For several years, security experts have warned that outdated technology aboard ships and in port operations exposes shipping vessels to growing risk, and in recent months those warnings have grown louder. Most computer-based shipping systems were developed in the 1990s and designed as isolated systems. Since then the industry has moved increasingly online, which has opened it to threats from outside actors. As attackers and their tooling have become more sophisticated, the shipping industry has struggled to keep pace, leaving older systems exposed.
Two key risks are hacking and spoofing of marine traffic systems. Hacking refers to unauthorized access to data in a system. An attacker who gains entry to a company's internal systems can read private information such as cargo documents or the personal details of crew members aboard a vessel, and can install malware that gives continued access to sensitive material such as e-mail. In the past year, attackers have altered the banking details on e-mailed invoices sent to shipping companies, redirecting millions of dollars before the fraud was identified. In June, the NotPetya attack (delivered as ransomware but, in practice, a wiper that offered no way to recover the data) hit several large businesses, including shipping giant Maersk. It wormed through the company's global network, forcing a stoppage at 76 port terminals worldwide and costing the company nearly $300 million.
Spoofing, on the other hand, is the falsification of the origin or location of something in order to mislead a user. In the shipping industry it can be used to alter the reported coordinates of a vessel, or to make the vessel simply disappear from tracking systems. Spoofing attempts are often spotted quickly, but sophisticated actors keep finding ways to outsmart the checks, so spoofing remains a point of concern.
Aboard a vessel, these security issues are amplified. Take the Automatic Identification System (AIS): a ship broadcasts its GNSS-derived position, course and speed over VHF radio, and the broadcasts are picked up by nearby ships, shore stations and satellite receivers. AIS messages carry no authentication, so a receiver cannot tell a genuine report from a forged one; the only defence is to check each report for plausibility against the vessel's previous reports. The position data, often publicly available, can be used to track vessels around the globe, and can serve pirates as a sort of "shopping list". With spoofing, a malicious actor can in theory alter the apparent location of a vessel or of nearby traffic, causing a ship to redirect its course into unknown waters. With hacking, the actor can read the cargo manifest, learn the contents of specific containers, and, if the vessel is boarded, target only the containers holding goods they consider valuable.
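Because AIS offers no authentication, the practical check is plausibility: two consecutive reports from the same MMSI must be reachable at a speed the ship could actually make. The script below is an added example, not code from the original article or any vendor; the sample reports, the 50-knot ceiling and the MMSI values are constructed assumptions, and a real deployment would use per-ship-type limits and several more consistency checks (heading versus track, gaps in reporting, duplicate MMSIs).

```python
"""Plausibility check for AIS position reports (added example).

AIS reports carry no authentication, so a receiver can only sanity-check
them. This script flags consecutive reports from the same MMSI whose
implied speed is physically impossible. The reports below are constructed
for illustration; they are not real AIS data.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles


@dataclass(frozen=True)
class PositionReport:
    mmsi: int          # vessel identifier carried in the AIS message
    timestamp: int     # receive time, seconds since the epoch
    lat: float         # degrees, north positive
    lon: float         # degrees, east positive
    sog: float         # speed over ground the message claims, in knots


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def implied_speed_knots(prev, curr):
    """Speed the vessel would need to move between two reports."""
    hours = (curr.timestamp - prev.timestamp) / 3600.0
    if hours <= 0:
        return math.inf   # duplicate or out-of-order timestamp: treat as impossible
    return haversine_nm(prev.lat, prev.lon, curr.lat, curr.lon) / hours


def find_implausible_jumps(reports, max_speed_knots=50.0):
    """Group reports by MMSI, order them in time and return every consecutive
    pair (prev, curr, implied_speed) whose implied speed exceeds
    max_speed_knots (a hypothetical ceiling; use per-ship-type limits in practice)."""
    tracks: Dict[int, List[PositionReport]] = {}
    for r in sorted(reports, key=lambda r: (r.mmsi, r.timestamp)):
        tracks.setdefault(r.mmsi, []).append(r)
    flagged = []
    for track in tracks.values():
        for prev, curr in zip(track, track[1:]):
            v = implied_speed_knots(prev, curr)
            if v > max_speed_knots:
                flagged.append((prev, curr, v))
    return flagged


# Constructed sample: one ship steaming at about 10 kn, then a report that
# puts it roughly 34 nm away ten minutes later; a second ship behaving normally.
SAMPLE_REPORTS = [
    PositionReport(mmsi=211000001, timestamp=0,    lat=50.00, lon=-1.00, sog=10.1),
    PositionReport(mmsi=211000001, timestamp=600,  lat=50.02, lon=-0.97, sog=10.0),
    PositionReport(mmsi=211000001, timestamp=1200, lat=50.50, lon=-0.50, sog=10.2),
    PositionReport(mmsi=211000002, timestamp=0,    lat=49.80, lon=-1.20, sog=12.0),
    PositionReport(mmsi=211000002, timestamp=600,  lat=49.83, lon=-1.16, sog=12.1),
]

if __name__ == "__main__":
    for prev, curr, v in find_implausible_jumps(SAMPLE_REPORTS):
        print(f"MMSI {curr.mmsi}: {v:.0f} kn implied between t={prev.timestamp} "
              f"and t={curr.timestamp} (claimed SOG {curr.sog} kn): possible spoof")
```

Run as-is, the script flags only the third report of the first vessel, whose implied speed is around 200 knots while the message itself claims 10; the mismatch between implied speed and claimed speed over ground is exactly the signature a spoofed or replayed report leaves.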
While there are numerous entry points for an attacker to target aboard a vessel, perhaps the weakest is the maritime satellite communication (satcom) terminal. Satcom boxes are nearly always connected to the Internet and often run outdated firmware with default or weak credentials. They are frequently poorly secured, and a compromised terminal can expose "protected" data and provide a route into the company's wider network.
Governments and corporations have long struggled to keep up with changes in technology. Because attacks grow more sophisticated faster than fleets are refreshed, legacy systems often lack the features or capacity to protect shipping companies from such attacks. Awareness is growing as cyber-security becomes a more prominent global concern. Experts have called for changes across the industry, including signed and updatable firmware, strong password policies, regular penetration testing, and other preventive measures to ensure that vessels, cargo and crew remain safe.
The International Chamber of Shipping has recently launched guidelines designed to help ship owners protect themselves from hackers. More information can be found here: http://www.ics-shipping.org/docs/default-source/resources/safety-security-and-operations/guidelines-on-cyber-security-onboard-ships.pdf?sfvrsn=16
The Syrian civil war: a conflict that has lasted over five years, dismantled a country's infrastructure and driven much of the surviving population to seek asylum in neighbouring states. It has been the perfect stage for terrorists and extremists to pursue their plans and gain territory. Syria is not the only battlefield of this asymmetric, amorphous and redefined war on terror: northern Iraq, south-eastern Turkey and, more broadly, the whole of Europe remain potential targets. It is a conflict in which superpowers such as the US and Russia have played a major role, leading to a ceasefire and purported peace talks in Geneva; a conflict whose actors, structures and outcomes are yet to be fully revealed.
This conflict is another historical landmark for many foreign policies. It has reshaped the approach to terrorism and justice and shown the world a climate of desperation and fear; cruelty and loss of life have filled the daily newspapers. Europe has worked on resolving the collateral effects of migration and has faced attacks in its capitals; other players have tried to eradicate ISIS. There are no winners, only an apparent and fragile ceasefire.
From any problem-solving point of view, the first step of the analysis is to acknowledge the problem and identify its causes, while working to minimize its effects. So, who is ISIS?
Before describing the organization we should consider the widely used term "terrorism". Historically the term refers to the unlawful use of violence against civilian targets in an attempt to enforce political goals. The rise of ISIS, the Islamic State of Iraq and Syria or Islamic State of Iraq and al-Sham, began in 2004 as al Qaeda in Iraq (AQI). It was initially an ally of Osama bin Laden's al Qaeda, and both were radical anti-Western militant groups devoted to establishing an independent Islamic state in the region. AQI was weakened in Iraq in 2007 by what is known as the Sunni Awakening, when a large alliance of Iraqi Sunni tribes, supported by the US, fought the jihadist group. AQI saw an opportunity to regain its power and expand its ranks in the Syrian conflict that started in 2011, and moved into Syria from Iraq. By 2013 its leader, Abu Bakr al-Baghdadi, had spread the group's influence back into Iraq and renamed it ISIS. Al Qaeda disowned the group in early 2014, by which time ISIS had proved both more brutal and more effective at controlling the territory it seized.
While ISIL has not been able to seize ground in the past several months, that has not precluded it from conducting terrorist attacks, nor from conducting operations closer to guerrilla warfare than the conventional operations seen when it was seizing territory. The organization understood the value of pushing content, specifically videos of atrocities, out into the world, and used it to recruit brutal young men to join its struggle. As the organization evolved, it made media central to its ideology and strategy. ISIS has harnessed the "information arena" to propagate its ideology, recruit, move money and coordinate activities. The question arises naturally: what can be done?
A top Pentagon official reported that the US is hitting ISIS with "cyber bombs" as part of a new arsenal of tactics deployed against the group. The cyber effort is focused primarily on ISIS in Syria, and the goal is to overload its networks so that it cannot function; an attack of this magnitude can interrupt the group's ability to command and control its forces. A similar principle was applied in the power and water disruptions that occurred in the middle of a two-week truce between government forces and certain militant groups: disruption of critical infrastructure was used to gain an advantage over the group. Moreover, the Islamic State is clearly alarmed by the outflow of refugees, and has produced a great deal of propaganda excoriating those who flee its territory. Giving those refugees a platform to tell their stories to the world could be a powerful counter-messaging tool.
The humanitarian issues, the fallout, the civil war and its root causes have not yet been addressed. So far the military intervention, including air strikes carried out by the US-led coalition and by Russia, has diminished the group's capabilities; however, there is much more to do and the future remains uncertain. It is highly likely that ISIS will not cease to exist in the near to medium term, and its strategy, tactics and objectives are likely to remain unchanged. The struggle in the region and the level of threat to Europe remain primary concerns and subjects of ongoing discussion.
Hacking has been a rising trend within the PRC since the Internet arrived in the country in 1994, and on November 8th 2012 the Chinese president officially announced that "China will speed up full military IT applications". China alone accounts for the largest national population of Internet users, some 300 million, nearly one-fifth of the global total. Since the 1990s many hacking groups have formed, among them the Green Corps, the Hong Kong Blonds and, most famously in recent years, the Red Honker Union; together they created an important hacking culture in China. Some evidence links civilian hackers to the government and to the state's creation of a cyber army. Since 1998, according to Timothy Thomas of the U.S. Foreign Military Studies Office, the Chinese army has even recruited civilians into "net militia units" (Militia Information Technology Battalions). The best-known Chinese cyber unit, however, is a regular PLA formation: Unit 61398.
The State cyber army: unit 61398
As with everything on the Internet, proving the origin of a cyber attack is difficult. Nevertheless, the company Mandiant has investigated China's cyber capabilities since 2004, in particular Unit 61398, which it identified as a unit of the People's Liberation Army under the Central Military Commission, within the General Staff Department's 3rd Department (2nd Bureau). Since 2006 a rising number of cyber attacks are believed to have come from this unit, most of them targeting the U.S.
The four most heavily attacked sectors are Information Technology, Transportation, High-Tech Electronics and Financial Services. China appears to base its cyber warfare on a method often referred to as "acupuncture warfare": it targets critical IT nodes or pressure points, maximizing the effect on an adversary's vulnerabilities, and follows the principle of medical acupuncture of identifying points that serve as "a tunnel, or access route, to the deeper circulatory channels within". One application of this theory would be to find the key choke points or supply-chain vulnerabilities of an enemy's military deployments and influence them by attacking the civilian infrastructure that supports them.
Intents and motivation of the cyber attacks
The first reason for China's cyber offensive is to gain military knowledge through cyber espionage. China has an interest in accelerating its military development since it is still behind the West, and especially the U.S., which usually leads in new military technology. Several cyber attacks can be cited as examples, the most famous being "Titan Rain" (publicly reported in 2005), a sustained intrusion into United States defence contractor networks, including Lockheed Martin and NASA, in which 10 to 20 terabytes of data were reportedly taken and which is believed to have originated in China. Furthermore, numerous attackers operating from China have been accused of infiltrating the government computers of many countries: the United States, Britain, France, Germany, South Korea and Taiwan.
A second motivation is economic gain through the theft of technology and industrial processes. China's general technological level is also behind that of the United States, which gives it an added incentive for industrial espionage in pursuit of economic advantage. Numerous attacks believed to come from China support this theory, such as the theft of data from U.S. network security company RSA Security in 2011. Moreover, in December 2007 the director-general of the British Security Service (MI5) informed 300 major UK companies that they were under constant attack from "Chinese state organisations".
A further reason for China to use cyber offensives is to deter other states by infiltrating their critical infrastructure. It puts other states on notice that any technological edge they believe they enjoy will not be usable in a conflict with China. It also reminds China's restive domestic audience that unfettered technological advancement alone does not bring security. Deterrence and preparation for possible military action can both take the form of probes launched to identify vulnerabilities that could be exploited in an armed conflict. Two main examples are Operation Aurora in 2009, in which source code was stolen from the U.S. company Google, and the denial-of-service attack on the White House website in 1999 after the U.S. bombing of the Chinese embassy in Belgrade.
The characteristics of cyber warfare
- Anonymous: China has an interest in avoiding exposure to political and military pressure from the West and the United States. Chinese embassy representative Geng Shuang maintains that the allegations against China are groundless, stating: "The Chinese government prohibits online criminal offenses of all forms, including cyber attacks, and has done what it can to combat such activities in accordance with Chinese law." The Chinese Defense Ministry stated in January 2013: "It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence." Here lies a paradox with one of China's reasons for going on the cyber offensive: anonymity prevents deterrence. China must balance remaining anonymous, to avoid exposure, against being visibly capable, in order to deter.
- Cheap: cyber weapons are cheap to build and to use.
- Diverse: cyber weapons can target multiple types of system.
- Timeframe: cyber weapons can act quickly and against multiple targets at the same time.
- Flexible: unlike a nuclear weapon, a piece of malware or any other cyber weapon can be used many times, although a specific exploit loses much of its value once it has been observed and the vulnerability patched.
China’s offensive cyber: information warfare
In keeping with Sun Tzu's emphasis on the value of information, China focuses on cyber capabilities as part of its national strategy of asymmetric warfare. The Chinese military and its civilian overseers have settled on a military strategy that aims, all at once, to close the gap between U.S. and Chinese technological and military prowess. Hence, China regards the cyber domain as a battle arena.
An "extremely powerful" cyberattack claimed by supporters of the Islamic State of Iraq and al-Sham (ISIS) knocked French broadcaster TV5Monde's 11 channels and websites off the air for about three hours while the broadcaster worked to regain control. The attack occurred around 10 pm local time. The attackers took down the television channels and posted material on the broadcaster's Facebook and Twitter feeds. The station's network director, Yves Bigot, said operations were "severely damaged." The station's programming and Facebook page are now back up, but its website remains under maintenance.
The hackers posted documents on the TV5Monde Facebook page which they claim are the identity cards of relatives of French soldiers involved in anti-Islamic State operations. The hackers also posted threats against the troops. France is part of the international coalition fighting against ISIS insurgents.
TV5Monde, which broadcasts around the world, is working with police and national security agencies to determine how its security was breached. It is not yet known how the group accessed station operations, but the attack appears to have been conducted by the "Islamic State Hacking Division". The attackers referred to themselves as the "CyberCaliphate" on TV5Monde's Facebook page; the same name had earlier claimed credit for the takeover of US Central Command's Twitter and YouTube accounts.
The station has restored broadcast of one signal across all of their channels, however they cannot “send out pre-recorded broadcasts nor restart the production of our news shows,” according to Bigot. He added that it could take days for broadcasts to return to normal, adding that the attack must have required “weeks” of planning. The station is broadcast in nations around the world, including the US, Canada and Britain.
A day before the attack on TV5Monde, the US Federal Bureau of Investigation (FBI) warned that attackers claiming to be sympathetic to the extremist group ISIS are targeting websites that have vulnerable WordPress plugins.
WordPress is a content management system with a community of third-party developers who have created some 37,000 plugins. Occasionally, a security vulnerability in one of these plugins puts a large number of websites at risk by allowing attackers to gain unauthorized access, inject scripts, or install malware on the affected sites. The attackers have reportedly hit news organizations, religious institutions, and commercial and government websites. They have defaced websites that share common WordPress plugins with vulnerabilities that are easy to exploit, the FBI said.
The FBI advisory states, “Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.” The attackers have voiced support for ISIS; they are likely conducting attacks in order to gain notoriety.
On Tuesday, the security company Sucuri issued an advisory for a flaw it found in the WP-Super-Cache plugin, which is used by up to a million WordPress sites. The vulnerability could allow an attacker to add a new administrator account to a site, or to plant a "backdoor" by using WordPress's built-in theme editor to modify theme files.
The same day the FBI warning was issued, the homepage of AustismIreland.ie showed a photograph of a soldier with their face covered, alongside the words "ISLAMIC STATE HACKERS"
“Hacked By Moroccanwolf and ABdellah elmaghribi ~ Moroccan Attacker ~ I love IS”.
The image remained on the site for six hours before it was removed. Kevin Whelan, CEO of Irish Autism Action, confirmed that the hack "appears to have happened to a number of sites" and was not directed at the charity in particular. The attackers most likely scanned large numbers of websites for the vulnerable plugin and defaced whichever ones they found, rather than choosing targets. The Dublin Rape Crisis Centre was also among the victims of the worldwide campaign against sites running the vulnerable WordPress plugin.
Internet traffic around the world has been slowed down by what security experts are calling the biggest Distributed Denial of Service (DDoS) attack in Internet history. Five national cyber-police forces are investigating the attacks.
The attacks originally targeted Spamhaus, a European non-profit anti-spam organisation. Spamhaus blacklists what it considers sources of e-mail spam, and sells those blacklists to Internet Service Providers (ISPs). Last week, Spamhaus blacklisted the controversial Dutch web hosting company Cyberbunker, which claims it will host any website except those carrying child pornography or terrorism-related material.
Following the blacklisting, the attacks began as waves of large but typical DDoS assaults. Spamhaus has alleged that Cyberbunker is behind the attack. Cyberbunker has not directly taken responsibility for the attacks; however Sven Olaf Kamphuis, spokesman for Cyberbunker, said that Spamhaus was abusing its position, and should not be allowed to decide “what goes and does not go on the internet”.
How the Attacks Happened:
The attackers used a Distributed Denial of Service (DDoS) attack, which floods the target with so much traffic that it becomes unreachable. Picture a door with thousands of people crowded outside it: everyone is trying to get in, and no one can get out. That is the equivalent of a DDoS attack.
In most common DDoS attacks, hackers use thousands of “zombie” computers to send traffic to a particular site, with the intention of overloading it. These computers have often been infected with malware (most often received through spam email), which gives a hacker control of the machine, unbeknownst to its owner. Hackers can amass large networks of these infected computers, called “botnets”, and use them to conduct attacks.
Once the attacks began, Spamhaus hired a security firm, CloudFlare, which deployed mitigations that limited the impact of the DDoS. The attackers then changed tactics and targeted CloudFlare's upstream network providers. To do this they abused a weakness in how the Domain Name System (DNS) is deployed. DNS converts a web address into a numeric IP address; a recursive resolver performs that lookup on a client's behalf and returns the answer. A resolver is supposed to answer only the clients of its own network, but a misconfigured "open resolver" answers anyone on the Internet. Because DNS normally runs over UDP, the source address of a query can be forged, so an attacker can send an open resolver a tiny query that claims to come from the victim, and the resolver sends its much larger response to the victim instead.
In this case, the attackers drew on the roughly 25 million open DNS resolvers estimated to exist worldwide, sending them queries with Spamhaus's and CloudFlare's addresses forged as the source. Each small query elicited a response tens of times larger, and because the queries were spread across many thousands of resolvers, an attack launched from a single location was multiplied into a flood reported to peak at around 300 Gbps.
Global Impact and Prevention
Because the Internet relies on DNS to work, a large-scale DNS-amplified DDoS attack can have consequences well beyond its intended target. Parts of the shared infrastructure that connects networks, including the transit links and Internet exchange points that CloudFlare's traffic passes through, became overloaded. The result was delays or unresponsiveness for completely unrelated websites that share those links.
Some Internet Service Providers have been implementing ingress filtering (known as BCP 38), which drops packets that leave a network with a forged source address and so prevents attackers from spoofing their victims' IP addresses, but adoption is slow. Network administrators, for their part, need to close every open DNS resolver running on their network, either by restricting recursion to their own address ranges or by turning recursion off on authoritative servers.
A company that operates a network should visit openresolverproject.org and enter its network's IP ranges. The site will show whether an open resolver exists on the network; if one does, it is more than likely already being used by criminals to launch attacks such as these.
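The two points above, how a small spoofed query becomes a large response aimed at the victim and how to tell an open resolver from a closed one, come down to DNS header arithmetic. The script below is an added example, not code from the original article or from the Open Resolver Project: it builds a query packet, classifies a reply by its QR, RA and RCODE bits, and computes the amplification factor. The replies are constructed in the script itself so that it runs offline; the query name "example.com", the 200-byte TXT payloads and the transaction ID are assumptions, not data from the Spamhaus incident. The `probe_resolver` function sends a real query and is only for checking resolvers you are responsible for.

```python
"""DNS amplification arithmetic and open-resolver classification (added example).

The packets below are constructed by hand so the script runs offline; the
query name "example.com" and the 200-byte TXT payloads are assumptions.
"""
import socket
import struct

FLAG_QR = 0x8000   # packet is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available: the open-resolver tell-tale
RCODE_MASK = 0x000F
RCODE_REFUSED = 5
QTYPE_TXT = 16
QTYPE_ANY = 255    # the record type amplification attacks favour
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Minimal recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte header; None if the packet is too short to be DNS."""
    if len(packet) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_response(query, response):
    """'open' if the server answered recursively, 'closed' if it refused or
    offers no recursion, 'malformed' / 'mismatch' for anything else."""
    q, r = parse_header(query), parse_header(response)
    if r is None:
        return "malformed"
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"
    if r["rcode"] == RCODE_REFUSED or not r["ra"]:
        return "closed"
    return "open"


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


# --- constructed replies, standing in for what a resolver would send ---

def build_refused_response(query):
    """What a correctly configured resolver returns to an outside client."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | RCODE_REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def build_txt_response(query, payloads, ttl=300):
    """What an open resolver returns: the question plus one TXT RR per payload."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(payloads), 0, 0)
    rrs = b""
    for p in payloads:
        rdata = bytes([len(p)]) + p      # TXT rdata: one length-prefixed string
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + rrs


def probe_resolver(ip, name="example.com", timeout=2.0):
    """Live check of one resolver you operate (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer", 0.0
    return classify_response(query, response), amplification_factor(query, response)


if __name__ == "__main__":
    q = build_query("example.com")
    for label, resp in [("refused", build_refused_response(q)),
                        ("open, 4 x 200-byte TXT", build_txt_response(q, [b"A" * 200] * 4))]:
        print(f"{label}: {classify_response(q, resp)}, {len(q)} -> {len(resp)} bytes, "
              f"x{amplification_factor(q, resp):.1f}")
```

A 29-byte query answered by four 200-byte TXT records comes back as 881 bytes, a factor of about 30; a refused reply is the same size as the query and amplifies nothing, which is why closing open resolvers removes the attacker's multiplier. The classifier keys on the RA bit rather than on the presence of answers, because a resolver that recurses for strangers is the problem even on a day it happens to return an empty answer.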