Logistics in the sights of hackers

IT networks are exposed to increasingly sophisticated attacks – and defensive strategies are adapting to the threats.

Most attempted attacks that target logistics IT fail, while others cause millions in damages. The sector is countering these attempts with concepts that focus on defence and reaction, and HHLA also provides specific responses to the major security issues.

Logistics service provider Raben, the intralogistics specialists at Ferag and freight company Hellmann Worldwide have more than their sector in common: they are among the German logistics companies that were recently targeted by cyberattacks. This is becoming an increasingly frequent occurrence.

Alfredo Khanji, IT Security Manager at HHLA, confirms: “There has been a clear increase in the last five years.” On the other hand, he points out that this increase should primarily be seen quantitatively. Every day, security systems fend off automated attacks. In general, there are three reasons for the increase. The first is the increasing expansion of digitalisation, including in logistics. The more the sector becomes connected, the more there are interfaces that must be secured.

This is an opportunity for cybercriminals, who want to use data to steal money. Encrypting this data and disrupting business processes is rarely the main goal. Instead, criminal hackers try to steal sensitive data and threaten to publish it. Encrypting data that is important to the company can be an additional means of exerting pressure if the attacker has gained access to the company network.

Carrying out attacks is becoming increasingly easy

The second reason is that hacking software is becoming more widespread via the dark web and clever programmers. It is now much easier to prepare and carry out such attacks than it was ten years ago. Khanji specifies that the options available to attackers have reached a threatening level. Entire platforms offer “software as a service” for hackers and make it possible for even small players to carry out extensive attacks.

Thirdly, it must be mentioned that state-controlled actors are involved in this so-called “cyber warfare”. A number of current attacks are suspected of having been carried out by Russia or North Korea. It cannot be ruled out that these states will also increasingly target critical infrastructure.

What is considered critical infrastructure (KRITIS)?

Companies with logistics centres handling over 17.55 million tonnes of goods or 53.2 million shipments are included in the “critical infrastructure” group. This is also true for ship or rail transit control centres, as well as for air traffic freight handlers that handle a certain minimum volume. Legislators recently updated the list by means of the KRITIS regulation of 2021. This is a defining component of German IT Security Act 2.0, which came into force on 1 January 2022.

Companies of a particular size were called upon to verify whether they exceeded these thresholds. They needed to register by 1 April 2022 at the latest. Companies included in KRITIS must meet special technical requirements concerning both IT protection and the usage of particular components.

On the other hand, they receive specific support in the form of guidelines, recommendations, workshops and personal consultation. The German Federal Office for Information Security (BSI) acts not only as the supervisory authority but also as the advisory body.

Due to its container handling activities, HHLA falls under KRITIS and has prepared emergency plans. Should such a scenario materialise, the BSI provides a digital rescue chain, which extends from self-help via an online guide to contact with IT security experts for these situations.

One of the decisive reasons for increasing attacks on the transport network is that comparably low effort can generate a great deal of damage. Many transport and logistics companies are small and medium-sized enterprises. Their IT departments are smaller and company-wide updates are less frequent. Criminals see a bigger opportunity to find loopholes and use them to conduct more successful attacks.

The relevance of global supply chains is more apparent

Furthermore, at least since the shortages caused by the coronavirus, hackers have recognised the great relevance of global supply chains. IT experts in the area of logistics say that the focus is currently on the entire sector because the supply issues have been circulating in the news for months.

The notorious Lazarus Group developed special backdoor software called Vyveva for logistics companies. Nevertheless, there is hardly a business sector left that is not in the crosshairs of cybercriminals. Many search the networks specifically for loopholes, scan IP addresses and ping ports with the help of automated programmes. As Gavin Ashton, former IT security expert at Danish logistics group Maersk, put it to news magazine CNBC: “It is inevitable that one of them will get through one day.”

Hellmann Worldwide: prominent victim goes offline

With revenue of approximately 4 billion euros, Hellmann Worldwide is one of the heavyweights of the logistics industry. Last year, the group took a hard hit: in December, hackers attacked its IT system and attempted to encrypt data. The next step would normally be to blackmail the company, so that either money or all its data is lost.

If such a ransomware attack is detected at an early stage, there are options. Hellmann’s Chief Information Officer Sami Awad Harmann decided: “We’re going offline.” He recalls his darkest hours: “As soon as you take this step, you stop. You can’t work anymore.” But he did achieve a goal, stopping the spread of the virus and preventing encryption of the data.

There are still 70 gigabytes of company data in the dark web, but it could have been much worse. To prevent the attack from penetrating further into the infrastructure, he pulled the plug and cut off connections to data centres. Container giant Maersk did not manage to do this in 2017. Jim Hagemann Snabe, Maersk top manager at the time, later admitted that operations were completely analogue for ten days. He estimated the damage to the associated company at between $200 million and $300 million. However, it does not need to come to this.

32 new ransomware families and good antidotes

IT security researchers keep a vigilant eye on the hacker market. Readers of their analyses can identify a key element: regardless of how much hacker software appears on the market every year and how sophisticated the latest tools may be, the majority of attacks exploit old weaknesses.

One example: the “REvil” hacker group created a malicious “update package” targeting the “CVE-2021-30116” weak spot in Kaseya’s “VSA” remote monitoring and management (RMM) software. On the one hand, this means that hackers have recently begun targeting software suites used in the logistics industry. On the other, all sectors should take note that unpatched security flaws are what make most ransomware attacks possible.

At the same time, the other aspect of the battle for the networks cannot go unmentioned: by now, there are proven defence concepts that combat many attacks and types of attacks. Global IT security has increasingly closed ranks, and at the same time, the Federal Republic of Germany and the German states are supporting the fight against hackers more strongly than ever before. Furthermore, everyone involved is working to sensitise people – one of the most critical IT entry points – to the dangers and methods of cyberattacks.


Keep checking

The first commandment is to keep software up-to-date and to patch vulnerabilities as quickly as possible. HHLA expert Khanji’s advice goes beyond that: “Generally speaking, systems must be constantly brought up to speed with the latest standards. This means that methods and concepts, as well as the way systems are designed or guidelines are developed, must be continually reviewed.”

Responsible for IT security at HHLA: Alfredo Khanji

The company is governed by common standards such as ISO norm 27001 and the basic IT protection guidelines of the German Federal Office for Information Security. “These are frameworks that cover major areas of IT security. From the perspective of attackers, it is becoming increasingly difficult to break through technical interfaces while remaining undetected,” explains Khanji.

Confidence tricks and social engineering are a current trend

Hackers apparently agree, because they increasingly resort to manipulating what they perceive to be the weakest part of the system: people. To do this, they rely on “classic” confidence tricks. In IT circles, this method is known as “social engineering”.

Criminals approach targets or indirect contact persons under false pretences. Using fake identities, they make attractive offers, ask for “help” or offer “business opportunities” to manipulate their victims. They use people’s ignorance, willingness to help, fear and stress to provoke them into risky actions. This might be the sharing of confidential information such as login data or downloading a file that secretly installs a malicious programme.

Criminals may present themselves as technicians, staff members, service providers or even IT administrators. In the past, they even got high-ranking managers to indirectly disclose secret company information.

The company’s protective shield: staff members

Khanji also confirms that alleged Microsoft employees have called HHLA numbers. The security expert commends his colleagues: “Our staff members’ reaction was outstanding. They are part of the company’s protective shield today, and we cannot forget this.”

HHLA employees are well prepared for IT attacks and manipulations.

HHLA relies on awareness measures and training to prepare staff members for such attacks. Khanji emphasises that these do not focus on a particular scenario. Instead, they are meant to strengthen individual sensitivity to information that has no place outside the company. “If someone has the feeling that something is not right, we provide them with a number of measures to take,” says Khanji. He points out that such “odd” conversations can be shut down properly: “You cannot let them put you under pressure. That’s something we also teach in the training sessions.”

Don’t offer hackers “a cup of tea when they come in”

IT specialist Gavin Ashton advises people not to let their guard down in the face of the overwhelmingly threatening situation that has been created by 32 new ransomware suites in the last twelve months. “You should of course be ready for the worst-case scenario. However, that doesn’t mean that you shouldn’t try to fight a good fight to stop these attacks in their tracks,” says Ashton in an interview.

His closing remark was: “Just because you know the bad guys are coming, it doesn’t mean you hold the door open and offer them a cup of tea when they come in.” He is alluding to two additional requirements for effectively fending off hacker attacks. In addition to the latest software, experts who are capable of countering attacks should also be at hand.

Furthermore, good preparation helps enormously when it comes to reacting properly and quickly in case of emergency. Especially with ransomware attacks that encrypt the entire company system, time is of the essence – as the Hellmann case illustrates. However, HHLA’s IT security manager warns against relying solely on preparation: “In the end, a contingency plan for a specific scenario is simply not enough. Everything needs to be thoroughly tested to ensure that everything works seamlessly in a stress situation created by an actual attack.”

Published 11.10.2022