Cyber Privateers: Ransomware, APTs, & Botnets in the Maritime Industry Threat Landscape

By Brandon Rudisel

Key Takeaways

  • The maritime industry includes a wide variety of services with the main focus being on commercial and mercantile activities. According to the Maritime Industry Foundation, maritime transport accounts for approximately 90% of worldwide trade. Successful cyberattacks would therefore affect a variety of industries supported by the maritime field: the agricultural industry, the fuel and energy fields, manufactured goods, ores and metals, along with various other service industries and companies.

  • The maritime industry’s cyber threat landscape is one of the most complex and multilayered threat ecosystems; however, it can be broken up into four main domains:

  • Ransomware

  • Advanced Persistent Threat (APT) intrusions

  • Criminal Network Intrusions / Data Breaches

  • Botnet Threats & RDP Compromises

  • The most important threat posed by ransomware groups to the maritime industry is supply-chain attacks. Shipments are a key point in logistical supply chains; hence, an attack can block the whole chain. Such a crucial impact on multiple entities may motivate threat actors to target maritime shipping companies with ransomware attacks. The victim will likely receive pressure from its partners on the supply chain and is thus more likely to pay the ransom.

  • AdvIntel has observed multiple individual threat actors conducting cyber operations against the maritime industry. Most of these actors are network intruders. Similar to ransomware groups, these intruders may aim for third-party tracks or supply-chain attacks. Maritime shipping routes operate within a complex network; entering one point can enable lateral movement through hundreds of companies.

Introduction


The maritime industry includes a wide variety of services with the main focus being on commercial and mercantile activities. According to the Maritime Industry Foundation, maritime transport accounts for approximately 90% of worldwide trade. The United Nations’ International Maritime Organization’s 2019 statistics put the value of the world’s merchandise exports at $19.5 trillion USD. These statistics highlight the financial and political value the maritime industry has for countries and businesses around the globe.


One of the global leaders in the insurance brokerage and risk management field recently conducted a survey with leading maritime stakeholders regarding the top issues facing the industry. These stakeholders stated one of the top issues facing the maritime industry over the next 10 years would be cyberattacks and data theft. They believe cyberattacks and data theft will cause a moderate to major impact for this industry moving forward.


Successful cyberattacks and the theft of data from the maritime industry would affect a variety of industries supported by the maritime field. Some of the affected industries would be the agricultural industry, the fuel and energy fields, manufactured goods, ores and metals, along with various other service industries and companies.


Background for the Digital High Seas


According to the Merriam-Webster Dictionary, privateers are individuals or ships licensed by governments to conduct attacks against enemy shipping, while pirates are individuals or groups who take items illegally on the high seas. Modern-day threat actors who target the maritime industry follow the same pattern but utilize different tools. Instead of swords and guns, these threat actors utilize ransomware and botnets on the digital high seas. APT groups from China, Russia, and Iran would be the equivalent of modern-day privateers who conduct cyberattacks targeting countries and businesses with the goal of disrupting the economy, causing national security issues, and stealing intellectual property.


DarkWeb breach specialists are modern-day cyber pirates who are as dangerous as state-affiliated hackers or ransomware groups. These breach specialists are threat actors with the capability to infiltrate corporate and government networks, but who lack the ability to take advantage of their breaches themselves. AdvIntel has detected threat actors on the DarkWeb auctioning and selling maritime industry network access. These cybercriminals sell the stolen data and access to lesser-known criminals, syndicates, and nation-states. The varying levels of clients increase the unpredictability and enhance the level of danger for the industry.


Botnet infections are a constant threat in the cyber world. Cutting-edge APTs and ransomware teams actively cooperate with botnet operators to deliver payloads and conduct in-depth attacks. Botnet loaders drop malware into networks and begin small-scale intrusions. Threat actors can notice and exploit these intrusions if they are not remediated. An exploited botnet breach can turn ugly, as a botnet compromise on one company computer can soon infiltrate the entire network. In the maritime industry, this can have catastrophic consequences.


Investigative Analysis Introduction


AdvIntel constantly monitors and analyzes information gathered from the DarkWeb. AdvIntel analysts currently focus on four main pillars in the cybercriminal landscape: ransomware, botnets, individual hackers, and APT groups. As the maritime industry increasingly moves towards automation and advanced technologies, this will increase the potential intrusion points through which threat actors from any of these four pillars can gain access to its systems.

DarkWeb Activity from 2018-2020 (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)

Ransomware Analysis


AdvIntel analysts currently assess Ryuk and REvil as the most dangerous ransomware threat actors in operation today. In addition to these two groups, Maze affiliates who transferred to Egregor and other syndicates remain a major threat.


Maze Affiliates


Former Maze top-affiliates have proven experience with ransomware attacks against the maritime industry. They combine scalable automated distribution and infection advancement with targeted attacks against a specific entity requiring a long-term presence in the victim’s environment. In July 2020, Maze hit a major Norwegian offshore and onshore industrial machinery company.

Maze’s “Shame” Website used to blackmail victims (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)

Maze leaked the maritime group’s documents on the DarkWeb to force the victim to pay. The information quickly spread and was reported across the underground community.


Ryuk


Ryuk ransomware operators perform sophisticated reconnaissance operations and rely on underground crime liaisons that enable them to observe infected networks and identify critical systems belonging to the targeted victims. This enables the threat actors to make targeted financial demands according to their perception of the affected organization's ability to pay. Emotet is commonly observed distributing the TrickBot trojan, with a Ryuk attack then following. These partnerships enable Ryuk to perform large-scale offensive operations, which are especially crucial when it comes to the large networks of the maritime industry. For instance, a Ryuk ransomware breach originating from a phishing email in late December 2019 shut down a U.S. Coast Guard facility for 30 hours.


Ryuk was deployed within the facility via a phishing email. An employee executed the payload, which led to the ransomware blocking the network and encrypting crucial data. Most importantly, Ryuk was able to impact the ICSs (industrial control systems) that monitor cargo transfers.

Ryuk news article discussed on the DarkWeb (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)


REvil


REvil is a ransomware group that operates as part of a decentralized, network-intrusion-focused criminal syndicate. This threat actor group has shown a particular affinity for Citrix and remote desktop protocol (RDP) exploits. REvil is currently focusing on high-profile, high-reward attacks against critical industries, a category that includes the maritime industry.


AdvIntel has not identified direct attacks from REvil against the industry; however, such attacks may well happen in the future.


AdvIntel analysts assess with a high level of confidence that, like Ryuk, REvil is one of the most sophisticated ransomware groups. Considering that recent REvil attacks were aimed at gaining notoriety and fame, this group may well resort to a “loud” attack, such as one aimed at maritime shipments.


The most important threat posed by these groups to the maritime industry is supply-chain attacks. (Read more on ransomware and supply-chain attacks in our blog.) Shipments are a key point in logistical supply chains; hence, an attack can block the whole chain. Such a crucial impact on multiple entities may motivate threat actors to target maritime shipping companies with ransomware attacks. The victim will likely receive pressure from its partners on the supply chain and is thus more likely to pay the ransom.


Botnets


AdvIntel has detected multiple indicators of compromise, infections, and signs of botnet activity directed against the maritime industry this year. The selective interest of operators was identified through AdvIntel’s analysis of targeted infections at companies in the maritime industry. These companies differ by geographic location, including the United States, the Philippines, the Middle East, and Singapore. They also differ by specialization: maritime insurance, carriers and logistics, direct shipments, and maritime education centers and academies. Specifically, AdvIntel identified infections at one of the largest Chinese multinational ocean container shipping companies as well as at Egypt’s essential maritime support and product delivery provider.

Botnet operators, affiliates, or interested parties’ activity on the DarkWeb from 2019-Present (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)


AdvIntel has been specifically focused on botnets that are aimed at illicit financial profits, are designed to serve as loaders for other types of malware, and/or are connected to ransomware groups. These botnets pose the highest threat to the maritime industry, as they can lead to the massive supply-chain attacks discussed above.


Botnet infections are sometimes used by advanced threat actors. Threat actors such as North Korea’s Lazarus have the capacity to use, monitor, and exploit botnet compromises. Each of these botnet breaches represents the capacity to inflict major damage on global trade. Even organizations outside the maritime industry likely rely on the movement of goods that the maritime industry provides.

AdvIntel analysts assess with a high level of confidence that botnets will continue to be utilized in attacks. Botnets like TrickBot allow networks to be breached en masse, enabling threat actors to insert ransomware or other forms of malware.


Individual Threat Actors


AdvIntel has observed multiple individual threat actors conducting cyber operations against the maritime industry. Most of these actors are network intruders. Similar to ransomware groups, these intruders may aim for third-party tracks or supply-chain attacks. Maritime shipping routes operate within a complex network; entering one point can enable lateral movement through hundreds of companies.

Observed threat actors going by aliases include:


“Achilles”: English-speaking threat actor, likely connected to the Iranian security apparatus, responsible for a maritime network compromise in 2018. In October 2018, Achilles offered access to data from a defense shipbuilder on the l33t and KickAss forums. Additional evidence provided by Achilles suggests that the information was stolen from the Australian shipbuilder Austal. According to the Australian media, the Australian Cyber Security Centre (ACSC) attributed the breach to an Iranian-based hacker attack.


“TMT”: Russian-speaking threat actor specializing in network intrusions. -TMT- reportedly targets corporate networks in order to offer access to ransomware-spreading groups. The actor offers to upload crypto lockers and other payloads into the breached networks to monetize the access via ransom demands. -TMT- is reportedly cooperating with the “truniger” ransomware collective, offering to upload their crypto locker into the compromised environment. In August 2019, -TMT- offered access to an international maritime logistics services provider for 5,000 USD.


“Strain” (alias obfuscated): Russian-speaking threat actor offering their services on the DarkWeb. In Fall 2020 the actor offered access on an underground forum to an entity identified only as a large shipbuilding company. The identified details of this company were as follows:

  • $12.5 billion USD in revenue

  • Roughly 33,000 employees

“Ayn” (alias obfuscated): Russian-speaking threat actor offering corporate accesses on the DarkWeb. In September 2020, they ended an auction that had been active since August, in an attempt to sell access to a major insurance company specializing in protection and indemnity insurance (more commonly known as P&I insurance) based in the United Kingdom at a price of $3,000 USD.

Observed individual threat actor’s forum profile as they attempt to sell alleged access on the DarkWeb (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)


Individual, non-affiliated threat actors can pose a moderate-to-high level of threat to the maritime industry. The lack of affiliation with a ransomware group or state-sponsored group can limit the potential damage to the maritime industry organizations that are breached. This limitation results from the threat actors relying on their individual knowledge and skill, whereas if they were members of a cybercriminal group or APT the knowledge gap could be filled by others. While potentially limited knowledge may reduce the risk from individual threat actors, it can also make it harder for businesses and governments operating in the maritime field to protect against them, because there is not as much available data with which to counter potentially unique TTPs.


At the same time, these actors can build skill and credibility and end up working as affiliates for a ransomware group or an APT.


APTs


The increasing tension between the United States, China, Russia, and Iran in the maritime environment is likely to cause disruption for the maritime industry. As COVID-19 and other political issues continue to reshape global trade and relations, maritime trade will only become a more strategic target. APTs will play a crucial role in determining how the political and economic environments shift and change for the maritime industry in the coming years.


The geopolitical tension between these countries will likely result in a mixture of conventional military forces and APT-sponsored groups taking action. This tension is currently evident in the South China Sea. China has made territorial claims over this vast region, causing conflicts with multiple countries in the area. The territory holds a large amount of natural resources, and approximately one-third of all maritime trade, worth $5.3 trillion USD, transits through it. The United States has responded by increasing its navy’s freedom of navigation operations through the region. This increased activity has caused tension between China and the United States. AdvIntel assesses with a moderate level of confidence that state-sponsored or state-supported APT groups will conduct operations against businesses and organizations associated with the host nations, resulting in the maritime industry being negatively affected due to its strategic importance.


Conclusion


The maritime industry is a vast and interlocking field, where if one area is negatively affected, it is likely to negatively influence other areas. While cybercriminals largely left the maritime industry alone in the past, that has started to change over the last few years. The nature of the industry, which has produced a wide variety of ship systems, no universal code for ships and ports, and unhardened legacy equipment still in use, along with previously poor cooperation between the authorities and the industry, has left the maritime industry highly vulnerable to cyberattacks.


AdvIntel assesses with a moderate-to-high level of confidence that threat actors will increasingly target the maritime industry for financial and political gain. This increase is the result of heightened geopolitical tension and of the maritime industry falling behind other industries that have already started to implement cybersecurity defenses to protect themselves against ransomware and other cyber threats.


Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and DarkWeb economy and mitigate any existing or emerging threats.

Brandon Rudisell researches cyber threats with Advanced Intelligence LLC and is a U.S. Navy veteran who conducted missions across the spectrums of expeditionary warfare, joint warfare, and major combat operations. He has extensive experience as an Intelligence Analyst covering a variety of threats and different areas of operation. Brandon recently graduated with his M.S. in Criminal Justice Advanced Counterterrorism and became interested in cybersecurity while in school.


© 2020 Advanced Intelligence, LLC.
New York City, NY. All rights reserved.