In the first in a series of articles on cybercrime in road transport, Jack Carfrae explains why haulage firms are such prime targets for hackers.
(FEATURE FIRST PUBLISHED IN TRANSPORT NEWS JULY 2024)
Most readers would likely agree that haulage is, by comparison, not the most hi-tech of industries. It has unquestionably developed, and you’ve only to glance at tailpipe emissions, aerodynamics, or telematics, among plenty of other areas, for a snapshot of how far it’s come, but it’s tempting to think of the trucking game as a noble old business next to, say, Silicon Valley’s spangly and controversial produce.
That perception comes with a false sense of security because a low-tech image often leads to apathy with IT.
PLC behemoths will almost certainly have teams of staff dedicated to batting off cyber criminals, but small and medium-sized operators are less likely to consider themselves targets for hackers, and the risks are well on the up.
UK hauliers Owens Group, Dawson Group, and KNP Logistics, the parent company of Knights of Old, were all reportedly hit by hackers in the past year. The latter company, which was founded in 1865 and employed 900 people across the group, went into administration three months after its attack in June 2023.
The industry is a prime target for cyber-attacks. In its 2024 X-Force Threat Intelligence Index, which analyses global cybercrime by sector, IBM said 4.3% of attacks were aimed at transportation companies in 2023, up from 3.9% the year before.
OLDER TOOLS
Hackers like hauliers not so much because of the perceived value of a company itself (although that doesn’t mean they won’t hit individual operators), rather the potential to use its various interlocking systems as a kind of digital springboard into other suppliers, many of which contain juicier loot. That, and the sector is known for using older, less secure IT systems, which are relatively easy to circumvent.
Shutterstock.
“You’ve got a lot of supply chain links between the systems that the companies use themselves and those that their suppliers use,” explained Richard Payne, support business development manager at Fusion IT Management, which has experience with haulage companies, “that industry has got a bit of a reputation for not updating its systems or operating on quite old applications which… don’t really have some of the modern security features that you need.
“The reason they get targeted is because they hold a hell of a lot of data about an awful lot of things,” added Richard Payne’s colleague, client strategy director, Jim Houston, “if you think about a pallet delivery, they’ve got your address, your phone number, your email address and, when they leave, they’ve probably got your signature. I mean, what more do you need to take someone’s life over?”
The road transport industry is far from alone in its vulnerability to cyber-attacks and others are open goals due to an equally forgivable lack of awareness (the same IBM report said manufacturing was the most targeted sector, with a 25.7% share in 2023). However, as Jim Houston explained, certain common practices and items of equipment underscore its exposure.
“They often have things like scanners, mobile devices, TomToms, etc that are running ancient versions of software that are just inherently not secure.
“I also think a lot of the smaller ones – the ones that are probably family owned, organically grown, maybe 20/30/40 years old – are probably using the same systems they’ve had for most of that time.”
- What happens during a cyber-attack?
The fortunate among us, who’ve never seen or experienced a cyber-attack, could be excused for having no idea what happens or what it looks like. The first indicator for companies without beefy digital security will usually be when things stop working, but that aside, what would the victim of a hack actually see on their screen?
“[It] depends on the ‘flavour’ of ransomware and how the attack is conducted,” said Alistair Wesson, director at Mongoose Cyber Security, “often, the criminals play upon the ‘hacker’ image and use ASCII artwork [images generated from computer text or code; see example left/right/above/below], stating that the user has been a victim and demanding a ransom.
“Ransomware can be purchased via online marketplaces, so the ‘brand’ of ransomware will often dictate its feel and theme.”
Alistair Wesson said ‘gaining a foothold’ – the digital equivalent of a burglar picking a lock – was the hardest part for hackers, and can often be initiated by a phishing email (see below). Once they’re in, though, most will have the knowhow to ascend the various levels of access, even if their entry point is an employee with basic clearance.
“If they’re just logged in as Leanne, the secretary on the front desk, that’s all they really want, because from there they can either move across or up,” added Alistair, “they’ll be looking to go to Dave, for example – the domain administrator. Then they’ll want to be at the top – the IT director’s account. Whoever has the oversight, that’s the goal.”
KEYBOARD WARRIOR
Think hacker and you picture a teenage computer whizz tucked up in their bedroom with a hoodie and an energy drink. They exist and no doubt pose a threat, but a far lesser one than professional gangs, which operate on global and industrial scales. They are often based in Russia or China and, depending on the target and the objectives, may or may not be state backed.
“A kid in his bedroom might have a go at Eddie Stobart, but chances are he is not going to have the resources, time, and expertise,” he explained, “but when you start talking about Russian ransomware gangs, there’s a lot of crossover between nation states and criminal gangs. They have serious resources, serious money, it’s serious kit.”
Many are also savvy enough to exploit the regulatory, financial, and reputational penalties facing operators in event of a serious data breach: “The ransomware gangs are pretty smart,” said Alistair Wesson, “they know you’ll get a GDPR fine. They know what it is and [how much] it’s going to be, so they’ll offer the ransom just below [the cost of] a GDPR fine. They’ll say, ‘look, we can embarrass you and you’ll get hit with fine, or you can pay a little bit less, and this will all go away.”
GONE PHISHING
Phishing scams are said to be the most common way for hackers to access haulage industry IT. They typically comprise an email with a link which, when the recipient clicks on it, can sabotage the victim’s system.
Shutterstock.
You can spot the old-school ones a mile off, because they’re usually from a member of a royal family, thousands of miles away, who needs your bank details to transfer you a tidy sum. Phishing has very much moved with the times, though, and the composition of the messages and accompanying techniques are far more sophisticated and can be extremely difficult to spot.
We’ve already mentioned that Knights of Old was felled by a ransomware attack last year. Its former director, Paul Abbott, now consults on cybercrime, among other areas, and told Transport News what modern phishing involves.
“Typically, you get an email that looks like it’s come from somebody in your trust, but in that email address, they’ve used hieroglyphics instead of letters.
“At a glance, it looks like it’s from your wife or from your driver, and it says, ‘I need you to do this’ or ‘click on this link here because I need you to pay this bill’. You click on the link and, all of a sudden, you’ve opened up your bedroom.”
Hackers frequently examine the likes of ‘about us’ or ‘meet the team’ pages on company websites – which sometimes include direct email addresses – to get a sense of who’s who at a particular organisation and will often fan out to social media for further context and details. They also use artificial intelligence tools to make the content of the messages more convincing, rendering them even harder to spot.
“Phishing is becoming more and more difficult to detect because of generative AI,” said Fusion IT’s Richard Payne, “the phishers can now create emails and messages that have got exactly the right tone of voice that mirrors the behaviour of the real person… they can craft messages that are very timely and very accurate to hoodwink you.”
Short of a full-on ransomware attack, some of the most financially damaging scenarios to arise from phishing include successfully mimicking senior personnel and falsifying payment details.
“The other really common one is reinterpreting invoicing,” said Jim Houston, “they’ll pretend to be the MD of a firm and say to the junior member of the accounts team, ‘I need a hundred grand in this account by 12pm’. The junior person’s probably a little bit scared of their boss, so they think, ‘right, hundred grand, sent’. All of a sudden, you’ve had a huge embezzlement.
“The worst one is when they get the password, log into your mailbox, and you don’t even know… it’s no longer you, and ‘fake you’ says [to a customer], ‘we’ve changed the bank details. Now you pay into this account instead. I’ve cc’d the boss,’ but they’ve spelled the boss’s name wrong [in the email address] in such a way that you can’t really see it, and this only comes out when that money goes missing.”
Smish smash: hacking by toll road
One of the very latest and arguably among the most creative hacking initiatives is infiltrating what is now pretty old tech – but road users are right in the firing line. Smishing – a portmanteau of SMS and phishing – involves sending old-school text messages with tantalisingly clickable links and is not itself a new phenomenon.
Shutterstock.
On 12 April, the FBI issued an alert after it received more than 2,000 reports from at least three US states about texts encouraging recipients to settle an outstanding toll road fee. As TN understands it, this particular trend has not yet made it to the UK, but cyber specialists are nonetheless warning drivers and operators not to consider texts benign just because they don’t require an internet connection.
“Drivers are driving through toll roads in the States, then receiving a text message telling them that they haven’t paid the fee for the toll road,” explains Fusion IT’s Jim Houston, “[it says] click on this link now to make a payment, so you click on that link, and it hacks your phone.
“It’s only in a particular region of the States, but it wouldn’t surprise me if that appeared on toll roads like the M25 – the Dartford Tunnel – or the M6. I could absolutely see it making its way to the UK.”
Ask the experts: help is at hand from cyber specialists
Each of the cyber security specialists TN spoke to for this article appealed to hauliers to get in touch either with them or with any fellow consultant. That could easily come across as a cheap shot at some free advertising but, frankly, we’ve dodged enough of those to spot the difference between publicity hunger and an earnest call to an industry at risk. When they say, ‘it doesn’t have to be us’, that usually means they’re not just trying to flog you something.
Mongoose’s Alistair Wesson offered TN readers free consultations. “I’ll happily do what we’re doing now,” he said during our video call, “if someone says, ‘I’ve got 20 vehicles, I’ve got this [IT], what do I need to do?’ I’ll just tell them the truth.”
“If anybody wants to engage or speak to me about it, I’m happy to do that on an independent, confidential basis, because some people just really don’t know where to go with it,” said Paul Abbott.
“The best advice we could give – and I promise you this isn’t a sales pitch – is that people in transport and logistics need to realise their strengths and their weaknesses,” added Fusion’s Jim Houston, “there are hundreds of [specialists] like us in this country. Any of them would work with a transport company.
“If you don’t know about cybersecurity, you don’t understand it, just ring one of them up. Ask someone to go in for a day and sit and talk with them; show them what you’ve got. There’s no shame in not knowing cybersecurity. It’s hard. There aren’t very many transport-specific [specialists] like there are for legal, but it’s generalist, and nothing we’ve said here is specific to logistics.”
