Today’s cyberattacks occur 24x7. Although most of the generic attacks can be prevented through basic security controls, more advanced attempts often slip through undetected, and the time from vulnerability identification to exploit tool creation is continually reducing. Attacks that would have been classed as sophisticated 12 months ago now appear in commodity based malware that can be freely found on the dark web.
These cyberattacks are increasingly targeting the maritime industry. Attacks are often not detected and frequently not reported, but there is widespread recognition that the industry is becoming increasingly vulnerable as increased automation and new forms of connectivity are deployed to drive operational efficiencies. Through Nettitude and Lloyd’s Register’s combined research initiatives, we have conducted extensive threat modelling activities fuelled by the analysis of historic maritime cyber security incidents. In this blog series, we will look at eight increasingly common attack vectors that are being observed across the sector, beginning with phishing and physical infiltration of ship equipment. For full details on these common attack vectors, please see our research report on the topic.
1. Phishing
Phishing attacks remain the preferred attack method for gaining access to organisations and data, and it’s important to ensure your organisation is effectively protected. We have recently observed several phishing campaigns of different levels of sophistication specifically targeting maritime organisations, and here we outline how they could have affected your organisation had they been successful.
One of the most basic types of phishing campaigns are those aiming to get access to valid credentials for an online service or portal. These often take the form of an email with a link disguised to look like the legitimate service, and an enticement (usually a time-pressure) to get the user to click it.
For example, Nettitude encountered a case in which a PDF attachment titled ‘Mearskshippingdetails.pdf’ was sent in order to attempt to replicate the way the legitimate service operates. Please note, this was not related to their communications or a vulnerability within Maersk, but rather an attempt by a threat actor to use their name to legitimise the phishing email being sent. It is an indication that threat actors will use the reputation and name of some of the well-known companies within marine and offshore.
The page was hosted on what is likely to be a legitimate website (a very similar site with a Colombian TLD exists which appears to advertise a Moroccan herbalist’s services) hosted in a cheap cloud provider’s network. It is difficult to establish exactly how the phishing page was uploaded onto the site, but it is likely that there is a vulnerability in the version of WordPress or plugins used on the site.
In this case, it was possible to obtain a copy of the code which was running on the phishing webpage as the attacker had left a zipped copy accessible on the server. It can be seen that when a user’s credentials are submitted to the site they are emailed to firstname.lastname@example.org where the attacker can either retrieve them or forward them on, and the user is redirected back to the login page with an error. Phishers have been using this technique for some time to ensure that when the site does get spotted and cleaned up it is not possible to retrieve any information on which credentials were collected.
We have found evidence that this phishing page has been repeatedly re-used since at least early 2018 which indicates that despite the apparent lack of sophistication of the phishing mechanism it is successful enough to warrant the effort of multiple campaigns.
The impact of a successful attack of this nature is that the perpetrator would be able to gain access to your accounts on the service they are targeting (in this case the Maersk document portal). They would then be able to access potentially sensitive information, or impersonate your company to carry out further attacks on others.
While credentials to services are obviously of value to attackers, more can be gained by establishing a foothold within the target’s network. We recently (Feb 2019) observed another maritime-themed campaign distributing the Adwind/jRAT remote access Trojan, a popular multi-platform malware program available for sale as a paid service. It gives its operators full control of the infected machine, and its capabilities include collecting keystrokes, stealing information from browsers, taking screenshots and extracting files.
This campaign was targeted at organisations providing logistical support to the maritime industry - for example, a Spanish company providing ship supplies and chandlery (including to government and naval vessels) and the middle-eastern division of a multi-national engineering company providing offshore and sub-sea equipment.
The initial email was sent from what appears to be a broadband connection in Romania which is exposing a web interface for a popular brand of CCTV camera to the internet. In this email, the malicious payload was attached directly as a compressed file which contains a malicious .jar file. After reverse-engineering the heavily obfuscated Java code, Nettitude researchers were able to reverse the encryption layers and extract the malicious code (server.jar) and its configuration.
Once run, it hides on the user’s machine, enumerates its Windows Firewall and antivirus state and achieves persistence by writing entries to the autorun section of the Windows registry. It will then start communicating with the command and control server provided in config.json (5.206.225[.]115 in this case) using TLS, which allows the operator to obtain information from the machine and potentially deploy additional modules or code.
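The behaviours described above translate into a few host-level indicators a blue team can look for. The following detection example was written for this post (it is not Nettitude’s code, nor anything from the malware) and runs three simple rules over constructed Sysmon-style event lines: a .jar launched from a user profile, a Run-key autorun value that starts a .jar, and an outbound connection to the C2 address quoted above. The event format, sample lines and rule names are assumptions; only the C2 address comes from the post.

```python
import re

# Defanged C2 address quoted in the post; refang() turns "[.]" back into "."
def refang(indicator):
    return indicator.replace("[.]", ".")

KNOWN_C2 = {refang("5.206.225[.]115")}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed Sysmon-style events (EventID 1 = process create,
# 13 = registry value set, 3 = network connection); not real telemetry.
EVENTS = [
    "EventID=1 Image=C:\\Program Files\\Java\\bin\\javaw.exe "
    "CommandLine=javaw.exe -jar C:\\Users\\bob\\AppData\\Roaming\\server.jar",
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Run\\Updater Details=javaw -jar C:\\Users\\bob\\AppData\\Roaming\\server.jar",
    "EventID=3 Image=C:\\Program Files\\Java\\bin\\javaw.exe "
    "DestinationIp=5.206.225.115 DestinationPort=443",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=93.184.216.34 DestinationPort=443",
    "EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Program Files\\OneDrive.exe",
]

def parse(line):
    """Split 'key=value key=value' where values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def classify(event):
    """Return the names of the rules an event triggers."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "").lower()
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    hits = []
    # Rule 1: a .jar run from a user profile (the dropped server.jar)
    if eid == "1" and "-jar" in cmd and "\\appdata\\" in cmd:
        hits.append("jar_from_user_profile")
    # Rule 2: autorun persistence via a Run/RunOnce value that launches a .jar
    if eid == "13" and any(k in target for k in RUN_KEYS) and ".jar" in details:
        hits.append("jar_autorun")
    # Rule 3: outbound connection to the C2 address named in config.json
    if eid == "3" and event.get("DestinationIp") in KNOWN_C2:
        hits.append("known_c2_connection")
    return hits

def scan(lines):
    """Return (rule, line) pairs for every rule hit across a log."""
    return [(rule, line) for line in lines for rule in classify(parse(line))]
```

Only the first three constructed events fire; the benign browser connection and the OneDrive Run value pass through, which is the false-positive check worth keeping when adapting these rules to real Sysmon output.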
Clearly the impact of an attack of this type can be significantly more serious. Attackers with access to your network can start to access data stored on the infected machine and use it as a staging point for further attacks on internal infrastructure, for example key systems such as Active Directory. In some cases, this access has then been used to deploy ransomware if the attacker is unable to get access to data or systems of interest.
Although phishing attacks like this have been ongoing for several years, their continued existence points to their continued effectiveness. Although in the examples seen above the emails were targeted at shore-based infrastructure, it is important to remember that any environment where emails are accessed (including on ship computers) is vulnerable to this kind of attack and could be used to gain a foothold within a ship’s infrastructure.
It is therefore critical that organisations implement protection against phishing threats, guarding both against credential theft and malicious attachments.
This could include:
- Training staff to identify and report suspicious emails.
- Security software on endpoints to help catch simple malicious payloads.
- Email scanning and filtering to help stop emails reaching users.
- Network controls to block access to malicious sites or known malware command and control servers.
2. Physical Infiltration
One of the earliest publicly reported security incidents affecting the maritime industry was disclosed by Europol in June 2013 [1]. They disrupted a drug smuggling operation where containers were intercepted at the Port of Antwerp, with over 1000 kg of cocaine and heroin seized.
During the investigation, they discovered that the port and container terminal had been infiltrated using two mechanisms:
- Phishing emails with malicious attachments
- Physical implants in offices to capture passwords
Information on exactly how the key-loggers were installed was not publicly released, but photos released by Europol show physical implants hidden within a power strip. Alongside this is what appears to be a USB key-logger and mobile SIM card, which would allow stolen data to be sent over the mobile network to help avoid detection. Devices connected directly to computer workstations can allow typed key-presses to be read, while those on the network can intercept non-encrypted traffic between devices.
By using a combination of information gained from the network interception, and access to key systems, the smugglers were able to determine where containers were, and obtain the electronic release codes (ERC) required for their drivers to collect the container before the legitimate customer.
Europol continue to discover drugs and other contraband being smuggled through Europe’s ports, and similar reports have come from other continents [2]. As security is increased in reaction to discovered attacks, smugglers will continue to target different pieces of maritime infrastructure to try to get the information they need.
By strengthening physical security controls, the risk of this class of attack will be reduced. These controls should be assessed in relation to the requirements of the facility, but might include access cards, alarms and CCTV. Computer networks should restrict access only to trusted devices and be segmented to prevent access to sensitive systems from locations where that access is not required. For example, an office environment where staff and visitors may connect devices should not be able to connect directly to databases or servers. Additionally, security monitoring should include checks for unauthorised devices and rogue Wi-Fi access points.
Understanding the risks faced by your organisation and applying the appropriate risk treatment to ensure the impacts of attacks can be effectively mitigated is key. Almost all marine and offshore organisations currently operate reactively when an incident occurs, and the costs, reputational damage and operational impacts could be significantly reduced with some upfront consideration and preparation. Nettitude can provide a range of guidance and assurance services to help you both understand and prepare effectively for cyber events within your organisation. Please contact us for more information.
In addition, in order to learn more about the cyberthreats facing today’s marine and offshore organisations, please see our research report on the topic.