Resilience360 quantifies imacts of ocean carrier cyberattacks

Recent cyber-attacks on ocean carriers have proven quite disruptive. Denmark’s Maersk Line incurred estimated damages of USD 300 million (EUR 253.81 million) due to the global ransomware attack it suffered in 2017. The latest attack on CMA CGM means that all the Big 4 shipping lines, including MSC and COSCO, have suffered recent disruptive cyber events. On October 1, the International Maritime Organization (IMO) also announced a cyber-attack against its IT systems, leading to disruptions in its public website and internal systems.

“Companies shipping by sea should remain vigilant of cyber intrusions that target shipping lines,” said Daniel Boccio, Supply Chain Risk Analyst, Resilience360. “Supply chain managers and IT professionals should collaborate on identifying the potential vulnerabilities and threats to their supply chains and should implement measures to increase resiliency and minimize the impact of such threats.”

On September 28, French container transportation and shipping company CMA CGM announced that it fell victim to a cyber-attack on its peripheral servers. The company has over 480 vessels, operating 200 shipping routes between 420 ports in 150 different countries. The attack led to limited IT availability across the group, sans CEVA Logistics, due to the company halting external access to applications to prevent the spread of the malware. The company later announced that it also suspects a data breach and the nature and the volume of the affected information.

Based on an assessment of the attack on the company’s China offices, preliminary assessments conclude that the attack is the work of the Ragnar Locker ransomware. In operation since December 2019, this ransomware acts in a typical manner of the Cyber Kill Chain, performing reconnaissance and exfiltrating sensitive information to be returned in exchange for ransom payment. The ransomware can be identified with an MD5 hash of 6171000983CF3896D167E0D8AA9B94BA, which serves as the primary indicator of compromise (IoC) for the threat. It is delivered as an unsigned MSI package and is known to attack Windows systems via VirtualBox.

The ransomware’s peripheral device discovery feature allows it to spread rapidly to removable and mapped network drives, explaining CMA CGM’s decision to temporarily disable external features. Notably, the ransomware has a unicode string comparison function that, when activated, prevents the ransomware from executing on computers using languages from the former Soviet Union, such as Belorussian, Azerbaijani, Ukrainian, Moldovan, Georgia, Armenian, Turkmen, Russian, Kyrgyz, Kazakh, Uzbek, and Tajik. Ragnar Locker was last seen attacking the EDP energy company in April 2020.

Given the ransomware’s peripheral device discovery feature, the company suspended its booking system to protect its customers. The suspension disrupted operations as employees lost access to internal e-mails and applications necessary to perform daily operations, with limited options for customer communications by phone. The company suspended access to electronic bookings through its websites and announced that all cargo booked before September 27 was secure; however, later bookings were yet to be processed. The company also requested customers to either call local offices or make bookings through an external booking system.

Company services at Chinese offices in Shanghai, Guangzhou, and Shenzhen were reportedly disrupted, with container terminal managers stating that cargo loading operations were likely to be affected, but ultimately were not. Fortunately, sources at Hong Kong Port stated that CMA CGM maintained normal operations at both the container terminal and on its vessels. On September 30, the company announced that operations were gradually returning to normal, with improvements to bookings and documentation processing times as back-offices reconnect to the network. Moreover, the company assured customers that maritime and port activities are fully operational, with alternative and temporary processes available for bookings.

Ragnar Locker not only targets entities of considerable logistics and industrial importance, such as EDP and CMA CGM, but also exploits VirtualBox. This is indicative of a greater threat posed to companies employing virtualization, and to an extent, remote services. Such a threat is even more notable with the considerable quantity of remote workers this year due to the COVID-19 pandemic.

While technological recovery is quick, residual business disruptions are likely, especially regarding time-sensitive shipments.