
Cyber Privateers: Ransomware, APTs, & Botnets in the Maritime Industry Threat Landscape

Updated: Oct 8

By Brandon Rudisel

Key Takeaways

  • The maritime industry includes a wide variety of services with the main focus being on commercial and mercantile activities. According to the Maritime Industry Foundation, maritime transport accounts for approximately 90% of worldwide trade. Successful cyberattacks would therefore affect a variety of industries supported by the maritime field - the agricultural industry, the fuel and energy fields, manufactured goods, ores and metals, along with various other service industries and companies.

  • The maritime industry’s cyber threat landscape is one of the most complex and multilayered threat ecosystems; however, it can be broken up into four main domains:

  • Ransomware

  • Advanced Persistent Threat (APT) intrusions

  • Criminal Network Intrusions / Data Breaches

  • Botnet Threats & RDP Compromises

  • The most important threat posed by ransomware groups to the maritime industry is the supply-chain attack. Shipments are a key point in logistical supply chains - hence, an attack on one carrier can block the whole chain. Such a crucial impact on multiple entities may motivate threat actors to target maritime shipping companies with ransomware. The victim will likely receive pressure from its partners in the supply chain and is thus more likely to pay the ransom.

  • AdvIntel has observed multiple individual threat actors conducting cyber operations against the maritime industry. Most of these actors are network intruders. Similar to ransomware groups, these intruders may aim for third-party access paths or supply-chain attacks. Maritime shipping routes operate within a complex network - entering at one point can enable lateral movement through hundreds of companies.

Introduction


The maritime industry includes a wide variety of services with the main focus being on commercial and mercantile activities. According to the Maritime Industry Foundation, maritime transport accounts for approximately 90% of worldwide trade. The United Nations’ International Maritime Organization’s 2019 statistics put the value of the world’s merchandise exports at $19.5 trillion USD. These statistics highlight the financial and political value the maritime industry has for countries and businesses around the globe.


One of the global leaders in the insurance brokerage and risk management field recently conducted a survey of leading maritime stakeholders regarding the top issues facing the industry. These stakeholders named cyberattacks and data theft as one of the top issues facing the maritime industry over the next 10 years, and believe they will have a moderate to major impact on the industry moving forward.


Successful cyberattacks and the theft of data from the maritime industry would affect a variety of industries supported by the maritime field. Some of the affected industries would be the agricultural industry, the fuel and energy fields, manufactured goods, ores and metals, along with various other service industries and companies.


Background for the Digital High Seas


According to the Merriam-Webster Dictionary, privateers are individuals or ships licensed by governments to conduct attacks against enemy shipping, while pirates are individuals or groups who take items illegally on the high seas. Modern-day threat actors who target the maritime industry follow the same pattern but utilize different tools. Instead of swords and guns, these threat actors utilize ransomware and botnets on the digital high seas. APT groups from China, Russia, and Iran are the equivalent of modern-day privateers: they conduct cyberattacks targeting countries and businesses with the goal of disrupting the economy, causing national security issues, and stealing intellectual property.


DarkWeb breach specialists are modern-day cyber pirates who are as dangerous as state-affiliated hackers or ransomware groups. These breach specialists are threat actors with the capability to infiltrate corporate and government networks, but who lack the ability to take full advantage of their breaches themselves. AdvIntel has detected threat actors on the DarkWeb auctioning and selling maritime industry network access. These cybercriminals sell the stolen access and data to lesser-known criminals, syndicates, and nation-states. The varying levels of clients increase the unpredictability and enhance the level of danger for the industry.


Botnet infections are a constant threat in the cyber world. Cutting-edge APTs and ransomware teams actively cooperate with botnet operators to deliver payloads and conduct in-depth attacks. Botnet loaders drop malware into networks and begin small-scale intrusions. Other threat actors can notice and exploit these intrusions if they are not remediated. An exploited botnet breach can turn ugly, as a botnet compromise on one company computer can soon spread to the entire network. In the maritime industry, this can have catastrophic consequences.


Investigative Analysis Introduction


AdvIntel constantly monitors and analyzes information gathered from the DarkWeb. AdvIntel analysts currently focus on four main pillars in the cybercriminal landscape: ransomware, botnets, individual hackers, and APT groups. As the maritime industry increasingly moves towards automation and advanced technologies, the number of potential intrusion points through which threat actors from any of these four pillars can gain access to its systems will grow.

DarkWeb Activity from 2018-2020 (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)

Ransomware Analysis


AdvIntel analysts currently assess Ryuk and REvil as the most dangerous ransomware threat actors in operation today. In addition to these two groups, Maze affiliates who transferred to Egregor and other syndicates remain a major threat.


Maze Affiliates


Former Maze top affiliates have proven experience with ransomware attacks against the maritime industry. They combine scalable automated distribution and infection advancement with targeted attacks against a specific entity that require a long-term presence in the victim’s environment. In July 2020, Maze hit a major Norwegian offshore and onshore industrial machinery company.

Maze’s “Shame” Website used to blackmail victims (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)

Maze leaked the maritime group’s documents on the DarkWeb to force the victim to pay. The information quickly spread and was reported across the underground community.


Ryuk


Ryuk ransomware operators perform sophisticated reconnaissance and rely on underground crime liaisons that enable them to observe infected networks and identify critical systems belonging to their intended victims. This enables the threat actors to tailor financial demands to their perception of the affected organization's ability to pay. Emotet is commonly observed distributing the TrickBot trojan, which in turn precedes the Ryuk deployment. These partnerships enable Ryuk to perform large-scale offensive operations, which are especially significant against the large networks of the maritime industry. For instance, a Ryuk ransomware breach that began with a phishing email in late December 2019 shut down a U.S. Coast Guard facility for 30 hours.


Ryuk was deployed within the facility via a phishing email. An employee executed the payload, which led to the ransomware blocking the network and encrypting crucial data. Most importantly, Ryuk was able to impact the industrial control systems (ICS) that monitor cargo transfers.

Ryuk news article discussed on the DarkWeb (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)


REvil


REvil is a ransomware group that operates as part of a decentralized, network-intrusion-focused criminal syndicate. This threat actor group has proven particularly reliant on Citrix and remote desktop protocol (RDP) exploits for initial access. REvil is currently focusing on high-profile, high-reward attacks against critical industries, a profile the maritime industry fits.


AdvIntel has not identified direct attacks by REvil against the industry; however, such attacks are likely in the future.


AdvIntel analysts assess with a high level of confidence that REvil, like Ryuk, is one of the most sophisticated ransomware groups. Considering that recent REvil attacks aimed at gaining notoriety and fame, this group may well resort to a “loud” attack - such as one aimed at maritime shipments.
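The RDP reliance noted above is something a defender can check for directly in Windows Security logs. The following is an added example, not code from AdvIntel or the original article: it flags a burst of failed RDP logons from one source IP and reports whether a successful RDP logon from the same IP followed, which is the usual shape of a brute-forced or credential-stuffed RDP foothold. It assumes events carrying the fields of Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the threshold, window and sample records are constructed for illustration and are not from the page.

```python
# Added example, not code from AdvIntel or the original article.
# Flags an RDP brute-force burst from one source IP followed by a successful
# RDP logon from that same IP, over constructed Windows Security event records.
# Assumptions (mine, not the page's): events carry the fields of Event ID 4625
# (failed logon) and 4624 (successful logon); logon type 10 is RemoteInteractive
# (RDP). Threshold, window and the sample records are illustrative.
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed RDP logons from one IP ...
WINDOW = timedelta(minutes=10)  # ... inside this window trips the rule

# Constructed sample log: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2020-09-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-09-01T02:00:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2020-09-01T02:00:05", 4625, 10, "backup",        "203.0.113.7"),
    ("2020-09-01T02:00:08", 4625, 10, "svc_ais",       "203.0.113.7"),
    ("2020-09-01T02:00:11", 4625, 10, "operator",      "203.0.113.7"),
    ("2020-09-01T02:00:14", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-09-01T02:00:40", 4624, 10, "operator",      "203.0.113.7"),  # got in
    ("2020-09-01T08:15:00", 4625, 10, "jsmith",        "198.51.100.20"),  # typo
    ("2020-09-01T08:15:30", 4624, 10, "jsmith",        "198.51.100.20"),
    ("2020-09-01T09:00:00", 4624, 2,  "jsmith",        "-"),  # console, ignored
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose RDP logon failures reach
    `threshold` within `window`. Each alert lists the accounts tried and,
    if a successful RDP logon from that IP follows the burst, the account
    that got in (the likely compromised credential)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, ip in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        by_ip[ip].append((_ts(ts), event_id, account))

    alerts = []
    for ip, evs in by_ip.items():
        fails = [(t, acct) for t, eid, acct in evs if eid == 4625]
        for i in range(len(fails)):
            # grow a window of failures starting at fails[i]
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i < threshold:
                continue
            burst_end = fails[j - 1][0]
            success = next((acct for t, eid, acct in evs
                            if eid == 4624 and t >= burst_end), None)
            alerts.append({
                "source_ip": ip,
                "failures": j - i,
                "accounts_tried": sorted({acct for _, acct in fails[i:j]}),
                "success_account": success,   # None = burst without a foothold
            })
            break   # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule fires once, for 203.0.113.7, with six failures across five account names and a subsequent success as "operator"; the single mistyped password from 198.51.100.20 and the console logon (type 2) are ignored. A success_account of None still deserves a look, since it shows the RDP service is reachable from the source and being sprayed.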


The most important threat posed by these groups to the maritime industry is the supply-chain attack. (Read more on ransomware and supply-chain attacks in our blog.) Shipments are a key point in logistical supply chains - hence, an attack on one carrier can block the whole chain. Such a crucial impact on multiple entities may motivate threat actors to target maritime shipping companies with ransomware. The victim will likely receive pressure from its partners in the supply chain and is thus more likely to pay the ransom.


Botnets


AdvIntel has detected multiple indications of compromise, infections, and signs of botnet activity directed against the maritime industry this year. The operators’ selective interest was identified through AdvIntel’s analysis of targeted infections at companies in the maritime industry. These companies differ by geographic location, including the United States, the Philippines, the Middle East, and Singapore. They also differ by specialization: maritime insurers, carriers and logistics, direct shipments, and maritime education centers and academies. Specifically, AdvIntel identified infections at one of the largest Chinese multinational ocean container shipping companies as well as at Egypt’s essential maritime support and product delivery provider.

Botnet operators, affiliates, or interested parties’ activity on the DarkWeb From 2019-Present (Image Source: AdvIntel's Andariel Platform - DarkWeb Collection)


AdvIntel has focused specifically on botnets that are aimed at illicit financial profit, are designed to serve as loaders for other types of malware, and/or are connected to ransomware groups. These botnets pose the highest threat to the maritime industry, as they can lead to the massive supply-chain attacks discussed above.


Botnet infections are sometimes used by advanced threat actors. Threat actors like North Korea’s Lazarus have the capacity to use, monitor, and exploit botnet compromises. Each of these botnet breaches represents the capacity to inflict major damage on global trade. Even those outside the maritime industry likely rely on the movement of goods the maritime industry provides.

AdvIntel analysts assess with a high level of confidence that botnets will continue to be utilized in attacks. Botnets like TrickBot allow networks to be breached en masse, after which threat actors can insert ransomware or other forms of malware.


Individual Threat Actors


AdvIntel has observed multiple individual threat actors conducting cyber operations against the maritime industry. Most of these actors are network intruders. Similar to ransomware groups, these intruders may aim for third-party access paths or supply-chain attacks. Maritime shipping routes operate within a complex network - entering at one point can enable lateral movement through hundreds of companies.

Observed threat actors going by aliases include:


“Achilles”: English-speaking threat actor, likely connected to the Iranian security apparatus, responsible for a maritime network compromise in 2018. In October 2018, Achilles offered access to data from a defense shipbuilder on the l33t and KickAss forums. Additional evidence provided by Achilles suggests that the information was stolen from the Australian shipbuilder Austal. According to Australian media, the Australian Cyber Security Centre (ACSC) attributed the breach to an Iranian-based hacker.


“TMT”: Russian-speaking threat actor specializing in network intrusions. -TMT- reportedly targets corporate networks to offer access to ransomware-spreading groups. The actor offers to upload crypto lockers and other payloads into the breached networks to monetize the access via ransom demands. -TMT- is reportedly cooperating with the “truniger” ransomware collective, offering to upload their crypto locker into the compromised environment. In August 2019, -TMT- offered access to an international maritime logistics services provider for 5,000 USD.


“Strain” (alias obfuscated): Russian-speaking threat actor offering their services on the DarkWeb. In Fall 2020 the actor offered access on an underground forum to an entity identified only as a large shipbuilding company. The identified details of this company were as follows:

  • $12.5 billion USD in revenue

  • Roughly 33,000 employees

“Ayn” (alias obfuscated): Russian-speaking threat actor offering corporate accesses on the DarkWeb. In September 2020, they ended an auction that had been active since August, in an attempt to sell access to a major United Kingdom-based insurance company specializing in protection and indemnity insurance (more commonly known as P&I insurance) at a price of $3,000 USD.