Tradewinds and Maritime Executive, among others, covered a news story last week on cyber attacks against commercial shipping. The reports are based on an NBC article that quotes an ESET spokesperson.
The original NBC article can be found here: China-linked group uses malware to try to spy on commercial shipping.
A number of shipping companies have reached out asking for more information on this coverage and on the reported targeting of shipping companies. To give the sector some clarity, we are providing further guidance based on what we have seen across the vessels we monitor.
ESET attributes the attacks to an Advanced Persistent Threat (APT) group known as Mustang Panda. This ties back to ESET's APT Activity Report covering October 2023 to March 2024, which describes Mustang Panda's Korplug loaders on computer systems belonging to cargo shipping companies based in Norway, Greece and the Netherlands. In some cases the initial dropper appears to have been launched from a USB drive.
We are familiar with this threat actor and have been tracking its "PlugX" malware (the same family as Korplug) for several years. The malware spreads via USB devices, so it is relatively common on board ships, where USB devices are used frequently.
However, in the vast majority of cases we do not believe that the vessels were intentionally targeted, and we have not seen the malware's remote access capabilities activated. For our previous detections of the same malware family and APT, see page 16 of our global maritime industry report, The Great Disconnect.
Since that report was published we have detected several newer variants, including one found recently on a vessel while it was in port in China. Again, we have seen no evidence of intentional targeting.
Antivirus (AV) software such as ESET's is generally good at detecting and blocking older PlugX variants, but where signatures are out of date, or a newer variant is encountered, successful infections can occur. To mitigate this risk, make sure AV signatures are up to date on all systems, and do not rely on a single scan: a USB device that AV flags as infected should be fully wiped (not just "cleaned") before it is used again, so the infection cannot spread to unprotected OT devices that have no AV at all.
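The two checks above can be scripted on the Windows workstations that make up most of a vessel's IT estate. The following is an added example, not CyberOwl's or ESET's code. It assumes the endpoint is protected by Microsoft Defender (the Get-MpComputerStatus cmdlet does not see third-party AV such as ESET, whose signature age is read from its own management console instead) and that the threshold of three days and the USB disk number are chosen by the operator.

```powershell
# Added example: verify AV signature currency and fully wipe a flagged USB drive.
# Assumption: Microsoft Defender is the installed AV. For ESET or another product,
# check signature age in that product's console; this cmdlet cannot see it.

# Signatures older than this many days are reported as stale (assumed threshold).
$MaxSignatureAgeDays = 3

function Test-AvSignatureAge {
    param([int]$MaxAgeDays = $MaxSignatureAgeDays)

    # Get-MpComputerStatus exposes signature version, last-update time and age in days.
    $status = Get-MpComputerStatus
    $ageDays = [int]$status.AntivirusSignatureAge

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SignatureVersion  = $status.AntivirusSignatureVersion
        LastUpdated       = $status.AntivirusSignatureLastUpdated
        AgeDays           = $ageDays
        RealTimeProtected = $status.RealTimeProtectionEnabled
        Stale             = ($ageDays -gt $MaxAgeDays) -or (-not $status.RealTimeProtectionEnabled)
    }
}

function Get-RemovableUsbDisk {
    # Only disks attached over USB; never touch the internal system disk.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Select-Object Number, FriendlyName, Size, PartitionStyle
}

function Clear-InfectedUsbDisk {
    param(
        [Parameter(Mandatory)] [int] $DiskNumber,
        [string] $FileSystem = 'exFAT'
    )

    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB. Refusing to wipe."
    }

    # Step 1: drop every partition, including hidden/OEM ones the malware may have added.
    # Clear-Disk only discards the partition table; data remains on the flash until overwritten.
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false

    # Step 2: recreate a single volume and do a FULL format, which overwrites every sector
    # rather than just rewriting the file-system metadata as a quick format would.
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem $FileSystem -Full -Force -Confirm:$false
    return $part.DriveLetter
}

# Usage (run elevated):
#   Test-AvSignatureAge | Format-List
#   Get-RemovableUsbDisk
#   Clear-InfectedUsbDisk -DiskNumber 2     # after confirming disk 2 is the flagged stick
```

The wipe deliberately refuses anything that is not on the USB bus, since the most expensive mistake here is clearing the bridge PC's own disk. Run the signature check from your fleet management tooling rather than by hand, and treat a "Stale" result as a finding to chase, not just a number to log.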
CyberOwl will continue to monitor this threat and will provide further information where it is meaningful. For users of CyberOwl's Medulla and those on CyberOwl's SOC monitoring service, we will provide further details where we believe additional actions are required. This may include using the onboard dashboard to trigger nudges to the crew on USB-related risks. We also recommend that you review your compliance verification metrics in Medulla to confirm that AV signatures are up to date across your fleet.
Get support to understand if your fleet is affected here.
Ask for the indicators of compromise of related malware we have observed here.
