Lone Hellevik, Senior Security Adviser of Gard P&I Club highlights that cybersecurity is vital to the maritime industry, and yet vulnerabilities are increasingly being exploited by criminals. In this article, we share two examples of recent cyberattacks against Gard, as well as our key recommendations to prevent losses.
Successful cyber-attacks can have serious consequences, such as operational disruptions, data leakage and financial losses. It is therefore important to raise awareness and improve security measures among maritime stakeholders, including crew members, operators, and service providers. With that in mind, we share our experience with two recent cyber-attacks aimed at Gard’s operations.
The most common threats
Ransomware campaigns affecting the maritime sector pose a high threat. They are typically carried out using a “trojan horse”: malware disguised as a legitimate file, which the user is tricked into opening.
Phishing by email continues to be the most common means of attack, although phishing via SMS, phone, social media and even Microsoft Teams also occurs.
Whatever the method, these attacks can be profitable: according to the American analysis company Chainalysis, cybercriminals earned more than USD 1 billion last year through ransomware extortion.
Recent Gard examples
At Gard, like most digital companies, we experience an almost constant inflow of cyberattack attempts, and we have seen an increase over the past few years. The following summarises one of our most recent examples:
- False emails: In an existing email thread between Gard and other parties regarding a case, fraudulent email addresses were added to the communication. These addresses were created to look like legitimate addresses that were already in the thread.
- Real names: Real employee and company names were used in the fraudulent emails, both as senders and as recipients added in copy.
- Changes in payment details: In one of the fraudulent emails, a change of bank account was requested. This was a red flag that alerted the employee to dig deeper, and the fraud was detected.
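The two signals in this case, a known name arriving from a new address and a domain that is a near copy of one already in the thread, can be checked mechanically when a reply adds recipients. The script below is an added illustration, not Gard's own tooling; every address and domain in it is a constructed placeholder.

```python
"""Flag newly added email-thread participants that imitate existing ones.
Added illustration, not Gard's own tooling. All addresses are constructed
samples; the domains are placeholders, not real organisations."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: participants already present in the legitimate thread.
KNOWN_PARTICIPANTS = [
    "Lone Hellevik <lone.hellevik@example.com>",
    "Case Handler <claims@shipowner-example.com>",
]

# Constructed: addresses that appear in the Cc line of a later reply.
NEW_PARTICIPANTS = [
    "Lone Hellevik <lone.hellevik@examp1e.com>",     # known name, digit 1 for l
    "Accounts <accounts@shipowner-example.co>",      # truncated top-level domain
    "Broker <broker@completely-different.example>",  # unrelated newcomer
]

def parse(entry):
    """Return (display_name, address, domain) for 'Name <user@domain>'."""
    name, addr = parseaddr(entry)
    if "@" not in addr:
        raise ValueError(f"unparseable address: {entry!r}")
    addr = addr.lower()
    return name.strip(), addr, addr.rsplit("@", 1)[1]

def domain_similarity(a, b):
    """difflib similarity ratio between two domains (1.0 = identical)."""
    return SequenceMatcher(None, a, b).ratio()

def find_lookalikes(known, new, threshold=0.8):
    """Return (new_addr, imitated_addr, reason) for each suspicious newcomer:
    a display name already in the thread arriving from a different address,
    or a domain that is a near match of one already in the thread."""
    known_parsed = [parse(k) for k in known]
    findings = []
    for entry in new:
        name, addr, domain = parse(entry)
        for k_name, k_addr, k_domain in known_parsed:
            if addr == k_addr:
                break  # exact address already in the thread: nothing new
            if name and name.lower() == k_name.lower():
                findings.append((addr, k_addr, "known name from new address"))
                break
            if domain != k_domain and domain_similarity(domain, k_domain) >= threshold:
                findings.append((addr, k_addr, "lookalike domain"))
                break
    return findings
```

The unrelated broker address is deliberately left unflagged: a genuinely new party is not by itself suspicious, whereas an impersonation of someone already in the thread is.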
Ransomware on Teams
In another case, Gard experienced an attempted ransomware attack via Teams (a method also used against several other companies last year, according to Cybernews). In brief, this is the method that was used against Gard:
- Using a well-known person: First, several employees received a Teams chat invitation from what looked like a company manager but was in reality a cyber attacker.
- Triggering emotions: The content of the Teams chat was designed to trigger personal concern. The topic was “organizational changes”, and part of the message read: “In an attached file you can see if you keep your job”.
- Fishing for clicks: By reaching out to many employees at the same time, the attacker increased the likelihood of success. A single person opening the file could have been enough to affect all employees: it could have delivered malware that encrypted files and spread to other laptops.
Cybersecurity incidents like these show the importance of both user awareness and security maturity, in the solutions deployed and in incident handling. Unfortunately, parts of the maritime industry have suffered from immature levels of security and a lack of user awareness among staff. We have seen several incidents where a high-risk website was visited, or the business infrastructure was misused for personal purposes. To avoid costly incidents, our advice is to improve cybersecurity training and awareness, with clearer procedures and guidance for online behaviour.
Our recommendations
Below are our cybersecurity recommendations for onboard behaviour:
- It is safer to visit an official website directly than to click on a link in an email or scan a QR code.
- Check links by hovering over them: the real web address is shown in your browser’s bottom left corner. If the address looks suspicious, do not click.
- Use a passphrase to create strong and unique passwords with upper- and lowercase letters, numbers and symbols or spaces.
- Use several authentication factors (such as facial recognition, fingerprint or an authenticator app) if possible.
- Keep business and personal email use separate.
- Do not connect unauthorized personal equipment to networks on ships or at other business locations.
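The hover check above compares the address a link displays with the address it actually opens. The script below does the same comparison over the links in an HTML email body; it is an added illustration, not Gard's own tooling, and the sample body with all of its domains is constructed.

```python
"""Reveal the real target behind each link in an HTML email, as hovering does.
Added illustration, not Gard's own tooling. The HTML body is a constructed
sample and every domain in it is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three links, only the first goes where its text says.
SAMPLE_BODY = """<p>Please review the updated bank details:</p>
<a href="https://portal.example-insurance.com/case/42">https://portal.example-insurance.com/case/42</a><br>
<a href="http://example-insurance.com.login-update.example/verify">https://example-insurance.com/verify</a><br>
<a href="https://drive.example/attachment">Open attached file</a>"""

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()

def review_links(body):
    """Return (shown_text, real_host, verdict) for each link in the body."""
    parser = LinkExtractor()
    parser.feed(body)
    out = []
    for text, href in parser.links:
        real = host_of(href)
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != real:
            verdict = f"mismatch: text shows {shown}, link goes to {real}"
        elif not shown:
            verdict = f"target not visible in text: link goes to {real}"
        else:
            verdict = "consistent"
        out.append((text, real, verdict))
    return out
```

The second link shows the insurer's domain but resolves to a host that merely begins with it, which is exactly what hovering would have revealed.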
At Gard, our staff are trained to be security “STARs” (an acronym for Stop, Think, Ask, React):
- Stop: Resist acting on impulse, especially if something in an email or other channel triggers emotions, is urgent or is unusual.
- Think: Think before clicking or doing anything. Is this a message I expected to receive? Is this a person I know? Take time to reflect on whether the message makes sense to you.
- Ask: If in doubt, get a second opinion from a colleague, security, or your manager. Sometimes, just sharing your issue can help you think more clearly.
- React: Notify security or your manager if something is suspicious or unusual, or if you have been tricked.
The above article was originally published on Gard P&I Club’s website and is reproduced here with the authors’ kind permission.
The views presented are only those of the authors and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.