Cybersecurity is vital to the maritime industry, and yet vulnerabilities are increasingly being exploited by criminals. Below are two examples of recent cyberattacks against Gard, as well as our key recommendations to prevent losses.
Successful cyber-attacks can have serious consequences, such as operational disruptions, data leakage and financial losses. It is therefore important to raise awareness and improve security measures among maritime stakeholders, including crew members, operators, and service providers. With that in mind, we share our experience with two recent cyber-attacks aimed at Gard’s operations.[1]
The most common threats
Ransomware campaigns affecting the maritime sector are a high threat. They are typically carried out using a “trojan horse” disguised as a legitimate file, which the user is tricked into opening.
Phishing by email continues to be the most common means of attack, although phishing via SMS, phone, social media and even Microsoft Teams also occurs. Whatever the method, these attacks can be profitable: according to the American analysis company Chainalysis, cybercriminals earned more than USD 1 billion last year through ransomware extortion.
Recent Gard examples[2]
At Gard, as at most digital companies, we experience an almost constant inflow of cyberattack attempts, and we have seen an increase over the past few years. The following is a summary of one of our most recent examples:
- False emails: In an existing email thread between Gard and other parties regarding a case, fraudulent email addresses were added to the communication. These addresses were created to look like legitimate addresses that were already in the existing email thread.
- Real names: Real employee and company names were used in the fraudulent emails, both as senders and added in copy.
- Changes in payment details: In one of the fraudulent emails, bank account changes were requested. This was a red flag that alerted the employee to dig deeper, and the fraud was detected.
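A mail-side check for the pattern described above, comparing the addresses on an incoming reply with those already in the thread. This is an added example, not Gard's tooling; the names, the `.example` addresses and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import getaddresses

# Constructed sample headers; every name and domain is a placeholder.
KNOWN_THREAD = ("Anna Berg <anna.berg@insurer.example>, "
                "Claims <claims@shipowner.example>")
NEW_MESSAGE_CC = ("Anna Berg <anna.berg@insurer.example>, "
                  "Anna Berg <anna.berg@lnsurer.example>, "
                  "Port Agent <agent@portagency.example>")

def parse(header):
    """Return {address: display_name} with lower-cased addresses."""
    return {addr.lower(): name
            for name, addr in getaddresses([header]) if addr}

def similarity(a, b):
    """Character-level similarity between two addresses, 0.0 to 1.0."""
    return SequenceMatcher(None, a, b).ratio()

def flag_new_participants(known_header, new_header, threshold=0.85):
    """List (address, reason) for every address not already in the thread.

    A newcomer that reuses a known display name, or that is nearly
    identical to a known address, is called out as such; any other
    newcomer is reported as a plain new address for manual review.
    """
    known = parse(known_header)
    findings = []
    for addr, name in parse(new_header).items():
        if addr in known:
            continue  # exact match with an existing participant
        reason = "new address"
        for k_addr, k_name in known.items():
            if name and name.lower() == k_name.lower():
                reason = f"display name reused from {k_addr}"
                break
            if similarity(addr, k_addr) >= threshold:
                reason = f"lookalike of {k_addr}"
                break
        findings.append((addr, reason))
    return findings

if __name__ == "__main__":
    for addr, reason in flag_new_participants(KNOWN_THREAD, NEW_MESSAGE_CC):
        print(f"{addr}: {reason}")
```

A finding is a prompt to verify the sender through a separate channel, particularly when the same message asks for a change of bank details.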
Ransomware on Teams: In another case, Gard experienced an attempted ransomware attack on Teams (a method that was also used against several other companies last year, according to Cybernews). In brief, this is the method that was used against Gard:
- Using a well-known person: First, several employees received a Teams chat invitation from what looked like a company manager, but in reality was a cyber attacker.
- Triggering emotions: The content in the Teams chat was designed to trigger personal concern. The topic was “organizational changes”, and part of the message read: “In an attached file you can see if you keep your job”.
- Fishing for clicks: By reaching out to many employees at the same time, the attacker increased the chance of success. A single person opening the file could have been enough to affect all employees. It could have led to malware that encrypted files and spread to other laptops.
Cybersecurity incidents like these show the importance of both awareness and security maturity in the solutions and the incident handling. Unfortunately, parts of the maritime industry have suffered from immature levels of security and lack of user awareness among staff. We have seen several incidents where a high-risk website has been visited, or the business infrastructure has been misused for personal purposes. To avoid costly incidents, our advice is to improve cybersecurity training and awareness with clearer procedures and guidance for online behaviour.
Our recommendations
Below are our cybersecurity recommendations for onboard behavior:
- It is safer to visit an official website than to click on a link in an email or scan a QR code.
- Check links by hovering over the link. You can see the real web address in your browser’s bottom left corner. If the address looks suspicious, do not click.
- Use a passphrase to create strong and unique passwords with upper and lowercase letters, numbers and symbols or spaces.
- Use several authentication factors (like facial, fingerprint or an authenticator app) if possible.
- Keep business and personal email use separate.
- Do not connect unauthorized personal equipment to networks on ships or other business locations.
- At Gard, our staff are trained to be security “STARs” (acronym for Stop, Think, Ask, React):
  - Stop – Resist acting on impulse, especially if something in an email or other channel triggers emotions, is urgent or unusual.
  - Think – Think before clicking or doing anything. Is this a message I expected to receive? Is this a person I know? Take time to reflect on whether the message makes sense to you or not.
  - Ask – If in doubt, get a second opinion from a colleague, security, or your manager. Sometimes, just sharing your issue can help you think more clearly.
  - React – Notify security or your manager if something is suspicious or unusual, or if you have been tricked.
- Red Sky Alliance: https://redskyalliance.com/maritime
Source: Gard, https://www.gard.no/articles/cyberattacks-on-the-rise-key-recommendations/
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.hellenicshippingnews.com/cyberattacks-on-the-rise-key-recommendations/
[2] https://www.hellenicshippingnews.com/category/shipping-news/marine-insurance-pi-club-news/