Ransomware in the Maritime Industry

By Erik Thomas

May 24, 2021

Editor's note: This article was modified on 30 May, 2021 to fix the cited references.

In the modern era of interconnectedness and globalization, the global economy and trade have become more important than ever. Most goods traded or sold on the global markets are moved through ports around the world via ships. In 2020, the maritime and shipping industry saw a sharp increase in malware attacks against companies and regulators, with two of the world's four biggest shipping companies being the victims of malware attacks within one month of each other. This industry is particularly vulnerable to malware-type cyberattacks because it relies on “just-in-time” logistics to manage its geographically widespread distribution locations. One of the 2020 victims, the French shipping giant CMA CGM, was left unable to perform basic business processes following a September malware attack that required it to resort to 19th-century methods to track cargo and respond to customers' inquiries [9]. The attackers were intent on stealing proprietary data from CMA CGM and its customers, demanding ransom for its return under threat of selling the data on the dark web if the company did not pay. The cybersecurity community has seen a rise in ransomware attacks targeting maritime and other just-in-time industries that are heavily data dependent due to wide geographical distribution, and the 2020 attack on CMA CGM shows why these attacks are becoming more popular and potent.

Malware Attack on CMA CGM

French shipping and logistics company CMA CGM, currently the fourth largest shipping company in the world with over 500 transportation vessels, became the victim of a malware attack on September 28, 2020 [9]. The international shipping company first disclosed the incident in a tweet sent from the company account saying external access to their network was unavailable and their IT team was working to resolve the incident. That tweet was later followed by another tweet, approximately five hours later, stating that the company was dealing with the impacts of a cyberattack against peripheral servers, and external access to networks had been intentionally restricted to prevent the spread of the malware [9]. The attack originated in CMA CGM’s Asia-Pacific subsidiaries, namely Cheng Lie Navigation Co. and a regional Australian National Line shipping office, with some offices in China also affected [9]. 

CMA CGM has released very little information about the details of the attack; however, workers close to the situation told the Wall Street Journal that the company was coping with encrypting malware and had been contacted by parties claiming credit for the attack [9]. The hacker reportedly directed CMA CGM via email to make contact within two days in order to “get a very special price” for the decryption key [10]. According to the message sent to CMA CGM by the hacker, the ransomware program used in the attack was Ragnar Locker, which was used in a similar attack against a Portuguese energy company [10]. Ragnar Locker targets vulnerabilities within Windows Remote Desktop Protocol (RDP) to get access to and move within networks [10]. CMA CGM IT operators struggled to recover the network from the attack for two weeks before their networks were returned to full operational status, and even then the company reported that data was stolen as part of the attack [5].

This attack against CMA CGM was the fourth malware attack against a shipping industry giant in the past three years, with all four of the world's largest shipping companies falling victim to a ransomware attack. APM-Maersk fell victim to the NotPetya malware in 2017, COSCO was shut down for a week in 2018 due to a cyberattack, and Mediterranean Shipping Company had its data center go offline for days due to a malware attack in April of 2020 [2]. Additionally, Australian shipping company Toll Group fell victim to ransomware attacks in February and May of 2020, with data stolen in the May attack posted on the dark web [7]. Even regulatory bodies in shipping are being attacked: the International Maritime Organization (IMO), a body of the UN, fell victim to a “serious” malware attack just two days after the attack on CMA CGM, in September of 2020 [9]. These attacks, while not known to be related to each other, show an increasing trend in the use of ransomware as a form of cyberattack, particularly against big-ticket targets and the maritime industry.

Increased Use of Ransomware on Maritime Shipping Targets

The cybersecurity community has seen an increase in the use of ransomware as a form of malware attack favored by cybercriminals. In addition, cybersecurity professionals are starting to see more and more signs of ransomware-as-a-service organizations offering their services on the dark web [3]. The demand for ransomware has skyrocketed, and the ransoms associated with it have followed that trend. Data theft and extortion for monetization have become a huge money maker in the cybercriminal community, explaining, in part, why the cybersecurity community has seen the rise in ransomware cases [3]. The 2019 Cost of Cybercrime report states that malware attacks against organizations are the most expensive type of attack, and that the total cost of recovery from an average attack increased by 11% in 2019 over 2018, while the average cost of recovery from ransomware attacks increased by 21% during the same time frame [1]. Those costs only continued to increase in 2020, with every sector falling victim to malware and ransomware attacks throughout the year. The attack on CMA CGM is just one in an ever-increasing trend of data-theft-for-money schemes.

In 2020, due to the COVID-19 pandemic, there was a spike in the number of malware attacks, particularly ransomware attacks, against companies. This increase was sparked by a surge of people searching for information on the virus and by attackers taking advantage of the situation to create fake URLs and send malicious emails. Interpol reports that during a four-month period in 2020, “some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs,” all related to COVID-19 and the coronavirus, were discovered by an Interpol investigation [4]. Additionally, as companies moved to remote working with hastily put together networks, there has been a spike in the number of ransomware cases, with Interpol estimating a 36% increase in the number of ransomware cases starting in April of 2020 [4]. As companies and governments have moved to a more virtual format, they have become easier victims and targets for cybercriminals, and the maritime shipping industry is no outlier.

The attacks on the shipping industry in 2020, and on CMA CGM in particular, were made possible, in part, by the move to remote teleworking and the not-so-well-protected networks put together for that purpose, similar to the recent cyberattacks on hospital and healthcare networks that were hastily expanded due to the pandemic. In the case of CMA CGM, the attack started in the networks of its smaller Asia-Pacific subsidiaries but was cut off before it could spread into the larger network [9]. Smaller companies associated with big conglomerates, like CMA CGM, are often weak links in the cybersecurity chain of the company because they often do not focus limited resources on cybersecurity and may mistakenly judge that their smaller size makes them a less attractive target. Cybercriminals use that weak link to get a foothold in the company’s networks before spreading to infect more computers. It only takes one computer to become infected before a whole network can be taken down, as was illustrated during the NotPetya outbreak and its effects on APM-Maersk. Fortunately for CMA CGM, it was able to stop the spread as soon as the virus was detected. However, using one foothold to try to take over the whole network is akin to how NotPetya operated. The attacker in the CMA CGM hack was able to use that weak link, a network set up in a smaller subsidiary for teleworking due to COVID-19, to take down the network of the larger company. This follows the trends found throughout the cybersecurity community.

Maritime Shipping as an Attractive Target

Cybercriminals and ransomware-as-a-service type attackers are hunting for the biggest payout possible [3]. The industries being targeted by ransomware attackers are trending toward those with bigger and more powerful companies that cannot afford to lose their data or need that data to operate, even on a basic level. Targeting companies that are ultra-dependent on their data in real time, and through which attackers can gain access to the data of thousands of corporate customers, is a strategy to extort larger payments more quickly. Ocean shipping companies operate on exceedingly small margins in fierce competition for customers who can easily re-route cargo through other carriers. Any breach of faith with those customers can be devastating, and the ransom demanded by cybercriminals pales in comparison. Similarly, targeting hospitals with a malware attack, a trend seen in 2020, can potentially yield bigger payouts faster than targeting a grocery store. The hospital needs its data, whether it be patient files or the networks needed to run equipment, in order to function. While it may be inconvenient for a grocery store to lose its network and data, it can still function at a basic level without them. Hospitals, however, cannot, and without their data lives are at stake, rendering them more willing to pay for a decryption key. While there are no lives at stake in the maritime shipping industry, these companies cannot function without their data, making them an attractive target for malware hackers.

The maritime shipping industry is a just-in-time industry that supplies thousands of just-in-time industries. Shipping clients demand supply chain transparency so they can plan their own production and distribution processes. Without its data and networks, the shipping industry is brought to its knees, and the cascading impacts can literally go viral very quickly. As was observed in the consequences of NotPetya, without their data the shipping companies cannot keep track of their orders, book new shipments, communicate with their ports or drivers, or even know what is in their containers. Ken Munro, an employee at the UK-based cybersecurity company Pen Test Partners, which specializes in conducting penetration tests for the maritime industry, told ZDNet "after Maersk was hit by NotPetya, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries" [2]. This would explain why all four of the world's biggest maritime shipping companies have been the victim of a malware attack since NotPetya, and the attack on CMA CGM is a prime example of that. As a consequence of the 2020 attack, CMA CGM was forced to shut down its operations for a day, causing massive delays and costing the company and its customers millions of dollars [9]. The immediate need for data to function within the just-in-time supply chain environment in which the maritime shipping industry operates makes these companies a very appealing, get-rich-quick target for hackers.

Conclusion

While the maritime shipping industry is not necessarily more susceptible to cyberattacks, such as malware and ransomware, it is more directly and brutally impacted by these attacks. The cybersecurity community has seen a rise in the use of ransomware and data theft for money, with attackers hunting bigger game, and a bigger payout, all the time. The maritime shipping industry, including companies like CMA CGM, is a prime target given the supply chain environment it operates within. The attack on CMA CGM follows the growing trend in the use of ransomware, particularly the trend present in the COVID-19 cyberspace, and calls attention to the gaps in cybersecurity the shipping industry needs to address. While the networks present on the ships are tightly controlled, the land-based operations are not. The land networks’ security must be addressed in order to reverse this trend of using ransomware against maritime shipping.

References

  1. Bissell, Kelly, and Larry Ponemon. “Global Cost of CyberCrime.” Accenture Security, 2019, www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf#zoom=50. 
  2. Cimpanu, Catalin. “All Four of the World's Largest Shipping Companies Have Now Been Hit by Cyber-Attacks.” ZDNet, ZDNet, 28 Sept. 2020, www.zdnet.com/article/all-four-of-the-worlds-largest-shipping-companies-have-now-been-hit-by-cyber-attacks/. 
  3. CrowdStrike 2020 Global Threats Report. CrowdStrike, 2020, go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf.
  4. “INTERPOL Report Shows Alarming Rate of Cyberattacks during COVID-19.” INTERPOL, 2020, www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19. 
  5. Knowler, Greg. “CMA CGM Says Online Services Restored after Cyber Attack.” COVID-19: CMA CGM Says Online Services Restored after Cyber Attack, 12 Oct. 2020, www.joc.com/maritime-news/cma-cgm-says-online-services-restored-after-cyber-attack_20201012.html. 
  6. McMillan, Robert, and Jenny Strasburg. “Mounting Ransomware Attacks Morph Into a Deadly Concern.” The Wall Street Journal, Dow Jones & Company, 30 Sept. 2020, www.wsj.com/articles/mounting-ransomware-attacks-morph-into-a-deadly-concern-11601483945. 
  7. Osborne, Charlie. “Logistics Giant Toll Group Hit by Ransomware for the Second Time in Three Months.” ZDNet, ZDNet, 6 May 2020, www.zdnet.com/article/transport-logistics-firm-toll-group-hit-by-ransomware-for-the-second-time-in-three-months/. 
  8. Paris, Costas. “Container Shipping Line CMA CGM Says Data Possibly Stolen in Cyberattack.” The Wall Street Journal, Dow Jones & Company, 30 Sept. 2020, www.wsj.com/articles/container-shipping-line-cma-cgm-says-data-possibly-stolen-in-cyberattack-11601477503. 
  9. Paris, Costas. “Global Maritime Regulator Hit by Cyberattack.” The Wall Street Journal, Dow Jones & Company, 1 Oct. 2020, www.wsj.com/articles/global-maritime-regulator-hit-by-cyberattack-11601560294. 
  10. Shen, Cichen, and James Baker. “CMA CGM Confirms Ransomware Attack.” Lloyd's List, 28 Sept. 2020, lloydslist.maritimeintelligence.informa.com/LL1134044/CMA-CGM-confirms-ransomware-attack. 
  11. Stupp, Catherine. “European Maritime Companies Vulnerable to Cybersecurity Threats.” The Wall Street Journal, Dow Jones & Company, 27 Nov. 2019, www.wsj.com/articles/european-maritime-companies-vulnerable-to-cybersecurity-threats-11574850600. 

About the Author

Erik Thomas is currently completing his Master's in Global Security with a concentration in Cyber at Arizona State University. A graduate of Lehigh University’s Department of Journalism, he first worked as a Staff Photographer at the New York Post. Erik now lives in Washington DC.