[BreachExchange] How COSCO responded to a cyberattack on its systems

Destry Winant destry at riskbasedsecurity.com
Tue Jul 31 21:50:06 EDT 2018


https://www.supplychaindive.com/news/COSCO-cyberattack-response-timeline/529008/

The attack shut down the carrier's customer service phone lines and
emails in the Americas, forcing a contingency plan on one of the
world's largest shipping lines.

Tuesday, July 24

News breaks of cyberattack on US operations

COSCO acknowledges a network issue @ 1 p.m. (COSCO)

“We regret to inform you that our local network and systems in US are
breakdown, and some email boxes are not available now,” the carrier
wrote in a customer advisory.

Systems in other regions of the world, vessel operations and terminal
operations remained “as normal,” however. COSCO asked customers to
submit booking requests through its website’s e-commerce function or
use one of about 40 temporary email addresses to communicate with
representatives.

First reports of COSCO’s outage @ 1:14 p.m. (JOC.com)

News breaks: COSCO Shipping’s U.S. operations were struck by a
cyberattack, “compromising the ability of the carrier to communicate
with its vessels, customers, vendors, and marine terminals,” JOC.com’s
Bill Mongelluzo wrote.

“We have got work-arounds in place,” Howard Finkel, senior vice
president of trade at COSCO, told the publication.

COSCO suggests attack is limited to U.S. @ 3:29 p.m. (Press Telegram)

Fears of a worst-case scenario subside as the Long Beach Press
Telegram writes the terminal remains operational, although COSCO’s
U.S. website and toll-free number were shut down.

The first mention of a “ransomware” attack emerges. “A spokesman for
the Shanghai-based company, which acknowledged the ransomware attack
Tuesday, said the company’s operations outside the United States were
not affected,” writes Mark Edward Nero for the Press Telegram.

Wednesday, July 25

Details emerge, revealing an Americas-wide problem

COSCO publishes a customer advisory @ 4:56 a.m. (COSCO)

Less than a day after the first notice, COSCO recognized the problem
originated “within our America regions,” and could extend further.

“For safety precautions, we have shut down the connections with other
regions for further investigations,” the customer advisory reads. “We
are glad to inform you that we have taken effective measures. Except
for above regions affected by the network problem, the business
operation within all other regions will be recovered very soon.”

Media reports of attack accelerate, but details remain sparse

- COSCO US hit by cyberattack (Splash 24/7)
- 10:55 AM | Cosco Reports Cyberattack at its U.S. Operations
(Maritime Executive)
- 11 AM | Ransomware attack hits COSCO in US (Supply Chain Dive)
- 3:55 PM | China’s Cosco Shipping Hit by Cyberattack in U.S. (The
Wall Street Journal)
- COSCO responds to media claims on Twitter
“Despite some recent media reports, neither our Long Beach terminal at
Pier J nor our COSCO Shipping UK offices have been affected by the
network breakdown.” – @COSCOSHPGLines at 11:15 a.m.
“Pacific Container Terminal (PCT) is operating smoothly and has not
been affected by the network breakdown. Our Long Beach customer
service center (COSAG), however, has been adversely affected.” –
@COSCOSHPGLines at 11:28 a.m.

Thursday, July 26

All hands on deck to reach customers, control impact

COSCO: Impact of cyberattack has been contained to Americas @ 6:45 a.m. (COSCO)

In an update to its customer advisory, COSCO said it had taken
“proactive measures to isolate internal networks” and carried out
inspections on a global scale.

“With the reliable confirmation from the technical experts that the
networks in all other regions are secure, the network applications
were recovered” at 4:00 a.m. on July 25, the carrier wrote.

Problems in the Americas were still being investigated, and fixed,
however. “During this network failure period, there could be delays in
service response in the Americas,” said COSCO.

Carrier accelerates social media outreach to route service requests

As part of its contingency plan, COSCO takes advantage of social media
to reply directly to Facebook comments and tweets regarding its
service issues.

COSCO posts first FAQ, detailing broad extent of problem (FAQ)

The detailed document reveals the “Americas” problem extends beyond
the U.S. to Canada, Panama, Argentina, Brazil, Peru, Chile and
Uruguay, with varying degrees of dysfunction.

It also reveals it cannot take hazardous or specialist cargo in Panama
and Peru, and details specific emails to address various business
functions per region.

Friday, July 27

Shippers receive more details, targeted guidelines

Network applications begin to recover ‘gradually,’ according to notice
@ 9 a.m. (COSCO)

COSCO says it recovered its Americas network applications – which
include electronic data connections with customs, terminals and
railways in North America – as of 12 p.m. on July 26.

“Currently, global network of COSCO SHIPPING Lines is running stably
and safely. The network applications in the Americas are being
recovered gradually,” the carrier wrote. “We are now taking further
security measures to recover local email service.”

COSCO makes it a habit to update its FAQs upon each change in status.

By July 30, there would be three general versions of the FAQ, and six
versions of a U.S.-specific document.

Los Angeles and Long Beach port customers receive special advisory @
11 a.m. (COSCO)

Shippers are asked to resend any emails sent prior to the network
problem to a new set of email addresses. “These emails would be used
until the network problem is solved,” the advisory reads.

COSCO updates Rail Ramp Storage and Per Diem Policy @ 7:20 p.m. (COSCO)

The carrier extended the timeframes on these two fee policies to
accommodate delays caused by its network failure, as it showed more
activity on its U.S. operations.

The U.S. website remained offline, but attempts to reach it now
redirected to a separate webpage with dedicated advisories.

Monday, July 30

COSCO (mostly) restores service

Network applications in Americas are ‘fully recovered’ @ 1:58 a.m. (COSCO)

“All communication channels including telephone, email, and electronic
data exchange have been restored,” a new update read. “We are working
at a full stretch to process all the service requests received
previously, and the service response is expected to be back on track
within this week.”

Except for Los Angeles / Long Beach … @ 4:15 p.m. (FAQ)

The sixth version of the U.S. specific FAQ revealed COSCO would still
use its Yahoo contingency email for service in the country’s largest
port complex.

“Our company customer service email is back to normal except LA/LGB,”
the FAQ reads. “Under the premise of ensuring network security,
www.cosco-usa.com has not yet open,” it added.

Details on the type of cyberattack remain scarce (Facebook Post)

Although reports suggest the attack was induced by ransomware, COSCO
has publicly released few details from its investigation.

In a comment on the carrier’s Facebook page, Matt Webster, a purported
customer, asked “what was the cause and type of the incident? If
ransomware then what type and is the source known?”

COSCO replied: “Thank you for your comment. This type of information
will not yet be released. Thanks for your understanding and patience.”

Takeaways from the 5-day sprint

The way COSCO handled its cyberattack may serve as a lesson for future
cases. Details remain sparse, but the record shows a 5-day sprint to
activate contingency plans and keep customers aware of workarounds.

Some hiccups occurred, but that is to be expected with a cyberattack,
Keith O’Byrne, head of solutions at supply chain cybersecurity firm
Asavie, told Supply Chain Dive.

"Incident response is a challenging field — if services are restored
quickly, it's legitimate to ask why they were impacted in the first
place,” O’Byrne wrote in an email. “Equally, there is the question as
to whether malware or infection has been truly purged. InfoSec teams
can face huge pressure to ‘just get it back working’.”

That some services remain down points to a “better scenario — COSCO’s
services are being brought back on a phased basis,” he said. “In the
absence of insider information, this is a sign that a methodical
approach is being followed.”


More information about the BreachExchange mailing list