Kuwaiti transportation organisations targeted by hackers


The Kuwait transportation and shipping industry suffered two major cyber attack campaigns against its IT systems between May and June 2019, according to Unit 42, a global threat intelligence team at Palo Alto Networks that identified the attacks.

It is believed that the tools used to carry out the attacks were created by the same developer, according to a Unit 42 report.

The first campaign was discovered in May 2019 and has been dubbed ‘xHunt’ as the tools associated with the attack are named after characters from an anime series called Hunter x Hunter.

The report states that the attack was carried out when hackers managed to install a backdoor tool known as Hisoka 0.8 in the IT network of a Kuwaiti transport and shipping organisation. Backdoor tools are malicious computer programs that give the attacker unauthorised remote access to a compromised PC system. The program works in the background without the knowledge of the PC system's user.

It is not known exactly how many PC machines were affected by this software. Unit 42 found that xHunt was behind a second attack on networks at another Kuwait shipping and transport firm in June 2019.

This campaign used an updated version of the original backdoor tool, called Hisoka 0.9, which allowed the tool to spread to other systems on the network, for example by gaining Server Message Block (SMB) protocol privileges. This allowed the hacker to attempt to log in using legitimate credentials and gain access to shared folders, printers, and serial ports within a network.

Additional programmes were used in the xHunt attacks, such as Gon and EYE, which allowed the hacker “to scan for open ports on remote systems, upload and download files, take screenshots, find other systems on the network, run commands on remote systems, and create a Remote Desktop Protocol session”, according to the Unit 42 report.

In layman’s terms, these programs allow the hackers to monitor every action carried out by the PC system that has been attacked and to steal all the data and files it contains.

According to analysis from IBM X-Force, a security research branch of information technology company IBM, the developers of xHunt may have been carrying out cyber attacks with variations of the tools dating back to July 2018. These previous attacks are thought to have used a predecessor of Hisoka, known as Sakabota, as the code used to build these two programmes shared many similarities.

Cyber security remains a constant worry for the shipping industry, as highlighted in the 2016 IHS Markit and BIMCO Maritime Cyber Security survey: shipping companies that experienced cyber breaches suffered loss of corporate data (48%), financial loss (21%), and impacts on their IT system functionality (67%) and shipborne system functionality (4%).

Commenting on the Kuwait cyber incidents, Professor Kevin Jones, executive dean of the faculty of Science and Engineering at the University of Plymouth, said, “We are now seeing that the maritime sector is becoming more of a target and the risk profile is changing from more traditional attacks, such as piracy, to more cyber-based risks such as the attacks that were carried out in Kuwait.

“The criminal market has realised that the shipping industry is both a vulnerable and valuable target and we can, as a sector, expect to see more of these kinds of attacks as more media attention is being put on it. The Maersk incident was an accident while these are deliberate targeted attacks. In the future we can expect to see attacks on shipping-specific tech, for example bridge systems. This is the start of an ongoing trend.”

The US Coast Guard (USCG) released urgent warnings to shipping this year after it uncovered attempts to hack commercial vessels using phishing scams and malware. It said cyber adversaries had attempted to access sensitive information, including the content of an official Notice of Arrival, by using fake email addresses pretending to be official Port State Control. It also received reports of malicious software designed to disrupt shipboard computer systems.

Safety at Sea and BIMCO have produced a free cyber security whitepaper, supported by ABS Group, that combines an analysis of four years of survey findings and matches them to cyber behaviour and investment trends observable in the wider maritime industry.

The Unit 42 report is titled xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organisations.