In the final article of our cyber security series, former Knights of Old director Paul Abbott tells Jack Carfrae how a ransomware attack felled a haulage firm with 450 vehicles and 900 staff in just three months.
(FEATURE FIRST PUBLISHED IN TRANSPORT NEWS SEPTEMBER 2024)
Our last two cyber security articles explained why the haulage industry is such a target for hackers and how operators can mitigate against attacks. This is a story about what happens when cyber criminals prey on a trucking company, and it does not have a happy ending.
Readers will likely remember Knights of Old. Founded in 1865 and based in Kettering, Northamptonshire, the group was later known as KNP Logistics and incorporated AE Parker, Knights of Old (which remained the primary company), Nelson Distribution, NDL Holdings, Steve Porter Transport, and driver training firm Merlin Supply Chain Solutions.
It was the UK’s 42nd biggest haulier according to the 2022 Motor Transport Top 100, its last appearance in the index, with a 450-strong fleet and 900 employees across the group.
GOT HACKED
On 14 June 2023, the company discovered that hackers had planted ransomware in its IT system, which used a mixture of on-site and cloud-based servers. Paul Abbott, the company’s director at the time, told TN how events unfolded.
“[The hackers] had gotten hold of somebody’s password, got into our email network and continued to penetrate, probably with AI tools… They encrypted key operating systems so that we couldn’t function. We lost our transport system, we lost our warehouse system, we lost our email, we lost our finance system. It was all frozen.”
The systems went down in the morning, so the IT department began restarting servers and restoring files, but it hit a wall later in the day.
“It came to a point where it stopped restoring,” he said, “as the IT guys were rebooting the main server, a file popped up and… we basically just got stuck on that. When they interrogated the content, it was a TXT file containing the ransom note. They [the hackers] had embedded it into the server.”
The note encouraged the firm to get in touch with the hackers via a link in the file to discuss a ransom payment in exchange for freeing up its systems. It didn’t name an amount, but IT support specialists assisting with the incident and familiar with similar attacks expected a fee of between $2.7m and $5.8m, payable in Bitcoin.
The hackers were identified as the Akira group – a cyber-criminal organisation believed to be based in Russia. According to online reports, the group has been active since March 2023 and made $42m in its first nine months by attacking more than 250 companies.
JUST IN TIME
If there is an upside, it’s that KNP’s cyber security insurance policy kicked in a month before the breach – and it was a good one. Insurance won’t stop criminals, but a comprehensive specialist policy will provide support in the event of an attack, which is exactly what happened.
Paul Abbott.
“We were able to call upon first responders from the insurance company to tell us what to do,” Paul Abbott explained, “they parachuted in a team of experts – forensic people to basically clean our systems and get us in a place to start a rebuild.
“They knew of the Akira group… so they were familiar with what had occurred in as much they’d got into our system and potentially compromised every point of computerisation – printers, scanners, handheld devices, photocopiers – anything on the network.”
The result was that every single computer or device connected to the company’s network had to be shut down so specialists could get to work on cleansing the infected equipment.
“You’ve got to call everybody and tell them all to come off, when you’ve got 200-odd people [with computers], that’s a difficult thing to do when they’re not all in one place,” he revealed.
The labour-intensive purge involved wiping, then reinstating every affected device: “It’s purely to cleanse it to make sure there’s nothing hidden in there, we had a dirty room and a clean room, so all the equipment that could be affected went into the dirty room, it got cleaned, and it was then put into the clean room and redistributed from there. It sounds like a real wooden process, but there’s no other way of doing it.”
The attack was debilitating but the business got back on its feet pretty quickly, at least in part, and he said the operational side of things was in reasonable shape before long.
“Sales was fine, because we had magical little transport management system in the draw that we activated within 48 hours to process all our bookings, take orders online from customers, and produce an invoice,” he said, “it was a very, very good little tool in the box, which fortunately allowed us to service customers.
“We weren’t short of commercial business, we weren’t short of sales, we weren’t short of energy. We were a thriving business, notwithstanding the usual challenges that exist within the haulage sector – cost of operation and low margins etc.”
THE STING
It would be a triumph of procedure if Knights’ story ended there, but the sad fact is that it doesn’t. It seems trivial when held up against the bigger picture, but the attack left the company unable to provide financial reports to its lenders, which ultimately led to its downfall.
“It was the general reporting that’s required by funders, sponsors, banks,” Paul Abbott explained, “whenever you’ve got borrowings, they want you to report your performance, on a monthly basis, to monitor to the worthiness of the debt.
“It’s information that we’d circulate around the board table for shareholders. They want to see what your sales and your costs were, what your profit levels were, and any exceptional expenditure.
“If you can’t provide those reports, you’re basically in breach of the covenants that you’ve signed, and the bank are at liberty to take whatever action they want.”
In the bank’s defence, it gave KNP more time to gather the information and Paul said it acknowledged that the company was able to continue trading. However, he claimed the bank previously had a bust haulage firm on its books, which made it increasingly nervous about KNP’s inability to issue reports.
“To be fair to the bank, they were understanding and supportive, and the fact that we were able to maintain sales and continue the business in terms of selling and billing – they gained comfort from that,” he remarked.
They gave us more time… we were probably running behind by two or three months [with reports]. They were being relatively patient, but obviously they ran out of patience, and we ran out of time”
END OF THE ROAD
KNP Logistics closed its doors on 26 September 2023, three months and 12 days after the ransomware attack and 158 years since Knights of Old began trading.
Reports from the time say 730 staff were made redundant. Nelson Distribution – one of KNP’s subsidiaries, based in Derbyshire – survived the attack, and its 170 employees reportedly kept their jobs when the business was sold to Kinaxia Logistics, also in September 2023.
The strength of the cyber insurance policy and the expertise of the insurer’s specialists meant the company didn’t pay the ransom and left the attackers empty-handed, but they had nothing to lose. By Paul Abbott’s account, the business could well have remained operational, but it was the clerical end of things that felled it.
He added: “Everything else was fine, but we just couldn’t provide the reporting. If we could have, even if it was bad news, like, ‘we’ve got a £2m drop here somewhere,’ we could have managed, and the bank would’ve supported us through that. But if you can’t report, they’re not going to say, ‘here’s a couple of million quid to keep you going’.”
Paul has since set up shop as a consultant specialising in cyber security, among other areas, and was keen to stress that it should be classified as a security issue – not an IT one.
“It’s not an IT issue. You need to work with IT on it, because that’s essentially the part of the business you’re looking to protect, but whoever looks after your facilities and security, this really sits with them.”
THE FUTURE
As the threat of such attacks increases, so too will the ripple effect for the haulage industry. As well as simply being more vulnerable to them, the existential risk could percolate to financiers, insurers, regulators, and to contract tenders.
Paul Abbott predicted that hauliers may eventually need to prove they have taken action to mitigate against cyber criminals to secure such services or to win business, in much the same way as insurers now require them to demonstrate efforts to improve safety, and that large and/or public sector contracts might demand accreditation, such as ISO standards, certain FORS levels, or evidence of ethical and environmental efforts.
“I can see normal insurers and banks start to address this,” he said, “it’ll be, ‘your insurance costs are going to go up if you don’t do something about this,’ or ‘do something or you won’t get insurance’…
“If you haven’t got cyber protection, you can’t come to the party, or, ‘what is your cyber policy? Who is your provider and what are they protecting?’ I can see it coming, because there are too many businesses that have been compromised.”
If that elicits a sigh and a groan, try to look on the bright side. Nobody wants to jump through more hoops for contracts or insurance, but our first article in this series documented how easy a target the haulage industry is for cyber criminals.
If they can take down a company the size of KNP – which acknowledged the threat and took steps to protect itself before it was attacked – then fellow operators are at least as exposed, if not more so. By hook or by crook, hauliers need decent cyber security, and if it’s insurance policies or contract clauses that force their hands, then so be it.
“Pay for security before you pay for an insurance policy,” was Paul Abbott’s parting shot, “if you’ve got good security, you don’t need a policy. That’s what I would stand up in front of 30 people and say… engage with a credible specialist security company that can work alongside your existing IT arrangements, whether it’s in-house or external, but don’t necessarily rely on your internal or your appointed external provider. Go and get an independent view on it, because the skill of the attack groups is above and beyond any normal IT.”
THE LONG GAME: PROCURING CYBER INSURANCE
Standard-issue haulage insurance will not cover a cyber-attack, and if it’s financial and operational support you’re after, then a specialist policy is the way forward. You don’t tend to find these on the likes of Gocompare, and applying for and buying one can be much more involved than anything a haulier might previously have come across.
Shutterstock.
The procurement process for KNP’s cyber insurance policy lasted nine months, the first of which was simply gathering initial information from departments across the business. Paul Abbott explained the process: “There’s an awful lot more interrogatory information that they want from you. They want to know about your network, your patching and your protocols, your GDPR, and your training process.
“I’d say it probably takes about a month, for a sizeable business, by the time you’ve received a form and gone around to every department, because every department’s affected by it – finance, IT, commercial…
“They want to get under the skin of your network, and it’s stuff that, as an operator who was in charge of a lot of commercial things, I had no idea what it meant, so I needed to give the form to the IT director and [other department heads]. It was a lot more in-depth.”
As a point of comparison, he told TN that he would generally expect a quote for conventional haulage insurance within two days, after being quizzed by the insurers over the phone and filling out a straightforward form.
Given the situation in which KNP found itself, Abbott was convinced that both the arduous procurement and the cost of the policy were worth it.
“If we hadn’t had that policy, we wouldn’t have known who to contact. If nothing else, the policy gave us the line into highly skilled people to actually deal with the situation. It was the first response.”
