China-linked hacker group Mustang Panda suspected – news Troms and Finnmark

Briefly summarized:
• Several European shipping companies, including Norwegian ones, have been subjected to cyber attacks using memory sticks with malware.
• The attacks were first discovered in January when a USB stick with malicious software was connected to a computer on a Norwegian cargo vessel.
• Experts believe the attacks are a coordinated espionage operation carried out by China-linked hacker group Mustang Panda.
• Mustang Panda is known for conducting cyberespionage and has previously been linked to cyberattacks in which the same Korplug malware was used.
• It is the first time a China-linked hacker group has been found to focus on commercial shipping.
• It is likely that not all shipping companies have detected or reported similar attempts. There may therefore be unreported cases.

The summary is made by an AI service from OpenAI. The content is quality assured by news's journalists before publication.

The first warning came from a Norwegian freighter in January this year. A USB stick had been connected to a computer on board. The computer was centrally located on the ship's bridge. The USB stick contained malicious software, suitable for extracting sensitive information from the shipping company.

But after the memory stick was connected, the alarm went off at Eset, a company that offers digital security solutions to customers around the world.

By the end of January, Eset had received two more notifications. Two new memory sticks, but this time on two Greek cargo vessels in Greece.

The next cases were discovered in the Netherlands. First at the end of March, then at the end of April, and again at the beginning of May. New warnings then went out in Greece again, in mid-May and at the beginning of June this year, Eset says.

Experts believe the cyber attacks are a coordinated espionage operation against European shipping companies, and link them to the China-linked hacker group Mustang Panda.

The Port of Oslo is Norway's largest container port and receives and forwards consumer goods to people in large parts of the country. For the first time, it has been revealed that cargo vessels in Norway have been targeted by hackers. The image is intended as an illustration. Photo: Astri Husø / news

– Mustang Panda known for cyberespionage

Alexandre Côté Cyr is a malware researcher at Eset. He says that they stopped all the attacks against their customers in Europe. But other vessels or companies may have been exposed to the same thing, without it being discovered or made known.

It is the first time evidence has emerged that a China-linked hacker group is targeting commercial shipping, according to Eset.

– Mustang Panda is a group that usually carries out cyberespionage. There is therefore reason to assume that the aim was to gain access to confidential information, writes Côté Cyr.

The researcher says that Mustang Panda has previously been linked to cyber attacks in which the same method and the "spyware" Korplug were used. Korplug is malware that has previously been associated with Chinese APT organizations and has been linked to attacks against institutions in a number of different countries. Because this had been seen before, the attacks could be stopped.

Alexandre Côté Cyr researches exactly this kind of malware and knows well the methods of those who are often behind it. He says Mustang Panda is a China-friendly hacker group known to target strategic industries.

– This attack campaign against commercial sea transport is in accordance with such economic interests, writes Côté Cyr.

He believes that companies in countries other than Norway, the Netherlands and Greece may also have been exposed to the same thing.

– The countries we have seen attacked each have a large maritime industry. We only have data from our own customers, most of whom are in Europe.

What secret information might they have been after?

Greece has the world's largest commercial shipping fleet, according to a 2023 report from UN Trade and Development; the Netherlands is also high up on that list. The picture shows the container terminal in the port of Piraeus. Photo: LOUISA GOULIAMAKI / AFP

It is believed that vessels or company structures were the target

– As we assess the case, the threat actor's aim was to hit several vessels or company structures within the maritime sector, says head of department for maritime security at the Coastal Administration, Richard Utne.

He says they are aware that there have been digital attacks against Norwegian-flagged vessels. He believes the threat actor probably wanted insight into the maritime sector in European countries, and therefore distributed memory sticks.

– We can confirm that the group known as Mustang Panda is one of the threat actors we consider to pose a threat to the maritime sector.

He refers, among other things, to Eset's report, and also to other security experts who have discussed the cyber attacks.

Norway is considered the world's fourth largest shipping nation. According to Utne, this could be a possible explanation for why Norway was attacked.

Richard Lobb Utne is head of the department for maritime security in the Norwegian Coastal Administration. Photo: Private

He points out that the maritime sector in Norway is one of the most important and significant industries for the Norwegian economy. How things are going in shipping has a great influence on shipyards, equipment suppliers and others who depend on, for example, shipping. He believes this could be of great interest to foreign intelligence.

– When critical goods or value chains are controlled by a small number of actors, the value and probability of supply disruptions and exploitation of market power increase. It can take a long time to establish alternative value chains, and existing dependencies will persist for several years.
Such dependencies may be of interest to foreign intelligence. In other words, very different hacker groups may attempt to steal technology or trade secrets to support the goal of being a dominant global maritime power.

Norwegian vessels must normally report cyber attacks to the flag state and coastal state, and are also encouraged to report to the police.

news has asked the Police Security Service about the hacking attempts against Norwegian vessels.

– The Police Security Service is aware of the matter and is kept informed about the case, senior advisor Eirik Veum writes to news.

Richard Utne in the Norwegian Coastal Administration says that it is likely that not all companies are aware of what they have been exposed to. He also believes that it is likely that some shipping companies will choose to handle it internally, rather than report it to the police, for fear of loss of reputation. There may therefore also be unreported cases.

But how did the memory sticks get on board?

– May have spread memory sticks at a maritime event

Since they received warnings about cyber attacks on vessels in Norway, then in Greece and the Netherlands, Eset has detected attacks against vessels in other parts of the world as well, writes Côté Cyr to news: in Singapore and in the United Arab Emirates. Both countries are in the top 20 in the world when it comes to having the largest fleet.

The Norwegian Coastal Administration and the Norwegian Maritime Directorate collaborate with the Norwegian company Norma Cyber to get support in dealing with such and similar incidents. It was created by Norwegian shipping companies and offers cyber security services to its members.

Norma Cyber's general manager, Lars Benjamin Vold, confirms that they have assisted with advice and technical analysis when two Norwegian shipping companies received malware in their computer systems via a memory stick. However, these are two other cases than those reported by Eset.
Here too, the method involved a memory stick.

Lars Benjamin Vold, Norma Cyber. Photo: Norma Cyber/Marthe Brendefur

One was against a Norwegian vessel operating in Asia, and the other against a Norwegian maritime enterprise's land-based infrastructure in Asia.

– We have carried out an analysis of the malware and compared technical indicators with information in our databases, which are linked to China by recognized security analysts.

– How could this have gotten on board?

– It is uncertain, but here it is important to remember that this type of malware has a certain self-spreading component. If a machine becomes infected, the malware will automatically be transferred to other USB devices connected to this machine. Therefore, for example, a USB stick that a technician from a service provider brings on board can be infected from a previous mission without the technician being aware of it.

Not even Eset, who first discovered the memory sticks, can say with certainty how they got on board the ships.

Alexandre Côté Cyr believes it is unlikely that the threat actor gained direct physical access to all the vessels, but there are two theories. One is that Mustang Panda has distributed compromised USB sticks at an event or at a place where people from the maritime industry meet. The other is that a USB worm may have spread at an event where people from the maritime industry meet.

– In both cases, the USB stick would have been brought on board by someone with legitimate access to the ship, but without the person who brought the stick on board knowing that he or she was carrying a USB that contained malware, writes Côté Cyr.

news has asked the Chinese embassy in Oslo about the cyber attacks on vessels. In an e-mail to news, the press office writes that China is also a victim of cyber attacks, and is happy to cooperate with Norway and all other countries to deal with such threats.

– At the same time, we also reject all accusations and smear campaigns that use cyber security as an excuse to serve political purposes. We hope Norway can be on guard against this type of disinformation which will only fuel more rumors and unnecessary panic, writes the embassy.

Published 09/07/2024, at 18.48


