Blog: Maritime Cyber Security

Maersk wasn’t hacked

Ken Munro 03 Apr 2018

What? Of course they were hacked. Right? That $300M loss that Maersk attributed to the incident, covered excitedly by every media outlet? However, it wasn’t a hack.

Maersk was collateral damage.

Just like the Wannacry ransomware incident against the NHS. It wasn’t a hack, it wasn’t an attack, it was collateral damage.

The Maersk hack wasn’t even ransomware – it was a crypter. That’s malware that just trashes data by encrypting it, unlike ransomware that should decrypt if one pays the ransom.

So if losses on this scale can be incurred by accident, what scale of loss could we see in the event of a genuine, targeted attack against a shipping line?

The Maersk incident

Plenty has been said in the press about the incident already, but here’s a summary:

It is believed that Russian state actors targeted a popular Ukrainian accounting package called ‘M.E.Doc’. The software update process had been compromised, providing a back door on to numerous users of the software package.

Motivations are unclear, but the dispute in the Crimean peninsula is one likely candidate.

The malware used, among several, an exploit known as ETERNALBLUE, which was patched by Microsoft on 14th March 2017.

Hence, networks where the patches had been applied should have been secure. However, it also used password stealing techniques, allowing it to move between computers on the network where passwords were re-used.

Disguised as ransomware, it’s actually not. It just encrypts the data with no way to recover it.

So, ‘notpetya’ as it became known made for an amazing weapon for one state to cripple accounting systems and IT networks of another.

Except it did more

Owing to the password-stealing features, it propagated far beyond Ukrainian systems.

Multinationals with operations in the Ukraine used the software. Their networks were connected globally, so notpetya propagated far further than it was likely intended.

A very similar effect was seen with the Stuxnet attack in 2010 – the malware was intended to attack Iranian nuclear centrifuges, but owing to unanticipated propagation, it hit elevator systems, production lines and industrial controllers around the world.

Again, the same happened with WannaCry: this was true ransomware, but propagated in to NHS networks, possibly through doctors surgeries. These shouldn’t have been connected to the public internet…

It will happen to you

Years ago, organisations would tell me that ‘no-one would be interested in hacking us, we’re not a bank’.

Fortunately, that view has largely changed in many businesses.

That’s good news, as it’s not about whether a hacker is interested any more. Malware gets out of hand and trashes businesses, irrespective of what they do.

It will happen to you.

Maritime cyber security advice for shipping lines

Keeping systems patched up to date is critical, though this may not have completely prevented notpetya

Password re-use between systems on a network is a no-no: malware can steal passwords from computers and ‘spray’ them at others on the network. Local system passwords and user account (domain) passwords must be strong and unique

Crew and wider staff education is a must, as the initial way in to the network is often a phish by email

A great start would be to review ISO27001 and start following its guidance