Ships Infected with Ransomware, USB Malware, Worms


Ships are the victims of cyber-security incidents more often than people think says Catalin Cimpanu for ZDNet. Industry groups publish cyber-security guidelines to address issues.

Cyber Security onboard Ships

A recent document released by the international shipping industry reveals that ships suffer from the same types of cyber-security issues as other IT systems.

The document is the third edition of the “Guidelines on Cyber Security onboard Ships,” an industry-approved guide put together by a conglomerate of 21 international shipping associations and industry groups.

What is in the document?

The document contains –rules and guidance for securing IT systems onboard vessels– it also comes with examples of what happens when proper procedure isn’t followed.

The examples mentioned are past cyber-security incidents that have happened on ships and ports, and which have not surfaced in the public eye before until now.

For example, the guidelines include the case of a mysterious virus infection of the Electronic Chart Display and Information System (ECDIS) that ships use for sailing.

What happened?

A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation.

The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. The delay in sailing and costs in repairs totaled in the hundreds of thousands of dollars (US).

Ransomware impact

Ships were also impacted by ransomware, sometimes directly, while in other incidents the ransomware hit backend systems and servers used by ships already in their voyage at sea.

For example, in an incident detailed in the report, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship’s crew.

What happened?

A shipowner reported that the company’s business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks, while navigation and ship operations were unaffected. In one case, the owner paid the ransom.

In another incident, the entry point for the ransomware wasn’t because of its interaction with shipping ports, but because they failed to set up proper (RDP) passwords.

A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. It encrypted every critical file on the server and as a result, sensitive data were lost. The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully. The company’s IT department deactivated the undocumented user and enforced a strong password policy on the ship’s systems to remediate the incident.

Source of infections

Remotely-accessed accounts and systems weren’t the only sources of infections on ships. The report also puts a great deal of attention on USB thumb drives, usually used to update systems or transfer new documents into air-gapped networks.

The report includes details of two incidents where USB thumb drives have led to a cyber-security incident, delays, and financial damage.

Incident 1

The bunker surveyor of a dry bulk ship that just completed bunkering operations, boarded the ship and requested permission to access a computer in the engine control room to print documents for signature.

The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks.

This emphasises the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.

Incident 2

A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design. The company’s IT department made the decision to visit the ship and performed vulnerability scans to determine if the system had evidence of infection and to determine if it was safe to connect. The team discovered a dormant worm that could have activated itself once the system was connected to the internet and this would have had severe consequences.


The incident emphasizes that even air gapped systems can be compromised and underlines the value of proactive cyber risk management. The shipowner advised the producer about the same and requested procedures on how to erase the worm and stated that the infection could potentially have been caused by the service technician’s USB devices into a running process, which executes a program into the memory.

This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders.Cyber security professionals were asked to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days. Scanning tools removed the virus.

An analysis proved that the service provider was indeed the source and that the worm had introduced the malware into the ship’s system via a USB flash drive during a software installation and also proved that this worm operated in the system memory and actively called out to the internet from the server. Since the worm was loaded into memory, it affected the performance of the server and systems connected to the internet.

IT mishaps

The guidelines also warned against IT screw-ups, which, while not technically cyber-security incidents, usually cause the same effects. Just like every IT department in every company anywhere around the world, ships have had their string of facepalm-worthy IT mishaps and system crashes.

What happened?

A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was determined to be attributed to the outdated operating systems.

During the previous port call, a producer technical representative performed a navigation software update on the ship’s navigation computers. However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company.

The costs of the delays were extensive and incurred by the shipowner. This incident emphasizes that not all computer failures are a result of a deliberate attack and that outdated software is prone to failure.

Negligence is the cause

The fact that ships are vulnerable to hacking and malware infections isn’t anything new. Ships have been a disaster waiting to happen for years, because ship makers have had an obsession with putting all of a vessel’s systems online.

In some cases, ships feature proper security controls, but in most, ship systems are often left exposed online where they are indexed by search engines like Shodan or Censys.

Many of these ship-designed IT systems either use default credentials or feature backdoor accounts, putting the ship, cargo, and passengers in harm’s way due to sheer negligence.

NotPetya ransomware

The shipping industry got its cyber-security wake up call last year when Maersk, the biggest cargo shipping company in the world, was infected with the NotPetya ransomware. The incident incurred costs of over $300 million, and during the recovery process, the company’s IT staff had to reinstall over 4,000 servers and 45,000 PCs before being able to safely resume operations.

The updated guidelines released last week are a direct consequence of the shipping industry seeing how NotPetya, and a cyber-security incident in general, can cripple a company’s operations.

These guidelines are meant for securing IT systems located on ships, but they’re supposed to work with similar security controls deployed in ports and a shipping company’s own internal IT network.

A copy of this guideline is available from Guidelines on cyber security onboard ships

Did you subscribe for our daily newsletter?

It’s Free! Click here to Subscribe!

Source: ZDNet


This site uses Akismet to reduce spam. Learn how your comment data is processed.