Known incidents
This article lists nearly 80 public incidents that have affected the maritime sector, deliberately or otherwise, over the past twenty years. It is not intended to be exhaustive, but please let me know if you are aware of other public and corroborated cases. The aim is not to single out a company or a state, but to raise awareness of incidents that have already occurred and, when known, their consequences. I will add more over time. As always, attribution and sources should be treated with caution, as should the apparent increase in the public number of incidents. I am also gradually adding submarine cable outages.
Why is it so difficult to obtain a comprehensive view of incidents?
- Because reporting them, whether publicly or privately, is not mandatory in many countries, and there is often no central reporting body.
- Because it damages a company’s share price and reputation.
- Because the definition of a cyberattack varies greatly. Some consider a single ping from an unknown IP address to be a cyberattack. The Grand Port Maritime de Marseille, for example, stated that it was the target of 11,000 cyberattacks per week.
- Because a cyber event does not necessarily mean a cyberattack. A service outage caused by an IT failure is still a cybersecurity incident.
Beware of shortcuts as well: when a researcher demonstrates vulnerabilities, it does not automatically mean they are a hacker or that the action was carried out “for real.” There are also many approximations and misleading summaries. In maritime information systems, here is a good example among others, very well analyzed.
Warning: this article is no longer updated: the list of public maritime cybersecurity incidents is now maintained by the M-CERT of France Cyber Maritime, which I thank for taking over. The incidents previously listed in this article, as well as new ones, are therefore included in the ADMIRAL dataset maintained by the M-CERT (https://www.m-cert.fr/admiral/).
2021:
- 19 February 2021: Groupe Bénéteau was the victim of a cyberattack affecting several of its sites [1]
- 18 February 2021: in the tense political context in Myanmar following the coup, the Myanmar Port Authority was hit by a cyberattack [1] [2]
2020:
- 28 December 2020: German cruise operator AIDA Cruises was hit by a cyberattack [1] [2]. The incident reportedly also affected its vessels, as well as other ships in the Carnival group, which had already been hit by other cyberattacks that year.
- 14 December 2020: Norwegian cruise operator Hurtigruten was hit by a ransomware attack [1]
- 17 November 2020: the inland port of Kennewick, in the northwestern United States, was hit by a ransomware attack [1]
- 30 September 2020: the International Maritime Organization was the target of a “sophisticated” cyberattack [1] [2] [3]
- 28 September 2020: French shipping company CMA CGM, the world’s fourth-largest carrier, was hit by the Ragnar Locker ransomware, which had already claimed many victims in France [1] [2]. A possible data theft was reported by the company. The company announced a return to normal on 11 October.
- 20 September 2020: French multimodal freight operator GEFCO was hit by a ransomware attack
- August-September 2020: various spear-phishing attacks targeted the U.S. Maritime Transportation System, notably by sending realistic fake emails impersonating the U.S. Coast Guard and containing malicious attachments.
- 15 August 2020: an employee of classification society DNV-GL was arrested in Norway, suspected of having provided sensitive information on defense-related activities to foreign intelligence services.
- 15 August 2020: Carnival Corporation & PLC, a cruise ship operator, was hit by a ransomware attack. It led to a major theft of personal data. [1]
- 23 July 2020: Garmin, a manufacturer of GPS systems and maritime systems through its Navionics brand, was hit by a ransomware attack [1].
- 19 June 2020: Fountaine Pajot was the victim of a cyberattack [1]
- 9 June 2020: Norwegian shipyard Vard in Langsten was hit by a ransomware attack
- 10 May 2020: one or more Iranian ports were hit by a cyberattack (notably Shahid Rajaee, near Bandar Abbas). Few precise details emerged [1].
- May 2020: AIS “crop circles” off California [1]
- 5 May 2020: Australian transport group Toll Group, which is active in maritime freight among other sectors, was hit by a cyberattack involving the theft of personal data.
- 10 April 2020: shipping company MSC was hit by a cyberattack, later confirmed by the company, which led it to temporarily shut down part of its logistics services.
- 7/8 April 2020: Danish pump manufacturer DESMI, which serves the maritime sector, was hit by the Ragnar Locker ransomware [1]
- 21 March 2020: the Mespinoza/Pysa ransomware attack affecting the Aix-Marseille metropolitan area disrupted operations at Marseille/Fos Med Europe Terminal [1] [2] [3] [4] [5] [6]
- 10 January 2020: French multimodal freight group Clasquin was hit by a Sodinokibi ransomware attack
- January 2020: cuts to the WACS and SAT3 submarine telecommunications cables off Cameroon.
- January 2020: during a TV report for a French television program about cruise ships, a password could clearly be seen written on a post-it stuck to an integrated screen (CCTV?) on the ship’s bridge.
- January 2020: the Falcon submarine telecommunications cable, serving several countries on the Arabian Peninsula, was cut. Several tens of millions of people were affected.
2019:
- 30 December 2019: the 400 employees of London-based offshore consultancy London Offshore Consultants were affected by the Maze attack, involving the theft of 300 GB of data.
- December 2019: AIS spoofing off Elba Island [1] [2]
- December 2019: several articles referred to a large number of GPS spoofing incidents during 2019 in China [1]
- December 2019: a U.S. maritime operator was hit by the Ryuk ransomware, causing more than thirty hours of service interruption and affecting industrial systems and physical security systems.
- 10 November 2019: Mexican offshore company Pemex was hit by the Ryuk ransomware [1] [2] [3] [4]
- November 2019: British maritime services provider James Fisher & Sons was the victim of a cyberattack following an intrusion.
- July 2019: GPS “crop circles” in Shanghai
- July / August 2019: GPS spoofing and jamming in the Persian Gulf
- July 2019: cyberattack targeting a U.S. administration responsible for inland waterway security. Thirteen user profiles were reportedly compromised. Estimated cost: $103 million
- June and July 2019: the Israeli ports of Haifa and Ashdod experienced disruptions to port crane operations and container handling following GPS-related problems, without it being clear whether this involved spoofing or jamming. Operators had to switch back to manual mode, causing delays in unloading.
- May 2019: two Princess Cruises vessels (Carnival group) were hit by cyberattacks (phishing). The attack, which in fact lasted from April to July 2019, led to a personal data breach involving passenger names, addresses, social security numbers, health information, and financial information [1].
- May/June 2019: cyberattacks against maritime transport in Kuwait
- February 2019: the U.S. Coast Guard intervened on board a vessel facing a cyber event.
2018:
- 02/11: Australian company Austal, which builds warships for several countries, was the victim of an intrusion. The attackers demanded a ransom in exchange for the stolen data. The manufacturer, which notably builds Littoral Combat Ships for the U.S. Navy, stated that data related to its U.S. contracts was not affected. The Australian Department of Defence issued a press release.
- October: the port of Vancouver (USA) faced an attempted cyberattack: 225,000 accounts were probed through a brute-force attack, whereas the normal daily figure was closer to 6,000 ;-)
- 25/09: a ransomware attack hit the port of San Diego. It notably affected permits, documents, and other commercial services. See press releases n°1, n°2 and n°3.
- 20/09: a cyberattack on the port of Barcelona (Spain) affected loading and unloading operations. Very little information emerged about the nature of the attack. Ironically, the port had published a study only a few months earlier on the impact of cyberattacks in the port sector.
- 24/07: shipping company COSCO was hit by a cyberattack in the port of Long Beach (U.S.): loss of internet and port services, with other regions disconnected to prevent the spread of the ransomware
- 08/06: disclosure of the theft, in January and February 2018, of 614 GB of sensitive data from a U.S. subcontractor working in the submarine sector. Attributed to China.
- 16/03: hackers known as TEMP.Periscope (also known as Leviathan) carried out a cyber campaign against companies in the defense and engineering sectors linked to the South China Sea. The purpose of this campaign was espionage against those companies and also against the naval research sector. Apparently active since 2014.
2017:
- 29/11: British company Clarkson, a major player in the UK maritime sector, was the victim of a cyberattack. Remote access to the company’s servers was made possible through the use of an access account that was later disabled. Very little information was provided on the volume of data that may have been exfiltrated. The company later issued a new statement, analyzed here.
- 26/10: IOActive issued an alert regarding a vulnerability in certain Inmarsat satellite terminals (hard-coded credentials, SQL injection). No information was given on whether the vulnerability had been exploited. See Inmarsat’s response.
- 16/10: a cyber campaign targeted the maritime and defense sectors in the United States and Western Europe. The spear-phishing group behind the campaign, known as Leviathan, has long shown interest in the maritime and defense sectors, especially shipbuilding.
- July: BW Group, a major player in the oil industry, was the victim of a cyberattack. This appears to have involved remote access rather than ransomware.
- July: the Eastern Africa Submarine System (EASSy), the only cable connecting Somalia to the rest of the world, was cut for three weeks after a container ship accidentally severed it. Estimated economic losses: €9 million per day (half of the country’s daily GDP).
- 13/07: the Ro-Ro vessel Siem Cicero suffered a steering failure and grounded in the River Ems (Germany) after deviating from its route. The cause of the failure was a software error. Two tugboats were dispatched to tow the vessel back to the port of Emden. Various inspections carried out by divers did not reveal any impact on the hull. The software error, which was a design flaw as the vessel had been launched only ten days earlier, was corrected and the ship was then able to resume its voyage to Halifax.
- 30/06: the port of Rotterdam was in turn hit by NotPetya. Although this is not clearly specified, Maersk is widely suspected. It is worth noting that the port of Rotterdam launched a strong initiative by creating a port cybersecurity officer and a hotline. In 2020, Admiral Lunday, head of Coast Guard Cyber Command, acknowledged during a conference that several U.S. ports had also been affected by NotPetya.
- June: shipping company Maersk was hit by the NotPetya worm, which affected many countries and companies worldwide. The consequences for the well-known carrier were severe: the ports of Rotterdam, New York, Mumbai, and Argentina were shut down due to the inability to load containers. Losses are estimated at $300 million. The company had to reinstall no fewer than 4,000 servers, 45,000 PCs, and 2,500 applications… even retrieving a copy of its Active Directory from… Ghana by private jet. Its share price temporarily lost 15%. See also this article on the internal experience of the incident.
- May: the APT.32 group had been conducting campaigns for several years (since 2014?) targeting, among others, the naval sector. Charming code name: Ocean Lotus.
- 69% of Danish shipowners were affected by a cyber event during 2017.
2016:
- April (again): South Korean authorities ordered around 280 vessels back to port after observing major problems with their navigation systems (GPS jamming/spoofing?).
- April: Daewoo Shipbuilding was the victim of a cyberattack: exfiltration of sensitive data, including warship blueprints. North Korea was blamed.
- 02/03: the Gulf of Guinea anti-piracy center (Maritime Trade Information Sharing Center, Gulf of Guinea, MTISC-GoG) was affected by a flaw apparently exploited for data theft. Information reported by Maritime Executive, but denied by the center.
- The administrative services of the port of Oakland were affected by a denial-of-service attack. Very little official information is available.
- A shipowner suffered a cyberattack over several months, allowing criminals to identify containers of interest and divert their contents.
- An email account belonging to a charterer was compromised. Funds intended to pay the agent were instead transferred to a bank account in Nigeria. The vessel was detained in port because the agent had not received the funds required in time to authorize departure.
- An agent’s email accounts were compromised. An email was sent to the shipowner requesting a transfer to a new bank account. The shipowner did not verify the request and made the transfer. Total loss: $500,000 (which therefore required two transfers!).
See the survey conducted by IHS and BIMCO on cyber incidents in the sector during 2016.
2015:
- October: Breton company Sabella was affected. Its tidal turbine, submerged at a depth of 55 meters near the island of Ushant, had to be stopped for nearly 15 days after a ransomware attack (again) on the turbine’s control computer. This computer handled the satellite link between the turbine and the city of Quimper. However, the turbine was still in a test phase, so the incident had no impact on the electricity supply of Ushant. The ransom, known to have amounted to $4,000, was not paid by the company (which was a good decision and in line with ANSSI recommendations on the subject). The fifteen-day interruption therefore reflects the time required to restore the system, which is a long time.
- August: criminals stole approximately $644,000 from a Cypriot shipowner based in Limassol. The company received an email supposedly from an African oil supplier requesting that the payment be sent to a different account than usual. The company complied, only discovering the fraud later.
- A Mobile Offshore Drilling Unit was infected with malware, affecting the dynamic positioning system and requiring an emergency procedure to avoid an accident.
2014:
- During the year, around fifty cyber events affected the energy, oil, and gas sector in Norway, and there were 50 successful intrusions into the information systems of subcontractors working for the U.S. Transportation Command (air and naval components).
- December: Nautilus Minerals ordered a mining exploration vessel in China and paid a $10 million prepayment. The bank account to which the money was transferred actually belonged to a cybercriminal.
- October: the Massachusetts Maritime Academy was the victim of website defacement (twice).
- World Fuel Services was defrauded of $18 million: it delivered fuel to a vessel off Côte d’Ivoire, but the invoice was never paid, because the whole operation was a fraud.
2013:
- September: several cyber campaigns targeting the naval defense sector in the United States, Japan, and South Korea were publicly identified, affecting shipyards and industrial players. These campaigns, with charming names such as Icefog or Dagger Panda, reportedly began in 2011 or 2012 and used a compromised Java archive (.jar). This is a rather classic case of Advanced Persistent Threat. More information here.
- September: cyberattack on the non-classified intranet of the U.S. Marine Corps (NMCI) in San Diego. Attributed to Iran, this cyberattack reportedly occurred as part of Operation Cleaver. Revealed in September 2013, it is believed to have actually taken place between August and November 2012. Estimated cost: $10 million.
- March: Anchor Panda campaign (yes, many panda names, do not ask me why :-) ) targeting the maritime sector, including telecommunications, in the United States, Germany, Australia, and elsewhere.
- January: the U.S. Navy mine countermeasures ship USS Guardian ran aground on a reef off the Philippines. Incorrect digital charts had been used on its ECDIS. The vessel was ultimately destroyed by the U.S. Navy ($277 million).
- A GPS anomaly in a U.S. port affected four automated cranes for more than seven hours. Loss of the GPS signal caused two cranes to stop and disrupted the proper functioning of the other two.
- Off Houston, malware was unintentionally downloaded by company workers. Laptops and USB drives infected on shore were brought on board and downloaded pornographic content and pirated music via satellite, affecting the operation of onboard networks.
2012:
- September: under the charming names Sneaky Panda, The Elderwood Gang, and The Beijing Group, one finds the same attempted cyber campaign mainly targeting the United States and, in particular, the naval sector, mainly through spear-phishing.
- August: oil company Saudi Aramco was hit by the Shamoon malware. The contents of more than 35,000 computers were simply wiped. Five months of rebuilding followed. Unable to invoice the oil leaving its refineries, the company had to let some shipments leave for free. It also caused a temporary hard drive shortage, because it ordered 35,000 of them at once.
2011-2013:
For two years, traffickers hacked the port of Antwerp and managed to manipulate the container routing system for their own benefit, in order to prevent containers carrying drugs from being inspected by customs.
2011:
- 13-14/12/2011: commercial transactions at the port of Rotterdam were halted due to an outage in the Customs information system. Ships could not depart and trucks could not leave the port.
- 19/09: Japan’s largest defense manufacturer, Mitsubishi Heavy Industries Ltd, was the victim of a cyberattack, which resulted in access to the company’s computers. The company acknowledged in a statement that information may have been stolen. The Yomiuri newspaper reported that 80 computers were infected with malware at the Tokyo headquarters and at design and research facilities, notably the Kobe and Nagasaki shipyards, as well as Nagoya. The Kobe shipyard builds submarines and nuclear plant components, Nagasaki builds surface ships, and Nagoya manufactures missiles and rockets.
- August: Iranian shipping company IRISL was the victim of a cyberattack. Few details are available, but losses were reportedly substantial, including data loss and financial losses.
- May: a hacker claimed to have gained access to certain U.S. Navy department servers.
2010:
- An oil platform, transferred from its construction site in South Korea to its operating site, was compromised by several malware strains. The platform had to be shut down for 19 days while the malware was handled, and it appears to have affected sensitive systems on board.
2009:
- March: a former employee hacked his company’s offshore platforms as retaliation. Damage amounted to thousands of dollars, but fortunately there was no environmental impact.
- 12/01: the internal network of the French Navy was hit by the Conficker virus. Containing the spread of the malware required several subnetworks to be isolated.
2006:
- 06/11: cyberattack against the website of the U.S. Naval War College.
2002:
- April: a group of hackers calling themselves “Dynamic Duo” managed to break into computer systems belonging to U.S. Navy command, among others. The hackers defaced the U.S. Navy website to demonstrate weaknesses in its security. A defense contractor developing a website for the U.S. Navy shut down its network after the hackers gained access, notably to employee passwords. Pages on that site were also defaced, information was made public, and messages again claimed responsibility under the name “Dynamic Duo.”
1998:
- The U.S. Navy was one of the targets affected by a denial-of-service attack targeting computers running Windows NT and Windows 95.