
Hours from shutdown: How a logistics company escaped ransomware just in time

September 18, 2025
By: Eye Security

This is a real incident Eye Security investigated at Move Intermodal. The events, techniques, and lessons described are drawn directly from our experience on the ground and are shared with permission of Move Intermodal. 
 
Move Intermodal, based in Genk, is a leading European intermodal logistics company that keeps thousands of shipments moving every day across road, rail and water. CIO Tomas Tempelaars oversees an IT operation where timing and continuity are everything, especially when cargo needs to be delivered on time. 

The call that changed a Friday 

It started on a Friday before sunrise. Tomas was five minutes into his commute when his phone rang. “There are a few numbers where, if they call before half past eight, you know something is wrong,” he recalls. Their managed service provider had already taken first containment steps. By the time Tomas reached the office, more action had been taken, and analysis had begun. Before ten o’clock, their IT partner concluded the situation was beyond their remit. 

“The MSP acted fast, immediately isolating the first affected systems,” Tomas recalls. “Still, they recognized this wasn’t just another alert. That’s why they reached out to Eye Security, a team they already trusted from earlier cooperation. Within ninety minutes we were in a joint intake call with all the right people, which gave us the reassurance that the incident was being managed properly.” 

What triggered the escalation was telemetry from the night before. Endpoint detection had flagged suspicious activity: attempts to harvest credentials, files being packaged for exfiltration, and unusual administrative connections. While the MSP’s quick isolation limited immediate damage, the deeper entry point was still unresolved. The pattern fit the classic double extortion playbook: data theft was already underway, with ransomware deployment likely to follow. 

Containing the threat 

For Move Intermodal, the response was guided by a simple principle: assume breach. Not if, but when. Attackers had already explored the backup estate, creating accounts in the Veeam environment. If not stopped, the next step would have been to disable backups and detonate ransomware. 

“Continuity comes first,” Tomas emphasizes. “We knew quickly that core operational servers were not down, but we switched to maximum containment to keep the problem as small as possible.” 

Bas van den Berg, Principal Cyber Security Expert at Eye Security, led the response and recalls the pressure of those first hours. “When we entered the environment, the attackers were only hours away from deploying ransomware. Our first task was to eradicate persistence and find the root cause before they had a chance to return. We removed backdoors, collected forensic evidence and worked with the MSP to reset all credentials and take the vulnerable VPN offline. From there we connected the environment to our SOC so every move could be monitored in real time.” 

Thanks to these measures, business continuity was preserved. “People could not use the file server for a few days, and printing was unavailable,” Tomas says, “but the core processes continued.” 

Lessons for Logistics Leaders 

The suspected entry point was a SonicWall SSL VPN vulnerability that had been patched weeks earlier, leaving just enough time for opportunistic attackers to gain access. Similar activity was reported across Europe, with ransomware groups like Akira buying and exploiting VPN footholds.

For Tomas, the bigger lesson lies in the nature of logistics. “One full day of disruption is dramatic from a planning perspective. Transport would start to stall and restoring visibility becomes exponentially harder. That costs revenue and can trigger contractual exposure.” 

“The updates were short and clear, we never sat with open questions,” Tomas says. “The way Eye Security worked with our own team gave us peace of mind. They brought structure in the middle of the incident and helped us make the right decisions quickly.” 

The fact that recovery went so quickly was not just luck. Cybersecurity was already a priority at Move Intermodal. EDR was in place, a dedicated taskforce met regularly to improve security posture, and key processes such as patch management and access control were on the agenda long before this incident. That foundation meant the organization could absorb the shock and recover rapidly once Eye Security stepped in. 

Bas underlines why that mattered. “Preparation makes the difference. Because Move Intermodal already had EDR and a security program running, we could build on that instead of starting from scratch. From there, our role was to contain, eradicate, and monitor so attackers couldn’t return. Without EDR in place, it is very likely this would have escalated into a large-scale ransomware attack. That combination, preparedness inside the company and immediate external support, is what stopped this from turning into a shutdown.” 

Beyond Incident Response 

The ransomware attack was stopped in time, but the threat is not going away. That is why Move Intermodal made the decision to continue with Eye Security as a Managed Detection and Response customer. 

Bas explains: “MDR means constant vigilance. We don’t just react when something happens, we continuously watch, hunt, and respond. For a sector where every hour of downtime has direct financial and contractual impact, this level of monitoring and response is essential.” 

For Tomas, the value is clear: “Now our systems are monitored around the clock, and if something happens again, we know it will be spotted and contained before it spirals out of control. That allows us to focus on what matters: keeping goods moving.” 

About Move Intermodal 

For more than thirty-five years, Move Intermodal has delivered intermodal logistics across Europe through a network and partnership model. The company employs around three hundred people in nine countries, operates roughly three thousand load units and two hundred trucks, and runs about sixty company trains per week, together enabling over one thousand shipments per day. 

For logistics companies, continuity is everything. Move Intermodal avoided disaster because they acted quickly and brought in the right support. You can do the same. Talk to Eye Security and make sure your company is protected before attackers get their chance. 

 
