UNDER ATTACK – A SPECIAL REPORT ON THE CYBER THREAT TO EUROPEAN PORTS
Ports and shipping companies are unwilling to report cyberattacks partly because they recognise the significant reputational risk involved in publicising security breaches and partly because port technology is far behind that of organised crime groups. Port companies have proved unable to identify bugs planted in their computer systems months or years before they are activated.
Until recently, drug traffickers like the Italian ‘Ndrangheta focused on corrupting port officials or planting low-ranking ‘soldiers’ in docks and harbours, such as the Gioia Tauro transshipment port in Italy’s Reggio Calabria, so they could load and unload containers with drugs. But such operations are often uncovered by authorities, and do not give criminal groups a high-level overview of port operations. Cyberattacks on poorly maintained computer systems, on the other hand, allow a much higher level of manipulation.
Shipping containers are particularly vulnerable to cocaine trafficking, and they often arrive in the E.U.’s biggest ports: Rotterdam, Antwerp, Hamburg and Valencia. Smugglers can hide their wares – often several hundred kilograms at a time – in containers which can then be accessed and unloaded, or even transported further amongst legal goods before criminals retrieve the drugs or contraband. Multimodal goods transport is therefore easily exploited by traffickers who infiltrate dockyards and loading bays to retrieve or deposit their trafficked packages.
Fresh food is often a target for traffickers, who believe customs officials will not seek to hold up perishable goods for long periods of time to search through them. Traffickers exploit the cultural links between the country of origin and the country of destination. Crime networks from Latin America and Lusophone Africa smuggle their shipments into marine containers heading to Spain and Portugal. Illicit goods from Guadeloupe and Martinique often find their way to France. Criminal groups struggle to monitor these long-haul shipments at every stage of the journey, but spyware has opened up new opportunities to do so.
One highly damaging method of cybercrime is the installation of spyware on key computer systems at port companies. In 2013, police uncovered a vast drug trafficking operation at the Belgian port of Antwerp, one of Europe’s busiest container ports. As Europe’s key port of entry for South American fruit, it is also one of the major hubs for cocaine imports from the same region.
Dutch drug traffickers employed hackers to infiltrate the computers of two container terminals as well as a company at the port, allowing them to track selected containers and schedule unloading at a time and place of their choice. Drivers would then remove the illegal shipments – mostly cocaine – and move them out of the port undetected. This operation went wrong at least once: one unfortunate HGV driver who unknowingly picked up a shipment of cocaine was attacked by unknown assailants wielding assault rifles.
The scheme was also often highly successful. The gang combined the physical with the virtual, breaking into the offices of port companies and installing keyloggers, minuscule computers inside electrical power strips, and external hard drives on computers. This allowed them to steal login information and ultimately locate and track containers. Investigators on the case believe the cyberattack began in 2011, leaving a two-year window of operation. It is highly likely that this gang or other groups attempted the same feat at other major ports across Europe.
Using spyware, criminal syndicates can also take screenshots, record transactions and download documents that they could later use to blackmail shipping companies or sell to rivals.
Malware – malevolent software – is another major threat to European ports. In 2014, China-based hackers infected handheld inventory scanners used by logistics firms across the world with highly sophisticated malware. The malware was installed at the manufacturer’s factory as well as in a software update, and began attacking as soon as the scanners were connected to a wireless network.
First, it manipulated the Server Message Block (SMB) protocol, which allows client applications on computers to read and write files, in order to collect logistics data, such as the origin, destination, value, and contents of shipments, as well as financial and customer data. Then, the malware searched through the enterprise resource planning servers, by which companies manage and connect areas of business like purchasing, sales, finance and human resources. It specifically searched for the keyword ‘finance’. Whatever information the malware could collect was then sent back to a server in China.
The investigators who discovered the malware identified seven affected companies; six of them were in the shipping industry. The incident demonstrates the major risks involved with an increasing reliance on the Internet of Things (IoT) – devices such as scanners, sensors, appliances or security systems that are connected to online networks.
IoT brings many advantages to maritime shipping: it allows companies to monitor power usage and control systems in the engine rooms of their vessels, or to track shipments and routes and adjust them according to weather conditions or terminal availability. Still, the maritime industry has been slow to implement IoT, whereas road and rail freight have been quick to embrace the technology. As a result, shipping personnel are under-trained in the opportunities and challenges posed by IoT and software is only sporadically updated. Failure to properly secure IoT devices leaves shipping firms vulnerable to infiltration and exploitation by organised crime groups.
Ransomware, a type of malware that encrypts information held on systems, thus disabling them, and only releases it for a fee, is a growing threat to ports and shipping. The emergence of hard-to-trace cryptocurrencies such as Bitcoin has assisted criminal groups in this enterprise. Anonymous reports suggest that shipbuilders, shipping companies, road freight firms and ports have all been targeted by ransomware, and an attack could cripple any point on a supply chain. In the future, ransomware is likely to be used to disable ship navigation systems, with severe consequences: without GPS technology, a ship could run aground. Land-based operations could also be held to ransom, disrupting supply chains.
Given that more than 80 per cent of the world’s trade by volume is carried by ships, the potential financial damage incurred by such disruptions is enormous, and it is tempting to simply pay the ransom to release the data as soon as possible. The problem with paying is that there is no guarantee that crime groups have not already copied the information, opening a new world of criminal possibilities.
Most offshore cybercrime is a consequence of human error. Personnel can unintentionally download malware simply by clicking on a link in a well-written phishing email or website, or by plugging in a USB storage device. The best mitigation against cybercrime is education. Managers should brief personnel on the major risks of cybercrime and refresh them at peak times for cyberattacks: national holidays and the end of tax years. Companies can also implement more stringent information release procedures, for example, by tracking the GPS position of users as they access company servers.
All companies should have a clear contingency plan in the event of an attack. There should be a mechanism to track cyberattacks in all security software used. After an attack, firms should conduct a comprehensive security audit to ensure there are no remnants of malware still in the network.
Because cyberattacks are normally not disclosed to the public in the maritime world, it is difficult to track or predict trends. However, criminals are mastering technology far quicker than legitimate industries, and ports and logistics companies should ensure they are as protected.
About the author
Kirsten Williams is Political Risk Analyst, Europe & Russia at Allan & Associates, an international security risk management consultancy which provides political risk analysis and protective services to a wide range of clients operating in volatile environments throughout the world. Allan & Associates specialises in the avoidance and management of risks arising from crime, terrorism, political instability, social upheaval, hostile competitor activity, technological change, and health and safety concerns.