Port of Lisbon targeted by LockBit ransomware hackers, website still down

The website of the Port of Lisbon (Porto de Lisboa) is still down a week after officials confirmed cyber attackers targeted it. Around the same time, the LockBit ransomware group added the organization to its extortion site, claiming the ransomware attack.

News reports disclosed that the Administration of the Port of Lisbon confirmed that the cyber attack did not compromise operational activity at the critical infrastructure. Following the attack, the administration notified the National Cybersecurity Center and the Judiciary Police of the incident.

“All security protocols and response measures planned for this type of occurrence were quickly activated,” port officials told the newspaper Publico. “The Administration of the Port of Lisbon (APL) is working permanently and closely with all the competent authorities, in order to guarantee the security of the systems and respective data.”

The LockBit ransomware gang claims to have stolen financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more. The group has already published samples of the stolen data, though the legitimacy of the data published could not be verified and confirmed.

LockBit has threatened the Port of Lisbon that it will publish all files stolen during the computer intrusion on Jan. 18, 2023, if its payment demands aren’t met. The hackers set the ransom at US$1,500,000 and also offer the option of delaying publication of the data by 24 hours for a payment of $1,000.

Last month, the LockBit ransomware gang attacked the California Department of Finance, stole 76Gb of data, and threatened to leak it if the ransom was not paid by Dec. 24. The gang claimed to have stolen databases, confidential data, financial documents, certification, court and sexual proceedings in court, IT documents and more.

Confirming the attack, the Californian department said in a statement that “the California Cybersecurity Integration Center (Cal-CSIC) is actively responding to a cybersecurity incident involving the California Department of Finance. The intrusion was proactively identified through coordination with state and federal security partners. Upon identification of this threat, digital security and online threat-hunting experts were rapidly deployed to assess the extent of the intrusion and to evaluate, contain and mitigate future vulnerabilities.”

Hacker groups have previously released data when their ransomware demands are not met. In October, news reports identified that the Hive ransomware-as-a-service (RaaS) group had begun leaking data stolen from India’s Tata Power Energy Company. Less than two weeks earlier, the hacker group claimed responsibility for a cyber attack against Tata Power that was confirmed by the company.

Previous research has suggested that LockBit 3.0 appears to have adopted (or heavily borrowed) several concepts and techniques from the BlackMatter ransomware family. Researchers have found a number of similarities that strongly suggest that LockBit 3.0 reuses code from BlackMatter.

The Port of Lisbon attack is the latest in a series of cyberattacks on ports across Europe that have caused massive issues. Last February, cyberattacks affected oil transport and storage companies across Europe, as authorities confirmed that large-scale cyber attacks also targeted port facilities in Belgium, Germany, and the Netherlands. IT systems were disrupted at SEA-Invest in Belgium and Evos in the Netherlands. At the same time, unconfirmed reports suggest that BlackCat ransomware may have compromised systems at Oiltanking GmbH Group and Mabanaft Group in Germany.

In November, Alejandro N. Mayorkas, secretary of the U.S. Department of Homeland Security (DHS), said in testimony on ‘Threats to the Homeland’ before the Committee on Homeland Security and Governmental Affairs of the United States Senate that, as of last February, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency had observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, and that victims in the first half of 2021 paid an estimated $590 million in ransoms, compared to $416 million over all of 2020.

“We continue to believe there is significant under-reporting of ransomware incidents,” Mayorkas said. “We assess that ransomware attacks targeting U.S. networks will increase in the near and long term because cybercriminals have developed effective business models to increase their financial gain, likelihood for success, and anonymity,” he added.

In recent years, ransomware incidents have become increasingly prevalent among U.S. state, local, tribal, and territorial (SLTT) government entities and critical infrastructure organizations, with ransom demands in 2020 exceeding $1.4 billion in the nation.
