Arkoon+Netasq

10/15/2021 | Press release | Distributed by Public on 10/15/2021 01:02

Cybermarétique: a short history of cyberattacks against ports

Maritime cybersecurity has become a major and global issue. The numbers speak for themselves: while maritime transport alone accounts for nearly 90% of world trade, the major seaports suffered an average of 10 to 12 cyberattacks per day in 2017 (according to the Union des Ports de France). This trend only continues to grow, since the number of cyberattacks in maritime transport increased 400% in 2020, according to the firm Naval Dome. Are the ports in troubled waters? Let's take a quick look back at the most notable known cyberattacks of the past 10 years.

Antwerp, June 2011: malware infiltrates port system

In 2013, the port of Antwerp discovered that a drug cartel had hijacked its container management system. In fact, the port's computer network had been under surveillance since June 2011, when it was reportedly infiltrated by malware, specifically a keylogger, which allowed the hackers to record the keystrokes of the loading/unloading operators and thereby obtain their usernames and passwords.

The port of Antwerp eventually re-secured its system by investing nearly €200,000 to set up countermeasures, including a new password management system (to provide access to containers) and new communication channels between port operators and customer services.

Rotterdam, June 2017: collateral damage from a large-scale contagion

On 30 June 2017, the port of Rotterdam became infected with Petrwrap, a modified version of the NotPetya ransomware. In particular, two container terminals operated by APMT, a subsidiary of the Møller-Maersk group, saw their activities completely paralysed. The port of Rotterdam is one of the ports that has invested the most in completely automating its operational processes (as part of a Smart Port strategy, which incorporates the Internet of Things and artificial intelligence), which makes it all the more reliant on the stability of its IT services.

In response, the Municipality of Rotterdam, the police and the port authorities jointly appointed a Port Cyber Resilience Officer to improve the port's cyber-resilience, educate stakeholders on cybersecurity issues, improve organisational training and ensure better risk control.

Long Beach, 2018: the start of a series of international attacks

One year after the Rotterdam hack, a series of cyberattacks disrupted the activities of several international ports. The port of Long Beach in the United States was the first to be hit, specifically a terminal belonging to the China Ocean Shipping Company (COSCO), which saw its information system contaminated by what appeared to be ransomware.

Barcelona, 2018: internal IT systems contaminated

On 20 September 2018, the port of Barcelona was the next to be hit. Little information has since seeped out, but it appears that the internal IT systems were attacked, which affected loading/unloading processes. The operators, however, sought to reassure everyone by stressing that maritime activity was unaffected, as ships were able to circulate and enter the port.

San Diego, 2018: a highly sophisticated cyberattack

A week later, the port of San Diego was also disrupted by a "highly sophisticated" cyberattack, according to The San Diego Union-Tribune, with no further information on the technique used. Port authorities confirmed this was a ransomware attack that severely limited the capabilities of their employees, which would have "temporary impacts on service to the public, especially in the areas of park permits, public records requests and business services".

Vancouver, 2018: a (new) brute force attack

And to cap off a turbulent year, the port of Vancouver suffered a brute force attack in October, a few months after another attack of the same type. According to the French website cybermaretique.fr, nearly 225,000 user accounts were probed that day, though no further information was given on the consequences of this DDoS attack. By comparison, local port authorities admitted that they are probed this way every day, but never for more than 6,000 accounts at a time.
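The Vancouver figures above describe a classic anomaly: a normal day sees a few thousand distinct accounts probed, the attack day saw well over 200,000. As an added example (not code from Stormshield, cybermaretique.fr or any port authority), the script below turns that baseline into a simple alerting rule over authentication logs, counting the distinct accounts that saw failed logins each day and flagging days that exceed a multiple of the usual volume. The log line format, the sample lines and the alerting multiplier are constructed for the illustration; the port's real log format is not known from the page.

```python
"""
Added example, not from the original press release: flag a day on which the number
of distinct accounts with failed logins far exceeds the normal daily baseline.
The log format and all sample lines below are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed log format: "<ISO timestamp> auth: login failed user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z auth: login failed "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def accounts_probed_per_day(lines):
    """Return {date: set(usernames)}: the distinct accounts with at least one failed login per day."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-login event (successes, other services, malformed lines)
        seen[date.fromisoformat(m["ts"])].add(m["user"])
    return seen


def flag_spray_days(lines, baseline, factor=3.0):
    """Return sorted (ISO date, distinct-account count) for days exceeding factor * baseline.

    `baseline` is the number of distinct accounts normally probed on a quiet day
    (the article quotes 'never more than 6,000' for Vancouver); `factor` is a
    constructed alerting multiplier, tuned per site.
    """
    threshold = baseline * factor
    per_day = accounts_probed_per_day(lines)
    return sorted(
        (day.isoformat(), len(users))
        for day, users in per_day.items()
        if len(users) > threshold
    )


def build_sample_log():
    """Constructed sample: a quiet day, then a day on which many accounts are each tried once."""
    lines = []
    for i in range(5):  # quiet day: five operator accounts mistyped a password
        lines.append(f"2018-10-01T08:1{i}:00Z auth: login failed user=op{i} src=10.0.0.{i + 1}")
    # a repeat failure on the same account still counts as one probed account
    lines.append("2018-10-01T09:00:00Z auth: login failed user=op0 src=10.0.0.1")
    for i in range(45):  # spray day: 45 distinct accounts, one attempt each, from a handful of sources
        lines.append(
            f"2018-10-02T02:00:{i:02d}Z auth: login failed user=user{i:04d} src=203.0.113.{i % 10}"
        )
    lines.append("2018-10-02T02:01:00Z auth: login ok user=admin src=10.0.0.9")  # success: ignored
    return lines


if __name__ == "__main__":
    # With a baseline of 5 accounts and the default factor, only the spray day is flagged.
    for day, count in flag_spray_days(build_sample_log(), baseline=5):
        print(f"ALERT {day}: {count} distinct accounts probed")
```

The rule deliberately counts distinct accounts rather than raw failures: a single operator locking themselves out produces many failures on one account, whereas a brute-force or spraying campaign touches many accounts a few times each, which is exactly the dimension in which the Vancouver day stood out.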

Marseilles, March 2020: the hits keep coming

In March 2020, the port of Marseilles was the next to get hit with ransomware: Mespinoza/Pysa. In this case, maritime infrastructures were not directly targeted, but were incidentally affected due to their interconnection with information systems in Aix-Marseille-Provence, which was the main target of the attack. The effects were reportedly greatly reduced thanks to joint action from the CISOs of the various organisations affected.

This incident was publicly documented by the French ANSSI, which participated in the risk analysis and helped develop the countermeasures in place today. One notable fact: while carrying out this audit, ANSSI reportedly located several malicious files on the targeted IT departments' systems, showing that other malware had infiltrated them over the previous months or years. In each case, the intrusion techniques used were reportedly "not very advanced".

Shahid Rajaee, May 2020: a cyberattack amidst geopolitical conflict

In May 2020, the port of Shahid Rajaee, Iran, saw all of its operational processes almost completely interrupted. Internal sources told journalists from the Washington Post that the "computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility."

While the modus operandi was unknown, US officials alluded to a cyberwar between Iran and Israel. This cyberattack was presumably a response to an attack on Israel's water network.

Langsten, June 2020: the price of success

In June 2020, a shipyard in Langsten, Norway, owned by the company Vard, was the victim of a ransomware attack. While the company never disclosed the exact consequences and technical details of the attack, its spokesperson admitted that operations have since been sluggish. In addition to the ransomware encryption, the company also admitted to a database breach, without providing further details on the amount or the importance of the data stolen.

This attack came just as Vard was going through a successful organisational restructuring following its takeover by the Italian manufacturer Fincantieri, with a flood of international orders coming in.

Kennewick, November 2020: size isn't everything

In November 2020, the port of Kennewick was hit with ransomware, which completely locked access to its servers. The incident was a big surprise for this small inland port, located on the Columbia River in Washington State, since its strategic scope is much smaller than that of the major commercial seaports. But size doesn't stop cyber criminals from attacking such targets, which are often less well defended, in the hope of receiving significant returns on their investment.

It took nearly a week for port authorities to regain control over their data by rebuilding their information system using backups. Kennewick port and city authorities speculated that the inadvertent opening of a corrupted attachment was the starting point for the attack.

South Africa, July 2021: a case of cyber-force majeure

In July 2021, four major ports in South Africa (Cape Town, Ngqura, Port Elizabeth and Durban) were paralysed following a massive attack on the Transnet National Port Authority, the country's main freight manager. The official press release (reported by Reuters) characterised the attack as a case of "force majeure" that made its computer system unusable, similar to the effects of a ransomware attack.

This attack came just as Transnet and the national authorities were embarking on an ambitious, ultra-secure Smart Port programme, with the city of Durban as the pilot.

Houston, August 2021: hackers exploit a software flaw

According to an official statement, the port of Houston recently resisted an attack exploiting a critical flaw in a password management solution. Identified as CVE-2021-40539, this software flaw (with a CVSS score of 9.8 out of 10) easily allows hackers to implant web shells in an organisation's information system to facilitate various actions, from extracting critical data to installing malware.

Port authorities say that the cyber defences in place and the facility's security plan (which must be submitted under the Maritime Transportation Security Act (MTSA) in the United States) allowed them to counter the threat.

This list is non-exhaustive.

Link to the Naval Dome report on the increase in cyberattacks in maritime transport
Link to the 2017 report of the 7th Assises du Port du Futur and the figure on the 10 to 12 cyberattacks per day estimated by the Union des Ports de France (UPF)