State-Sponsored and Organized Crime Threats to Maritime Transportation Systems in the Context of the Attack on Ukraine

R. Cichocki
Gdynia Maritime University, Gdynia, Poland

the International Journal on Marine Navigation and Safety of Sea Transportation, Volume 17, Number 3, September 2023. DOI: 10.12716/1001.17.03.24. http://www.transnav.eu

ABSTRACT: Due to its strategic importance and vast impact on the world economy, maritime transport has become a cyber battlefield. Cybersecurity organizations across the world notice and analyze adversaries such as Bear from Russia, Panda from China, Buffalo from Vietnam, Chollima from North Korea (DPRK), and others from Colombia, India, Turkey, and Iran, as well as hacktivists and eCrime. In 2014-2023, Ukraine became the object of massive cyberattacks aimed at its political, social, and economic destabilization. This situation changes the perception of cyberspace and its importance for ensuring the security of the global economy, in particular the maritime economy. Reports published by the US Coast Guard confirm this. In this publication, the author reviews the cybersecurity threat landscape targeting the maritime industry and transportation systems and analyzes the techniques, tactics, and procedures (TTPs) used by threat actors.

1 INTRODUCTION

Cyberattacks on Ukraine have been a significant issue in recent years, with various serious incidents that show the increasing impact of such attacks. In 2014-2023 [1]–[3], Ukraine became the object of massive cyberattacks aimed at its political, social, and economic destabilization. On the other hand, Russian cyber operations have been relatively unsophisticated, and the threat actors used well-known malware [3]. The visibility of the hackers' actions was consequently very high. Unfortunately, that does not mean they were unsuccessful, especially in the first attack stage in February 2022. For this reason, it is worth noting that in the annual US Coast Guard Cyber Trends and Insights in the Marine Environment 2021 Report, the most disturbing findings were: easily crackable passwords, open mail relays, unsupported (vulnerable) operating systems, and non-essential use of elevated access [4]. On many marine units one can still find electronic chart display and information systems (ECDIS) based on Windows XP or Windows 7 operating systems [5], vulnerable to EternalBlue (CVE-2017-0144) and other RCE-class vulnerabilities. That indicates how much must be done to achieve maritime cyber resiliency.

On the other hand, the security measures created today quickly turn out to be both necessary, required, and insufficient. On August 20, 2019, Microsoft announced that one simple action, Multi-Factor Authentication, could prevent 99.9% of attacks on user accounts [6]. Today, four years later, we know at least a few techniques to bypass or break MFA, such as Evilginx2 (proxy), Pass the Cookie (cookie stealing), many techniques to steal SMS-based tokens, attacking software tokens like Google Authenticator or RSA's SecurID Authenticate by utilizing one of the recent significant zero-days found in Android and iOS devices, and, last but not least, the Hafnium zero-day exploit, which targeted the server side to disable MFA altogether [7], [8].

All those facts show that the game between cybercriminals, often state-sponsored or financially motivated, and cybersecurity teams is a constant and unequal struggle.
2 UKRAINE ATTACKS

Russian APT groups carried out multi-level attacks on Ukraine in January 2022. On January 14, 2022, about seventy government websites were hacked. Kyiv claims that the attackers appear to have used the software administration rights of a third-party company that developed the sites. However, it is worth mentioning that these sites use the October CMS system, which was vulnerable to CVE-2021-32648, discovered in May 2021, which allows attackers to gain access to user accounts through specially crafted password reset requests [9]. The DEV-0586 group conducted a second, parallel destructive malware attack on January 13 against the government, army, defense ministry, and major banks. The wiper, known as WhisperGate, was used again on February 23 against multiple Ukrainian organizations in the financial, defense, aviation, and IT sectors. ESET reported this malware as HermeticWiper, named for its genuine code-signing certificate. On February 15, an extensive DDoS attack brought down the websites of the defense ministry, the army, and the most prominent Ukrainian banks, PrivatBank and Oschadbank [10]. On February 24, the Viasat KA-SAT hack was conducted, intended to disrupt the Ukrainian military network, which used the Viasat network to provide communication services. Ten thousand previously online modems dropped their connection and did not attempt to reconnect. Investigation and forensic analysis show that the threat actors exploited a misconfiguration in a VPN appliance to gain access to the internal management network segment of the KA-SAT system. Subsequent lateral movement through a trusted network allowed the attacker to reach the segment from which management commands could be sent to thousands of modems simultaneously [11]. The last stage of the first quarter of 2022 began on March 6, when Russia significantly increased the frequency of cyberattacks against Ukrainian civilians and refugees in Poland. Only two organizations, Quad9 and Packet Clearing House, both of which protect against attacks by observing DNS traffic and blocking queries that show signs of attack, reported the interception and mitigation of 4.6 million attacks against computers, both Ukrainian and Polish (70% of refugees took refuge in Poland) [12].
3 APT AND THREAT LANDSCAPE

In 2014, Kevin Mandia, Senior Vice President of Mandiant, for the first time publicly spoke at the RSA Conference about Chinese government and military attacks against US commercial corporations. He stated that when technological protection and controls become more sophisticated, the attack vector shifts and targets humans as the weakest link [13]. That statement was true as far back as 1979, when Kevin Mitnick, the FBI's most wanted computer criminal, gained access to Digital Equipment Corporation (DEC). The term social engineering was invented by Mitnick, who said that he always hacks the people, not the technology. The same principle applies nowadays. The last two years' FBI IC3 reports show [14] that the most dangerous attacks in terms of losses caused are those targeting humans: Business Email Compromise/Email Account Compromise, Personal Data Breach, Identity Theft, and Government Impersonation. Attacks described in the FBI IC3 Report cover a broad cyber landscape, including network attacks, critical infrastructure attacks, large-scale fraud schemes, and threats to national security.

The Mandiant M-Trends 2022 special report [2] shows that the time between the attacker gaining access to the victim system and the detection of its presence decreased from 24 days in 2020 to 21 days in 2021. However, this is the only good news in the cybersecurity landscape.
Figure 1. Malware by Category 2021

In 2021 alone, Mandiant observed 733 malware families, and the five top categories were: backdoors (40%), droppers (12%), ransomware (10%), downloaders (7%), and credential stealers (5%).

Analysis of the techniques, tactics, and procedures (TTPs) used by threat actors shows that the five most used techniques, according to the MITRE ATT&CK taxonomy, are:
T1027: Obfuscated Files or Information - 51.4%
T1059: Command and Scripting Interpreter - 44.9%
T1071: Application Layer Protocol - 36.8%
T1082: System Information Discovery - 31.8%
T1083: File and Directory Discovery - 31.7%

And the top five most frequent sub-techniques are:
T1071.001: Web Protocols - 32.0%
T1059.001: PowerShell - 29.4%
T1070.004: File Deletion - 27.1%
T1569.002: Service Execution - 26.5%
T1021.001: Remote Desktop Protocol - 23.4%

The Advanced Persistent Threat kill chain covers more steps than the classical seven-stage kill chain. In the case of an APT or Targeted Attack Lifecycle, we can distinguish:
Figure 2. Targeted Attack Cyber Kill Chain
In 2021, threat actors used new techniques, tactics, and procedures to deploy malware rapidly and efficiently through a business environment. Many attackers target the VMware vSphere and ESXi platform and vCenter Server. The most used tools involve Apache Log4j exploitation (CVE-2021-44228). It is worth noting that in 2020 VMware solutions held 25.8% of the entire virtualization market.

Since the first group, APT1 (PLA (People's Liberation Army) Unit 61398), was reported by Mandiant in 2013, Mandiant observed the actions of 36 Chinese APT groups in 2021. Moreover, between 2016 and 2021, the activity of 244 distinct Chinese cyber espionage threat actors was observed. Concerted efforts by the US, UK, and other European governments allowed for the detection of, and attribution to, China's extensive espionage operations, including exploitation of Microsoft Exchange servers and ransomware campaigns.
Mandiant found out that most of the compromises that affected the observed systems were caused by on-premises misconfigurations: lack of strong passwords and of the least-privilege principle, privileged user account usage on unnecessary assets, GPO edit permissions for non-privileged users, use of account delegation, and Microsoft Certificate Authority misconfiguration. On Microsoft Azure and Microsoft 365 cloud solutions, most risk is concentrated in the lack of MFA or its relaxed use. Even if MFA is appropriately configured, the use of some commonly known legacy authentication protocols such as IMAP4, Autodiscover, Exchange ActiveSync (EAS), POP3, Outlook Anywhere, ActiveSync, or Authenticated SMTP allows attackers to bypass MFA mechanisms.
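Because a correctly configured MFA policy is silently sidestepped by the legacy protocols listed above, a defender's first step is to find which accounts still authenticate over them. The following added example (my own code, not the paper's or Microsoft's) scans constructed Microsoft 365 sign-in records for successful single-factor sign-ins over those protocols; the field names follow the Microsoft Graph signIn resource, and the exact clientAppUsed labels are my assumption of the current naming.

```python
"""Flag legacy-protocol sign-ins that never passed a second factor.

Added example, not from the paper or Microsoft. Field names
(clientAppUsed, authenticationRequirement, status.errorCode) follow the
Microsoft Graph signIn resource; the records below are constructed sample
data, not real log lines.
"""
import json
from collections import Counter

# Protocols the paper names as MFA-bypass vectors, mapped to the labels the
# sign-in log uses for them (assumption: current Entra ID naming).
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Autodiscover", "Outlook Anywhere (RPC over HTTP)",
    "Other clients",  # catch-all the log uses for unlisted legacy clients
}

# Constructed sample sign-in records in JSON-lines form.
SAMPLE_SIGNINS = """\
{"userPrincipalName":"ops@example.test","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"ops@example.test","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"master@example.test","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"master@example.test","clientAppUsed":"POP3","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"agent@example.test","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""


def find_mfa_bypass_signins(jsonl):
    """Return (user, protocol) for successful legacy sign-ins without MFA.

    Failed attempts (non-zero errorCode) are excluded here; they matter for
    password-spray detection but do not show an MFA bypass that succeeded.
    """
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        succeeded = rec.get("status", {}).get("errorCode", 1) == 0
        legacy = rec.get("clientAppUsed") in LEGACY_CLIENT_APPS
        no_mfa = rec.get("authenticationRequirement") != "multiFactorAuthentication"
        if succeeded and legacy and no_mfa:
            hits.append((rec["userPrincipalName"], rec["clientAppUsed"]))
    return hits


def summarize(hits):
    """Count hits per protocol, to decide which one to block first."""
    return dict(Counter(app for _, app in hits))


if __name__ == "__main__":
    found = find_mfa_bypass_signins(SAMPLE_SIGNINS)
    for upn, app in found:
        print(f"single-factor legacy sign-in: {upn} via {app}")
    print(summarize(found))
```

Accounts that appear in the output are the ones a Conditional Access policy blocking legacy authentication would break, so the list doubles as the migration checklist before that policy is enforced.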
Cloud-based services are commonly used across the entire world economy. The US Coast Guard reports that it noticed a significant trend in the transition to cloud-based email and office productivity services in the Maritime Environment: 85% of observed organizations use cloud-based email solutions.
The same problems Mandiant observed are reported in the annual US Coast Guard Reports [4], [15]: a lack of Least Privilege Principles, a lack of a Strong Password Policy, or a lack of MFA. The authors state that the problem of insufficient Patch Management Policy or misconfigurations is exploited by APT actors that target the Maritime Environment and often gain access by targeting company users with methods such as Phishing for Information or by Compromising Systems with Known Exploitable Vulnerabilities (KEV). In 2022 there was a 20% increase in cyber incident reporting compared to 2021. The Coast Guard Cyber Protection Teams (CPTs) reported the identification of 139 known exploitable vulnerabilities during 2022 missions. They discovered over 3000 hashes of easily crackable passwords with fewer than 13 characters. That means we must work hard to improve the cybersecurity posture in Maritime Environments.
While 90% of US imports and exports flow through Maritime Environments, which is more than 5.4 trillion USD, the ME is constantly targeted by APT and financially motivated threat actors [16]–[19]. The threat actors in these cases often utilize well-known TTPs, and USCG Reports show that Phishing (T1598) and Valid Accounts (T1078) were the most frequently observed techniques. The Coast Guard Cyber Protection Teams emulate attacks by using well-known TTPs:

Figure 3. MITRE ATT&CK Techniques Used First CY22. Developed based on [15]
The password hashes used for Brute Force were obtained using the LLMNR/NBT-NS Poisoning, SMB Relay, Steal or Forge Kerberos Tickets: Kerberoasting, and Credential Dumping sub-techniques.

The achieved result shows improvements in the mitigation of the risks.
Table 1. Mitigation Status 2021 vs 2022
________________________________________________
All Findings               CY21    CY22
________________________________________________
Fully Mitigated            48%     62%
Partially Mitigated        33%     31%
Accepted Risk               5%      0%
False Positive              2%      0%
No Action Taken to Date    12%      8%
________________________________________________
Developed based on [15]
One of the most common and dangerous threats, ransomware attacks, evolved in the last years. Current trends show three disturbing developments which can be observed in a variety of organizations, including maritime ones. First, victim shaming: attackers use multi-extortion techniques to ensure organizations pay a ransom demand, releasing samples of victims' data on the darknet, including details on the total amount of data, trying to shame victims into payment. So far, criminals have encrypted organizations' files, and now they leverage leak sites and threaten follow-on DDoS attacks. The second trend is using Ransomware-as-a-Service for ransomware campaigns, which quickly lowers the technical skills required for such attacks. And the third aspect is the numerous and extensive use of zero-day vulnerabilities in ransomware attacks [20].
At the 2022 Cyber-SHIP Lab conference, researchers from the University of Plymouth presented a simulated attack on the Port of New York and New Jersey. It is the largest port on the United States East Coast and the third largest in the US. The simulated attack started with sending a fake phishing email regarding an urgent electronic chart update and finished with the targeted vessel's complete blockage of the fairway. Malware hidden in the update managed to take control of the ship's engine and rudder and disabled any control signals from the ship's bridge at the designated geographical position. The simulation shows that in the case of such attacks, crew members were utterly helpless, and in one minute and thirty seconds the traffic in one of the most sensitive points of the fairway was blocked. The expected losses were estimated at 180 million dollars in the first six hours [21]. That was only a simulated incident; however, the Ever Given container ship grounding incident in the Suez Canal [22] shows the impact of such an incident on the worldwide economy.
4 CONCLUSIONS

The ongoing conflict in Ukraine and the cyberattacks carried out as part of it show the importance of cybersecurity and cyber resilience in today's worldwide economy. Numerous cyber incidents in the Maritime Environment [16], [17], [19], [23]–[28] clearly show how much has to be done to achieve the desired resiliency level. The observed activity of APT nation-state or state-sponsored groups is constantly increasing, and due to the complexity of the Maritime Environment, threats to the maritime industry continue to grow.
REFERENCES

[1] "CrowdStrike 2023 Global Threat Report | Executive Summary," crowdstrike.com. https://www.crowdstrike.com/resources/reports/global-threat-report-executive-summary-2023/ (accessed June 14, 2023).
[2] "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines," Mandiant. https://www.mandiant.com/resources/blog/m-trends-2022 (accessed June 14, 2023).
[3] K. Monica, S. James, and S. Max, "The Cyber Operations during the 2022 Russian invasion of Ukraine: Lessons Learned (so far)," Jul. 2022. [Online]. Available: https://eccri.eu/wp-content/uploads/2022/07/ECCRI_WorkshopReport_VersionOnline.pdf
[4] "2021 Cyber Trends and Insights in the Marine Environment (CTIME) Report," Aug. 2022. Accessed: June 14, 2023. [Online]. Available: https://safety4sea.com/uscg-cyber-trends-and-insights-in-the-marine-environment/
[5] B. Svilicic, K. Junzo, M. Rooks, and Y. Yano, "Maritime Cyber Risk Management: An Experimental Ship Assessment," J. Navig., vol. 72, pp. 1–13, Feb. 2019, doi: 10.1017/S0373463318001157.
[6] M. Maynes, "One simple action you can take to prevent 99.9 percent of attacks on your accounts," Microsoft Security Blog, August 20, 2019. https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/ (accessed June 14, 2023).
[7] D. Freeze, "Multi-Factor Authentication Is (Not) 99 Percent Effective," Cybercrime Magazine, February 23, 2023. https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/ (accessed June 14, 2023).
[8] "Hacking Two-Factor Authentication: Four Methods for Bypassing 2FA and MFA," The CISO Perspective, January 13, 2022. https://cisoperspective.com/index.php/2022/01/13/hacking-two-factor-authentication-four-methods-for-bypassing-2fa-and-mfa/ (accessed June 14, 2023).
[9] "CVE - CVE-2021-32648." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32648 (accessed June 14, 2023).
[10] Editorial, "Ukraine banking and defense platforms knocked out amid heightened tensions with Russia," NetBlocks, February 15, 2022. https://netblocks.org/reports/ukraine-banking-and-defence-platforms-knocked-out-russia-conflict-JBQX7mAo (accessed June 14, 2023).
[11] "KA-SAT Network cyber attack overview," viasat.com, March 30, 2022. https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview (accessed June 14, 2023).
[12] "2022 Ukraine cyberattacks," Wikipedia. May 04, 2023. Accessed: June 14, 2023. [Online]. Available: https://en.wikipedia.org/w/index.php?title=2022_Ukraine_cyberattacks&oldid=1153205698
[13] State of the Hack: One Year after the APT1 Report, (February 28, 2014). Accessed: June 14, 2023. [Online Video]. Available: https://www.youtube.com/watch?v=88ouifbJSE
[14] "Internet Crime Complaint Center (IC3) | Annual Reports." https://www.ic3.gov/Home/AnnualReports (accessed June 14, 2023).
[15] Coast Guard Cyber Command, "2022 Cyber Trends and Insights in the Marine Environment (CTIME) Report," United States Coast Guard, May 2023. [Online]. Available: https://www.uscg.mil/Portals/0/Images/cyber/2022CTIMEReport_Final.pdf?ver=lFYiLZqt4dbVf2RFTgL15g%3d%3d&timestamp=1685643398263
[16] A. Ajdin, "Hapag-Lloyd flags spear phishing attack," Splash247, March 08, 2022. https://splash247.com/hapag-lloyd-flags-spear-phishing-attack/ (accessed June 15, 2023).
[17] "Phishing impersonates shipping giant Maersk to push STRRAT malware," BleepingComputer. https://www.bleepingcomputer.com/news/security/phishing-impersonates-shipping-giant-maersk-to-push-strrat-malware/ (accessed June 15, 2023).
[18] "Cyberattack Threatens Release of Port of Lisbon Data," The Maritime Executive. https://maritime-executive.com/article/cyberattack-threatens-release-of-port-of-lisbon-data (accessed June 15, 2023).
[19] "Voyager Worldwide hit by cyber attack - Splash247." https://splash247.com/voyager-worldwide-hit-by-cyber-attack/ (accessed June 15, 2023).
[20] Unit 42, "2022 Unit 42 Ransomware Threat Report Highlights: Ransomware Remains a Headliner," Unit 42, March 24, 2022. https://unit42.paloaltonetworks.com/2022-ransomware-threat-report-highlights/ (accessed June 14, 2023).
[21] "Cyber-SHIP Lab Annual Symposium," University of Plymouth, November 01, 2023. https://www.plymouth.ac.uk/whats-on/cyber-ship-lab-annual-symposium (accessed June 16, 2023).
[22] "Ever Given," Wikipedia. May 31, 2023. Accessed: June 16, 2023. [Online]. Available: https://en.wikipedia.org/w/index.php?title=Ever_Given&oldid=1157809412
[23] "Ransomware attack on maritime software impacts 1,000 ships." https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships (accessed June 14, 2023).
[24] S. Lyngaas, "Hackers breached computer network at key US port but did not disrupt operations | CNN Politics," CNN, September 23, 2021. https://www.cnn.com/2021/09/23/politics/suspected-foreign-hack-houston/index.html (accessed June 14, 2023).
[25] "Spoofing in the Black Sea: What really happened?," GPS World, October 11, 2017. https://www.gpsworld.com/spoofing-in-the-black-sea-what-really-happened/ (accessed June 12, 2023).
[26] "GPS freaking out? Maybe you're too close to Putin," NRKbeta, September 18, 2017. https://nrkbeta.no/2017/09/18/gps-freaking-out-maybe-youre-too-close-to-putin/ (accessed June 12, 2023).
[27] T. Neumann, "Automotive and telematics transportation systems," paper presented at the 2017 International Siberian Conference on Control and Communications (SIBCON 2017), Proceedings, 2017, doi: 10.1109/SIBCON.2017.7998555.
[28] A. Weintrit and T. Neumann, "Advances in marine navigation and safety of sea transportation. Introduction," in Advances in Marine Navigation and Safety of Sea Transportation: 13th International Conference on Marine Navigation and Safety of Sea Transportation, TransNav 2019, 2019.