New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems

The U.S. Coast Guard Cyber Command (CGCYBER) announced on Monday that network-connected OT (operational technology) introduces potential vulnerabilities to the marine environment (ME). Organizations within the marine infrastructure are increasingly adopting internet-connected OT systems, thereby expanding the attack surface for cyber threats.

“In 2023, Coast Guard Cyber Protection Teams (CPTs) found that OT network segments often contained an organization’s most critical and most vulnerable systems. In most cases, CPTs observed OT systems running End-of-Life software with known exploitable vulnerabilities (KEV),” the CGCYBER detailed in its second annual Cyber Trends and Insights in the Marine Environment (CTIME) report. “Additionally, OT systems often utilize vulnerable network protocols allowing for further exploitation and privilege escalation. These risks are further exacerbated when OT networks lack sufficient access controls, allowing adversaries to jump from the information technology (IT) networks to the OT networks. This could allow adversaries to deliver effects in the physical domain.”

The CGCYBER report identifies a significant uptick in reported Advanced Persistent Threats (APTs) targeting owners, operators, and industry partners in the marine environment. It also disclosed that reports of ransomware incidents increased 80 percent from 2022 to 2023 and that the average requested ransom more than tripled. Targeted organizations included maritime shipping companies; liquid natural gas processors/distributors and petrochemical companies; and maritime logistics and technology service providers.

The report underscores the growth in ransomware incidents. According to CGCYBER’s Maritime Cyber Readiness Branch (MCRB), incidents surged 80 percent, from 10 in 2022 to 18 in 2023. “Furthermore, malicious cyber actors were observed using more sophisticated techniques. One such technique includes a new partial encryption method where actors can change how much of a file is encrypted by ransomware. This technique makes the ransomware harder to discover by anti-malware solutions and increases the speed at which the adversary can encrypt victim files. In addition to financial extortion, these incidents often result in months of reduced operational capacity and potential reputational impacts,” it added.

Furthermore, the CGCYBER identified the same categories of cybersecurity deficiencies flagged in the two previous CTIME reports. “In 2023, CPT missions reinforced many of the same recommendations to partners as provided to other organizations in past years. This confirms the presence of persistent vulnerabilities within the ME. Recommendations focused on improving basic cyber hygiene, including implementing a Patch Management Policy, enforcing the principle of Least Privilege, and implementing Multi-Factor Authentication (MFA),” it added.

“As U.S. Coast Guard missions expand into the cyberspace domain and across the global maritime commons, CGCYBER remains strategically postured to protect maritime critical infrastructure from advanced cyber threat actors,” Rear Admiral Jay Vann, Commander of the Coast Guard Cyber Command, said in a media statement. 

The CGCYBER report disclosed that in 2023, the marine environment saw an increase in industry reporting of nation-state actors targeting U.S. critical infrastructure. “In response, CGCYBER focused CPT resources towards finding these actors and focused on incorporating OT in CPT missions. 2023’s CTIME report reflects the change in priority with the added sections for Hunt & Incident Response RECAP and Securing OT.”

CGCYBER continued to build capacity to support the growing demand from partners in the ME seeking CPT assistance. The 2003 CPT reached Initial Operating Capability last August and is expected to reach Full Operating Capability this year. Additionally, the CGCYBER established a Reserve Component CPT, 1941 CPT, which will supplement the Active Duty CPTs and provide specialized expertise to support and augment operations. 

In 2023, the MCRB and local Coast Guard units conducted 46 investigations into reports of cyber incidents, including several that significantly affected large international organizations. Though the overall number of reported incidents has decreased since 2022, MCRB believes many incidents go undetected, or go unreported by organizations fearful of public perception following a cyber incident. Nation-state hackers and opportunistic cybercriminals consistently target the marine environment, given that more than 90 percent of U.S. imports and exports flow through U.S. maritime ports annually.

The MCRB has observed a similar number of phishing/spoofing events in 2023 compared to other years. In 2023, 22 percent of incidents were phishing/spoofing events compared to 25 percent in 2022 and 20 percent in 2021. When it comes to other types of cyber incidents, denial of service (DoS) is a method attackers continue to use in efforts to disrupt maritime operations. 

Maritime shipping companies continue to be targeted by cybercriminals. However, MCRB has also observed a significant increase in malicious cyber actors targeting maritime logistics integrators and technology service providers. Malicious cyber actors have also been observed exploiting vulnerabilities in public-facing systems to obtain initial access to the networks of entities in the marine environment.

For example, Microsoft reported that the threat actor Volt Typhoon was observed gaining unauthorized access to U.S. critical infrastructure provider networks by exploiting vulnerabilities in internet-facing devices. After gaining initial access, Volt Typhoon actors leveraged native administrative tools and capabilities, known as living off the land (LotL) techniques, to find information on systems, discover additional devices, and exfiltrate data.

Beyond Volt Typhoon, the CGCYBER report noted that the CL0P ransomware gang was also observed exploiting vulnerabilities in internet-facing devices, specifically Progress Software’s managed file transfer solution, MOVEit Transfer. “CL0P has been observed gaining initial access to MOVEit Transfer databases using an SQL injection vulnerability and leveraging their unauthorized access to steal data,” it added.

As the Coast Guard continues to combat illicit actions by malicious cyber actors, the CGCYBER report reveals that the agency relies on cyber incident reports to the National Response Center (NRC) to activate response capabilities and increase awareness across the marine environment. Regulations require some entities to report cyber incidents, but the Coast Guard urges all organizations in the ME to report all cyber incidents to the NRC. Through free-flowing, multi-directional information sharing in the marine environment, the Coast Guard and marine environment organizations can best address these evolving cyber threats.

Addressing recent reports of the continued use of ‘Living off the Land’ TTPs by malicious cyber actors, the CGCYBER recommends that organizations review the guidance in CISA’s cybersecurity advisory (CSA). To detect malicious LotL activity, organizations should start by establishing an accurate baseline of how system utilities are used in their environment, retain logs for extended periods, and then investigate uses that differ from that baseline.
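The baseline-then-deviate approach described above, as an added illustration that is not code from the report or from CISA: a long retention window of process-creation events is reduced to a baseline of which users launch which native utilities from which parent processes, and newer events are flagged when the combination was never or rarely seen. The log format, the hostnames, users, and the list of watched utilities are all constructed for this example; a real deployment would feed it EDR or Windows Security 4688 / Sysmon exports and tune the watched list against the CISA guidance.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample process-creation records, one per line in key=value form.
# The "baseline" set stands in for months of retained logs; the "new" set is
# the period under investigation.
BASELINE_LOG = """\
ts=2024-01-08T08:02:11Z host=ws01 user=alice parent=explorer.exe image=powershell.exe
ts=2024-01-09T09:14:50Z host=ws01 user=alice parent=explorer.exe image=powershell.exe
ts=2024-01-12T13:40:07Z host=ws01 user=alice parent=explorer.exe image=powershell.exe
ts=2024-01-10T10:22:31Z host=ws01 user=alice parent=explorer.exe image=cmd.exe
ts=2024-01-15T16:05:19Z host=ws01 user=alice parent=explorer.exe image=cmd.exe
ts=2024-01-11T02:00:03Z host=srv02 user=svc_backup parent=services.exe image=powershell.exe
ts=2024-01-16T11:31:44Z host=ws03 user=bob parent=explorer.exe image=cmd.exe
ts=2024-01-18T14:12:29Z host=ws03 user=bob parent=explorer.exe image=cmd.exe
"""

NEW_LOG = """\
ts=2024-02-02T08:10:00Z host=ws01 user=alice parent=explorer.exe image=powershell.exe
ts=2024-02-02T08:12:45Z host=ws03 user=bob parent=explorer.exe image=wmic.exe
ts=2024-02-03T02:00:02Z host=srv02 user=svc_backup parent=services.exe image=powershell.exe
ts=2024-02-03T03:27:18Z host=srv02 user=alice parent=w3wp.exe image=cmd.exe
"""

# Native administrative utilities whose usage is baselined. Constructed for
# this example; an organization would derive its own list from the CISA CSA.
WATCHED_UTILITIES = {"powershell.exe", "cmd.exe", "wmic.exe", "netsh.exe", "certutil.exe"}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str


def parse_line(line: str) -> Event:
    """Parse one key=value record into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(**{k: fields[k] for k in ("ts", "host", "user", "parent", "image")})


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: List[Event]) -> Counter:
    """Count how often each (user, parent, utility) combination occurred."""
    return Counter(
        (e.user, e.parent, e.image)
        for e in events
        if e.image.lower() in WATCHED_UTILITIES
    )


def detect_deviations(baseline: Counter, events: List[Event],
                      min_seen: int = 2) -> List[Tuple[Event, str]]:
    """Flag watched-utility launches whose combination is new or rare in the baseline."""
    findings = []
    for e in events:
        if e.image.lower() not in WATCHED_UTILITIES:
            continue
        seen = baseline.get((e.user, e.parent, e.image), 0)
        if seen == 0:
            findings.append((e, "user/parent/utility combination never observed in baseline"))
        elif seen < min_seen:
            findings.append((e, f"combination seen only {seen} time(s) in baseline"))
    return findings


def run_example() -> List[Tuple[Event, str]]:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_deviations(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for event, reason in run_example():
        print(f"{event.ts} {event.host} {event.user}: {event.parent} -> {event.image}: {reason}")
```

Against the constructed data the routine passes alice’s habitual PowerShell use, and surfaces three events for an analyst: a first-ever wmic.exe launch, a service account whose PowerShell use was seen only once in the baseline, and cmd.exe spawned by a web server worker process. The point is that none of these utilities is malicious in itself; the signal comes from the deviation against a retained, per-environment baseline.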

Looking ahead, the CGCYBER report says ransomware is on the rise and that cybercrime will continue to affect the marine environment. “In 2023, a variety of new vulnerabilities impacted the ME, and novel threat actors targeted these vulnerabilities. ME organizations often employ network-connected software and hardware specialized for maritime functions, in which vulnerability identification and patching may be slower than for mainstream IT applications,” it added.

Additionally, reported ransomware incidents within the marine environment increased markedly from 2022 to 2023. MCRB received more reports of ransomware incidents in the first quarter of 2023 than all of 2022. Based on CPT missions and cyber events investigated by MCRB, financial incentives appear to have remained the driving motivation behind most threat activity in the marine environment, which is consistent with 2023 industry reports on ransomware. 

The report also recognized that the financial impact on compromised organizations remained high. Based on the spike in the number of reported ransomware incidents in the marine environment, the continued financial incentives for threat actors, and the vulnerabilities affecting technologies within the marine environment, it is likely that financially motivated cybercrime will continue to have a significant impact in 2024. The Coast Guard expanded its capacity for cyber operations in 2023 and plans to expand partnerships with industry partners in the marine environment and government stakeholders to combat this trend of ransomware and cybercrime.

It also said that the adoption of AI-based technology within the marine environment is likely to continue to increase. Although understanding of the cybersecurity risks and mitigations is in its infancy, marine environment organizations should still apply known cybersecurity best practices to AI-enabled systems. This includes minimizing interfaces directly exposed to the Internet, monitoring system activity, and implementing strict access control policies. CGCYBER will continue to advance its understanding of these technologies and determine how to better assess, monitor, and utilize new AI-based systems.
