Ransomware attacks pose costly threat to US maritime community

Although the number of ransomware cases is still relatively small, the average cost of a systems breach is now about $5 million, suggesting the need for vigilance.

The U.S. Coast Guard is raising the alarm about ransomware attacks in the maritime industry as vessel operators increasingly rely on digital tools and interconnected devices across vast and sophisticated networks.

“A lot of times there’s that soft underbelly waiting for an attack,” Lt. Benjamin Greene of the U.S. Coast Guard Cyber Command told Professional Mariner.

According to Cyber Command’s latest report on cyberattacks, incidents of ransomware in maritime infrastructure increased by 80 percent from 2022 to 2023, from 10 to 18 incidents. It is now the most common kind of cyberattack investigated by the team, overtaking data breaches, where hackers gain access to sensitive information.

Coast Guard Cyber Command investigated 46 cyberattacks of all types in 2023, down from 59 in 2022. Data is not available for the first five months of 2024.

These numbers are small compared to the 800,000 cyberattacks investigated by the FBI each year. But Greene warned that an increase in ransomware attacks should cause alarm across the maritime community. The attacks can be devastating to a ship or other vessel, impacting functions like steering, security, logistics, power or engine control. “Those critical systems are the ones that are going to make the ship function, the ones that help put it into port,” he said.

Ransomware is a type of harmful computer software, or malware, that blocks access to critical data or systems. Typically, victims of ransomware attacks must pay a “ransom” to the perpetrators to regain control of their computer networks. These attacks are well documented across many large organizations, including corporations, school districts and hospital networks.

In the case of a ransomware attack, critical tasks such as navigation often can still be performed manually. But the value of lost time, diminished capabilities and attempts to recover networks or systems can add up. The average cost of a critical systems breach last year was $5 million, according to a Coast Guard Cyber Command report.

“If ships can’t come into port, it affects commerce, it affects the economy,” Lt. James Austin Read, also of the Coast Guard Cyber Command, told Professional Mariner. “It’s millions and millions of dollars a day.”

It is not known how often maritime victims of ransomware attacks make payments to resolve the breach. Companies affected by these attacks have incentives for staying quiet, including reputational damage and the obvious hazard of broadcasting their willingness to pay to cybercriminals. Greene said it is rare for a shipping company to pay the attacker.

But if ransomware attacks keep happening, someone must be profiting, Ulku Clark, director of the Center for Cyber Defense Education at the University of North Carolina Wilmington, told Professional Mariner. “The increase in ransomware attacks is an indicator of the fact that they are working. If they were not working, then the numbers would go down.”

Clark said some companies have begun rethinking their ransomware policies. Previously, they relied on the advice of industry experts and law enforcement to never pay. Now, a firm might assess “the impact of having to rebuild its infrastructure in terms of time, cost and customer impact.”

Money is not the only motive behind cyberattacks on maritime infrastructure. According to the Cyber Command report, Volt Typhoon, a cyber army associated with the People’s Republic of China, is believed to be targeting the networks related to critical American infrastructure, including those in the maritime sector. The information it gathers could be used to impede U.S. mobilization capabilities or harm the nation’s economy, Greene said.

The methods of entry for cyberattacks in the maritime world are not much different from the rest of society. Often, hackers use deception to trick people into downloading malware or, in some cases, providing sensitive information voluntarily — a process known as phishing. Phishing was reported in 66 percent of maritime industry cyberattacks.

The federal government is taking steps to push back against maritime cybercrime. In February, the Biden administration signed executive orders aimed at hardening the nation’s maritime infrastructure against cyberattacks. The Coast Guard also is engaged in rulemaking to establish minimum standards for cybersecurity.

Regulations are one way to push back against these threats. But everyday employees at maritime companies are effectively the “first line of defense,” according to Jarle Blomhoff, a maritime cybersecurity expert at the classification society DNV. Hackers know this and often send phony links or email attachments to trick people into giving up information that can be used to infiltrate a network.

The same tactics used to steal people’s identities or bank account information can be used to gain access to a company’s networks, Blomhoff said.

In 50 percent of cases the Coast Guard tracked last year, cybercriminals used what is called valid information — actual usernames and passwords — to access a network or computer system. This information can be found on the dark web, or attackers can use specialized tools to input hundreds or even thousands of common passwords until one works.

In the incidents Cyber Command reviewed, weak passwords were a recurring theme, Greene said. “The average password we collected was like, seven characters. That’s trivial.”

It is also not unusual for mariners or maritime industry employees to use simple passwords or even the default passwords that came with a specific system. Such passwords can be easy for bad actors to guess.

Multifactor authentication is the best tool companies and their employees can use to protect themselves, Greene said. It is becoming increasingly common in everyday computing, and many of us are familiar with it. Users must first enter their password and then input a numeric code sent to their phone or email to access their account.

Greene emphasized the importance of vigilance in maintaining cyber-guard, saying that it should be considered part of safe operations that are already ingrained among mariners and others in the maritime industry.

“In a lot of organizations, people think that cybersecurity is not part of their job description, or they can forget about it and come back to it later,” he said. “With the world we are living in, cybersecurity is part of the job, just like physical security.”