The Port of Lisbon in Portugal is attacked by LockBit ransomware.
Put yourself in this manager’s shoes: It’s Christmas Day. You’re in the middle of the extended family meal of roast turkey with all the fixings. Suddenly, you’re interrupted by an urgent call from your seaport duty officer.
She informs you that the website is down, and all the computer screens are showing an alert from a ransomware attacker extorting your port. Operations seem to be okay, but the ransomware alert is threatening.
This is essentially the scenario faced by the Port of Lisbon on Dec. 25 last year. The attacker, LockBit 3.0, claims to have stolen the port’s audit results, port budget details, contracts, cargo information, ship’s crew details, financial reports, ship logs, customer personally identifiable information (PII), port documents, email, etc.
The files ransomed by LockBit 3.0 are not accessible by the Port of Lisbon. Instead, LockBit 3.0 has set a ransom of $1,499,999 USD and said that if the ransom was not paid, all the data would be released publicly on Jan. 18, 2023, at 04:11 GMT.
According to a report on BleepingComputer.com, LockBit 3.0 is offering to sell the port’s data for the same amount of money to anyone wishing to access the files immediately and exclusively.
As of late January, the Port of Lisbon’s website was not accessible and LockBit 3.0 has supposedly published samples of stolen data to prove their threat.
U.S. Seaport Comparison
The Port of Lisbon is the busiest seaport in Portugal. It is visited by more than 3,500 vessels annually and handles 13.2 million tons of cargo and 555,000 20-foot-equivalent units (TEUs) for containers.
The Port of Lisbon’s container volume is roughly comparable to the Port of Philadelphia and tonnage comparable to the ports in Longview, Wash., Detroit and Memphis.
Essentially, Lisbon is not a trivial port. It’s not equivalent to larger U.S. ports like Los Angeles, Long Beach or New York-New Jersey, but its shutdown could affect an entire country. Imagine the impact if the Port of Los Angeles was in the same cyber predicament as Lisbon.
About Ransomware and Phishing
Ransomware is malware that threatens to publish or block access to data and computer systems until a ransom is paid. Unfortunately, the maritime industry has undergone multiple ransomware attacks including port facilities in Belgium, Germany, the Netherlands—and Portugal.
According to CNBC, German firm Hellmann Worldwide Logistics said its operations were impacted by a phishing attack in December 2021. The company, which offers air freight, sea freight, road, rail and contract logistics services, was forced to stop taking new bookings for several days. This meant a loss of revenue and possibly a negative impact on its reputation.
One of the most prevalent ways ransomware is delivered and implemented at a seaport is via a technique called “phishing.”
Phishing is a type of cybercrime involving deceiving individuals into providing sensitive information—such as passwords or financial information—by disguising the criminal’s communications as legitimate. Seaports, like other organizations, are vulnerable to phishing attacks, since they handle sensitive information including cargo and logistics data and rely heavily on digital systems for operations and communications.
According to the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA), phishing is a form of social engineering in which a cyber threat actor (aka “bad guy”) poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing secret or sensitive information in the form of an email, text message (SMS phishing), or even a telephone call (voice phishing).
Phishing can be very difficult to identify and detect since the attackers use sophisticated methods and techniques to make their communications look and sound legitimate.
Seaports and Phishing
One major risk associated with phishing for seaports is the potential for criminals to gain access to sensitive cargo and logistics information which could be used to disrupt operations or steal valuable cargo.
Additionally, criminals may use this information to engage in other forms of cybercrime such as fraud.
One example of this challenge occurred in 2013, when cybercriminals used phishing and malware attacks to hack systems at the Port of Antwerp and manipulate the movement of containers so they could conceal and move drug shipments.
Once the hackers were inside the port’s digital systems, they changed the location and the delivery times of containers that had drugs in them. The criminals then sent their own drivers to pick up drug-loaded shipping containers before the legitimate hauler could collect them (CNBC, 6/27/22).
Another risk is the possibility of an attacker using phishing to gain access to seaport computer networks. This unauthorized access could allow the attackers to gain control of critical systems and cause significant disruption to operations. This could potentially lead to major cargo handling delays, costly downtime for cargo shipments, as well as damage to the seaport’s reputation and its stakeholders.
In July, the BBC reported the number of monthly cyberattacks targeting the Port of Los Angeles—around 40 million. The threats are believed to come mainly from Europe and Russia, with the aim to disrupt the U.S. economy, according to the port’s executive director, Gene Seroka. Of note, the Port of Los Angeles has invested substantially to develop one of the world’s first Seaport Cyber Resilience Centers.
If criminals manage to gain access to employee login credentials, they can move laterally within a network by exploiting the trust employees have in the IT and operational technology (OT) systems. Again, this could allow access to sensitive data and/or disrupt port operations.
At the seaport worker level, phishing attacks can target employees using the seaport IT and OT systems to steal personal information, which could lead to identity theft, financial fraud, etc.
One iteration of phishing is called “spear phishing.” Here, the phishing is more targeted to an individual or department.
For instance, a specific email could be targeted to lure the port administrator to click on a malicious link. This could be done with an attractive subject line or even a personally directed query in the email or text message.
Alternatively, the phishing email could come from the false front of a technology vendor, directed to the IT administrator, to reset an account.
Protection from a Phishing Attack
The CISA has published an infographic entitled “Actions to Help Prevent Being Hooked in a Phishing Attack,” which provides a summary of how cyber criminals execute successful attacks. The infographic offers metrics comparing the likelihood of certain types of “phishing bait” being clicked by unsuspecting individuals. CISA recommends stakeholders use this information to help educate their workforce on how to spot and avoid phishing attacks.
The infographic can be viewed at https://bit.ly/3iDTaT4.
Some tips to avoid phishing include the following:
- Don’t click on links or email attachments in unsolicited emails or text messages.
- Be suspicious of any email or message asking for personal information such as login credentials or credit card numbers.
- Verify the authenticity of any email or message by contacting the sender directly (perhaps by phone or text message), or by visiting their website directly instead of the links provided in the email.
- Use anti-phishing software or browser extensions.
- Keep software, browsers and operating systems up-to-date to protect your organization from known phishing vulnerabilities.
- Educate yourself and employees about phishing attempts and cybersecurity best practices.
- Teach employees to recognize common indicators of phishing, such as suspicious sender email addresses, generic greetings, spoofed hyperlinks, spelling or layout errors and suspicious attachments.
- Train employees on what to do when they receive a phishing email — regardless of whether they fell for it.
- Have your IT department include an alert on all email received from outside your organization thus highlighting the risk of links and attachments.
- Restrict administrative password sharing and re-use and remove non-essential elevated privileges from users to reduce opportunities for improper access.
How Should Ports React?
In November, Secretary of the U.S. Department of Homeland Security Alejandro Mayorkas said that the most significant threat to U.S. seaports are cyberattacks. Therefore, DHS, CISA, the Coast Guard, and other government agencies are taking actions to better protect seaports at the cyber level.
Their instructions including training for staff, contractors and vendors on phishing and ransomware threats and attacks. That includes such topics and emphasis as protecting and managing passwords; recognizing fake or suspect emails; identifying social engineering attacks via computers, voice mail or text messaging, and spotting fake or fraudulent websites and URLs.
Also, have a well-practiced cyber incident response team in place to quickly respond if it looks like your system has succumbed to a phishing attack due to someone on your network.
According to the CISA, all ransomware incidents in the U.S. like the one in Lisbon are federal crimes and should be reported to law enforcement to help bring these criminals to justice. Ransomware events can be reported to the FBI or Secret Service.
As an additional resource, CISA is dedicated to helping all organizations prevent cyber intrusions, including phishing attacks and ransomware. You can request technical assistance or provide information to be used to protect other possible victims at https://us-cert.cisa.gov/forms/report.
Maritime Security Questions Wanted
If you have any cyber or physical security topics you would like to see addressed in future cybersecurity columns in Pacific Maritime, or if you have any feedback on past columns, please send your thoughts and ideas to Ernie Hayden at enhayden1321@gmail.com. Thanks! P.S.—No phishing attacks allowed!
Ernie Hayden, MIPM CISSP GICSP (Gold) PSP, is an industrial control systems cyber and physical security subject matter expert. He has extensive experience in industrial controls security, the power utility industry, critical infrastructure protection/information security, cybercrime and cyberwarfare. His email is enhayden1321@gmail.com.