Jump to content

US Maritime Facility Crippled by Ransomware Attack

Source:

Infosecurity Magazine

Marine Safety Information Bulletin

BBC

 

Summary:

In mid-December a US maritime facility was successfully attacked by a ransomware called "Ryuk." The facility was crippled "for over 30 hours" while efforts to regain control of the port's systems and network took place.

Quote

US maritime facilities have been on high alert over the Christmas break after the Coast Guard revealed details of a ransomware-related outage in late December.

The bulletin described a recent attack causing widespread operational disruption at a “Maritime Transportation Security Act (MTSA) regulated facility."

Forensic analysis is currently ongoing but the virus, identified as ‘Ryuk’ ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files. The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems. The port facility’s operations were apparently disrupted for over 30 hours as a result of the attack. The Coast Guard urged maritime authorities to implement risk management programs according to best practices outlined in the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-82.

The following is the Coast Guard's suggestions for improving security:

Quote

At a minimum, the following measures may have prevented or limited the breach and decreased the time for recovery:

 Intrusion Detection and Intrusion Prevention Systems to monitor real-time network traffic

 Industry standard and up to date virus detection software

 Centralized and monitored host and server logging

 Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment

 Up-to-date IT/OT network diagrams

 Consistent backups of all critical files and software

The Coast Guard recommends facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program. The Coast Guard urges maritime stakeholders to verify the validity of the email sender prior to responding to or opening any unsolicited email messages. Additionally, facility owners and operators should continue to evaluate their cybersecurity defense measures to reduce the effect of a cyber-attack.

Here is an advisory and description of the Ryuk ransomware by the UK's National Cyber Security Center

 

My Thoughts:

I find it interesting how in 2019, and probably still in 2020, U.S. critical infrastructure (assuming this was either a government or commercial facility) is still easily susceptible to cyber attacks. Despite the adoption of the NIST Cybersecurity Framework by the U.S. government and the general popularization of cybersecurity awareness over the last few years, we still have boomers in significant positions opening emails and unleashing sophisticated ransomwares and more on critical networks.

Link to comment
Share on other sites

Link to post
Share on other sites

14 minutes ago, MatthewTheCollegeStudent said:

The following is the Coast Guard's suggestions for improving security:

fire the employee who runs a .exe from a random email....

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, MatthewTheCollegeStudent said:

I find it interesting how in 2019, and probably still in 2020, U.S. critical infrastructure (assuming this was either a government or commercial facility) is still easily susceptible to cyber attacks.

I would like to say that it's not easily susceptible as much as it is a law of averages, these systems are very complex, used by thousands of people many of whom are not trained IT professionals.   It basically comes down to make a better mouse trap and they'll make a better mouse.  Every time some smart cookie from MIT creates a hardened firewall with exceptionally hard defenses, some other digital terrorist will develop  a new way to get in. 

 

It is my expectation that we will still be seeing this sort of thing in much more advanced networks for decades to come.  In fact it wouldn't surprise me if the reason this sort of thing finally stops tends up being because  the entire world had such an increase in quality of life and access to wealth/technology that no one feels the need to control others or fight for more. 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, MatthewTheCollegeStudent said:

we still have boomers in significant positions opening emails and unleashing sophisticated ransomwares and more on critical networks.

Age has nothing to do with it. Despite what you may think people growing up today using technology are not any smarter or getting any smarter when using it. Having been working in education IT support my entire career young people today are woefully under educated in basic computer usage and good practice. The ability to use Instagram is a non transferable skill to any mitigating circumstances to do with this story or blindly opening emails and attachments, something younger people do more readily than older.

 

Idiocy and lack of education transcends ages.

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, MatthewTheCollegeStudent said:

We still have boomers Tech illiterate people in significant positions opening emails and unleashing sophisticated ransomwares and more on critical networks.

FTFY.

 

I think young people are more irresponsible when it comes to technology, they are so used to it that they become complacent. Think back to the last time you installed any piece of software, did you just click on every single "ok" button that appeared immediately, or did you actually look at what it was saying, and i dont mean the ToS.

 

i see this at work all the time, people (mostly young people) think they know what they are doing so they rush through it clicking on every affirming button.

🌲🌲🌲

 

 

 

◒ ◒ 

Link to comment
Share on other sites

Link to post
Share on other sites

Just now, Arika S said:

i see this at work all the time, people (mostly young people) think they know what they are doing so they rush through it clicking on every affirming button.

8 IE toolbars later.....

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, Rune said:

People are always the weak link. Don't click shit you shoudln't, people.

Well. We have improved slightly at least.

 

We have stopped putting USB thumb drives we find on our car in the parking lot into our goverment PCs......i hope

Link to comment
Share on other sites

Link to post
Share on other sites

How are people in the military falling for this?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition

Link to comment
Share on other sites

Link to post
Share on other sites

8 hours ago, emosun said:

fire the employee who runs a .exe from a random email....

At my company we get occasional test phishing emails from our internal info security.

You are supposed to clock on a Phishing icon in the email system to report such a suspicious email.

If you do open it you get a warning and are logged.

If you do it again you have to retake the phishing training class, and I think your manager gets notified.

 

I think firing for a first offense  is a bit much.

Link to comment
Share on other sites

Link to post
Share on other sites

5 hours ago, GoldenLag said:

Well. We have improved slightly at least.

 

We have stopped putting USB thumb drives we find on our car in the parking lot into our goverment PCs......i hope

But if I find a thumb drive I don't want to risk infecting my own PC, so where else am I going to see whats on it?

?

Link to comment
Share on other sites

Link to post
Share on other sites

4 hours ago, Intrafinesse said:

I think firing for a first offense  is a bit much.

yeah well what if susan crippled a maritime facility for 30 hours

because I've seen people get fired for way simpler things than stopping a facility for 30 hours while destroying the computer system.

Link to comment
Share on other sites

Link to post
Share on other sites

One of the best recommendations from a technical standpoint is application whitelisting to prevent ransomware. dont allow users to run programs that you havnt explicitly allowed.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×