Ships infected with ransomware, USB malware, worms

12/12/2018 – By Catalin Cimpanu for Zero Day

Ships are the victims of cyber-security incidents more often than people think. Industry groups publish cyber-security guidelines to address issues.

Ships suffer from the same types of cyber-security issues as other IT systems, a recent document released by the international shipping industry reveals.

The document is the third edition of the “Guidelines on Cyber Security onboard Ships,” an industry-approved guide put together by a conglomerate of 21 international shipping associations and industry groups.

While the document contains what you’d expect it to contain (rules and guidance for securing IT systems onboard vessels), it also comes with examples of what happens when proper procedure isn’t followed.

These examples are past cyber-security incidents that have happened on ships and in ports, and which have not surfaced in the public eye until now.

For example, the guidelines include the case of a mysterious virus infection of the Electronic Chart Display and Information System (ECDIS) that ships use for sailing.

A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totaled in the hundreds of thousands of dollars (US).

But this isn’t the only malware-related incident that affected a ship, according to the aforementioned document.

Ships were also impacted by ransomware, sometimes directly, while in other incidents the ransomware hit backend systems and servers used by ships already on their voyage at sea.

For example, in an incident detailed in the report, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship’s crew.

A shipowner reported that the company’s business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks, while navigation and ship operations were unaffected. In one case, the owner paid the ransom.

But this wasn’t the only incident. In another, the entry point for the ransomware wasn’t the ship’s interaction with shipping ports, but a failure to set up proper (RDP) passwords.

A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and as a result, sensitive data were lost, and applications needed for ship’s administrative operations were unusable. The incident was reoccurring even after complete restoration of the application server. The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully. The company’s IT department deactivated the undocumented user and enforced a strong password policy on the ship’s systems to remediate the incident.
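
The remediation in this incident implies two log checks: a successful remote logon that follows a burst of failures, and successful logons by accounts missing from the documented inventory. The sketch below is an added example, not code from the guidelines or the article; the log format, addresses, account names, dates and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source address, account, result.
# Addresses come from documentation ranges; account names are made up.
SAMPLE_LOG = """\
2018-03-01T02:10:01 203.0.113.7 admin FAIL
2018-03-01T02:10:05 203.0.113.7 admin FAIL
2018-03-01T02:10:09 203.0.113.7 master FAIL
2018-03-01T02:10:13 203.0.113.7 master FAIL
2018-03-01T02:10:17 203.0.113.7 master FAIL
2018-03-01T02:10:21 203.0.113.7 master OK
2018-03-01T08:00:00 198.51.100.20 chiefeng FAIL
2018-03-01T08:00:30 198.51.100.20 chiefeng OK
2018-03-09T03:15:00 203.0.113.7 svc_tmp OK
"""

# Hypothetical inventory of accounts the IT department has documented.
DOCUMENTED_ACCOUNTS = {"master", "chiefeng", "itsupport"}

def parse(log):
    """Yield (timestamp, source, account, result) for each log line."""
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def review_remote_logons(log, documented, threshold=5,
                         window=timedelta(minutes=10)):
    """Return (brute_forced, undocumented).

    brute_forced: (source, account) pairs where a success followed at
    least `threshold` failures from the same source within `window`.
    undocumented: accounts that logged on but are not in the inventory.
    """
    failures = defaultdict(list)          # source -> failure timestamps
    brute_forced, undocumented = [], set()
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= threshold:
            brute_forced.append((src, user))
        if user not in documented:
            undocumented.add(user)
    return brute_forced, sorted(undocumented)

if __name__ == "__main__":
    print(review_remote_logons(SAMPLE_LOG, DOCUMENTED_ACCOUNTS))
```

In the sample, the later `svc_tmp` logon has no preceding failures, so only the inventory comparison catches it; a brute-force rule on its own would miss an account left behind after the server is restored.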

However, remotely-accessed accounts and systems weren’t the only sources of infections on ships. The report also puts a great deal of attention on USB thumb drives, usually used to update systems or transfer new documents into air-gapped networks.

The report includes details of two incidents where USB thumb drives have led to a cyber-security incident, delays, and financial damage.

1) A dry bulk ship in port had just completed bunkering operations. The bunker surveyor boarded the ship and requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks. This emphasises the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.

2) A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design. The company’s IT department made the decision to visit the ship and performed vulnerability scans to determine if the system had evidence of infection and to determine if it was safe to connect. The team discovered a dormant worm that could have activated itself once the system was connected to the internet and this would have had severe consequences. The incident emphasizes that even air gapped systems can be compromised and underlines the value of proactive cyber risk management. The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The shipowner stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician. The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders. The company asked cyber security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days. Scanning tools removed the virus. An analysis proved that the service provider was indeed the source and that the worm had introduced the malware into the ship’s system via a USB flash drive during a software installation. Analysis also proved that this worm operated in the system memory and actively called out to the internet from the server. 
Since the worm was loaded into memory, it could affect the performance of the server and systems connected to the internet.

But the guidelines also warned against IT screw-ups, which, while not technically cyber-security incidents, usually cause the same effects. Just like every IT department in every company anywhere around the world, ships have had their string of facepalm-worthy IT mishaps and system crashes.

1) A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was determined to be attributed to the outdated operating systems. During the previous port call, a producer technical representative performed a navigation software update on the ship’s navigation computers. However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company. The costs of the delays were extensive and incurred by the shipowner. This incident emphasizes that not all computer failures are a result of a deliberate attack and that outdated software is prone to failure.

2) A ship was under the conduct of a pilot when the ECDIS and voyage performance computers crashed. A pilot was on the bridge. The computer failures briefly created a distraction to the watch officers; however, the pilot and the master worked together to focus the bridge team on safe navigation by visual means and radar. When the computers were rebooted, it was apparent that the operating systems were outdated and unsupported. The master reported that these computer problems were frequent (referred to the issues as “gremlins”) and that repeated requests for servicing from the shipowner had been ignored. It is a clear case of how simple servicing and attention to the ship by management can prevent mishaps.

The fact that ships are vulnerable to hacking and malware infections isn’t anything new. Ships have been a disaster waiting to happen for years, because ship makers have had an obsession with putting all of a vessel’s systems online.

In some cases, ships feature proper security controls, but in most cases, ship systems are left exposed online, where they are indexed by search engines like Shodan or Censys.

Many of these IT systems designed for ships either use default credentials or feature backdoor accounts, putting the ship, cargo, and passengers in harm’s way due to sheer negligence.

The shipping industry got its cyber-security wake up call last year when Maersk, the biggest cargo shipping company in the world, was infected with the NotPetya ransomware. The incident incurred costs of over $300 million, and during the recovery process, the company’s IT staff had to reinstall over 4,000 servers and 45,000 PCs before being able to safely resume operations.

The updated guidelines released last week are a direct consequence of the shipping industry seeing how NotPetya, and a cyber-security incident in general, can cripple a company’s operations.

These guidelines are meant for securing IT systems located on ships, but they’re supposed to work with similar security controls deployed in ports and a shipping company’s own internal IT network.

Article was originally published at https://www.zdnet.com/article/ships-infected-with-ransomware-usb-malware-worms/