For several years, security experts have warned that outdated technological systems could lead to increased risks to shipping vessels. In recent months, the warnings have grown louder. Most computer based shipping technologies, developed in the 1990s, were initially designed as isolated systems. Over time, the industry has moved increasingly online. The change has opened the industry to more threats from outside actors. As technology and users become more sophisticated, the shipping industry has struggled to keep up to speed with the latest changes, leaving older systems vulnerable to targeting.
Two key risks are the hacking or spoofing of marine traffic. Hacking refers to the unauthorized access to data in a system. A hacker could gain entry into the internal systems of a company and access private information, such as cargo documents, or the personal details of crew members aboard a vessel. A hacker could also install malware into the system, allowing them access to sensitive material such as e-mail transmissions. In the past year, hackers have changed the banking information on email invoices going to shipping companies, redirecting millions of dollars before the issue was identified. In June, the NotPetya ransomware-attack targeted several large businesses, including shipping giant Maersk. The virus wormed through the company’s global network, forcing a stoppage at 76 port terminals globally, and costing the company nearly $300 million.
Spoofing, on the other hand, is a process of falsifying the origin or location of something in order to mislead a user. In terms of the shipping industry, it can be used to alter the coordinates of a vessel, or make the vessel simply disappear from tracking systems. Spoofing attempts are often spotted quickly, however sophisticated actors continue to construct ways to outsmart the systems, causing spoofing to remain a point of concern.
Aboard a vessel, security issues can be amplified. For example, the AIS system uses satellites and marine radar to pinpoint the location of a vessel. This information, often publicly available, can be used to track the location of vessels around the globe, and can be used by pirates as a sort of “shopping list”. Using spoofing, a malevolent actor can theoretically alter the location of a vessel, causing a ship to redirect its course into unknown waters. With hacking, they can access a cargo list, obtain the information about the content of specific crates, and if they successfully board a vessel, they target only the crates with goods they find valuable.
While there are numerous entry points for a hacker to target, aboard a vessel, perhaps the weakest point is maritime satellite communication (satcom) system. Satcom boxes are nearly always connected to the internet, and often do not have updated technology. They are often poorly secured, and can easily allow access to “protected” data and entry into a company’s larger systems.
Governments and corporations have long struggled to keep up with the changes in technology. Because of the rapid rate of sophistication, legacy systems often do not have the features or capacity to protect shipping companies from such attacks. Awareness is growing as cyber-security becomes a more prominent global concern. Experts have called for changes in the industry, including secure firmware, password complexity, penetration testing, and other preventative measures to ensure that vessels, cargo, and crew remain safe.
The International Chamber of Shipping has recently launched guidelines designed to help ship owners protect themselves from hackers. More information can be found here: http://www.ics-shipping.org/docs/default-source/resources/safety-security-and-operations/guidelines-on-cyber-security-onboard-ships.pdf?sfvrsn=16
13 January – US Central Command’s (CENTCOM) official Twitter feed and the YouTube page were hacked on Monday. CENTCOM uses its Twitter feed post regular updates on the coalition airstrikes against Islamic State in Iraq and Syria. The social media accounts were compromised for approximately 30 minutes, after which CENTCOM regained control and suspended the accounts. The feeds were resumed hours later.
The hackers left a series of threatening messages, the longest of which stated: “In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate under the auspices of ISIS continues its CyberJihad. While the US and its satellites kill our brothers in Syria, Iraq and Afghanistan we broke into your networks and personal devices and know everything about you,” the message reads. “You’ll see no mercy infidels. ISIS is already here, we are in your PCs, in each military base. We won’t stop! We know everything about you, your wives and children. U.S. soldiers! We’re watching you!”
The messages also stated, “ISIS is already here, we are in your PCs, in each military base.” They added that that they had affected CENTCOM’s computers, and warned, “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS. CyberCaliphate.”
In the short time the hackers had control of the Twitter feed, they proceeded to tweet a roster of military personnel names and contact information, and then released what they claimed to be “confidential data” obtained from mobile devices. The US Army confirmed that some of the documents were from password protected sites. However, other documents appear to have been publicly available on the Pentagon website. The majority of the documents are dated 2005, with the most recent being 2008. Two other tweets called “China Scenario” and “North Korea Scenario” delivered files which appeared to displayed US surveillance or war scenarios for China and North Korea. The data within those files include PowerPoint slides that appear to have been taken from military presentations, including one entitled: Army Force Management Model. It is possible that some of the password protected information released by the group was also available publicly. CENTCOM is investigating any potential security breaches.
The missive has caused many to believe that the hackers are members or affiliates of ISIS, the terrorist organisation that has swept through Iraq and Syria over the past year. However, certain indicators suggest that the hack may have come from a person or persons who claimed to be ISIS but are not operating within the organisation. For example, the term “ISIS” itself is most commonly used in the West. The group itself changed their name to “Islamic State” (Dawla il Islamiya) in June of 2014. Further, the organisation has focused predominantly on the gain of territory and natural resources; if found to be the work of ISIS, this cyber-attack would be their first. Finally, the released documents featuring far Asian countries is not in line with the Middle Eastern focus of ISIS. It is likely that the hackers are supporters of the group but not officially affiliated with ISIS. Twitter has identified and deleted an account using the handle of CyberCaliphate, a term that appeared in some of the missives that were posted.
A report released on 19 February indicated that hackers from a unit of China’s People’s Liberation Army (PLA) had amassed hundreds of terabytes of stolen data from over twenty nations as far back as 2006.
The report, released by American security company Mandiant, was the result of six years of investigations. The team tracked individual members of the Chinese hacker group to a high-rise building in residential Shanghai. The location is home to Unit 61398 of the People’s Liberation Army. The report claims that among other information, the unit has obtained technology blueprints, negotiating strategies, and manufacturing companies from 141 companes, 115 of which are in the United States. Among the diverse set of targets was a large defence contractor, and a company that helps utilities to run North American pipelines and power grids.
The most prolific of these actors, in terms of quantity of information stolen, is a group known as APT1 (ATP stands for Advanced Persistent Threat). The Mandiant report indicates that APT1 is staffed by hundreds or thousands of English-proficient speakers with advanced computer security and networking skills. They have hacked into 141 companies, remaining in their networks for an average of 365 days (with the longest lasting 1,764 days), and have targeted companies across twenty industries which were identified by China as strategically important under its Five Year Plan for economic growth.
The Chinese government has denied and condemned the Mandiant report, calling it “unprofessional”. Chinese foreign ministry spokesman Hong Lei stated, “Hacking attacks are transnational and anonymous. Determining their origins are extremely difficult. We don’t know how the evidence in this so-called report can be tenable.”
Mr. Hong further added that China opposes hacking, and believes the nation itself is a victim of cyber attacks. Yet the report, which is lauded in the West for its unprecedented level of detail, indicates that not only are the activities based in China, but that the Chinese government is aware of them.
Hackers in Chinese Culture
While the Chinese government may not know the full extent of Chinese hackers, they are aware that hacking is a prevalent part of Chinese tech-society. There are three types of hacker attacks emanating from China: economic espionage, cyber warfare, and attacks by “hacktivists” with a socio-political agenda. The latter of these, Chinese “Red Hackers” perceive themselves as Internet patriots. They number in the thousands, have nationalistic politics, and exist in a culture where hacking, particularly against the West, is “fashionable”. A 2005 Shanghai Academy of Social Sciences survey found that hackers equated with rock stars. Forty-three percent of elementary-school students “adore” China’s hackers and nearly a third aspire to join them. Within the culture, there are hacker magazines, clubs and online stories. Unlike Western hackers, who tend more anti-government, Chinese hackers are more involved with politics. “Nationalism is hip,” claims a man identified as “the Godfather of hackers”, “and hackers — who spearhead nationalist campaigns with just a laptop and an Internet connection — are figures to revere.”
Of China’s thousands of “Red Hackers”, many may not be acting on direct behalf of their government, but the net effect is the same. The Chinese government does not have a direct connection to all hacker groups, nor do they prosecute hackers for attacks outside of their borders. In instances where hackers work to the benefit of China, this lack of supervision is perceived as tacit approval, particularly as the Chinese distinction between the private and public domain is very small.
Refinement of Phishing
To companies in the West, the particularly increasing difficulty is in identifying the actual hack. The primary tactic used to enter a system is “phishing”, a process by which seemingly innocent messages include links or attachments which dump spyware on recipients’ computers. Initially, these emails were easy to spot, due to poor language use, or obviously malicious attachments, such as “.exe” or “.rar” files. However, Chinese hackers have polished their strategy, using polished English and more convincing attachments, such as links for RSVPs to events, or PDFs which must be opened to obtain the information.
ATP1 has effectively created webmail accounts using real names which are familiar to the recipient, such as a colleague, vendor, or client. The phishing attempts are customised with use subject lines and content relevant to the target, making it more difficult to identify when a security system had been compromised.
The most effective tool against this polished technology is a return to old mediums. Companies are urged to contact a sender face-to-face or via telephone to confirm the attachment’s safety. Even sending an email asking if an attachment is safe is risky, as the malicious sender can simply respond that it is legitimate.
Hacking and the Chinese Economy: What it could mean
Analysts believe that the pattern is likely to continue because it is affordable. Frank Smyth, founder of Global Journalist Security, says, “No one should be surprised, because it doesn’t take that much infrastructure. If you have a team of people in a room, you can create a lot of havoc. That’s much cheaper than building a tank or a jet fighter.”
China’s rapid growth and aging population has caused their reliance on foreign food and energy to increase dramatically. These leadership fears may serve as an impetus to justify an industrial espionage campaign. However these actions may serve to hinder economic progress. The acquisition of foreign technology may handicap Chinese development, according to James Lewis of the Center for Strategic and International Studies. “There is a puzzling lack of faith in China’s own strengths. Beijing has concluded that now is not yet the moment to tame the decades-old effort to pilfer technology.”
Hacking on this scale also signals a reluctance to play by the rules in the in the international market. China’s new leader, Xi Jinping has vocally suggested that the nation embrace reform and work within the rules of international law. The failure to acknowledge of the contents of the Mandiant report are a missed opportunity; the denial, and boomerang accusation that it is China which has been victimised, may generate a loss of trust in both the Chinese government and business relations in the nation.