Ransomware Attack Brings Japanese Port Operations to a Halt
The largest port in Japan, the Port of Nagoya, was forced to suspend its operations following a ransomware attack on July 5, 2023, which disrupted the port’s communication systems and prevented the facility from processing import and export operations. The port’s operator, Yokohama Kawasaki International Port Corporation (YKIP), responded by shutting down their network to prevent further spread of the ransomware and launched an investigation into the incident. YKIP also isolated the affected servers and restored their systems from backups, allowing the port to resume normal operations within a few days. According to the Nagoya Harbor Transportation Association, one cargo terminal resumed operations in the afternoon of July 6, with others scheduled to restart later in the day.
While the ransomware attack did not impact the shipment of new cars for Toyota, the world’s largest carmaker, it affected the loading and unloading of imported and exported parts at the port. Additionally, Toyota Motor Corporation plans to suspend operations at a packaging line for export-bound components, after the cyber attack triggered a system glitch and stalled work for more than two days.
Ransomware Targeting Shipping Ports is Growing
Ransomware attacks on shipping ports are not isolated incidents. As reported in the Dragos ICS/OT Cybersecurity Year in Review, the transportation sector, which includes shipping, had 11 ransomware incidents in 2022, compared to 437 in manufacturing. Similar incidents have occurred at other ports and port operators worldwide, such as the attack on the Port of Lisbon in Portugal in January 2023 and NotPetya deployed against Maersk in June 2017. The attack on the Port of Nagoya highlights the ongoing threat of ransomware to critical infrastructure and the need for robust cybersecurity measures.
LockBit Claims Responsibility for Nagoya Attack
Japanese media reported that LockBit was the ransomware variant used in the attack and that the hacker group, LockBit 3.0, demanded a ransom for returning control of the system. In 2022, LockBit led all ransomware groups in ransomware activity. They accounted for at least 169 ransomware incidents that targeted industrial organizations and infrastructures in the last year, equating to 28 percent overall.
In the third quarter of 2022, an unknown adversary claimed they had hacked LockBit servers and leaked the LockBit 3.0 builder, allowing anyone access to their ransomware creation feature. Dragos assesses with moderate confidence that LockBit 3.0 will continue to target industrial organizations and will pose a threat to industrial operations into 2023, whether through the LockBit threat group itself, or others creating their own version of LockBit ransomware.
The Value of Building a Defensible Architecture
Dragos monitors and analyzes the activities of more than 50 different ransomware groups that target industrial organizations and infrastructures. Ransomware has numerous variants, but in most cases, it relies on similar threat behaviors. Dragos has analyzed the most common strains of ransomware utilized by the ransomware groups in our ICS/OT Cybersecurity Year in Review, and plotted the most recurring TTPs to the ICS Cyber Kill Chain. Defenders should utilize kill chains as the input for data collection requirements in a collection management framework (CMF). A CMF identifies the sources of data that can be used to detect the TTPs of an identified threat scenario. The earlier in the kill chain that an attack is detected, the more opportunities and options defenders have to respond and recover before the attack.
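The sketch below is an added example, not Dragos code or data: it models a small CMF and checks which behaviors of a threat scenario it can detect, and how early in the kill chain. The kill-chain step names are a simplified ordering, and the behaviors, data sources, and retention threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Simplified, ordered kill-chain steps (assumption for this example).
KILL_CHAIN = ["delivery", "exploit", "install", "c2", "act"]

@dataclass(frozen=True)
class DataSource:
    name: str
    location: str           # where in the environment the data is collected
    retention_days: int     # how long the data stays available to responders
    observes: frozenset     # behaviors this source can reveal

@dataclass(frozen=True)
class TTP:
    behavior: str
    stage: str              # kill-chain step where the behavior occurs

# Constructed threat scenario: generic ransomware behaviors, not from any report.
SCENARIO = [
    TTP("remote_access_logon", "delivery"),
    TTP("lateral_movement_smb", "install"),
    TTP("outbound_c2_beacon", "c2"),
    TTP("shadow_copy_deletion", "act"),
    TTP("mass_file_encryption", "act"),
]

# Constructed CMF inventory.
CMF = [
    DataSource("vpn_gateway_logs", "IT/OT DMZ", 90, frozenset({"remote_access_logon"})),
    DataSource("ot_firewall_logs", "OT boundary", 30, frozenset({"outbound_c2_beacon"})),
    DataSource("hmi_windows_event_logs", "OT hosts", 7,
               frozenset({"shadow_copy_deletion", "mass_file_encryption"})),
]

def coverage(scenario, cmf, min_retention_days=14):
    """Map each behavior to the sources that observe it and retain data long enough."""
    return {t.behavior: [s.name for s in cmf
                         if t.behavior in s.observes
                         and s.retention_days >= min_retention_days]
            for t in scenario}

def gaps(scenario, cmf, min_retention_days=14):
    """Behaviors with no usable data source: new collection requirements."""
    cov = coverage(scenario, cmf, min_retention_days)
    return [behavior for behavior, sources in cov.items() if not sources]

def earliest_detectable_stage(scenario, cmf, min_retention_days=14):
    """Earliest kill-chain step at which any scenario behavior is covered."""
    cov = coverage(scenario, cmf, min_retention_days)
    stages = [t.stage for t in scenario if cov[t.behavior]]
    return min(stages, key=KILL_CHAIN.index) if stages else None
```

Here the HMI event logs observe the late-stage behaviors but are retained for only 7 days, so with a 14-day requirement they count as a gap alongside the uncovered lateral movement.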
In working with hundreds of industrial organizations, Dragos has developed a tried and tested approach to helping our customers defend against, or respond to, disruptive ransomware incidents in their operations environments. You can view our whitepaper, How to Prepare For & Respond to Ransomware in Operational Technology (OT) Environments, to learn more about our approach.
A good place for organizations to start is with an OT Cybersecurity Architecture Review, which will inform you of the prime locations or “Crown Jewels” to monitor in your OT environment. This review ensures that the OT environment is adequately segmented from your IT network and the internet. Tabletop Exercises are also beneficial, bringing your IT and operations teams together to run through a simulated ransomware attack against your OT environment. In these exercises, the Dragos team leverages intelligence on an ICS-targeting threat group to create a realistic scenario based on real adversary tradecraft. Additionally, deploying the Dragos Platform, an industry-leading ICS visibility and monitoring solution, helps you better understand your network architecture and validates the effectiveness of your deployed security controls.
There are a variety of reasons why deployed security controls could lose their effectiveness over time including new vulnerabilities, unanticipated equipment being connected, unplanned changes in firewall rules, and other events that occur to support the organization’s mission. The Dragos Platform can also detect early threat behaviors and indicators of ransomware groups and adversary activity in your OT environment. In the event a cyber incident is declared, the Dragos Incident Response (IR) team is ready to respond when you need us, with SLA response times through a Rapid Response Retainer.
A Case Study: Maritime Operator Partners with Dragos to Improve OT Security
As the maritime shipping and logistics industry faces mounting OT cybersecurity risks and looks more carefully at oversight from governments around the world, it is imperative for organizations to adopt a proactive and comprehensive approach to protect their critical systems. Dragos recently published a new case study demonstrating how a leading container terminal operator partnered with us to enhance their OT cybersecurity posture.
Several years ago, a prominent container terminal operator recognized the significance of OT cybersecurity and proactively prioritized the protection of its OT systems. Understanding the potential consequences of cyber threats, this company deployed Dragos technology and expertise across its enterprise to ensure the uninterrupted flow of cargo and maintain the safety and reliability of its operations. As a result, the company has fortified its environments, improved threat visibility, and developed effective incident response capabilities.
Learn more about how the team strengthened their defenses, safeguarding their operations and ensuring the secure and uninterrupted flow of global trade – download the case study today.
Sources
- https://www.bleepingcomputer.com/news/security/japans-largest-port-stops-operations-after-ransomware-attack/
- https://www.reuters.com/business/autos-transportation/japans-biggest-port-plans-resume-operations-thursday-after-cyberattack-2023-07-06/
- https://www.porttechnology.org/news/cyber-attack-threatens-release-of-port-of-lisbon-data/
- https://amp.cnn.com/cnn/2023/07/06/tech/japan-port-ransomware-attack/index.html
- https://www.porttechnology.org/news/port-of-nagoya-recovers-from-ransomware-attack/
- https://www.dragos.com/blog/ransomware-attack-analysis-q1-2023/
- https://hub.dragos.com/whitepaper-how-to-prepare-for-and-respond-to-ransomware-in-operational-technology-environments
- https://www.dragos.com/year-in-review/
- https://www.dragos.com/defend-against-ransomware-in-ot/
- https://industrialcyber.co/transport/operations-at-japans-port-of-nagoya-resume-after-probable-lockbit-ransomware-attack/
- https://www.dragos.com/blog/how-smbs-use-the-collection-management-framework-to-prepare-for-a-cyber-incident/