Norwegian Cruise Line Hit !!

Norwegian cruise company Hurtigruten sustained a cyberattack on 14 December 2020 and several critical network systems were affected, the company said in a statement. Hurtigruten, which operates ferries along the Norwegian coast as well as cruises in the Arctic and Antarctic in normal times, said it did not expect the attack to lead to a "material financial effect.”[1]

"This is a serious attack. Hurtigruten's global IT infrastructure appears to be affected," the company's head of IT, said in a statement, adding that the company had implemented "comprehensive measures" to limit the damage from the attack.

The Hurtigruten’s cruise ships have been placed in a holding pattern, yet the company continues to maintain its coastal service of transporting passengers and goods. Since the COvid-19 pandemic, their services have been limited by travel restrictions, but Hurtigruten recently announced that it had signed an agreement with the Norwegian government to increase capacity on the coastal route. During the first quarter, the company has agreed to maintain operations with a total of five ships. Starting in October 2020, Hurtigruten had limited the coastal service to just two ships focusing on the northern ports between the cities of Bodo and Kirkenes. Many Norwegian coastal communities, who critically depend on these ships, were only going to have a ship arriving every five to seven days down for the traditional daily service. Was this a motivation for a cyber-attack?

Hurtigruten has now unfortunately joined the dubious ranks of many of the other major maritime shipping companies that have suffered a cyberattack. Cruise ships are basically floating hotels, where numerous personal identifying information data points are available if a cyber-attack is successful. Carnival Corporation reported a breach on its servers exposing consumer data while shipping giant CMA CGM also suffered a crippling attack at the end of September. Initially, CMA CGM thought it had been able to limit the attack to peripheral servers. Its online bookings and other key functions were offline for two weeks, resulting in customers reporting chaos as the line struggled to restore and harden the systems. Maersk was a victim, as well as a handful of international ports. The UN International Maritime Organization (IMO) was also briefly taken offline by malware.[2]

There have been a sharp increase in the reports of maritime attacks with some estimates putting the cost at over $2 trillion in 2019. According to industry professionals, there has been a 300 percent increase in cyberattacks since the beginning of the Covid-19 pandemic and the shipping industry has not been spared. Our analysts are also seeing an uptick of transportation supply chain intrusion attempts to move laterally into shippers and shipping companies.

Red Sky Alliance has been tracking maritime cyber criminals for the past 3 years. Throughout our research we have learned through our colleagues and clients that the installation, updating and monitoring of firewalls, employing cyber security practices and providing proper employee training are keys to success, yet unfortunately at times - not enough. Our current CTAC and RedXray tools provide a valuable look into the underground, where these indicators of compromise are sued to create our weekly Vessel Impersonation and Maritime Watchlist reports. These reports not only provided indicators used to blacklist malware, but show the attack tactics and techniques targeting the transportation supply chain.

In our most recent 14 December 2020 report, analysts observed two vessel names in the Subject Lines: M/V PVT Sea Lion, M/V Maersk Kleven, and M/T Saranga and a malicious subject line of, “Freight Statement Of Outstanding As Of 12_07_2020” used this week. This email leverages a few techniques to get the targeted users to open the malicious attachments.

The sender of the malicious email appears to have been sent from “Dante.Parker@msc.com”. Open-source data does not show anyone with that name or email address working for this shipping company, so it is likely that this email address is spoofed. It should be noted that msc.com is owned by Mediterranean Shipping Company (MSC) which was the victim of a cyber-attack earlier this year. Attackers often impersonate large companies such as Maersk, CMA CGM, MSC, and others to raise the level of trust that victims have when opening malicious email attachments/links. This ‘trust’ is them leveraged and provide a cyber intrusion point for bad actors.

The target of the malicious email in this case is an employee at PC Pursuit. This company (which dissolved in 2018) protected digital assets by preventing people from logging into computers unless they were physically in the building. Specifically, the attackers were targeting the founder of the company. It is unclear if the founder is still using this email address since the company has closed and pcpursuit.com is not an active website at this time. Regardless, this is an example of a tactic to try and get into a peripheral supply chain.

Our information can help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.

Red Sky Alliance has been has analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949