Toll company data for sale on the dark web

[Image caption: The major challenge that shipowners face is the fast growing cyber world and the complexities of security requirements. Credit: Getty Images]

Ransomware attackers who hacked Toll Group’s corporate server files in May 2020 have published stolen data on the dark web, the company has announced.

The hackers, using Nefilim ransomware, stole large tranches of information including workers’ names, home addresses, ages, birthdates, and payroll details including salary, superannuation, and tax file numbers, according to Toll.

Corporate data has also been leaked on an ‘onion’ site [a dark web page] for corporate leaks, according to IT publication Data Breach Today (DBT). The hackers scolded Toll for its lack of security measures.

“Toll Group failed to secure their network even after the first attack (in January),” read the post, screengrabbed by DBT. “We have more than 200 GB of archives of their private data.”

Toll refused ransom demands by the yet-unidentified hackers in both instances.

The first attack, which took place in January and targeted the company’s land and sea operations, has since been attributed to Russian players. However, a Toll spokesperson told SAS the second attack was unrelated.

The second security breach, which took place in May and forced the company to shut down computer and IT systems, coincided with a spate of attacks on BlueScope Steel and other industries in Australia. In the backdrop, Australia’s trade and diplomatic relationships with China worsened over issues regarding the COVID-19 pandemic.

Lani Refiti, partner of the Cyber & Emerging Risk Advisory practice at Deloitte Asia Pacific, told SAS he has been inundated with cyber incident responses to breaches in recent weeks.

“It’s a bit early to be able to attribute the attacks,” he said. “The method they used – ‘ransomware’ – is traditionally the domain of cyber criminals, i.e. pay us a ransom for your stolen information. Nothing suggests there was a destructive element to this attack, known as Wiper malware.”

Refiti said Wiper attacks similar to that were used against Maersk to bring down its global shipping and ports empire in 2017, and were usually associated with nation state actors. However, he noted a worrying “blending” of the two at work.

“Nation states are now working with affiliated criminal groups where they farm out specific parts of the campaign, for example, malware infiltration or obfuscation,” he said. “It’s an interesting trend as the criminal groups involved are sometimes ex-government types.”

A recent joint Safety at Sea and BIMCO 2020 cyber security survey found the “attack surface” or human element to be a major factor in industry breaches.

The survey noted that training in the maritime industry was important to prevent seafarers and dockers opening emails containing malware or inserting infected USB sticks into company computers.

At sea, the systems susceptible to attack include navigation control and propulsion, the automatic identification system (AIS), the electronic chart display and information system (ECDIS), and radar. In ports, ships’ cargo handling or container tracking could be compromised.

The survey found that 68% of respondents reported phishing incidents in which email attachments or web links led to breaches. Contractors and third parties were also identified as a liability.

The International Maritime Organization has given shipowners and managers until January 2021 to incorporate cyber risk management into their respective ship management systems.

Toll said it had further strengthened its systems. Operations across its global network are now moving as normal.