Maritime organisation suffers ransomware attack, impacting 1,000 shipping vessels

Target Industry

Maritime industry sector.

Overview

Approximately 1,000 shipping vessels have been affected by a ransomware attack against a major supplier of software for ships. The maritime organisation, DNV, reported that it had been targeted by a ransomware attack on 7th January 2023, which resulted in the company shutting down its IT servers connected to the “ShipManager” system. At the time of writing, there have been no indications that any additional software systems or data belonging to DNV have been affected. Furthermore, users have been reassured that they can continue to use the offline functionalities of the “ShipManager” system.

In total, the attack has affected 70 clients, operating approximately 1,000 vessels.

Further details regarding the incident are currently unavailable. DNV has not released any information pertaining to the threat group behind the attack, nor the method of implementation of the deployed ransomware. Moreover, no threat actor group has yet claimed responsibility for the attack.

The attack follows several very recent ransomware attacks affecting the maritime industry. These include, but are not limited to:

– The ransomware attack against the Port of Lisbon, responsibility for which was claimed by the LockBit ransomware group
– Oil companies, Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls, suffered a cyber-attack that crippled their loading and unloading systems in February 2022
– The Russian NotPetya worm paralyzed maritime supply chains by locking up ports and shipping companies worldwide – costing billions of dollars in direct and collateral damage.

A cyber security researcher from Claroty stated that: “With aging infrastructure, IT and OT systems in ports represent a prime target for cyber criminals to extract a payment for ransomware attacks.”

They added that for foreign adversaries, “A cyber-attack against a port creates an opportunity to project power by taking down supply chains and seize up an economy without using bombs or bullets.”

Moreover, leading cyber security researchers from Nozomi Networks have stated that disrupting port operations can have cascading impacts on other sectors, similar to attacks on power infrastructure. For instance, organisations within China are heavily reliant on their port systems to provide resources for their energy infrastructure framework.

According to SynSaber, ports and maritime operations possess unique attributes which lead to them being lucrative targets for potential threat actors. These include:

– Global footprint
– High frequency of contact
– Amplified impact of loss.

Impact

Successful exploitation by any ransomware strain will inevitably compromise the integrity of the target organisation's data, and result in stolen data and encrypted devices. This will expose the victim to extortion attempts, with a resulting negative reputational impact.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware strains. These security solutions can also alert system users to potential breaches and prevent further progress of the identified threat prior to any successful exploitation.

Affected Products

ShipManager software system.

Containment, Mitigations & Remediations

As mentioned previously, the main method of reducing the threat of any ransomware strain is to detect it in the early stages through an effective and monitored EDR solution. This will increase detection of attempted ransomware compromises and halt them if detected.

Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) recommend the following mitigation steps to reduce the risk of a successful compromise by a ransomware group:

– Back-up critical data offline
– Ensure copies of critical data are in the cloud, on an external hard drive or storage device. This information should not be accessible from the compromised network
– Secure your back-ups and ensure that data is not accessible for modification or deletion from the system where the data resides
– Require multi-factor authentication together with strong passwords, including for remote access services
– Ensure that computers, devices, and applications have been patched
– Monitor cyber threat reporting regarding the publication of compromised Virtual Private Network (VPN) login credentials
– Consider adding an email banner to emails received from outside your organization
– Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs
– Audit user accounts with administrative privileges and configure access controls in accordance with the principle of least privilege
– Implement network segmentation.

Thus, if a successful exploitation occurs and the business can no longer function, a back-up is ready to use, and the business can continue to operate with limited levels of disruption. However, this does not nullify the fact that client and employee data may have also been lost, and potentially released at will by the threat actor, if associated demands are not met.
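To make the "monitor remote access/RDP logs" item in the list above concrete, the following added example (not part of the original bulletin or of the CISA/FBI guidance) flags a burst of failed logons from one source address that is followed by a successful RDP logon. The CSV export layout, the threshold and the time window are assumptions, and the sample events are constructed; event IDs 4624/4625 and the logon types are standard Windows Security log values.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events exported to CSV (not real data).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive
# (RDP), type 3 = Network (failed RDP attempts often appear as type 3 under NLA).
SAMPLE = """time,event_id,logon_type,user,source_ip
2024-03-01T02:10:01,4625,3,administrator,203.0.113.50
2024-03-01T02:10:09,4625,3,admin,203.0.113.50
2024-03-01T02:10:17,4625,3,svc_backup,203.0.113.50
2024-03-01T02:10:25,4625,3,svc_backup,203.0.113.50
2024-03-01T02:10:33,4625,3,svc_backup,203.0.113.50
2024-03-01T02:11:05,4624,10,svc_backup,203.0.113.50
2024-03-01T08:30:12,4625,10,j.smith,198.51.100.7
2024-03-01T08:30:40,4624,10,j.smith,198.51.100.7
"""


def find_suspicious_rdp_logons(csv_text, threshold=5, window_minutes=5):
    """Return successful RDP logons preceded by >= threshold recent failures
    from the same source IP (a pattern consistent with password guessing)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        when = datetime.fromisoformat(row["time"])
        recent = failures[row["source_ip"]]
        # Drop failures that fell out of the sliding window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if row["event_id"] == "4625" and row["logon_type"] in ("3", "10"):
            recent.append(when)
        elif row["event_id"] == "4624" and row["logon_type"] == "10":
            if len(recent) >= threshold:
                alerts.append({"source_ip": row["source_ip"], "user": row["user"],
                               "time": row["time"], "failed_before": len(recent)})
            recent.clear()  # a success resets the counter for this source
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp_logons(SAMPLE):
        print(alert)
```

A single mistyped password followed by a success (the second source address in the sample) stays below the threshold and is not reported.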

Indicators of Compromise

Due to the lack of detail with regards to the ransomware strain and the associated threat actor group, no indicators of compromise have been identified at the time of writing.

Threat Landscape

Due to the lack of detail with regards to the ransomware strain and the associated threat actor group, a threat landscape with regards to the attack pertaining to DNV has not been established at the time of writing.

Threat Group

Due to the lack of detail with regards to the ransomware strain and the associated threat actor group, the threat actor responsible for this attack is yet to be identified.

Mitre Methodologies

Due to the lack of detail with regards to the ransomware strain and the associated threat actor group, the tactics, techniques and procedures (TTPs) associated with the ransomware strain used in the attack have not yet been identified.

Further Information

Ransomware attack on maritime software impacts 1,000 ships

Port of Lisbon website still down as LockBit gang claims cyberattack

Ransomware attack hits maritime giant DNV

Advisory on Potential Sanctions Risks for Facilitating Ransomware Payment

 
