Tradewinds and Maritime Executive, among others covered a news article on cyber attacks to commercial shipping last week. The reports reference an NBC article which quotes an ESET spokesperson. The original NBC article can be found here: China-linked group uses malware to try to spy on commercial shipping, new report says.

A number of shipping companies have reached out seeking more information on recent maritime media coverage on potential targeted attacks on shipping companies. In the interest of supporting the sector by providing some clarity on this matter, we are providing further guidance based on the activities we have seen across the vessels we monitor.

ESET are attributing the attacks to an Advanced Persistent Threat (APT) group known as Mustang Panda. This links back to a report they published on Advanced Persistent Threat Activity in the period October 2023 to March 2024. ESET reports the presence of Mustang Panda’s Korplug loaders on computer systems belonging to cargo shipping companies based in Norway, Greece and the Netherlands. In certain cases, the initial dropper appears to have been launched from a USB drive.

We are familiar with the threat actor and have been tracking their “PlugX” malware (same family as Korplug) for several years. The malware spreads via USB devices and is therefore relatively common onboard ships where USB devices are frequently used.

However, in the vast majority of cases, we do not believe that vessels were intentionally targeted and the remote access capabilities of the malware have not been activated. Please reference our previous detection of the same malware family and Advanced Persistent Threat (APT) in the article we wrote on page 16 in the Great Disconnect for more information. Since this report, we have detected several newer variants including one detected recently on a vessel while it was in port in China – but again we have not seen evidence of intentional targeting.

Antivirus (AV) software like ESET is generally good at detecting and blocking older PlugX malware variants but where out-of-date AV signatures or a newer variant is encountered, it is possible for successful infections of assets to occur. To help mitigate the risk, we recommend ensuring that your AV signatures are up-to-date on all systems. We also recommend that any USB devices flagged by AV as infected are fully wiped to ensure the infection does not spread to unprotected OT devices.

CyberOwl will continue to monitor this threat and provide further information on this where meaningful. For users of CyberOwl’s Medulla and those of you on the CyberOwl SOC monitoring service, we will provide further details where we believe additional actions are required. This may include using our onboard dashboard to trigger nudges to the crew on USB-related risk. We also recommend that you review your compliance verification metrics in Medulla to ensure your AV’s are up to date.

Get support to understand if your fleet is affected here.

Ask for the indicators of compromise of related malware we have observed here.