Maritime Cyber Security - Will the CISO go down with his ship?
- Oct 11, 2022
- 14 min read

As technology has transformed the global economy, cyber security risk has grown with it. The maritime industry has felt the effects of the growth in cybercrime, with ships, ports, and communication terminals all the subject of increasing attacks over the last decade.
This article details the last decade (2013 - 2022) of maritime cyber incidents and explores what they can tell us about risk management for sea-going vessels and the ports that serve them.
The state of global maritime cyber security
The maritime industry is a vital cog in the worldwide distribution of goods. Food, gas and oil, medicine, consumer products, and more all rely on sea-faring vessels, which is why maritime cyber security is vital.
The maritime industry must deal with increased exposure as digital transformation continues across the sector. Ships, ports, and onboard systems can be reached through many vectors, and the incidents below show most of them in use: phishing of crew and office staff, infected removable media, compromised vendors and IT providers, and interference with navigation signals.
2013
#1. Port of Antwerp, Belgium
Between 2011 and 2013, a Netherlands-based drug trafficking ring gained access to the cargo systems of the Port of Antwerp so that it could arrange pick-ups of specific containers with its own drivers. The gang used spear phishing and malware against port workers and shipping companies to get into the systems of two container terminals.
With that access they could change the time and location of container releases and send their own drivers to collect the containers. Once shipping firms grew suspicious, they contacted police, who set up an operation that resulted in the seizure of about one ton of cocaine. Nine people were arrested. [1]
#2. South Korea and Japan
Kaspersky identified Icefog, an Advanced Persistent Threat (APT) campaign against targets in Japan and South Korea that ran between 2011 and 2013. The operators picked individual victims and installed a backdoor that gave them hands-on access to each compromised system rather than running a large automated botnet.
The campaign, which Kaspersky traced to operators in China, targeted defense, heavy industry, telecoms, and maritime and shipbuilding companies. The perpetrators used spear phishing together with exploits for Microsoft Office and Java to steal documents and data, then moved on. Kaspersky described it as hit-and-run espionage carried out by "cyber mercenaries" working to order. [2]
#3. Gulf of Mexico
Workers on a drilling rig in the Gulf of Mexico inadvertently introduced malware into the rig's network through infected USB sticks and laptops. The malware came in with music and video downloaded for off-duty entertainment and then spread across the rig's computers and systems.
Eventually it reached the network segment carrying communications between the thrusters and the dynamic positioning system, and drilling operations had to be halted. The lesson is that any security system is only as good as its weakest link, which in this case was the hygiene of rig workers using operational computers after a grueling day's work; removable-media controls and segmentation between crew IT and control systems would have contained it. [3]
2014
#4. USA
First reported by CyberKeel in a 2014 whitepaper, this attack involved criminals intercepting and altering emails that contained payment information. The breaches targeted shipping lines' communications with suppliers and shipyards: the attackers changed the bank details in invoices so that payments from maritime companies were redirected to accounts they controlled. The US Federal Bureau of Investigation put the losses at as much as $1.65 million.
The attackers planted malware on a system at one end of the exchange and used it to monitor the email flow between the two companies. It only needed to be installed on one side, which highlights how even a shipping company with excellent cyber security is exposed when its vendors or other third parties are compromised. [4]
#5. International
As reported by Windward, around 1% of ships transmitted false Automatic Identification System (AIS) identities between 2012 and 2014. These onboard manipulations are used to conceal a ship's identity, location, or destination in order to avoid detection for financial gain.
Practices uncovered in the report (which examined over 200,000 vessels) included "going dark" by switching AIS off, spoofing AIS data, manipulating GPS input, and identity fraud. Because AIS is self-reported by the ship, a manipulated transmission corrupts the picture every other party builds from it and undermines the global maritime data set. Crimes facilitated in this way include human trafficking, smuggling, and terrorism. [5]
2016
#6. South Korea
While hard proof was never published, South Korea reported a GPS jamming attack in 2016 that caused over 280 vessels to experience navigational system issues. Some GPS receivers stopped working altogether, while others reported incorrect positions. The disruption forced ships to turn back, wreaking havoc with schedules and causing expensive delays.
North Korea denied responsibility. The incident prompted South Korea to invest in eLoran, a terrestrial low-frequency positioning system whose high-power ground signal is far harder to jam than GPS and which serves as a backup to it. [6]
2017
#7. Norway
The Norwegian Coastal Administration analyzed historical AIS data from 2014 to 2017 and found irregularities in the movements of Russian civilian vessels, which made regular unscheduled stops along the Norwegian coast that were not consistent with their declared voyages.
Further analysis found a correlation between these stops and NATO drills and training. As a result, the stops were strongly suspected to be for espionage, and the report also raised the possibility that some of the vessels were involved in transferring arms from Russia and Ukraine "on behalf of government sellers." [7]
#8. United Kingdom
Clarkson PLC, the UK shipbroking and shipping services group, was hacked in 2017. It reported that between May and November its internal systems had been accessed by an intruder who copied sensitive data and demanded a ransom. The stolen data included employee information such as dates of birth and passport copies.
Clarkson said the intruder got in through a "single and isolated user account" and that the weakness was quickly closed. It declined to pay the ransom and accepted the risk that the data would be released; no data dump appeared, but its share price dropped by up to 5%. [8]

#9. International
Danish shipping giant Maersk suffered one of the most high-profile ransomware incidents of all time when its operations were disrupted for weeks by NotPetya in June 2017. NotPetya entered via a trojanized update of M.E.Doc, a tax accounting package in near-universal use in Ukraine, and the infection spread from Maersk's Ukrainian offices into the group network.
The malware caused outages across Maersk's IT infrastructure; the company later estimated the cost at $200 to $300 million. The outage reached the 76 port terminals Maersk operates through APM Terminals, and Maersk carries close to 20% of the world's container trade. NotPetya spread laterally using EternalBlue, the leaked NSA exploit for the Windows SMBv1 flaw patched by MS17-010, combined with credential theft and legitimate Windows administration tools, which is why patched machines also fell once a domain account had been captured. [9]
#10. Russia
In June 2017, a 37,000-ton tanker was sailing from the Bosphorus into the Black Sea. GPS spoofing in the Novorossiysk area caused havoc on board: alarms were raised when the ship's displayed position jumped to Gelendzhik airport, almost 20 miles away and inland.
Over 20 other ships reported that their navigation positioning data had been affected by GNSS spoofing, with their GPS showing similarly wrong positions.
While confirmation was hard to come by, some sources described it as the first example of a new Russian capability: GPS misdirection rather than denial. Jamming had been seen before, but a jammed receiver loses its fix and raises an alarm; a spoofed receiver quietly accepts a plausible false position from a ground transmitter, so the bridge team gets no warning unless the position is cross-checked against other sources such as radar, visual bearings, or dead reckoning. This incident was widely reported as the first well-documented case of such spoofing against civilian shipping. [10]
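The difference between jamming and spoofing in the incidents above (#5, #6 and #10) is that a spoofed fix looks valid to the receiver, so detection has to come from a plausibility check against what the vessel is physically capable of and what its own motion data says. The following is an added example, not code from the article or from any vendor: it takes a stream of position reports (AIS or GNSS, the logic is the same) and flags two things, an implied speed between consecutive fixes that exceeds the vessel's maximum, and a reported position that disagrees with dead reckoning from the previous fix's reported speed and course. The track, timestamps and coordinates are constructed; the 30 kn speed limit and 1 nm tolerance are assumed parameters.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class Fix:
    t: float    # seconds since epoch (constructed)
    lat: float  # degrees, +N
    lon: float  # degrees, +E
    sog: float  # speed over ground as reported, knots
    cog: float  # course over ground as reported, degrees true


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def dead_reckon(fix: Fix, dt_s: float) -> Tuple[float, float]:
    """Where the vessel should be after dt_s seconds if it held its reported SOG/COG."""
    d = fix.sog * dt_s / 3600.0 / EARTH_RADIUS_NM          # angular distance travelled
    p1, l1, th = math.radians(fix.lat), math.radians(fix.lon), math.radians(fix.cog)
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(th))
    l2 = l1 + math.atan2(math.sin(th) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)


def check_track(fixes: List[Fix], max_speed_kn: float = 30.0,
                dr_tolerance_nm: float = 1.0) -> List[Tuple[int, str, float]]:
    """Return (fix_index, reason, value) for every fix that fails a plausibility test.

    Two independent tests per consecutive pair of fixes:
      implied_speed   - the distance covered implies a speed above the vessel's maximum
      dead_reckoning  - the new position is far from where the previous SOG/COG predicts
    The previous fix's SOG/COG are trusted here because, for an abrupt jump, they were
    still genuine; a gyro and speed log are the better reference on a real bridge.
    """
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0:  # out-of-order or duplicated report: not usable, but worth noting
            alerts.append((i, "non_monotonic_time", float(dt)))
            continue
        dist = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon)
        implied_kn = dist / (dt / 3600.0)
        if implied_kn > max_speed_kn:
            alerts.append((i, "implied_speed", round(implied_kn, 1)))
        plat, plon = dead_reckon(prev, dt)
        err = haversine_nm(plat, plon, cur.lat, cur.lon)
        if err > dr_tolerance_nm:
            alerts.append((i, "dead_reckoning", round(err, 2)))
    return alerts


SAMPLE_TRACK = [  # constructed: 8 kn due east, one fix per minute, then a sudden jump inland
    Fix(t=0,   lat=44.7000, lon=37.8000, sog=8.0, cog=90.0),
    Fix(t=60,  lat=44.7000, lon=37.8031, sog=8.0, cog=90.0),
    Fix(t=120, lat=44.7000, lon=37.8063, sog=8.0, cog=90.0),
    Fix(t=180, lat=44.5800, lon=38.0100, sog=8.0, cog=90.0),  # spoofed fix, roughly 11 nm away
    Fix(t=240, lat=44.5800, lon=38.0131, sog=8.0, cog=90.0),  # spoofer keeps the fake track "sailing"
]

if __name__ == "__main__":
    for idx, reason, value in check_track(SAMPLE_TRACK):
        f = SAMPLE_TRACK[idx]
        print(f"fix {idx} at t={f.t:.0f}s ({f.lat:.4f}, {f.lon:.4f}): {reason} = {value}")
```

Only the fix at index 3 fails; the fix after it is consistent with the spoofed track, which is the point: once the receiver has been captured, the stream looks healthy again. A spoofer who walks the position away slowly (a carry-off) defeats the jump test entirely, so the dead-reckoning comparison on a real bridge should be fed by the gyro and speed log, not by the SOG/COG the possibly-spoofed receiver reports; the block uses reported values because that is all an AIS stream contains.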
2018
#11. United States
In a serious breach of US Navy cyber security, Chinese hackers stole a raft of information from Navy subcontractors. The stolen material included data on advanced military systems, including missile programs. The series of intrusions ran over about 18 months and included attacks on universities with military research facilities.
These hacks highlight the exposure that comes with contractors and subcontractors holding sensitive data on less well defended networks. Beijing was linked to the attacks because of malware infrastructure traced to Hainan province and the use of a toolset common among Chinese operators. [11]
#12. Spain
A cyber attack on the Port of Barcelona was reported to be an instance of Ryuk ransomware. The attack affected the port's servers and systems and forced the activation of contingency plans, though ship traffic was not disrupted.
Ryuk encrypts local and mapped network drives and deletes the Volume Shadow Copies on infected endpoints, and it also tampers with Windows boot recovery settings, so System Restore and local restore points are useless afterwards; recovery depends on backups the malware could not reach. [12]
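Ryuk's preparation steps leave a characteristic trail in process-creation telemetry (Sysmon Event ID 1, or Windows Security Event 4688 with command-line auditing enabled), and the commands involved are almost never run by ordinary users. The following is an added example, not code from the article or from any vendor product: it applies a small set of command-line rules to constructed process events and then correlates them, flagging a host on which two or more different recovery-destroying commands run within five minutes. The event records, host names and the five-minute window are constructed assumptions; the command patterns themselves are the ones publicly documented for Ryuk and similar families.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class ProcEvent:
    ts: int      # epoch seconds (constructed)
    host: str
    user: str
    cmd: str     # full command line as logged


# Rule name -> regex, applied to a lower-cased command line with quotes removed and whitespace collapsed.
RULES = [
    ("vss_delete_shadows",       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_resize_storage",       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",   re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_failures",  re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_catalog",   re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
]


def normalize(cmd: str) -> str:
    """Lower-case, strip quoting and collapse whitespace so casing and spacing tricks do not evade the rules."""
    return " ".join(cmd.lower().replace('"', " ").replace("'", " ").split())


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every event whose command line matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        norm = normalize(ev.cmd)
        for name, rx in RULES:
            if rx.search(norm):
                hits.append((i, name))
    return hits


def correlate(events: List[ProcEvent], hits: List[Tuple[int, str]], window_s: int = 300) -> Set[str]:
    """Hosts on which two or more distinct rules fired within window_s seconds: the precursor pattern."""
    by_host = {}
    for idx, name in hits:
        by_host.setdefault(events[idx].host, []).append((events[idx].ts, name))
    flagged = set()
    for host, items in by_host.items():
        items.sort()
        for start_ts, _ in items:  # slide a window forward from each hit
            names = {n for ts, n in items if start_ts <= ts <= start_ts + window_s}
            if len(names) >= 2:
                flagged.add(host)
                break
    return flagged


SAMPLE_EVENTS = [  # constructed telemetry: WS-042 shows the Ryuk-style sequence, FS-01 is benign
    ProcEvent(1_600_000_000, "WS-042", "CORP\\backupsvc", r"C:\Windows\system32\vssadmin.exe list shadows"),
    ProcEvent(1_600_000_600, "WS-042", "CORP\\jdoe",      r'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'),
    ProcEvent(1_600_000_601, "WS-042", "CORP\\jdoe",      r"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ProcEvent(1_600_000_603, "WS-042", "CORP\\jdoe",      r"WMIC.exe shadowcopy delete"),
    ProcEvent(1_600_000_605, "WS-042", "CORP\\jdoe",      r"bcdedit /set {default} recoveryenabled No"),
    ProcEvent(1_600_000_606, "WS-042", "CORP\\jdoe",      r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1_600_000_700, "FS-01",  "CORP\\admin",     r"powershell.exe -NoProfile Get-Process"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for idx, name in found:
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.host} {ev.user} {name}: {ev.cmd}")
    print("precursor pattern on:", correlate(SAMPLE_EVENTS, found))
```

The benign `vssadmin list shadows` run by a backup service account does not fire, and a single hit on its own does not flag the host; the correlation step is what separates an administrator tidying up shadow storage from ransomware clearing the way for encryption, and it is the point at which isolating the host is still cheaper than restoring from backup.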
#13. San Diego
Just five days after the Barcelona incident, the Port of San Diego reported major disruption to its IT infrastructure, again attributed to Ryuk ransomware. A link between the two incidents was never proven, but a common source was widely suspected.
The Port of San Diego released little information about the event, though sources indicated that staff were left working with limited functionality. [13]
#14. Australia
Iranian hackers were accused of breaching and extorting the Australian shipbuilder Austal. The Perth-based company, which also builds vessels for the US Navy, had staff data and ship drawings and designs stolen in the breach; the information was later offered for sale on the dark web.
The Australian Cyber Security Centre (ACSC) confirmed that no sensitive government data was taken. The incident nonetheless marked an increase in Iranian cyber activity against Australia, alongside a spear-phishing campaign that attempted to steal research and intellectual property from universities. [14]
#15. Japan and South Korea
Between 2017 and 2018, Japanese and South Korean maritime companies were hit by a Nigerian group, known as Gold Galleon, that compromised and spoofed shipping business email. The group stole hundreds of thousands of US dollars using commodity malware, crypters, social engineering, and phishing emails aimed at shipping employees.
Experts judged the group to be technically unsophisticated, but it compensated with social engineering and persistence: having stolen mailbox credentials, it monitored invoice traffic and sent forged emails to redirect payments to its own accounts. [15]
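The CyberKeel case (#4) and Gold Galleon (#15) are both business email compromise: the payment instruction arrives in an otherwise normal-looking thread, either from a lookalike domain or, when one party's mailbox is already compromised, from the genuine address. Two cheap checks catch most of it before accounts payable acts: compare the sender and Reply-To domains against the partner domains on file, allowing for one or two character edits and digit-for-letter substitutions, and compare any bank account quoted in the message against the account already held for that partner. The following is an added example, not code from the article or from any product; the partner domain, the IBANs (standard example numbers) and the messages are all constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: partner domain -> bank account on file for that partner.
TRUSTED_PARTNERS: Dict[str, str] = {
    "atlas-shipyard.example": "DE89370400440532013000",
}

# Characters commonly swapped for look-alikes in fraudulent domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; tolerates the 'Display Name <user@host>' form."""
    m = re.search(r"<([^>]+)>", addr)
    raw = m.group(1) if m else addr
    return raw.rsplit("@", 1)[-1].strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between a sender domain and a partner domain mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(domain: str) -> str:
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str, trusted: Dict[str, str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted itself or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalize_confusables(domain) == normalize_confusables(t):
            return t
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def check_message(msg: dict, trusted: Dict[str, str] = TRUSTED_PARTNERS,
                  max_distance: int = 2) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing suspicious was seen."""
    findings = []
    sender = domain_of(msg["from"])
    reply_to = domain_of(msg.get("reply_to") or msg["from"])
    if reply_to != sender:  # replies silently diverted to an attacker-controlled mailbox
        findings.append(("reply_to_mismatch", reply_to))
    imitated = lookalike_of(sender, trusted, max_distance)
    if imitated:
        findings.append(("lookalike_sender", imitated))
    # Bank-detail check runs for genuine senders too: a compromised real mailbox passes the checks above.
    partner = imitated or (sender if sender in trusted else None)
    if partner:
        on_file = trusted[partner]
        for iban in sorted(set(IBAN_RE.findall(msg["body"]))):
            if iban != on_file:
                findings.append(("bank_details_changed", iban))
    return findings


SAMPLE_MESSAGES = [  # constructed
    {"from": "Atlas AP <ap@atlas-shipyard.example>", "reply_to": None,
     "body": "Invoice 4471 attached. Remit to IBAN DE89370400440532013000 as usual."},
    {"from": "Atlas AP <ap@atlas-shlpyard.example>", "reply_to": None,          # i -> l typosquat
     "body": "Our bank has changed. Please remit invoice 4471 to IBAN LT121000011101001000."},
    {"from": "Atlas AP <ap@atlas-shipyard.example>", "reply_to": "atlas.accounts@webmail.example",
     "body": "Urgent: use our new account IBAN LT121000011101001000 for invoice 4471."},
    {"from": "ap@at1as-shipyard.example", "reply_to": None,                      # digit-for-letter
     "body": "Statement attached. Our IBAN remains DE89370400440532013000."},
]

if __name__ == "__main__":
    for n, m in enumerate(SAMPLE_MESSAGES):
        print(n, m["from"], "->", check_message(m) or "clean")
```

The third message is the CyberKeel pattern: the genuine partner address, nothing wrong with the domain, and only the changed account number and the diverted Reply-To give it away. That is why the bank-details check should be a hard stop (confirm by phone on a number already on file) rather than a warning, and why the trusted-partner list should be small and curated: an edit distance of 2 produces false positives against short domains if it is run over every correspondent.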
#16. USA
The American operations of the Chinese shipping company COSCO were hit by a ransomware attack in 2018. The attack forced the closure of its North American email and phone services for five days, and staff were reduced to using tools such as Twitter to update clients.
The ransomware family was never disclosed, but COSCO warned employees not to open suspicious emails, which suggests phishing as the entry point. The container giant cut network links to its other regions while it investigated, and its shipping operations were unaffected. [16]
#17. Middle East
The Middle Eastern operations of the Italian subsea engineering and oil services firm Saipem reported a server attack in 2018. About 400 servers were affected, mainly in the UAE and Saudi Arabia, and were shut down; Saipem believed the attack was launched from India.
Saipem had backup servers and lost no data. The malware was a variant of Shamoon, a disk-wiping malware for Windows first seen in the 2012 attack on Saudi Aramco, which overwrites files and the master boot record rather than encrypting them for ransom. [17]
#18. USA
In February 2019, a vessel bound for New York suffered a malware infection. The captain contacted the US Coast Guard and reported a serious incident affecting the shipboard network. The infection significantly degraded the onboard IT systems, but essential systems were isolated from it, and the ship arrived in port safely.
The malware was reported to be Emotet, which had been used to compromise both government and corporate networks in 2018. At the time the Department of Homeland Security described it as one of the most costly infections to remediate, at up to $1 million per incident. [18]
#19. Norway
GPS jamming in Northern Norway throughout 2018 and 2019 was detailed by the Norwegian Intelligence Service. The incidents coincided with NATO drills and echoed the irregularities observed in Norway between 2014 and 2017. The more recent jamming affected both aviation and marine traffic, though there were no accidents.
The jamming emanated from the Kola Peninsula in Russia. Moscow denied involvement, but Finland and Norway both stated that Russia was behind the disruptions. [19]
#20. USA
A facility regulated under the Maritime Transportation Security Act (MTSA) was hit by Ryuk ransomware, as reported by the US Coast Guard in December 2019. The attack took down the facility's entire corporate IT network for more than 30 hours. The facility was not named, but the impact extended to the industrial control systems that monitor and control cargo transfer, which led experts to conclude it was a port terminal and that the IT and control networks were not adequately segmented.
The attack started when an employee opened an email and clicked a malicious link. [20]
#21. United Kingdom
Maritime services provider James Fisher & Sons suffered a cyber attack that shut down its systems. The ransomware blocked access to files, but the company said the attack did not lead to the loss of sensitive data. The identity of the attackers has not been revealed.
The attack shook investor confidence, wiping 7% off the share price. [21]
#22. USA
An unnamed US pipeline operator suffered a ransomware attack, suspected to be Ryuk, that caused two days of downtime. The ransomware reached both IT and ICS assets, causing a loss of view and loss of control for operators and forcing a deliberate shutdown of operations.
CISA provided limited detail but attributed the initial access to a spear-phishing email. [22]
#23. Finland
An oil tanker near the port of Naantali, Finland, suffered an attack on its administration server that wiped its backup disk. The most probable vectors were a malicious email attachment or an infected USB device. Four months later, the same tanker suffered a similar attack. [23]
2020
#24. United Kingdom
A vessel anchored near Tynemouth in the United Kingdom was infected with Ryuk ransomware. Its servers and several PCs were encrypted and all data was lost, forcing the vessel's IT administrator to perform a full reinstall; the financial loss was limited by cyber insurance. [24]
#25. Switzerland
MSC (Mediterranean Shipping Company), the Geneva-headquartered container line, suffered a malware attack at its headquarters that shut down its Switzerland office for five days. Files were encrypted, and some machines in the data center were hit by ransomware. [25]
#26. Iran
The busy Shahid Rajaee port terminal in Iran ground to a halt when the computer systems that track ships and vehicles were knocked offline, causing backups on the waterways and roads. US officials suggested the attack originated in Israel and speculated that it was retaliation for a failed Iranian attack on Israeli water-system controls in April of that year. [26]
#27. Norway
Vard, a Norwegian shipbuilder, was hit by ransomware at its Langsten shipyard. Servers were encrypted, leading to widespread disruption. A few months later, after a similar attack, Vard Group reportedly paid $5.5 million to the attackers to have its data decrypted, though the full details remain sketchy. [27]
#28. United States
Florida-based cruise operator Carnival Corporation reported a ransomware attack that encrypted servers and exfiltrated personal and financial information on guests and employees. Details were not disclosed, but Carnival indicated that it expected losses as a result of the data breach. [28]
#29. Malta
Transport Malta suffered a cyber attack that shut down its sea and air systems. Despite an immediate response, services stayed down for five days. A data breach occurred, and Transport Malta required all employees to change their email passwords, which suggests that compromised email credentials played a part. [29]
#30. Greece
Greek shipping company Diana Shipping was hit by Egregor ransomware. Details were scarce, but the incident was part of a wide series of Egregor attacks on multinational companies in which billing systems were hit, data encrypted, and victims given three days to pay before the stolen data was leaked or sold. [30]
#31. China
French container line CMA CGM SA was hit by ransomware at its Chinese offices. The attack used Ragnar Locker. The company shut down its websites and external access to contain the spread; maritime and port operations were unaffected. [31]
#32. United Kingdom
The International Maritime Organization (IMO), the United Nations shipping agency, was hit by a cyber attack that took down some of its systems, including its website and web services. The organization described the attack as "sophisticated" while providing few details. Some experts suggested a DDoS attack, but there was little confirmation either way. [32]
#33. United Kingdom
UK ferry operator Red Funnel was hit by a malicious attack that took down IT services and caused significant disruption. Online booking was halted, but the company said customer and financial data had not been stolen. [33]
#34. USA
REvil ransomware hit US shipping firm Matson. Screenshots of company tax and financial data were posted on the dark web, with the attackers claiming to have stolen over one terabyte of sensitive information. Cargo operations were not affected. [34]
#35. USA
The small Port of Kennewick in Washington State suffered a ransomware attack that took down its IT systems. While not a port of international significance, the municipal dock serves the surrounding communities. After reporting the incident to the FBI, the port was advised not to pay the $200,000 ransom demanded for the decryption key. Systems were down for several days before they were restored from backups. [35]
#36. Norway
Hurtigruten, the Norwegian cruise and ferry operator, was hit by a large cyber attack that took down its systems. Key IT systems were down for days, and customer data was stolen. The attackers encrypted systems related to two of its ships, the Fram and the Midnatsol.
The company said no financial data was taken, but ID numbers and contact details may have been compromised. [36]
#37. Germany
The German cruise operator AIDA suffered a debilitating IT attack. The incident affected two ships, the AIDAmar and the AIDAperla, and led the company to cancel further departures. Passengers on board reported that payment terminals were down and billing was restricted, though the ships' operation was not significantly affected. With no ransom demand reported, some commentators suggested targeted sabotage. [37]
2021
#38. South Korea
HMM, South Korea's largest container carrier, suffered a cyber attack in June 2021. The breach mainly affected the company's email servers, which were offline for several days. The relatively quick restoration and the absence of sensitive data loss suggest that HMM's incident response and backup arrangements worked as intended. [38]
#39. Japan
Japan's "K" Line was the victim of two cyber attacks in 2021. The first was a malware infection that took the company's IT network down for ten days. The second was a data breach at its overseas subsidiaries.
Details of the second attack are scarce, but the data is believed to have been taken through a third-party system, underlining the need for risk management around suppliers and service providers. [39]
#40. France
CMA CGM suffered a data breach in September 2021 that exposed customer data. Critical systems were not disrupted, but sensitive customer information was taken.
Company websites were taken down while CMA CGM worked to resolve the incident, which was uncovered when IT staff monitoring the company's business APIs noticed the leak. [40]
#41. South Africa
Transnet, the large South African logistics firm, was the victim of a ransomware attack that hit its container terminals. The terminals were down for a week, causing major supply chain disruption; several vessels skipped their expected calls, and the firm declared force majeure. [41]
#42. Greece
Danaos Management Consultants, a Greek maritime IT provider, suffered a supply chain attack in late 2021 that affected several shipping firms using its services. Files were encrypted and the attackers demanded a ransom.
About 10% of the firm's clients were affected, demonstrating that risk management must pay close attention to third-party and service-provider threats. [42]
2022
#43. Singapore
Voyager Worldwide, a Singapore-based maritime technology provider, suffered a cyber attack in 2022 that took all of its IT systems offline. The company provides IT solutions to over 1,000 shipping companies worldwide. [43]
#44. India
The Jawaharlal Nehru Port Container Terminal (JNPCT) at the Nhava Sheva container gateway near Mumbai was hit by a ransomware attack on the terminal's critical operating systems. Port authorities had to divert ships away from the affected terminal. No information about the perpetrators has been released. [44]
#45. Western Europe
In early February 2022, attacks on Western European ports, including the Amsterdam-Rotterdam-Antwerp oil hub, saw Oiltanking and Mabanaft declare force majeure. The ransomware hit loading and unloading operations at key terminals and forced major companies to re-route oil supplies. The incident aggravated inland supply problems at a time of fuel shortages. [45]
#46. Germany
German shipping and container company Hapag-Lloyd was hit with a spear phishing attack that targeted customers' personal information. Emails were sent to customers containing links to a replica Hapag-Lloyd website with the aim of stealing financial data. [46]
#47. United States
The Port of Los Angeles, one of the world's busiest ports, has reported that since the COVID-19 pandemic it has been dealing with around 40 million cyber attack attempts each month. The port says the threats originate mainly in Russia and Europe and include malware, spear phishing, ransomware, and credential harvesting, and that many of them threatened the flow of cargo.
While extortion and data theft are significant motives, port officials suggest that disrupting US economic activity is the main objective. In response to the rise in attacks on US infrastructure, the port has partnered with the FBI to create one of the world's first Cyber Resilience Centers. [48]
Conclusion
Maritime cyber attacks are on the rise. As the sector becomes more reliant on technology, it has created exposures that are being exploited by a range of actors. The majority of incidents over the last decade involved ransomware, but there is a worrying number of state actors involved too, particularly around navigation interference and espionage.
Gathering open-source intelligence (OSINT) on incidents like these is an important part of risk management. It helps you measure the risk to your own business and build an understanding of the actors involved and their preferred attack vectors, which in this sample are dominated by phishing, compromised third parties, and unsegmented networks.
Remember that these incidents are just the tip of the iceberg. Cyber attacks have increased by 400% since 2020, and many incidents are never reported at all.

Citations:
https://www.telegraaf.nl/nieuws/1097180/hackers-helpen-nederlandse-drugsbende
https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/
https://www.aiche.org/chenected/2013/03/malware-infects-gulf-mexico-offshore-rigs
https://www.hellenicshippingnews.com/wp-content/uploads/2014/10/AIS_Executive_Summary-Windward.pdf
https://www.theguardian.com/technology/2017/nov/29/shipping-charksons-data-hacker-cyber-attack
https://gcaptain.com/maersk-upbeat-despite-hefty-cyber-attack-bill-impairment-charges/
https://www.springerprofessional.de/en/global-challenges-in-maritime-security/17915868
https://www.bleepingcomputer.com/news/security/port-of-barcelona-suffers-cyberattack/
https://www.maritime-executive.com/article/saipem-s-servers-hit-by-cyberattack
https://www.cybersecurity-insiders.com/cyber-attack-on-james-fisher-and-sons/
https://www.dragos.com/blog/industry-news/assessment-of-ransomware-event-at-u-s-pipeline-operator/
https://www.cybersecurity-insiders.com/mediterranean-shipping-company-msc-hit-by-a-cyber-attack/
https://maritime-executive.com/article/vard-hit-by-cyberattack
https://www.transport.gov.mt/-ENG-TMNoticeDataBreachIDPC.pdf-f5565
https://www.cybersecurity-insiders.com/egregor-ransomware-locks-down-retail-giant-billing-machines/
https://www.securityweek.com/un-maritime-agency-hit-sophisticated-cyberattack
https://maritime-executive.com/article/hurtigruten-reports-passenger-data-exposed-in-cyberattack
https://www.ship-technology.com/news/cma-cgm-reports-another-cyberattack/
https://www.offshore-energy.biz/south-african-port-operator-transnet-hit-by-cyber-attack/
https://www.maritime-executive.com/article/cyberattack-hits-multiple-greek-shipping-firms
https://splash247.com/voyager-worldwide-hit-by-cyber-attack/
https://theloadstar.com/ransomware-attack-hits-nhava-sheva-container-terminal/


