,500 a month for this tool, which Brajkovich compares to having a full-time network security guard.

First steps: Using advanced software to detect suspicious activity is just the beginning. Even if the software notices a higher-than-normal utilization, “you don’t know what’s bad,” Brajkovich said. “You still have to dive into it.”

5.     Your files are encrypted
Ransomware is perhaps the most serious and lucrative cyberattack. This malicious software either threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.

Dave BrajkovichPolaris Transportation uses advanced threat monitoring systems to spot suspicious trends, said Dave Brajkovich, CTO.Some ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse. More advanced cybercriminals will encrypt the victim's files, making them inaccessible without paying a ransom to decrypt them.

If you get a message on the screen that says you have files that are encrypted, the damage has already been done. Another sign of ransomware is that a company’s website is encrypted and prohibits customers or traffic from visiting it.

As with other cybersecurity strategies, the best way to deal with ransomware is prevention but when it does happen, the best option is to restore files using a disaster recovery system.

Polaris Transportation doesn’t keep any files on premise. The company has a disaster recovery hot sync site, and if the company were to be hit by ransomware, Brajkovich said Polaris Transportation could restore its systems within minutes. The carrier has a technology partner, Simnet, to assist in these and other efforts as a provider of IT managed services.

First steps: If an end user clicks on a suspicious link with the potential for ransomware, immediately cut power to the computer and disconnect it from the Internet and shut off the main file server. This may be the only step that can prevent ransomware from moving to another system.