Cyber attackers continue to home in on the shipping industry, considered a vulnerable and highly lucrative target, as demonstrated by the 400% increase in attempted cyber attacks on maritime companies between February and June 2020 [1], reports Lexology.
Cyber risks
Ransomware attackers are reported to have made at least USD 350 million worth of cryptocurrency in 2020 [2], a steep rise from under USD 50 million in 2018. With these numbers in mind, maritime sector participants, from the smaller shipping outfit to the largest players, would be well advised to think about their potential exposure to cyber risk, as well as the steps they should be taking to mitigate the risk of a cyber security incident such as a ransomware attack.
A ransomware attack, in which malicious software is installed remotely to block a user’s access to its computer systems or data with the intent of extorting a ransom payment in exchange for restored access, typically strikes unexpectedly. A shipping business locked out of its IT systems would have difficulty communicating with its clients, suppliers, shipping agents and port authorities, and would be unable to retrieve data, shipping documents and contact details.
‘Double extortion’
Although malware has been found aboard ships’ IT systems, the majority of cyber attacks have been perpetrated on shore-based systems: the business offices and data centres from which ships, clients and personnel are managed and the logistics of transport organised.
A ransomware attack not only encrypts a business’s IT systems, crippling it operationally, but is also often accompanied by a threat to publish sensitive information publicly or to sell it to the highest bidder on the dark web. The implications of this “double extortion” could be damaging, even catastrophic. The cruise line sector, which holds large amounts of customer data, is particularly vulnerable.
Hurtigruten, a Norwegian cruise line operator recently hit by a ransomware attack, would have had to consider this threat, and the possibility that the release of customer details could also raise serious data protection issues. We will be examining the subject of data protection more closely in our next update.
Financial and Reputational Considerations
The financial impact for a shipping business could be severe. Aside from the losses associated with the disruption of maritime operations and the prospective ransom payment itself, there are the increasingly expensive costs of responding to the incident and the resulting business interruption.
Add to this the expense of handling potential complaints from clients/customers, the costs of engaging and responding to regulators or government authorities and any ensuing third party litigation from individuals whose personal information was impacted in the incident, as well as the cost of any possible regulatory fines, and the amount continues to build up considerably.
This is before factoring in a potential drop in company share value, investment and funding following a loss of confidence. By way of example, Maersk estimated the cost of the 2017 NotPetya attack to be somewhere between USD 250 million and USD 300 million [3].
The reputational damage is also likely to translate into the loss of current and potential business opportunities, and may lead to the long-term loss of customers keen to avoid dealing with a maritime business seen as vulnerable, particularly if the breach was perceived as avoidable.
General considerations
Following any digital disruption, a maritime company’s first instinct will be to try to urgently restore its systems and resume operational control. It will also seek to prevent any threat of external data disclosure. The first thing to consider should be whether, aside from potentially paying the ransom, there are viable alternative options for recovering the systems and data. If so, these should be explored in parallel with promptly identifying and re-securing the system and the associated vulnerabilities to prevent repeated attacks.
Where the threat actor claims to have obtained data illicitly, it is important for the shipping company to validate this claim. Have the attackers genuinely infiltrated the systems and obtained a copy of this data, or are they making false assertions and/or relying on information collected externally from open sources?
In the process of engaging in discussions and negotiations with the threat actor, has it been possible to establish an attacker profile? This exercise will be helpful in gauging the perpetrators’ intentions and identifying the most appropriate negotiating techniques. Some hackers have developed a reputation for being “reliable” negotiators whilst others may be unpredictable and unreliable.
Unlocking paralyzed systems
With regard to the threat actor, has information revealing its identity been gathered? Critical indicators include the email addresses used to communicate, the cryptocurrency address provided and any other unique identifiers, all of which should be cross-checked against recognised sanctions lists.
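The cross-check described above, as an added example that is not part of the original article: the email addresses and cryptocurrency addresses taken from a ransom note are normalised and screened against a sanctions list. The list format, the designation names and every address below are constructed placeholders, not real listings; a practitioner would load the current official list (OFSI or OFAC SDN) in its own format instead.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Designation:
    """One sanctions-list entry (constructed sample schema, not OFAC's or OFSI's)."""
    name: str
    programme: str
    emails: frozenset
    crypto_addresses: frozenset

# Constructed sample designations: hypothetical names, emails and addresses.
SAMPLE_LIST = (
    Designation(
        name="EXAMPLE RANSOMWARE OPERATOR",
        programme="CYBER-EXAMPLE",
        emails=frozenset({"unlock-support@example.test"}),
        crypto_addresses=frozenset({
            "bc1qsampleaddresssampleaddresssampleaddre",        # bech32-style placeholder
            "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01",       # EVM-style placeholder
        }),
    ),
    Designation(
        name="EXAMPLE FACILITATOR LTD",
        programme="CYBER-EXAMPLE",
        emails=frozenset({"finance@example-facilitator.test"}),
        crypto_addresses=frozenset(),
    ),
)

def normalise_email(value: str) -> str:
    return value.strip().lower()

def normalise_address(value: str) -> str:
    """Canonicalise case only where the address format is case-insensitive."""
    v = value.strip()
    if v.lower().startswith("bc1"):              # bech32: lowercase is canonical
        return v.lower()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", v):    # EVM hex: mixed case is only a checksum
        return v.lower()
    return v                                     # legacy base58: case-significant

def build_index(designations):
    """Map (kind, normalised indicator) -> Designation for O(1) lookups."""
    index = {}
    for d in designations:
        for e in d.emails:
            index[("email", normalise_email(e))] = d
        for a in d.crypto_addresses:
            index[("address", normalise_address(a))] = d
    return index

def screen(emails, addresses, designations=SAMPLE_LIST):
    """Return hits as (kind, indicator as seen, designation name, programme)."""
    index = build_index(designations)
    hits = []
    for kind, values, norm in (("email", emails, normalise_email),
                               ("address", addresses, normalise_address)):
        for v in values:
            d = index.get((kind, norm(v)))
            if d is not None:
                hits.append((kind, v, d.name, d.programme))
    return hits
```

Any hit is a reason to stop and take legal advice before a payment is even discussed; an empty result is not clearance, since lists change and indicators in a ransom note are easily rotated.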
It is also paramount to ensure that the compromised IT systems are contained and secured, not only to prevent the ransomware from spreading, where possible, but also to prevent a further attack by the threat actor.
Other important points to consider: have the law enforcement authorities been alerted to the criminal event and the ransom demand? Have the various reporting obligations under sanctions, anti-money laundering, terrorism and other legislation been identified and fulfilled? Have the company’s insurers (if any) been notified in accordance with the cyber insurance policy? Has the lawfulness of any prospective ransom payment been established?
Legal considerations
Prior to making a ransom payment, and to avoid facing fines or other penalties, a maritime business needs to ensure full compliance with the national and international laws and regulations to which a company engaged in international trade may be subject. Taking the national laws of the UK as an example, a shipping company based in the UK would need to consider whether a ransom payment would fall under the Proceeds of Crime Act 2002 (POCA). POCA applies to offences committed by individuals or companies in the UK [4].
Section 328 of POCA makes it an offence for a person to enter into an arrangement they know or suspect facilitates the use of criminal property by another person. Consent for the payment may be required from SOCA (the Serious Organised Crime Agency) but this is determined on a case-by-case basis.
Under Section 15(3)(b) of the Terrorism Act 2000, a person commits an offence if they know or have “reasonable cause to suspect that it will or may be used for the purposes of terrorism.” A shipowner or charterer is unlikely to know or suspect whether an anonymous perpetrator will use the ransom towards terrorist activities, and it will fall on them to satisfy themselves, through due diligence, that there is no reasonable cause to suspect that the money may be used for these purposes.
Sanctions
Sanctions also need to be considered so that a shipping company does not fall foul of applicable sanctions regimes.
EU/UK Sanctions
EU sanctions apply to EU nationals and companies, and to all business done in the EU, including activities on a vessel under an EU member state’s jurisdiction. Under this regime, EU persons and entities are forbidden from making funds available to those listed on the European Sanctions List for Cybercriminals, which was established in May 2019 and includes entities associated with WannaCry, NotPetya and Operation Cloud Hopper. Ransom payments following cyber attacks have been subject to increased EU scrutiny, and ship owners, charterers or agents facing ransom demands should take care not to expose themselves to civil and criminal liability by making funds available to those featuring on the EU list of sanctioned entities.
The UK sanctions regime replaced the EU sanctions regime at 11pm on 31 December 2020, when the Sanctions and Anti-Money Laundering Act 2018 entered fully into force. Although similar, the new UK sanctions regime is not identical. It applies to all UK persons anywhere, to persons within the UK, and to anyone conducting activities in the UK with regard to those activities. A global ship manager with a presence in the UK and/or a major charterer or trader based in London would fall under this regime.
A shipowner could be committing an offence by making funds available directly or indirectly to a designated person on the Office of Financial Sanctions Implementation (OFSI) list of sanctioned individuals and entities, unless it could show that it did not know or have reasonable cause to suspect that funds would be made available, directly or indirectly, to such a designated person.
US Sanctions
Ransom payments are not a criminal offence in the US, though care must be taken not to violate the US sanctions regime. In general, OFAC (the Office of Foreign Assets Control) administers and enforces economic and trade sanctions for the US government. Such sanctions specifically prohibit US persons from making payments to individuals and entities on the SDN List (Specially Designated Nationals and Blocked Persons List).
This prohibition includes ransom payments, whether for the release of a ship’s crew or in response to illicit cyber demands or events. OFAC operates, with some exceptions, a strict liability regime – meaning that, although a party may unknowingly breach sanctions provisions, the risk of sanctions enforcement still applies. However, some mitigating circumstances may be considered.
On 1 October 2020, OFAC published its most recent advisory in response to increased malicious cyber-attacks on US connected systems during the pandemic. The advisory alerts companies of the potential sanctions risks for facilitating ransomware payments to sanctioned entities, and sets out the factors considered when determining an enforcement response to an apparent violation.
As ransomware events have been increasing in recent years, this advisory should be considered in tandem with the advisory on ransomware issued on 1 October 2020 by FinCEN (The Financial Crimes Enforcement Network), a US government bureau tasked with tracking financial transactions for the purpose of combating financial crimes.
Red flag indicators
The FinCEN Advisory provided potential financial red flag indicators of ransomware-related illicit activity. Some of these red flags include:
(1) malicious cyber activity evident in system log files, network traffic or file information;
(2) a customer, when opening a new account or during other interactions with the financial institution, provides information that a payment is in response to a ransomware incident;
(3) a customer’s Convertible Virtual Currency (“CVC”) address appears in open sources, or commercial or government analyses have linked that address to ransomware strains, payments or related activity;
(4) a transaction occurs between an organization from a high-risk sector and digital forensics and incident response (“DFIR”) companies or cyber insurance companies (“CICs”);
(5) a customer initiates multiple rapid trades between multiple CVCs with no apparent related purpose.
A non-US person may also be exposed to the US sanctions regime through facilitation of a ransom payment or a ransomware payment or event: if a non-US person causes a US person to violate the sanctions regime, for example by involving a US employee in an SDN-related dealing or by wiring a USD payment (USD payments usually clear through US banks), that non-US person could be liable for a sanctions violation. A shipping business considering a ransom payment should thus review its US connections: does the business use US Dollars? Are US citizens on its management team? Are any offices or branches located in the US?
In addition to the primary sanctions discussed above, secondary sanctions also apply to non-US persons even without a US nexus. These sanctions focus on economic sectors of the sanctioned country – for example, the shipping sector or the oil and gas sector. In June 2020, the US State Department sanctioned the Iranian shipping line IRISL; anyone doing business with IRISL risks sanctions, which could include restrictions on accessing the US financial system or the US market. A shipowner should closely verify that prospective charterers are not sanctioned to avoid the risk of secondary sanctions, in connection with ransom payments or otherwise.
For up to date sanctions developments, please visit our Sanctions Hub.
Enforcement
A shipping company caught in a cyber attack may find itself in the unenviable position of either facing the consequences of violating the law and/or sanctions regulations should it pay the ransom, or suffering the consequences of not complying with the perpetrator’s demands. The latter may result in systems remaining inaccessible, their destruction and/or the public dissemination of sensitive information involving clients, employees and commercial partners, with the collateral risk of litigation from the aggrieved parties.
The risk is high. More than $50 million worth of cryptocurrency that victims paid out to ransomware addresses in 2020 has been identified as carrying sanctions risk, nearly all of which was composed of payments to two ransomware strains, Doppelpaymer and WastedLocker [5].
Nevertheless, shipping companies should be aware of the severe penalties that could ensue from breaching sanctions regulations in order to protect their commercial interests. The fallout could be significant, as illustrated by the following examples of enforcement actions taken by the US Department of the Treasury.
On 15 March 2021, OFAC announced a settlement of USD 216,464 with UniControl, Inc. [6] for its role in exporting 21 shipments of its goods (boiler controls and other instrumentation) from the United States to two European companies with knowledge or reason to know that the goods were intended specifically for supply, transshipment or reexportation to Iran. UniControl failed to take appropriate steps in response to multiple warning signs it encountered when engaging in business with its European trade partners.
On 18 February 2021, OFAC entered into a settlement with BitPay, Inc. [7] for the sum of USD 507,375 based upon its alleged processing of USD 129,000 worth of digital payment transactions “on behalf of individuals who, based on IP addresses and information available in invoices, were located in sanctioned jurisdictions”.
These examples highlight the importance of conducting robust due diligence to avoid sanctions violations prior to any decision being made regarding ransom payments.
Being prepared
Ransomware is becoming increasingly sophisticated. Attacks are likely to continue rising in the maritime sector, aided by the greater vulnerability that has followed the move toward remote working triggered by the pandemic.
The legal and regulatory landscape will continue to evolve, as will the list of international sanctions. Those engaged in the maritime industry must therefore remain vigilant. We cannot discount the possibility that ransomware attacks could be undertaken in parallel with other malicious activities, such as hacks of port logistics systems for the purpose of stealing valuable cargo for transportation to a destination of choice.
Attackers could deploy measures in tandem to interfere with a vessel or port equipment, leading to physical damage, for example by remotely shutting off pumps or cooling systems. At the more extreme end of the scale, the development of autonomous vessels opens up the possibility of remote access to a vessel’s controls that could see it hijacked, involved in a collision or even used as a weapon. It will be essential for maritime industry players to keep abreast of developments and potential new risks.