Russian hacktivist organisations are behind a constant stream of cyber attacks targeting ports and shipyards based in countries that have supported Ukraine, a cyber conference heard Wednesday.
Groups, including the Cyber Army of Russia Reborn (CARR), are said to have targeted ports in countries including Australia, Germany and Poland as well as a Japanese shipyard in the past two months, said Tom Scriven of cyber security firm Mandiant, a Google subsidiary.
The groups are largely behind unsophisticated distributed denial-of-service (DDoS) attacks that flood websites with malicious traffic to stop online services.
Russia’s main state-backed cyber “attack dogs” responsible for targeting critical infrastructure in Ukraine have not joined the attacks on maritime facilities, Scriven said.
But he said that authorities should be aware of the potential escalation of tactics.
Scriven said links have been identified between the hacktivists and the more powerful state-sponsored group known as APT44, or Sandworm.
Attacks on maritime facilities include one by CARR on the Port of Brisbane last month and by another group, OverFlame, on ports in Germany and Poland in September and October.
The port of Nagoya in Japan was targeted by a third hacktivist group in October, Scriven said.
The US sanctioned CARR’s leader and its primary hacker in July.
Late last year, CARR started to claim responsibility for attacks on industrial control systems of US and European infrastructure targets including water supply, hydroelectric and energy facilities, the US Treasury Department said.
It said major damage had been avoided because of the group’s “lack of technical sophistication”.
“There is a lot of it [attacks] that we track as an organisation,” Scriven told a conference at the International Maritime Organization run by the Cyber-SHIP lab of the UK’s University of Plymouth.
“So at the moment, that’s fairly constant,” Scriven said.
As the situation in Ukraine changes the tactics were also likely to evolve into “more active, destructive-based attacks”, he said.
“But in this reporting period … that’s not what we’re seeing.”
Previous Cyber-SHIP conferences have highlighted the potentially devastating impact on shipping and global trade of cyber attacks on vessels.
But the cyber arm of classification society DNV said in a new report on Wednesday that the vast majority of cyber incidents involving shipping stem from indiscriminate wide-ranging attacks aimed at computer vulnerabilities.
Ships are at threat owing to outdated computer equipment and the use of potentially malware-infected USB sticks to update software.
Rory Hopcraft, a cybersecurity lecturer at Plymouth, said that the department had secured secondhand equipment from vessels for research that was found to be riddled with malware.
He said that plug-in-and-charge e-cigarettes, downloaded music and movies by seafarers on vessels and USB sticks all posed known cyber security risks.
The DNV report highlighted how a single USB stick used at one port spread espionage-linked malware to eight vessels.
Hopcraft told TradeWinds that research by labour organisations suggested that seafarers could be persuaded to plug in an infected USB stick for a $1,000 bribe in some parts of the world.
Scary security
“We buy secondhand kit from a variety of sources to see what’s already on there — and it’s scary,” he said.
“It’s just general malware picked up from general places, not specifically targeting [maritime] devices so it might not have a real-world impact.”
While ransomware and other malware might not work on shipping systems, it could still result in the kit malfunctioning, DNV said.
It found that some shipping companies simply replace malfunctioning kit without realising that the cause of the breakdown was a cyber attack.
Corey Ranslem, CEO of maritime intelligence company Dryad Global, said malware writers’ technical abilities had also significantly improved.
Two years ago malware could remain within a computer for 270 days before it had fully analysed systems to launch an attack. That was now down to four days, he said.
“The biggest implication is for the incident response teams as it decreases the time they have to detect there is malware on a ship,” he said. “But the tools they are using have improved as well.”
Read more
- Wallenius and ABB team up to provide fleet support for smaller shipowners
- Russia provided ship target data to Houthis to back deadly Red Sea campaign, intelligence sources claim
- A $50trn risk: War game reveals how extreme conflict could hit shipping and snarl global trade
- DNV snaps up British digital security firm CyberOwl
- ‘Intensified sabotage’: US warns Russia stepping up attacks on Western shipowners
