Image: Dimitry Anikin
With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, this now means that all of the four biggest maritime shipping companies in the world have been hit by cyber-attacks in the past four years, since 2017.
Previous incidents included:
- APM-Maersk – taken down for weeks by the NotPetya ransomware/wiper in 2017.
- Mediterranean Shipping Company – hit in April 2020 by an unnamed malware strain that brought down its data center for days.
- COSCO – brought down for weeks by ransomware in July 2018.
On top of these, we also have CMA CGM, which today took down its worldwide shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by the Ragnar Locker ransomware.
This marks for a unique case study, as there is no other industry sector where the Big Four have suffered major cyber-attacks one after the other like this.
But while all these incidents are different, they show a preferential targeting of the maritime shipping industry.
“I’m not so sure it’s that they’re any more or less vulnerable than other industries,” said Ken Munro, a security researcher at Pen Test Partners, a UK cyber-security company that conducts penetration testing for the maritime sector.
“It’s that they are brutally exposed to the impact of ransomware.
“After Maersk was hit by the NotPetya crytper, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries,” Munro said.
It’s not the ships! It’s the shore-based networks
Over the past year, incidents where malware landed on ships have intensified. This included sightings of ransomware, USB malware, and worms; all spotted aboard a ship’s IT systems.
Maritime industry groups have responded to these increasing reports of malware aboard ships by publishing two sets of IT security guidelines to address maritime security aboard ocean-bound vessels.
But Munro points out that it’s not the ships that are usually getting attacked in the major incidents.
Sure, malware may land on a ship’s internal IT network once in a while, but the incidents where malware gangs have done the most damage were the attacks that targeted shore-based systems that sit in offices, business offices, and data centers.
These are the systems that manage personnel, receive emails, manage ships, and are used to book container transports. There is nothing particularly different from these systems compared to any other IT systems sitting inside other industry verticals.
“That said, if you can’t book a container, there’s no point in having the ship,” Munro added.
For all intents and purposes, it appears that despite efforts to protect ships from external hacking, the maritime industry has failed to treat its shore-based systems with the same level of attention.
While the rare ship hacking incidents are the ones that usually grab headlines, it’s the attacks on a shipping company’s shore-based systems that are more common these days, and especially the attacks on their container booking applications.
These systems have often been hacked by sea pirate groups looking for ship manifests, container ID numbers, and ship sea routes so they can organize attacks, board ships, and steal containers transporting high-value goods like electronics and jewelry [1, 2, 3, 4].
These waves of “cyber pirates,” as these groups have been often named, along with the recent attacks on the Big Four shipping giants, are a clear sign that the shipping industry needs to stop prioritizing the less likely ship hacking scenarios and focus more on its shore-based systems, at least, for the time being.