Shipping companies transitioning to cloud services could be at increased risk from malicious cyber threats after Microsoft’s defences were rattled by two sophisticated attacks
Two separate criminal players, suspected to be state-funded, have compromised SolarWinds’ Orion network monitoring platform in the past week, according to reports. At least one attack penetrated Microsoft’s cyber security, compromising its Azure cloud and Active Directory online tools.
There are risks to all clients of SolarWinds Orion, Microsoft Azure and Active Directory, said a Kent, UK-based IT and cyber security expert who wished to remain anonymous.
He told Riviera Maritime Media that any companies using cloud services were vulnerable to these hacks. “These seem to be sophisticated attacks driven by state-backed players,” the expert, who has fought previous cyber attacks and helped develop subsequent security for regional government networks and servers, said.
“Any companies using cloud services need to be wary,” he said. “Shipping companies could see their security breached by these hackers.”
He recommended companies review their security and update their defences to block Solarigate and Supernova. But he warned shipping companies should plan for security penetrations.
“When companies are considering the risk of an attack, they should not think it would be 30%, 50%, 70% probable,” he said. “They should expect it will be 100% certain their security will be breached.”
The IT expert continued, “When looking at the risk malicious email links will be clicked by staff, if there are only a few people in an organisation, then this could be a 30%-50% risk. But if there are hundreds of people, then it is another 100% certainty.”
More shipowners and managers are transferring their operations, business and management to remote or cloud services.
The attacks on Microsoft were initiated when hackers used backdoors to infiltrate SolarWinds’ monitoring platform and enter Microsoft’s domain.
In a statement, Microsoft confirmed it found what it called “malicious binaries” (malware) on its systems from the first attack, dubbed Sunburst or Solarigate.
According to Reuters and Wall Street Journal reports, other victims of coordinated cyber attacks are Cisco Systems, VMware, Intel, Nvidia, Belkin International and Deloitte Consulting.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” Microsoft said in a statement. “We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
On 13 December, Microsoft alerted customers to the presence of these malicious binaries, with recommendations to isolate and investigate devices.
There are further reports of Microsoft cloud services being used by hackers to extend their attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) warned there was evidence of “additional access vectors” beyond SolarWinds’ Orion platform.
On 16 December, Microsoft Defender Antivirus started blocking known malicious SolarWinds binaries. “This will quarantine the binary even if the process is running,” said Microsoft.
“We also realise this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.”
Following the first attack, Microsoft discovered a second attack on SolarWinds’ network monitoring platform. SolarWinds Orion was breached for a second time by malware known as Supernova. Microsoft’s research team, which reached this conclusion while investigating the initial malware intrusion, believes Supernova came from a different threat actor to the Solarigate attack.
“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product, but has been determined to be likely unrelated to this compromise and used by a different threat actor,” said Microsoft.
This malware is a small backdoor, a DLL file, which could enable remote code execution via SolarWinds’ web application server. Unlike the Solarigate breach, “this malicious DLL does not have a digital signature, which suggests this may be unrelated to the supply chain compromise,” said Microsoft.
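Microsoft’s observation that the Supernova DLL carries no digital signature points to a simple triage check a defender can run on an application server under investigation. The following PowerShell script is an added example written for this article, not code from Microsoft or SolarWinds; it inventories every DLL under a directory and flags those whose Authenticode signature is missing or invalid. The directory path and report path are placeholders, and the script uses only the standard Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example (not from the article, Microsoft or SolarWinds): inventory DLLs whose
# Authenticode signature is missing or invalid, as a triage signal for investigators.
# Both paths are placeholders; point $ScanRoot at the application directory under review.
param(
    [string]$ScanRoot   = 'C:\PLACEHOLDER\WebAppDirectory',          # placeholder, not a real product path
    [string]$ReportPath = "$env:TEMP\dll-signature-report.csv"       # placeholder output location
)

# Collect one record per DLL: signature status, signer, hash and modification time.
$results = Get-ChildItem -Path $ScanRoot -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            Status        = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteTime = $_.LastWriteTimeUtc
        }
    }

# Anything other than 'Valid' deserves a human look: NotSigned is the signal Microsoft
# describes for Supernova, HashMismatch means a signed file was altered after signing.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }

# Keep the full inventory for the incident record; show the suspects, newest first.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$suspect | Sort-Object LastWriteTime -Descending | Format-Table Status, LastWriteTime, Path -AutoSize

Write-Host ("Scanned {0} DLLs, {1} without a valid signature. Full report: {2}" -f `
    $results.Count, $suspect.Count, $ReportPath)
```

Save the script as a .ps1 file and run it with the directory to review as the ScanRoot argument. The output is a starting point for the isolate-and-investigate work Microsoft recommends, not a verdict: a valid signature does not clear a file, since the Solarigate binaries the article describes were signed, and an unsigned DLL may simply be a third-party component. The SHA-256 hashes and modification times in the report are what an investigator would compare against vendor manifests and published indicators.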
In November, container line Mediterranean Shipping Co (MSC) said it was investing in a Microsoft cloud communications platform to manage its operations and streamline IT management in 155 countries.
In July, Qatari maritime and logistics provider Milaha partnered with Microsoft to continue its digital transformation, while simultaneously expanding Qatar’s supply chain connectivity.
More maritime-optimised fleet management programs are built on Microsoft’s Power BI software and other Microsoft products.
With the influx of more VSAT services and high throughput satellites, Microsoft Azure cloud services will become widely available for ships at sea. In September, SES became Microsoft’s new multi-orbit satellite connectivity partner as part of the Azure Orbital drive.
Shipowners are already in the firing line and have had to repair servers and IT systems following successful attacks.
In December, Norwegian cruise and ferry operator Hurtigruten was recovering from a comprehensive ransomware attack. This forced the company to shut down its servers and online booking services. Its websites were out of action, but back in operation by 18 December.
This ransomware attack was the latest in a growing series of defence breaches at shipping companies and IMO’s headquarters in 2020. Other victims were Carnival Corp, CMA CGM and MSC.
Shipping companies need to react to the growing threats and should be ready to implement IMO’s amendments to the ISM Code, which bring cyber risk management into ship safety management systems and will be enforced from 1 January 2020.
Use this link to view Microsoft’s report on recent cyber security issues with Solarigate, published on 18 December, and this link for Microsoft’s advice to incident responders.
© 2023 Riviera Maritime Media Ltd.