[BreachExchange] Shipping Giant Cosco Hit by Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Fri Jul 27 00:55:29 EDT 2018


https://www.databreachtoday.com/shipping-giant-cosco-hit-by-ransomware-attack-a-11256

A "local network breakdown" - reportedly caused by a ransomware
infection - led Chinese shipping giant Cosco to shut down all networks
for its offices in the United States and seven other countries while
it scrubbed and restored systems.

"For safety precautions, we have shut down the connections with other
regions for further investigations," state-owned Cosco, aka China
Ocean Shipping Company, said in a customer alert published Wednesday.
"So far, all the vessels of our company are operating as normal, and
our main business operation systems are performing stably."

Cosco has offices in 27 North American and South American countries,
but not all of them are affected. "The network failures affected areas
include the United States, Canada, Panama, Argentina, Brazil, Peru,
Chile and Uruguay," the company says in a Thursday FAQ.

The company said Thursday that corporate email remained offline in the
U.S., Canada, Panama and Peru.

Cosco's Canadian website, for example, resolves to an error message
that says: "We regret to inform you that our local network and systems
in Canada are breakdown, and some email boxes are not available now."
The page lists Microsoft Hotmail email accounts as contact points.

Outbreak Not Global

In a Thursday update, Cosco said the ransomware outbreak was limited
to parts of North and South America, and that remediation efforts were
continuing.

"We are trying [our] best to investigate and fix the network problem
in the Americas, and it is expected that the network applications will
be gradually back to normal soon," it says. "We have started
contingency plans, such as transfer of operations and conducting
operation via remote access, to ensure continuous service in the
Americas. During the network failure period, there could be delays in
service response in the Americas, and we are expecting your kind
understanding."

The company appears to have responded quickly to the ransomware
outbreak. When it was detected, Cosco said it proactively opted "to
isolate internal networks to carry out technical inspections on global
scale." By Wednesday, the company said that its information security
experts had verified that aside from its Americas operations,
"networks in all other regions are secure."

"The business [recovery] operations in the Americas are still being
carried out, and we are trying our best to make a full and quick
recovery," the company said, apologizing for the "inconvenience."

Reports Cite Ransomware Infection

Multiple maritime news outlets, including Lloyd's List, said that
internal Cosco emails reported that the company's network interruption
was due to a ransomware outbreak.

Cosco didn't immediately respond to a request for comment, including a
query about what type of ransomware might have been responsible, how
many systems were affected or if it's received a ransom note.

Affected Cosco offices, including those in the U.S., have been left
unable to use corporate email or phone systems.

"Due to the local network breakdown within our Americas region, local
email and network telephone is not working properly at the moment. For
safety precautions, we have shut down connections with other regions
for further investigations," the company said in a Facebook post on
Wednesday.

Cosco's U.S. operations have been using social media channels and
Yahoo webmail addresses to communicate with customers.

Port of Long Beach Sees No Disruptions

The ransomware outbreak comes shortly after Cosco took over Orient
Overseas Container Lines - one of its Asian rivals - which also gave
it control over a large container facility at the Port of Long Beach,
The Wall Street Journal reports.

Port of Long Beach is the country's second-busiest container port,
after the Port of Los Angeles.

"Ships, trains and trucks are coming in and out as usual," Port of
Long Beach spokesman Lee Peterson told shipping publication TradeWinds
on Wednesday.

"As of this point, because perhaps Cosco has a separate terminal
operating system, the attack has not affected operations at the
terminal," he said.

To satisfy national security concerns over its Chinese state
ownership, Cosco has promised to put its large container terminal into
a trust, The Wall Street Journal reports.

Follows NotPetya Outbreak

Last year, the world's biggest shipping firm, Maersk, fell victim to
NotPetya ransomware in late June, forcing it to reroute ships and
leaving it unable to dock or unload cargo ships in dozens of ports.

The Danish shipping giant estimated that it would suffer up to $300
million in losses due to the ransomware outbreak.

In recent months, security experts say many criminals have shifted
from crypto-locking malware attacks to using malware that is designed
to infect systems and mine for cryptocurrency. But while these
"cryptojacking" attacks are on the rise, many criminal gangs continue
to run ransomware campaigns (see Cryptojacking Displaces Ransomware as
Top Malware Threat).

James Lyne, global research adviser at Sophos, says that since
January, three strains of ransomware have been especially prevalent:
Data Keeper, Satan and Gandcrab (see Ransomware: No Longer Sexy, But
Still Devastating).

Researchers say that SamSam ransomware, which has been used this year
in targeted attacks against a number of organizations, also remains a
potent threat (see SamSam Ransomware Offers Volume Decryption
Discount).

