Cyberattack lands ship in hot water

Less than two months after warning of cybersecurity problems on ships, the US Coast Guard has revealed that a large international vessel has suffered a cyberattack.

On Monday 8 July 2019 the Coast Guard issued a Marine Safety Alert reporting a successful malware attack on a vessel back in February.

The alert describes the affected craft as a ‘deep draft’ vessel. The draft is the distance between the surface and the water and its lowest point, so it was a big ship, and it was on an international voyage. It experienced a “significant cyberincident” on its way to the Port of New York and New Jersey.

The crew avoided losing complete control of the ship, but it should be a wake-up call. The report explained the findings of the cybersecurity team that investigated the incident:

The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.

The Coast Guard hasn’t revealed the exact nature of the attack, but the crew knew about the security risk to the ship’s network before the attack happened, the report said. “Most” crew members didn’t use the network for personal business like checking email or making online purchases, it said (it only takes one, though).

The crew did use the network for official business like updating electronic charts and managing cargo data, and members would routinely plug USB drives into the ship’s systems without scanning them for malware, the report added.

The announcement follows a Marine Safety Information Bulletin in May 2019, which warned of cyberadversaries targeting commercial vessels. They were spoofing official email addresses from the Port State Control (PSC) authorities to try and snoop on arrival schedules. They were also trying to inject malicious software into onboard computer systems.

Researchers have found problems with vessel cybersecurity in the past. Penetration testing firm Pen Test Partners used default passwords on satellite communication systems to tamper with their Electronic Chart Display (Ecdis) systems, which provides electronic navigation charts. He could use that to seemingly change ship positions and sizes, he warned, triggering navigation system alerts.

The International Maritime Organization only issued guidelines on cyber risk management in 2016.

Some crooks target maritime companies without going after the ships themselves. Gold Galleon, a hacking crew believed to be operating from Nigeria, was spotted carrying out business email compromise (BEC) attacks on shipping companies last year.