Three weeks after a ransomware attack on DNV’s ShipManager software, the classification society is still striving to get servers for the vessel and fleet management system back online.
Up to 1,000 ships, operated by 70 companies, are believed to have been affected, with the possibility that core operational data has been hit.
DNV has said its ShipManager software is a modular product that supports the management of vessels and fleets in all technical, operational and compliance aspects.
But the fact the criminal attack broke into a supply-chain linked system means hackers have the potential to target companies from which they can try to extract payments, according to cyber security sources.
In its last update, DNV said: “Affected customers have been advised to consider relevant mitigating measures depending on the types of data they have uploaded to the system.”
Cyber security firm CyberOwl’s chief executive Daniel Ng told TradeWinds that shipowners who have strong security policies in place are more likely to have been able to quickly recover operations, possibly moving to back-up or manual processes within hours of an incident.
“Owners at the more mature end of the cyber security scale have built-in redundancy plans, which means they can get their business and fleet operations up and running again despite the situation,” he said.
A key element of resilience involves gaining visibility of risks ahead of any issue as it allows response plans to be set in motion much faster, he added.
“If you are able to understand that a system is behaving abnormally and what other systems are affected in a similar way relatively quickly [then] often you can take action in response a lot more quickly than waiting for it to go dark.”
Waiting to understand that problems are more than just an outage can be too late, he said. “By that time the issue has spread.”
DNV added that the outage does not impact any of its other services as the ShipManager IT-infrastructure is isolated from other servers.
“The forensic investigation conducted by DNV’s global IT security partners has confirmed that no lateral movement to other parts of the DNV IT-infrastructure was detected as part of the attack,” it said.
US cyber security firm Vectra AI took a similar line to Ng, with chief technology officer Christian Borst saying offline features of ShipManager software are allowing affected ships to operate in a limited capacity while servers are down.
“But this attack should act as a reminder that infiltrating critical systems can give hackers control of physical processes, disrupt vital services and damage specialised equipment.
“Once ransomware is deployed, the damage has already been done,” he added.
Borst also called for fleet managers to focus on improving threat detection and response capabilities to spot the signs of an attack as soon as possible.
Ng said the UK-based cyber security firm, which launched in 2019, is monitoring a “worrying pattern” of three attacks on suppliers of critical software in the maritime supply chain over the last six months.
The DNV attack followed one on navigation services technology group Voyager Worldwide last December, which led to systems being taken offline by the company that has more than 1,000 shipping customers. Earlier, Danaos Management Consultants was also hit.
Ng said he felt the DNV attack was “more sinister” than a late-2021 one on Bureau Veritas, as it took down specific ship management software critical to fleet operations, whereas the French group’s general IT systems were taken down as a precautionary measure.
But he said he does not believe the pattern is sufficiently great to establish that maritime software is being targeted.
It is unclear who is behind the assault on DNV, but it is not thought to have been a targeted attack such as the high-profile attack on the UK’s Royal Mail overseas activities, believed to have been undertaken by Russian criminal hacking organisation LockBit.
LockBit was responsible for about a quarter of all known ransomware attacks in 2022, according to Israeli security firm CyberInt, and last year demanded $1.5m from the Port of Lisbon to not leak data after claiming its ransomware had shut down the Portuguese port’s computer systems.
In mid-2022, maritime law firm Ince also reported that a ransomware attack, which cost it about £5m, was a major factor in its needing to raise $8.6m.
A shipping cyber security survey last year by CyberOwl with maritime innovation firm Thetius and law group HFW revealed that 44% of respondents said they had been the subject of an attack in the last three years. Ransoms were paid by 3% of companies at an average cost of $3.1m.
At sea, 26% of seafarers said they did not know what actions are required of them during a cyber security incident, and 32% do not conduct any regular cyber security drills or training. Ashore, 38% of senior leaders either do not have a cyber security response plan or are unsure if their organisation has one.