With approximately 90% of all finished and bulk products traveling through maritime ports, it is a bit unnerving that a major US port network was breached. The US Coast Guard recently reported that a suspected foreign government-backed hackers breached a computer network at the Port of Houston, one of the largest ports on the US Gulf Coast. Early detection of the incident last month resulted in the cyber criminals stopping any disruption of shipping operations.
The incident at the Port of Houston is a stark example of the interest that foreign operators have in surveilling key US maritime ports. This incident comes as US authorities are trying to fortify critical infrastructure from such intrusions.
"If the compromise had not been detected, the attacker would have had unrestricted remote access to the [IT] network" by using stolen log-in credentials, reads the US Coast Guard Cyber Command's analysis of the report. "With this unrestricted access, the attacker would have had numerous options to deliver further effects that could impact port operations."
It is not clear who was behind the breach, which appears to be part of a broader espionage campaign. When asked about the incident at a US Senate hearing last week, US Cybersecurity and Infrastructure Security Agency Director said she believed a foreign government-backed hacking group was responsible. Attribution of cyberattacks "can always be complicated," she told the Senate Homeland Security and Governmental Affairs Committee. "At this point in time, I would have to get back with my colleagues, but I do think it is a nation-state actor. The campaign thus far is limited, but we're continued to work through it and I'm happy to keep you apprised," she told lawmakers.[1]
The Coast Guard's analysis did not mention a foreign government or the Port of Houston, but the Director identified the port as the targeted entity.
The cyber intrusion was part of a broader set of hacks targeting defense contractors, transportation firms and other organizations that US agencies warned the public about last week. "We assess that the actors are state-sponsored and that their goal is likely to conduct espionage on behalf of a foreign government," a senior principal analyst at Mandiant Threat Intelligence past to media. "While the nature of the targets certainly aligns with historic Chinese [advanced persistent threat] activity, we have not attributed any of these attacks to Chinese espionage operators."
In the case of the Port of Houston, the unidentified hackers broke into a web server somewhere at the complex using a previously unidentified vulnerability in password management software at 2:38 p.m. UTC on 19 August, according to the Coast Guard report. The intruders then planted malicious code on the server, which allowed further access to the IT system.
Beginning about 90 minutes after the initial breach, the hackers stole all of the log-in credentials for a type of Microsoft software that organizations use to manage passwords and access to their networks, according to the report. Minutes later, cybersecurity staff at the port isolated the hacked server, "cutting off unauthorized access to the network," the advisory said.
A handful of security incidents in recent years have prompted US officials to focus more on maritime cybersecurity. The Coast Guard in 2019 issued a public alert after malicious software "degraded the functionality of the onboard computer system" of a ship bound for the Port of New York and New Jersey that February. While the ship's essential control systems weren't impacted, the Coast Guard found that the vessel lacked "effective cybersecurity measures."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.wral.com/hackers-breached-computer-network-at-key-us-port-but-did-not-disrupt-operations/19891638/
Comments