By Joel Snape, Senior Threat Researcher at Nettitude
October is Cyber Security Awareness Month, which is a great opportunity for companies and individuals to review and improve their cyber security processes and knowledge. At Nettitude, we will be releasing a new blog post every week of Cyber Security Awareness Month on our latest cyber security research, as well as our insights on the latest industry news and trends. We hope you’ll find them helpful, and as always please contact us with any questions.
There is widespread recognition that the maritime industry is becoming increasingly vulnerable to cyberthreats as increased automation and new forms of connectivity are deployed to drive operational efficiencies. Although most cyberattacks can be prevented through basic security controls, more advanced attempts often slip through undetected, and the time from vulnerability identification to exploit tool creation is continually reducing.
Through Nettitude and Lloyd’s Register’s combined research initiatives, we have conducted extensive threat modelling activities fuelled by the analysis of historic maritime cyber security incidents. In this blog series, we will look at eight increasingly common attack vectors that are being observed across the sector, this time looking at GPS Jamming, Ransomware, and APT40. If you haven’t already, please take a look at our first blog post and second blog post in this series, which cover phishing, physical infiltration of ship equipment, Piracy, ECDIS Malware, and VDR Tampering. And for full details on these common attack vectors, please see our full research report on the topic.
- GPS Jamming and Spoofing
In 2016, the US Coastguard issued a warning of GPS jamming encountered by multiple vessels when departing from a non-US port, with ships losing GPS capability and having to rely on radar, magnetic compasses and terrestrial navigation. Such events, while not frequent, have been seen repeatedly over the last few years. For example, in March 2018 the US Maritime Administration issued an alert for the eastern Mediterranean stating that multiple vessels and one aircraft had reported GPS disruption while crossing a portion of the Mediterranean between Cyprus and Egypt. The US Coast Guard navigation centre maintains a public record of reported GPS issues, and events in that region can be seen continuing infrequently (although the potential for equipment malfunction is always possible). In 2016, reports of GPS jamming in the vicinity of the border with North Korea affected around 700 ships, and led to South Korea announcing it was to investigate the development of an alternative navigation system more resilient to this style of attack.
While GPS jamming is disruptive, spoofing GPS signals so a vessel appears to be in an incorrect location could be significantly more damaging as it is potentially much harder to detect. One of the first publicly reported examples of GPS spoofing was recorded in June 2017 by ships approaching the Russian port of Novorossiysk. Over several days, ship navigation equipment reported having a strong GPS fix, but at the location of the city’s airport. With advances in Software Defined Radio (SDR) equipment, spoofing GPS signals has become possible with relatively cheap hardware. Using a HackRF SDR which retails for around $300 and an open-source project gpd-sdr-sim it is possible to simulate GPS baseband signal data streams and broadcast them to nearby receivers. This has been demonstrated by several different groups, with goals ranging from bypassing UAV exclusion zones to cheating at Pokemon Go!
Ransomware incidents have affected all industries and sectors, from manufacturing to government, and have been incredibly lucrative for criminal groups. One notable group called ‘GandCrab’ was active from January 2018 before ‘retiring’ in June 2019, offering their ransomware as a ‘service’ for other criminals to purchase. Although it is impossible to verify their claims, they publicly stated that their ransomware had made over $2 billion in ransom payments, with the operators making $150 million per year. Given how lucrative ransomware campaigns can be, some groups have invested significant effort into deploying ransomware within an organisation, sometimes even compromising key systems such as Active Directory or privileged accounts and using that access to ‘push out’ their ransomware onto all computers in an enterprise. It is most likely therefore that the initial infection vector was via a malicious email which a user opened, although it is also possible that a vulnerable internet-exposed service such as remote desktop (RDP) or JBoss was exploited.
Common ransomware families such as samsam have been known to propagate across networks by exploiting vulnerable services within the network and so can have far-ranging impact. It’s key to ensure that users are aware of the threat, that operating systems and applications are kept up-to-date and that networks are segmented with adequate security controls to help limit the spread of an infection.
Many industry segments have been the focus of advanced, nation-state sponsored hacking groups (APTs), and the maritime industry is no exception. Originally referred to as ‘Leviathan’ or ‘Temp.Periscope’ and recently (Feb 2019) dubbed ‘APT40’, a group believed to be sponsored by the Chinese state has been targeting the engineering, transportation and defence industries where they have overlaps with maritime technologies. The earliest public reports from Proofpoint show a pattern of sending targeted phishing emails (‘spear phishing’) to a number of US shipbuilding companies and organisations with maritime links, which if successful would have resulted in backdoor software being installed on the target machine. The actor then used this access to move laterally within the organisation and use information gleaned (e.g. account credentials) to help them target other organisations. FireEye reports that they expect this group’s activities to continue in at least the near and medium term despite the recent public attention.
Understanding the risks faced by your organisation and applying the appropriate risk treatment to ensure the impacts of attacks can be effectively mitigated is key. Almost all marine and offshore organisations currently operate reactively when an incident occurs and the costs, reputation and impacts could be significantly mitigated with some upfront considerations and preparations. Nettitude can provide a range of guidance, assurance services and help to both inform and help you prepare effectively for cyber events within your organisation. Please contact us for more information.
In addition, in order to learn more about the cyberthreats facing today’s marine and offshore organisations, please see our full research report on the topic.