A ransomware attack at a Maritime Transportation Security Act-regulated facility shut down operations for 30 hours, the U.S. Coast Guard (USCG) said in a Marine Safety Information Bulletin issued last month.
The bulletin said Ryuk ransomware, which was the subject of a June advisory from the United Kingdom’s National Cyber Security Centre, may have entered the system through an email phishing campaign. The NCSC said in its original alert that Ryuk was first seen in August 2018 and was “responsible for multiple attacks globally” as a “persistent infection.”
“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack,” the NCSC said. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”
The Coast Guard said that an employee at the unidentified facility clicked on the malicious email link, allowing “a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files.”
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems,” the bulletin continued. “These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted.”
Measures including up-to-date antivirus software, real-time intrusion detection, monitored host and server logging, network segmentation to prevent IT systems from accessing operational technology, file and software backups, and up-to-date IT/OT network diagrams “at a minimum” may have “prevented or limited the breach and decreased the time for recovery,” USCG said.
The bulletin recommended that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82 to craft a risk management program, and warned that people in the maritime sector must take caution when opening emails from unfamiliar senders.
“Additionally, facility owners and operators should continue to evaluate their cybersecurity defense measures to reduce the effect of a cyber-attack,” said USCG. “…The Coast Guard encourages companies and their facilities to remain vigilant in the identification and prompt reporting of suspicious cyber-related activities.”