(An article about the subsequent return of Forward Air’s systems can be found here.)
The ransomware attack on Forward Air’s (NASDAQ: FRWD) operational and information technology systems more than a week ago has caused shipping delays for customers, especially those that use them to move loads to, from and between airports.
Cargo is moving, but the information flow is hampered without the automated interfaces companies rely on, logistics professionals say.
Freight forwarders and airlines are scrambling to locate freight, book loads and find other ways to communicate with Forward Air as well as their own customers in the absence of electronic connectivity, according to industry executives.
The outage is especially significant because of the timing and Forward Air’s market share in airport linehaul, logistics providers say. Options for alternative motor carriers are limited with most of them busy hauling goods during the seasonal holiday peak and having less supply as they try to get drivers home for Christmas.
Logistics providers are implementing expensive manual processes to work around the blackout, including for tendering.
“It’s impacting the flow of freight — where the freight is, what the status of the freight is, directing the freight, booking the freight,” said Bob Imbriani, executive vice president for international at Winnsboro, Texas-based Team Worldwide. “Every aspect of their service has been affected, including billing and pricing.”
Cyberattacks — mostly involving ransomware — are increasing in the freight transportation sector. On Monday, Central Freight Lines said it was the victim of a cyberattack that knocked out its systems. Other logistics companies that have been targeted in the past two years include Cardinal Logistics, Mediterranean Shipping Co., Maersk Line and Toll Group.
“We tell our members it’s not if but when” in regard to cyberattacks, said Brandon Fried, executive director of the Airforwarders Association.
The trade group recently began offering cyber insurance for its members through Roanoke Trade Services.
A ransomware gang called Hades blamed for Forward Air cyberattack
He said the group’s members are reporting that Forward Air is moving freight but is using manual processes, including paper documents that were thought to be part of the past.
The attack appears to have been the work of a new ransomware gang called Hades. The group left a text file on Forward Air computers following the attack on Dec. 15.
“By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise you can’t get back your data (NEVER),” the message states.
The group did not name its ransom for restoring access, but instead provided a link to a site on the dark web and instructions for initiating contact.
Customers say the Forward IT outage is impacting hazardous materials, imports and trans-border shipments, as well as general cargo.
A manager at another logistics provider, who didn’t want to be identified for business reasons, said shipment visibility for linehaul dispatches and transfers is severely inhibited without Forward’s tracking-and-tracing tools.
“Anything in transit is moving, but it’s not visible. No new bookings are being made,” another logistics executive, who asked to remain anonymous, said. “It reduces capacity for sure as they are a large player.”
Forward Air customer service is also not reachable by phone, sources said.
The trucking and logistics company was initially tight-lipped about what caused the IT outage, but on Monday afternoon acknowledged it was the victim of a ransomware attack. But Imbriani and another source said Forward Air has been very forthcoming with information updates about the situation.
Forward Air has advised customers that it has increased the percentage of updates through EDI to about 50%, although not all cities in its system are functional, according to one message shared with FreightWaves.
“Get it up and running, get things back and then it will be worth letting everyone know what happened and what they’re doing to prevent it from happening again,” Imbriani said.
Customers struggling to find additional capacity
Finding alternative capacity is getting difficult because competitors such as Land Air, American Linehaul and Sterling Transportation are reaching capacity in many locations, one source close to the situation said.
Forward Air consolidated market share in airport ground service with the 2015 acquisition of Towne Air Freight.
Airfreight shippers are not the only ones affected by Forward’s IT troubles. The Greenville, Tennessee, carrier in recent years has also increased its presence in intermodal drayage, final-mile delivery and expedited truckload.
Todd Fowler, equity research analyst at KeyBanc Capital Markets and one of the few sell-side analysts who follow Forward Air, said the company’s technology is actually “fantastic and gives them great competitive advantage.”
“On the other hand, when something like this happens, it can create issues,” he told FreightWaves. “But our sense would be that this is something that is going to be a setback, and our guess is they will be able to manage through it in the next couple of weeks.”
Fowler described Forward Air as the only national provider of deferred air cargo, which airlines and forwarders use as a cheaper, expedited option than domestic air. Forward Air has about 30% of that market, he said.
But there are other services the company provides, such as taking freight that is brought into international airports and taking it to final destinations or to distribution centers. The market share for that activity is believed to be much higher.
Fowler said he assumed Forward Air has backup procedures in place “to manage around it,” though the company’s first statement on the cyberattack was to note only that if a customer had freight already in the system, it would get to its destination but it was silent on new freight.
If the disruption continues into January, Fowler said, “then it becomes a risk to earnings estimates.”
Investors began asking Fowler about the cyberattack by Monday morning. “At first blush, the investment community has the tendency to look at some of these things as maybe not a big deal,” Fowler said. “But the longer it persists, the more concerning it becomes.”
Forward Air’s stock showed no reaction to the cyberattack last week, when it rose four days in a row. But a decline larger than its peers Monday was followed by further declines Tuesday. At approximately 10:50 a.m., Forward Air’s stock was down 1.69% to $75.69/share, more than the market decline of approxiatmely 0.1% in the S&P 500 at that time. Forward Air’s stocks also trailed its peers and the broader market on Monday.
Fowler said that while other companies might get a boost in market share while Forward Air is down, the lesson on risks is a serious one. He noted that the resources needed to combat an attack like this are significant, especially for a low-margin business like trucking or some other company in the freight sector.
Hades joins growing list of ransomware gangs attacking logistics providers
As far as the group behind the attack, Hades has emerged only recently, involved in just a handful of known incidents. Reached on a secure messaging service by FreightWaves, Hades declined to comment on the Forward Air attack, stating, “No info will be provided about FW.”
Brett Callow, a threat analyst at software firm Emsisoft, told FreightWaves that Hades resembles other gangs that have extorted companies around the world.
“There’s nothing unique about them as far as we can tell,” Callow said.
Ransomware gangs have increasingly targeted transportation and logistics companies in recent months, most recently Cardinal Logistics. They encrypt data and attempt to steal it, demanding ransom payments in exchange for unlocking it and promising not to post it.
Forward Air did not reveal any details about any sum demanded or whether the company decided not to pay. The extended outage of systems including its website suggests the company may not have paid.
It also did not address whether any data was stolen. Companies that have refused to pay the attackers often face extensive leaks of internal files in retaliation.
Forward Air previously said it had notified law enforcement about the attack. The FBI and Tennessee Bureau of Investigation have yet to confirm to FreightWaves whether the agencies are probing the attack.