6542
Views

Chinese Spy Malware Found in European Shipping Companies' Systems

cyber
iStock

Published May 15, 2024 8:25 PM by The Maritime Executive

A prominent cybersecurity consultancy has spotted signs of Chinese hacking intrusions in the European cargo shipping industry, the latest in a series of discoveries of China-aligned threat groups infiltrating Western economic infrastructure and setting up a persistent presence. 

Slovakia-based ESET has detected loading software for a type of malware called Korplug in the systems of multiple shipping companies in Norway, Greece and the Netherlands. Some of the malware penetrations appeared to be aboard the cargo vessels themselves, not just in the office systems used by the shoreside staff. Some instances appeared to come from a USB drive, a well-known and much-discussed source of risk in shipping.  

Some of the malware used invalid software author authentication codes, copying legitimate signatures from reputable authors (including a prominent American cybersecurity company).

The Korplug malware platform is used only by the Chinese threat group Mustang Panda (also known as TA416, RedDelta, or PKPLUG). The samples that ESET identified have already been used in previous hacking campaigns, suggesting that Mustang Panda is reusing its software (and thereby making its operations easier to identify). 

Mustang Panda was first identified in 2017, and may have been operating before, according to consultancy Mitre. The group has historically targeted nonprofits, religious groups, governments and NGOs. Its usual areas of focus include targets in the U.S., Europe, Mongolia, Myanmar, Pakistan and Vietnam. Prominent targets include the Communist Party of Vietnam, the Shan State Army in Myanmar, and a Germany-based cultural NGO known as China Center. It is known for sophisticated phishing attacks using topical and target-relevant subject matter to lure in the victim. Past activities include illicit data extraction; persistent intrusion and monitoring; exfiltrating user credentials; and careful anti-analysis and anti-detection techniques. 

Targeting commercial shipping is a departure from Mustang Panda's pattern, but may align with a broader trend. The U.S. government has repeatedly warned that Chinese threat actors are attempting to infiltrate and set up a presence inside of cyber infrastructure in the West, possibly for the purpose of inflicting damage or creating leverage in the event of a future conflict. U.S. officials have sounded the alarm about possible vulnerabilities in Chinese state enterprise-built ship-to-shore cranes, which dominate the global market. The American Association of Port Authorities has called media coverage of port crane vulnerabilities “alarmist,” and “sensationalized,” while also calling for a legislative effort to restore the U.S.’s manufacturing capabilities for domestically-built cranes.