
Under cyber attack

The recent ransomware attack on Toll Group underscores the susceptibility of Australia’s transport and logistics sector to cybercrime.


At one stage 500 Toll applications were shut down during the attack

It started with an inconspicuous message on Toll Group’s website about a precautionary shutdown of its IT systems and unfolded into one of the highest-profile cyberattacks in Australian transport and logistics history, if not Australian corporate history.

In the meantime, it has thrown into sharp relief how vulnerable an industry ever more reliant on technology is to cybercrime, especially when a corporate giant with resources as vast as Toll’s can fall victim.

Though it’s still early days in the aftermath, the attack may have a lasting technological and financial impact on Australia’s T&L sector.

Rapid timeline

The warning message appeared on a Friday, January 31, soon after “unusual activity” was detected in some of Toll’s IT systems, a company spokesperson says.

“Based on our early assessment, we moved quickly to disable our servers in order to contain the risk,” they explain.

After further risk assessment revealed the extent of the incident, the company moved into crisis management mode, disabling its IT network. 

“That included shutting down some 500 applications that support all of our operations and deploying our business continuity plan, which included a combination of manual and automated processes to maintain operations and services.”

The original message flew under the radar over the weekend – but then came the social media grumblings from customers, and speculation from media and IT analysts.

Toll had to act fast – not just behind the scenes, but also publicly. 

On one hand it was dealing with a ransomware attack, consulting with authorities including the Australian government’s lead cybersecurity agency, the Australian Cyber Security Centre (ACSC), on a recovery. On the other it still had a business to run, meaning reassuring customers – and the public – on the functionality of its operations.

“We have detailed business continuity plans designed for a range of major incidents and scenarios, including cyberattacks of the kind we’ve experienced,” the spokesperson says.

“While every situation is different, our business continuity processes were instrumental in ensuring we were able to keep things moving as we swung into action over the ensuing days and weeks to progressively and securely reactivate systems.

“The nature of large-scale cyberattacks calls for a balance between how much information is disclosed publicly without compromising investigations into what is a serious criminal activity.

“While mindful of this, open and timely communication is clearly important and we moved quickly to instigate our crisis communication processes to ensure we were able to keep our customers, our employees and the broader market informed.”

Toll did, within a few days, disclose that it was the victim of a ‘Mailto’ ransomware attack, a strain that targets Windows systems.

The company did not pay the ransom – experts advise victims not to, as there’s no guarantee the perpetrators will cooperate anyway – and did not suspect any personal data was breached. 

In the meantime, staffing increased at contact centres to assist with customer service while global cyber security experts were on the case to find a fix and criminal investigations were underway. 

“For MyToll customers who transact with us online, we boosted resources for our call centres and provided regular updates via the MyToll website including FAQs and the like,” the spokesperson says.  

“For our enterprise-level customers, it’s been a targeted and tailored process to address their specific needs.”

Eventually, throughout February, services across large parts of the network globally started to return to full service.

Reviews of the affected IT hardware, including servers, systems and devices, continued to ensure any risk associated with the incident had been appropriately managed and neutralised.

“We’ve made good progress in reactivating many of our systems and we’re well-placed to resume normal operations across the entire global network,” the spokesperson says.

“At the same time, there are some customers where more complex reintegration of systems is required and we’re working closely with them to make that happen as soon as possible.”

Most updates came with an apology for the ongoing inconvenience, and thanks for customers’ patience and understanding.

The public response, as is often the case in such situations, was mixed. Many sympathised with the company’s predicament, but other affected customers were less charitable.

Toll Group MD Thomas Knudsen visiting Toll Global Forwarding’s Center of Excellence in Penang, Malaysia, to oversee the operations support efforts

HOW MALWARE WORKS

Cybercrime operations are relentless and come in many shapes and sizes, with the personal and corporate toll continuing to mount.

Last year, IT security company Mimecast observed a coordinated campaign targeting T&L operators over four days, October 22-25, that delivered large volumes of Emotet, a malware strain that began in 2014 as a Trojan aimed at stealing banking credentials and which the ACSC identified as a key threat in Australia on October 24, 2019.

On day one, more than 2,200 instances of Emotet were detected, followed by 1,500 detections on day two, 1,900 on day three, and an apparent last push of 2,900 detections.

Mimecast Australia principal technical consultant Garrett O’Hara says such nefarious cyber operations are always evolving but can be traced back to existing code bases.

Such operations can involve malicious links, weaponised attachments, credential harvesting or even ‘social engineering’, more on which later.

“The things that we were protecting against in the 1990s, we still have to protect against them now. It’s not like they’ve magically gone away,” he says.

The scariest prospect is that there often aren’t any overt signs of an incident. 

“Attackers can often be lurking in the background of an organisation for months – known as dwell time – traversing networks, jumping around and trying to get themselves embedded as much as possible.” 

In fact, IT giant IBM’s 2019 Cost of a Data Breach report places the average time to identify and contain a breach at 279 days, and the full lifecycle of a malicious attack from breach to containment at 314 days. 

Mimecast Australia principal technical consultant Garrett O’Hara

WHY TRANSPORT?

Craig McDonald, founder of cloud-based web and email security company Mailguard, notes the logistics industry is a favourite among cybercriminals primarily for three reasons. 

“Firstly, logistics companies typically maintain a wide network of third-party relationships – making them a gold mine of data,” he writes in a blog.

“Secondly, companies like Toll Group have a large and complex supply chain ecosystem that relies heavily on cyber-based control, navigation, tracking, positioning and communications systems. This means they contain multiple digital vulnerabilities that make it easier for cybercriminals to infiltrate their networks. 

“Third, the very nature of their business is time critical, so they are under more pressure than most to make a call on paying the ransom so as to not disrupt their operations, and the businesses of all of those that are depending on their deliveries.”

O’Hara expands on that latter point, and how T&L is especially vulnerable to massive losses of both customer trust and revenue.

“The fallout for a transport operator is much more significant than other industry types that are not operating in that ‘just in time’ model,” he says.

“When you think about everything that gets shipped all around the world, when systems go down and you lose the ability to sign off documents and dockets, it can grind to a halt. 

“If you are able to pop a transport organisation or operator, they’re not really in a position to continue operating unless they’ve got a good incident response plan and they’re well protected. 

“The impact to transport is much more significant than many other industry types.”

Toll CIO Françoise Russo has been leading the firm’s technology transformation strategy and implementation “of a standard set of IT offerings and improvements in service provision”

SAFEGUARDING

While defence systems are ever-improving, and today automated systems can detect a breach, contain it and disable an infected system “at a speed a human is incapable of”, ultimately it comes back to user education, O’Hara says. 

After all, an unpatched Windows system and a single click on a malicious link is all it takes.

“We’ve started to think about malware in zones, with zone one being what was traditionally the perimeter – that’s going to protect against your basic viruses, things like malicious links and attachments,” O’Hara says.

“Then there’s zone two, which relates to the inside of the organisation. Users will often have access to their Gmail accounts, where they can log on and bring down links and attachments, which can bypass your corporate email security. 

“That’s where you need to educate the users so they know the right thing to do; they won’t click on links, they won’t open attachments, all the things you hope that they’re smart enough to do.” 

Attacks are also emerging in which the attacker registers a domain that, to an employee, looks like their own company’s.

“What they’re trying to do is convince the end user that they’re seeing something that’s from their corporate domain, or maybe a domain that is a vendor organisation or a partner organisation for a logistics company. 

“For example, they’ll register a domain that looks like Toll Group, then send an email back into Toll Group, or whatever the company may be. 

“There’s a trust and a social engineering thing that happens there. 

“So, zone three is about companies looking outside of the organisation to analyse the infinite web for domains that they don’t own.

“Through scanning and using technologies like machine learning, we can understand if there are sites out there that look similar to the organisation’s domains in a suspicious way. 

“Then you can automatically take that domain down. What you’re getting into then is more proactive protection against the huge variety of malware and ransomware that is out there.”
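The zone-three scanning O’Hara describes, as an added illustration that is not Mimecast’s code or the article’s own: a small Python triage routine that folds hyphens and common look-alike characters out of a newly seen domain’s first label and compares it against the organisation’s own registrable domains, flagging exact lookalikes, names that embed the brand, and close typosquats. It uses edit distance rather than the machine learning he mentions, and the organisation name and domains (acme-freight) are constructed for the example.

```python
# Constructed example: the organisation's own registrable domains (hypothetical names).
OWN_DOMAINS = {"acme-freight.com", "acmefreight.com.au"}

# Visually confusable substitutions seen in lookalike registrations; multi-character first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def brand_label(domain: str) -> str:
    """Return the left-most label of a lower-cased domain (e.g. 'acme-freight')."""
    labels = domain.lower().strip(".").split(".")
    return labels[0] if labels else ""


def normalise(label: str) -> str:
    """Collapse hyphens and homoglyphs so lookalike spellings fold onto the brand."""
    out = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Normalised brand strings the organisation legitimately owns ({'acmefreight'} here).
OWN_BRANDS = {normalise(brand_label(d)) for d in OWN_DOMAINS}


def assess(domain: str, max_distance: int = 2):
    """Classify a newly observed domain; returns a reason string, or None if benign."""
    domain = domain.lower()
    if domain.startswith("www."):
        domain = domain[4:]
    if domain in OWN_DOMAINS:
        return None  # one of our own registrations
    label = normalise(brand_label(domain))
    if not label:
        return None
    if label in OWN_BRANDS:
        return "exact lookalike (homoglyph, hyphen or TLD variant)"
    if any(brand in label for brand in OWN_BRANDS):
        return "brand embedded in a longer name"
    if min(levenshtein(label, brand) for brand in OWN_BRANDS) <= max_distance:
        return "typosquat within edit distance"
    return None


def triage(domains):
    """Return only the suspicious domains from a feed, each paired with its reason."""
    return [(d, assess(d)) for d in domains if assess(d)]
```

Each flagged domain is a candidate for the takedown step O’Hara describes; a human review of the short list is still advisable, since a short brand string can appear innocently inside unrelated names.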

Finally, O’Hara says it’s imperative that transport operators ensure their data is backed up and secure. 

“This is so that, for example, you still know where in the world a particular shipping container is, or a package is about to arrive at somebody’s house; that critical data, which if lost, would leave you in a fair amount of trouble. 

“Emails are an important part of that too. Having secondary copies of that data in a secure place is very important.” 


COMMUNICATION CRITICAL

If an incident does occur, there’s no point trying to sweep it under the carpet, O’Hara contends. It is accepted that cyberattacks happen, and companies are better off being on the front foot with customers and the public about it.

“A mistake that some organisations have made is to shut down communications, and what often happens then is that people kind of assume the worst and you’ll see social media going wild with speculation,” he says.

“You need to respond in terms of being able to deal with the media and manage the conversation to customers of the particular organisation so that they’re aware of the status.

“Controlling the narrative post breach is very important for those large organisations.

“Even if the news is that there is no news other than there’s an ongoing investigation, having that open communication is still important so that people know the organisation is taking action.”

Though some may not agree, McDonald backs Toll’s communications approach to the incident. 

“While a few media outlets have criticised them for not being more forthcoming about the attack, the transparency of their response is reassuring. 

“Many businesses today still prefer to remain tight-lipped when their company experiences a cyberattack.

“By contrast, Toll Group [provided] regular updates about what has happened and the measures that are being undertaken to protect their customers.”


COUNTING THE COST

Cybercrime can be a lucrative business for the perpetrators and crippling for the victim and associated parties.

The same Cost of a Data Breach report estimates the average cost of a data breach at A$5.52 million per firm, with the ripple effect costing third parties $560,000.

At the higher end of the corporate spectrum, that figure rapidly multiplies.

American courier giant FedEx reported that 2017’s ‘NotPetya’ malware attack on its Dutch subsidiary TNT Express had “an estimated US$300 million (A$374 million) impact”; the same attack caused similar damage to Danish logistics conglomerate Maersk.

Toll hasn’t yet put a figure on the attack but public records show this attack comes at an inopportune time. 

Parent Japan Post’s results for the nine months up to December 31, 2019 reveal a $78 million loss, “owing to deterioration of external environment including a slowing Australian economy and U.S.-China trade friction”, and that’s before counting the cost of the Australian bushfire season, Covid-19 and the Mailto attack.

“These are complex issues and we don’t hide from the fact that not everything’s working perfectly. We’ve made good progress in isolating the problem and we’re working to gradually reinstate systems securely,” Toll’s managing director Thomas Knudsen noted on social media at the time.

“While Toll Group’s recent cyberattack has presented significant challenges, as incidents of this scale will do, we mobilised quickly and decisively to firstly contain the risk and then to focus on supporting our customers.”

Paul Zalai, director of the Freight and Trade Alliance (FTA), the peak body for importers, exporters and logistics providers, notes the industry still felt “widespread downstream problems” caused by Maersk’s 2017 attack, yet “most firms” had still not made their systems more resilient.

“Toll would not be the only major provider exposed by the same risk. For whatever reason they got cracked, but I think they were the unlucky ones and I think there would be many others that are just as vulnerable,” he says in a communique. 

“The bigger thing that this has exposed is the risk to other logistics providers as well … We are well aware that many are hosting their own servers and their own technology, they run with a myriad of different systems and are trying to piece them all together. 

“The more complex these systems architectures are, then the greater the risk is for cyberattack.”

Zalai points the finger at “rampant merger and activity and numerous firms making a false economy of running old tech systems into the ground [meaning] well organised cyber criminals could easily run wild”. 

It’s a sentiment Toll, still undergoing its “largest ever” IT rationalisation effort led by CIO Françoise Russo, doesn’t necessarily agree with.

“We’re well down the path of a three-year IT transformation program which puts us in a much better position than we might’ve been a few years ago to deal with a situation like this,” Toll’s spokesperson says.


GOING FORWARD

Toll’s spokesperson sums up the situation by admitting: “Incidents of the scale and complexity that we’ve experienced test every aspect of your business and, in that sense, there are always learnings. 

“For us, we’ve come to realise the value of robust business continuity plans and processes. 

“Certainly, ours stood up well in terms of being able to keep things moving for our customers, albeit with the inevitable challenges that come when services are disrupted. 

“Another is making sure you have the right people on hand to supplement the in-house team, from cyber security experts to agencies like the ACSC. 

“Communicating early and often is also vitally important. That means being ready to deploy a range of channels online and offline, including alternative platforms where the conventional options are unavailable. 

“For us, it was also about making sure the information we were providing was relevant to the needs and circumstances of different customer groups.”
