USCG: Ransomware Attack Crippled Network, Access Control at Maritime Facility

A ransomware attack at a Maritime Transportation Security Act-regulated facility shut down operations for 30 hours, the Coast Guard said in a Marine Safety Information Bulletin issued last month.

The bulletin said Ryuk ransomware, which was the subject of a June advisory from the United Kingdom’s National Cyber Security Centre, may have entered the system through an email phishing campaign. The NCSC said in its original alert that Ryuk was first seen in August 2018 and was “responsible for multiple attacks globally” as a “persistent infection.”

“The Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack,” the NCSC said. “But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”

The Coast Guard said that an employee at the unidentified facility clicked on the malicious email link, allowing “a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files.”

“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems,” the bulletin continued. “These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted.”

Measures including up-to-date antivirus software, real-time intrusion detection, monitored host and server logging, network segmentation to prevent IT systems from accessing operational technology, file and software backups, and up-to-date IT/OT network diagrams “at a minimum” may have “prevented or limited the breach and decreased the time for recovery,” USCG said.

The bulletin recommended that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication 800-82 to craft a risk management program, and warned that people in the maritime sector must take caution opening emails from unfamiliar senders.

“Additionally, facility owners and operators should continue to evaluate their cybersecurity defense measures to reduce the effect of a cyber-attack,” said USCG. “…The Coast Guard encourages companies and their facilities to remain vigilant in the identification and prompt reporting of suspicious cyber-related activities.”

CISA Confronts 2020’s Top Critical Infrastructure Threats

(Visited 422 times, 1 visits today)

Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a senior fellow specializing in terrorism analysis at the Haym Salomon Center. She is a Senior Risk Analyst for Gate 15, a private investigator and a security consultant. She is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera, BBC and SiriusXM.

Leave a Reply

Latest from Cybersecurity

Go to Top
X
X