USCG: Cyberattack Penetrated Cargo Facility's Operating Controls


Published Jan 1, 2020 2:05 PM by The Maritime Executive

In a marine safety bulletin issued in December, the U.S. Coast Guard warned the maritime community to harden defenses against phishing and cyberattacks after a new outbreak of encryption ransomware at a maritime facility. 

In the bulletin, the USCG disclosed a recent virus attack at an unnamed Maritime Transportation Security Act (MTSA)-regulated facility. As the U.S. implementation of the ISPS code, the MTSA covers a wide range of maritime facilities, including barge fleeting areas, commercial ports and terminals. (The attack has been widely misreported as a malware infection at a U.S. Coast Guard base.)

Forensic analysis is still under way, but the virus, identified as “Ryuk” ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once an employee clicked the malicious link embedded in the phishing email, the ransomware allowed the attacker to access the facility's business (enterprise) network files and encrypt them, preventing access to critical information.

Further - and more troubling - the virus burrowed into the facility's industrial control systems, which monitor and control cargo transfer. On the control system network, the virus encrypted files critical to process operations. 

In total, impacts to the facility's operator included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems. These combined effects required the company to shut down the primary operations of the facility for over 30 hours for a cyber-incident response.

According to the Coast Guard, several measures may have prevented or limited the breach and decreased the time needed for recovery:

- Intrusion detection and prevention systems to monitor real-time network traffic
- Industry-standard, up-to-date virus detection software
- Centralized and monitored host and server logging
- Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
- Up-to-date IT/OT network diagrams
- Consistent backups of all critical files and software 
- Verifying the validity of the email sender prior to responding to or opening unsolicited email messages
- Implementing U.S. Cybersecurity and Infrastructure Security Agency (CISA) best practices

Global reach

According to the UK's National Cyber Security Centre (NCSC), the Ryuk malware was first seen in August 2018 and has been used in multiple attacks globally. Ryuk is a targeted ransomware where demands are set according to the victim’s perceived ability to pay. The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and maximizing the impact of the attack.

According to NCSC, when a Ryuk infection occurs, the attacker uses additional post-exploitation software tools to enable illegal activity within the target network. These additional tools facilitate credential harvesting, remotely monitoring the victim’s workstation and carrying out lateral movement to other machines within a network. 

"Access to compromised machines can be sold to other criminal operators at any stage in this process, either as a facilitated deployment, or through the sale of credentials for the compromised network," NCSC warned.