American maritime assets targeted by Chinese malware

American maritime assets are being targeted by Volt Typhoon, a Chinese state-sponsored snooping operation, tech giant Microsoft warned today.

Microsoft said it has uncovered “stealthy and targeted malicious activity” focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the US. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.

According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organisations in Guam and elsewhere in the US. In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft stated in an update on its site, going on to explain how the perpetrators rely almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control channel over proxy to further stay under the radar.

Microsoft is advising to mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, as well as deactivating unused accounts.

With hysteria growing by the day about the threat posed by a more strident China, American politicians have been spooked of late about reports that port cranes manufactured in China could be fitted with spy devices, something experts have latterly tried to play down.

Shipping is well aware of the threat posed by state-backed malware.

A major cyber security report penned published by Thetius, CyberOwl and HFW last November, detailed many recent cyber incidents including how the Stena Impero tanker’s GPS was spoofed to force it to cross into Iranian waters unintentionally in 2019 with the ship and its crew then held for months.

The equipment required for basic GPS attacks costs less than $100, the report warned while adding that with the resources of a nation-state, “a sophisticated spoof on an entire region or sea is not just a possibility, it is a reality”.

Getting to take over a ship’s controls is also remarkably easy with data from CyberOwl showing 54% of the ships it monitors have between 40 and 180 connected devices onboard. This includes expected devices such as business workstations, PCs, printers, and company phones. Most alarming is that on many vessels monitored by the company, systems that were thought to be isolated, such as cargo computers and engine monitoring systems, were found to be connected to the onboard business IT network somehow.

Over 60% of computers monitored by CyberOwl have various unofficial or crew-installed software, and 30% of computers make frequent use of the local administrator account giving the user full rights to the machine.

Other key takeaways from the 43-page report include news that in February last year CyberOwl discovered nation-state malware on systems onboard seven separate vessels belonging to a large liner fleet. The malware belonged to the PlugX family, which is designed to provide the attacker remote access to the affected system, followed by full admin control of the machine without permission or authorisation. This includes the ability to manipulate files, execute commands, and spread locally. The particular malware variant was first discovered in 2020 and linked to political espionage on foreign nations.

Last month’s Maritime CEO Forum in Singapore included a one-hour workshop sponsored by Inmarsat giving delegates a masterclass into all they need to have prepared to be cyber secure.

Gert-Jan Panken, vice president of sales at Inmarsat, said the industry needs to acknowledge that with increased connectivity come increased risks.

“The risk is there, the threat is there, and the examples that the attacks have been happening are there as well, so we can’t ignore this and we need to act on it,” remarked Panken.

He also pointed out the importance of having an up-to-date and standardised IT infrastructure, with a lot of systems onboard still using Windows XP, and even illegal copies of software.

Be aware, and then act, Panken suggested: “Upgrade IT systems, make sure your plans when the cyber incident is occurring are in place so that you come prepared when something is happening.”