Last week, the MPS-ISAO held a cybersecurity intelligence themed webinar, “Lurking Offshore: Active Cyber Threats Targeting Ports & Maritime”, with our partner, Wapack Labs. It’s a fascinating story about a financially motivated adversary using spear-phish to target Ports.
I’m sure you are thinking, “Another scary cyber story… Why should I care?”
Studying the data associated with this actor (how, when, why, and who) makes the case for Maritime and Port organizations working together to protect themselves from cyber adversaries. Cybersecurity silos need to be shattered - now.
Understanding the adversary.
Because Wapack has been tracking this adversary for some time, we have learned a lot by studying the intel.
First, this adversary is successful. Our intel team sees an almost 100% success rate with a low detection rate (< 5%) through traditional security technology and vendor-sourced data. During the first six months of 2017, over 1,000 U.S. and European victims were observed.
It’s a cost-effective, organized business operation. The malware being used only costs about $30 per month, and the adversary has developed a business model with specialized skills. Also, there is high reuse between victims. So, if one Port is compromised, there is a good possibility that other Ports will be targeted using the same spear-phish email.
And, this adversary is persistent. They improve their odds of success by including supply chain partners in the scope of an attack. In one instance where a Port was the intended victim, ten suppliers to this Port were targeted at the same time, with the same spear-phish email used across all organizations. The targeted suppliers were diverse too. They included the following types of organizations and services:
- Construction Consortium
- Logistics Services
- Oil & Gas Services
- Consulting Services
- Marine Transport
- IT Services Provider
- Multi-Modal Transport
- Oil & Gas Engineering Services
Turning the tide.
In 2015, the Obama administration issued two important pieces of cybersecurity legislation. A Presidential Executive Order (EO) was issued in February 2015 to promote private sector cybersecurity information sharing. Section 2 of this EO states, “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” A few months later, the Cybersecurity Information Sharing Act of 2015 (CISA) was signed into law to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats.” CISA provides information sharing legal protections to organizations who participate in an ISAO.
These two pieces of legislation led to the formation of the Maritime and Port Security ISAO, and its parent organization – the International Association of Certified ISAOs (IACI), to promote cyber resilience.
If someone could tell you where the sharks were, wouldn’t you want to know?
The MPS-ISAO, headquartered at the Global Situational Awareness Center (GSAC) at NASA/Kennedy Space Center, is a non-profit private sector-led organization working in collaboration with government to advance Port and Maritime cyber resilience. The core mission is to enable and sustain a safe, secure and resilient Maritime and Port Critical Infrastructure through security situational intelligence, bi-directional information sharing, coordinated response, and best practice adoption supported by role-based education.
Port and Maritime organizations who subscribe to the MPS-ISAO’s cyber intelligence service have the advantage of early threat awareness provided via industry-specific, cross-sector, and global cyber intelligence along with countermeasure solutions. They participate in a Maritime and Port community composed of stakeholders from across the industry sector who are interested in working together to achieve cyber resilience.
Going back to the Lurking Offshore Case Study, we know that this adversary targets multiple victims within a Port’s supply chain using the same malicious email, and then reuses the email across another 8-10 Port victims. When the email is shared into the MPS-ISAO Community, early threat awareness enables organizations to put protective measures in place.
So, a single share can protect many.
And, the business case for working together was never stronger.
Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.