From Ports to Production: Insights into Supply Chain Cyber Threats

Executive Summary

  • The growing dependence on supply chain digitalization places businesses at ever-increasing risk, with the exponential growth of supply chain cyber attacks. In the past five months, there have been 49 supply chain cyber incidents, reflecting an increasing trend since the 2017 WannaCry/NotPetya ransomware incidents.
  • Noticeable cyber attacks in recent months include the intercontinental COSCO ransomware attack, the Level One Robotics data breach, and the multi-million dollar TSMC hack. These demonstrate how quickly such events can spread globally, interrupt daily operations, compromise sensitive trade data, incur costs borne due to substandard IT security practices, and serve as testaments to the need to prioritize cyber defense as a flagship security practice.
  • Up 4% from last year, the average per capita cost of a data breach is estimated at approximately USD 150 and is growing exponentially with the frequency and size of breaches.
  • The pharmaceutical, transportation, energy, and industrial sectors bear some of the highest costs and risks going forward.
  • Proper risk identification, incident monitoring, analysis, and response, combined with top-notch IT security practices offer firms the opportunity to withstand this ever growing threat.

Background

While cyber attacks have taken place in a variety of forms since the 1990s, the threat has become more palpable and acute in the past decade with businesses increasingly relying on networked systems and the internet of things (IoT), especially in the logistics and supply chain space. In a recent survey conducted by the American cybersecurity technology company Crowdstrike, 66% of IT decision makers said that their companies had suffered a supply chain cyber incident in the past 12 months, bringing to light a threat that many considered an abstract concept.

Between 2016 and 2017 alone, the number of data breaches caused by a negligent third party in one’s supply chain rose 14%, while no-fault data breaches rose 23%. Whether the risk stems from a virus, an internal bug, or an insider threat from within one’s organization, the effects on the production line, distribution network, shipping, supplier communication, or even the residual risks left over from a terminated vendor relationship, pose considerable danger to firms and beyond. Moreover, the scope with which cyber events must be observed and mitigated requires an ever more invested and communicative approach, to ensure that when the inevitable does occur, all parts of one’s supply chain can effectively work together to defend and keep operations moving.

Knowing what each type of cyber attack entails can facilitate understanding, communication and coordination throughout one’s supply chain. Most well-known cyber attacks affecting supply chains include data breaches, ransomware, denial of service, vulnerabilities, and phishing. These can put businesses that are targeted at considerable risk. The various types of cyber attacks affecting supply chains are outlined below.

| Type | Description |
|---|---|
| Data breach | Release of secure information to an untrusted environment, including trade data, schematics, manufacturing systems, shipping data, and other confidential company information |
| Ransomware | A form of malware which encrypts a user or end system, rendering all data within inaccessible, and demanding the payment of a ransom to decrypt |
| Denial of Service | A cyber attack performed by many actors to render a firm’s website or system unavailable to users |
| Vulnerability | The discovery of a weakness, known or unknown, which may be exploited by a threat actor to perform unauthorized actions on a system |
| Phishing | A fraudulent attempt to obtain security credentials, from entry to executive levels, for malicious purposes |

Types of Cyber Attacks

2017: The tipping point for supply chain cyber attacks

The US National Counterintelligence and Security Center declared 2017 a “watershed” in terms of cyber attacks, made via supply chain infiltration, with an escalation of 400% since the previous year. This only represents known incidents, as those unrecorded are anticipated to be far greater than those which are recorded. 2017 saw seven significant supply chain cyber attacks, a notable one of which was the worldwide WannaCry attack, which caused a multi-continental ransomware lockout that cost a single shipping line over USD 300 million. Other events in 2017 include the Netsarang breach, which entailed an 18 company backdoor hack affecting major IT manufacturers, resulting in stealing information from energy, manufacturing, pharmaceutical, telecommunication, and transportation companies, among several others.

Among the known cyber attack incidents in 2017, 1 in 13 were malware related, with a 92% increase in new downloader variants, meaning a constantly escalating threat environment with the lightning-fast evolution of malware. Spam-based phishing has increased by 3.6% annually. While 5.4 billion WannaCry attacks have been blocked in total, there has been a recorded 46% increase in new variants of WannaCry-like applications which threaten ransomware attacks on supply chain elements from manufacturing to distribution. Overall vulnerabilities have increased by 13%, while there has been a 29% increase in vulnerabilities within Industrial Control Systems (ICSs).

2018: Supply chain cyber attacks continue to surge

Ever since the global outbreak of WannaCry and NotPetya, manifestations of cyber attacks have been relatively contained in comparison, yet with considerable potential for proliferation. In recent months, companies have been increasingly vulnerable to these proliferations. From May to September 2018, there was an average of 7 cyber attack incidents per month. One of the most prominent cyber attacks has been the COSCO outage on July 24, 2018. After initially manifesting at the Port of Long Beach, the attack spread across nine countries on two continents (see case study below). Moreover, the threat actor named Leafminer has targeted businesses in finance, shipping, energy, telecommunications, construction, and more across Iran, Azerbaijan, Afghanistan, Egypt, Israel, Saudi Arabia, Lebanon, Jordan, Kuwait, the UAE, and Qatar.

As seen in the map below, a railway company, an online retailer, two airlines, three airports, three seaports, eight manufacturers, and numerous miscellaneous firms and governments have been hit across 28 countries on all 6 continents over the past five months. The collection of incidents over this period illustrates a growing awareness of the omnipresent nature of cyber threats, and how the ever-connected nature of one’s supply chain requires proactive mitigation. (A complete list of cyber attacks recorded from May to September 2018 can be found in Annex 1 of this report.)

Figure 01: Cyber attacks recorded between May-September 2018

Case Studies

The proliferation of supply chain related cyber attacks after WannaCry requires a better understanding of the growth in incidents impacting different logistics nodes, such as airports, seaports and warehouses, as well as own and third party production sites. The following case studies illustrate the risks involved and the importance of having professional monitoring and communication mechanisms in place. The first of these studies describes the attack suffered by COSCO Group on July 24, 2018, which halted shipping operations at different port terminals and showed that COSCO’s network segmentation was well prepared, but its continuity-of-operations planning was not. The other two studies review the identified vulnerability and the ransomware attack suffered by two important manufacturers in the automotive and technology industries, Level One Robotics and TSMC, respectively.

Ransomware attack on COSCO Group

On July 24, China Ocean Shipping Company (COSCO) was hit by a ransomware attack against its operations in the United States. While COSCO vessels’ schedules and its North American operations were not severely impacted, telecommunication systems such as emails and phones at a number of COSCO sites, including the Pier J terminal at the Port of Long Beach, were affected. To solve the issue, the Chinese state-owned shipping conglomerate resorted to unconventional solutions such as setting up a Yahoo email account temporarily as an alternative to their corporate email to communicate with customers. To book cargo, customers had to use an Electronic Data Interchange (EDI) channel, book online or send an email to the Yahoo email account.

Despite the IT issues, COSCO’s vessels operating in the North American region were mostly on schedule, as vessel documentation is already exchanged electronically days before a vessel reaches port, which reduced the impact. Nevertheless, the cyber attack did hinder documentation processing, and delivery delays at US ports were reported as data exchange was conducted via email rather than through the web-based system. Cargo owners and truckers also reported delays in container receipt.

On July 25, reports suggested that the attack had spread to the company’s operations in the United Kingdom and Turkey, though exact details of the impact were not specified. COSCO’s customer communication on July 26 reported that locations in Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay had also experienced network issues, indicating the escalation of the IT problems. To mitigate further propagation, COSCO shut down its connections with the other regions by isolating them from the Shanghai server in China.

COSCO’s regular operations resumed after a week. On July 30, COSCO announced that all communication channels had been restored, while the public mailbox for customer services and the company’s hazardous cargo booking were still suspended. As of September 10, 2018, COSCO had not publicly stated the financial damages it incurred from the attack. By comparison, in June 2017 the NotPetya ransomware attack cost the Maersk shipping line between USD 250 and 300 million (EUR 216 million to 260 million), as the international carrier’s global network was forced to halt operations at many port terminals around the world. That COSCO was able to recover within a short time without a large-scale impact indicates that the damage may not be as high as Maersk’s; COSCO did not have to replace thousands of servers and computers in the aftermath of the attack as Maersk did. Nevertheless, the threat of cyber attacks against shipping and logistics firms looms as the industry transitions towards digitally enhanced supply chain activities.

Figure 02: COSCO locations affected by the ransomware attack July 2018

Data vulnerability exposed at Level One Robotics

On July 20, 2018, the New York Times reported that a Canadian robotics firm exposed over 157 gigabytes of sensitive data from over 100 manufacturers by storing it on a publicly accessible server (rsync). The implicated company was Level One Robotics and Controls Inc., an engineering service provider specializing in process automation and assembly. According to various media reports, the company stored more than 10 years’ worth of sensitive information, such as production, personnel and financial data, from over 10 automakers including Volkswagen, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp on an online server that was not restricted by IP or user. The type of data exposed included:

Data exposed by Level One Robotics and Controls Inc.
– Assembly line schematics
– Factory floor plans and layouts
– Robotic configurations and documentation
– ID badge request forms
– VPN access request forms
– Non-disclosure agreements
– Personal details of Level One employees, including scans of driver’s licenses and passports
– Level One business data, including invoices, contracts and bank account details

The vulnerability was discovered by UpGuard, an Australian cybersecurity company, which noted that documents such as those for requesting ID badges and VPN credentials are particularly useful for social engineering attacks (i.e. phishing, baiting or tailgating). Although the data that Level One Robotics stored in the server did not include employees’ passwords, the combination of official forms and personal information could be used by attackers to gain access to restricted facilities.

Industry experts agree that the Level One Robotics data breach is an example of a fundamental misunderstanding of security around internet-facing systems. There were no IP-based access controls in place and no username/password requirements, meaning that the content was downloadable by anyone with an rsync client who could connect to the rsync port. Moreover, the permissions set on Level One Robotics’ rsync server indicated that it was publicly writable, meaning that a malicious actor could potentially have altered financial documents or embedded malware.
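The three weaknesses described above (no source-IP restriction, no authentication, and a writable module) are all settings in the rsync daemon’s configuration file. The following audit script is an added example, not code from the report, Level One or UpGuard: it parses a constructed rsyncd.conf in the exposed form beside a hardened form and lists the findings a defender would want flagged before the service is reachable from the internet. The module name, paths and network range are hypothetical.

```python
"""Audit an rsyncd.conf for the exposure pattern seen in the Level One case.

Added example, not code from the report. The configuration texts are
constructed for illustration; module names, paths and addresses are made up.
"""
import re

# Constructed: a daemon module with the weaknesses the report describes
# (no IP restriction, no authentication, writable).
EXPOSED_CONF = """
[backups]
    path = /srv/backups
    comment = engineering backups
    read only = no
"""

# Constructed: the same module limited to an internal range, requiring an
# authenticated user, read-only, and not advertised in module listings.
HARDENED_CONF = """
[backups]
    path = /srv/backups
    comment = engineering backups
    read only = yes
    hosts allow = 10.20.0.0/16
    hosts deny = *
    auth users = backup-svc
    secrets file = /etc/rsyncd.secrets
    list = no
"""


def parse_rsyncd_conf(text):
    """Return {module_name: {key: value}} for each [module] section.

    Keys are lower-cased and stripped so 'read only' and 'Read Only' compare
    equal. Settings before the first section header go under the global
    module '' and are inherited by every module.
    """
    modules = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # rsyncd.conf uses '#' comments
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            modules.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules


def audit_module(name, settings, global_settings):
    """Return a list of finding strings for one module.

    Unspecified module settings fall back to the global section, and then to
    the rsync daemon defaults (all hosts allowed, anonymous, read only = yes,
    list = yes).
    """
    def get(key, default):
        return settings.get(key, global_settings.get(key, default))

    findings = []
    hosts_allow = get("hosts allow", "")
    if not hosts_allow or hosts_allow.strip() == "*":
        findings.append(f"{name}: no 'hosts allow' restriction; any source IP may connect")
    if not get("auth users", ""):
        findings.append(f"{name}: no 'auth users'; module is anonymous")
    elif not get("secrets file", ""):
        findings.append(f"{name}: 'auth users' set but no 'secrets file'")
    if get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append(f"{name}: 'read only = no'; clients could overwrite or plant files")
    if get("list", "yes").lower() in ("yes", "true", "1"):
        findings.append(f"{name}: module name is advertised to remote clients")
    return findings


def audit_rsyncd_conf(text):
    """Audit every module in a config text; an empty list means no findings."""
    modules = parse_rsyncd_conf(text)
    global_settings = modules.get("", {})
    findings = []
    for name, settings in modules.items():
        if name:  # skip the global pseudo-module
            findings.extend(audit_module(name, settings, global_settings))
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_rsyncd_conf(conf) or ["no findings"]:
            print(" ", finding)
```

The exposed configuration yields four findings and the hardened one none; restricting the source range alone would still leave the module anonymous and writable, which is why each check is reported separately.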

This kind of data breach represents a significant risk for supply chains not only because manufacturers want to keep sensitive information confidential, but also because employee data often contains sensitive information as well. Using the information contained in the files Level One Robotics stored in rsync, attackers could potentially sabotage or undermine operations, or competitors could use this information to gain an unfair advantage. Similarly, Level One put employees’ information at risk, including scans of state IDs and driver’s licenses. These kinds of documents should never be publicly exposed, because they can be used for malicious purposes such as identity theft and other types of fraud.

Ransomware attack on TSMC

Another notorious cyber attack involving an OEM occurred as recently as August 7, when Apple’s chip supplier Taiwan Semiconductor Manufacturing Corporation (TSMC) was affected by the WannaCry malware. The attack affected fabrication tools at the world’s largest maker of made-to-order chips, and the company was forced to stop production of its chipsets for three days. The disruption caused delays in the shipments of chips for Apple’s new iPhones and iPads, knocking close to 3% (estimated at about USD 171 million) off TSMC’s quarterly revenue.

In a public statement, TSMC blamed the infection of its computer systems on mismanagement during the software installation process for new equipment. The company confirmed that the new equipment was not first isolated and confirmed to be virus-free, allowing the virus to spread as soon as the equipment was connected to the company network.

WannaCry, the malware used in this attack, is one of the most dangerous pieces of malware seen in the history of the Windows OS. It operates by locking down machines and prompting system owners to pay a ransom to regain access. While Microsoft had patched Windows against the WannaCry malware, systems at the chipmaker had not been updated to the patched version of Windows, which allowed the attack to succeed. WannaCry was first seen in May of the previous year, and it is estimated that over 300,000 computers were affected in over 150 countries.

Cyber-sabotage in which hackers interfere with physical assets, like the incident suffered by TSMC, is one of the easiest ways to affect global companies. This is a risk that is expected to grow in the near future as cloud computing expands and millions of machines, sensors and other electronic devices are connected to the internet. Targets of cyber-sabotage could range from consumer products, such as self-driving cars or household robots, to industrial plants. As demonstrated by the TSMC case, it is not difficult for an individual or an organization to use a ransom virus to demand money from a company. Small to medium-sized companies are especially vulnerable to this type of threat because they usually do not have the most advanced technologies to protect their systems.

Stages of a Cyber Attack

The types of possible cyber attacks and potential targets lead to a wide range of implications for businesses. In order to understand these implications and potential mitigation measures, it is important to understand the different stages involved in a supply chain cyber attack:

Figure 03: Stages of a Cyber Attack. Source: Lockheed Martin (2015)

As seen in the figure above, a malicious actor starts by collecting information on a specific organization or company (reconnaissance), such as schematics, business emails, and the source code of internal applications. Once information is collected, the next step is to assemble the virus, bug, or malware (weaponization). Then, the attack is sent to the target organization (delivery), which could take the form of a phishing email, a hardware or software vulnerability unknown to the user or manufacturer, or a brute force entry through a weak point in the network. The next step is for the malware to open the door or break the locks to get in (exploitation), which can be done through stolen credentials, an end user unknowingly granting permission, or trying password combinations until the right one is found. Once access to the company’s network has been gained, the virus, bug, or malware is placed inside (installation), either by pre-programmed code containing the source location or through remote access by the bad actor. Finally, after the malware is installed, the last step is to have it phone home through a network port programmed by its author (command and control) and accomplish whatever the attacker chooses (actions on objectives), which could range from data theft to ransomware installation.

One of the key characteristics of a cyber attack affecting a company’s supply chain is that the closer a target is to being hit, the more visible the threat becomes, and therefore the easier it is to discover. The challenge, however, is the ever-increasing need to mitigate threats before they escalate, which requires nonstop improvement in cyber defense. This involves not only a firm’s initial organizational set-up, but also the need to defend any IT applications on an ongoing basis to ensure continuity of service. Therefore, supply chain managers should monitor the earliest indications of malicious cyber activity, learn about attacks sustained by their suppliers and industry peers, and maintain a bird’s-eye view of their supply chain in the context of cyberspace in order to address threats before they grow.

Impacts

Operational impacts

Perhaps the most immediate implication of a cyber incident is its effect on the ability of daily operations to function at a normal pace. Ransomware can typically impact daily operations to the point of severely disabling production lines, with resumption through contingency plans being an optimistic approach at best. If the issue persists beyond a day, the cost of reconstruction, resumption and making up for lost time can be expensive, such as the USD 300 million lost by Maersk during the WannaCry attack in 2017.

There are three basic types of operational impacts that a company and its supply chain can sustain from a cyber attack. One is the loss of real capital, such as intellectual property or data crucial to the organizations’ functions that will have an immediate and tangible loss. Another is the loss of communication, where due to anything from ransomware to disabled servers, a firm will lose revenue by virtue of its inability to access customers and the outside world. The final one is the loss of supply chain control, where through breaches at suppliers and transportation hubs, organizations are unable to perform normal operations, and thus lose revenue.

Companies face the most immediate challenges in the first hours and days of a cyber security incident, where visibility is crucial to the decision making that reassures customers and provides for continuity of operations. The ability to monitor one’s supply chain and take the most immediate decision can make the difference in terms of customer satisfaction and impact to the bottom line.

Reputational impacts

In addition to the operational risks posed by cyber threats, the reputational risks borne as a result of a cyber attack can be deleterious when it becomes known outside of an organization. The risks can range from exposure as a vulnerable entity, and therefore a ripe target for further attacks, to distrust and skepticism by customers, thus adversely impacting future business. A PwC survey of British firms in 2015 revealed that of firms reporting a cyber attack’s damage to reputation, 57% of the damage was due to media coverage and customer complaints.

Once a cyber attack occurs, the response time and the immediate actions taken are critical not only to an organization’s operations but also to the firm’s reputation. Organizations are normally judged on their approach to a crisis. The stakes of losing the trust of customers and stakeholders are high if an organization does not handle the attack appropriately, particularly if it involves large volumes of sensitive data. As seen in the graph below, the total costs of a data breach can easily reach seven figures, with a significant loss of reputation after the disclosure of an attack.

Figure 04: Average Total Cost of Data Breaches in 2018. Source: Ponemon Institute and IBM Security, 2018 Cost of a Global Data Breach

It is important to note that the pharmaceutical, technology, energy, and industrial industries typically bear a higher per capita cost when it comes to data breaches. As the graph below shows, the industries that face the greatest challenges in the discovery and mitigation of cyber issues are predominantly the consumer and transportation industries. On average, companies in the consumer industry take 194 days to identify a cyber threat after it initially hits the organization and 82 days to counter it, while the transportation industry takes 192 days for identification and 60 days for mitigation. Meanwhile, the energy sector takes an average of 150 days to identify a cyber threat and 72 days to counter it.

Figure 05: Mean times to identify and counter cyber threats by industry (# of days). Source: Ponemon Institute and IBM Security, 2018 Cost of a Global Data Breach

Legal impacts

A third source of risk associated with cyber attacks is the increasing legal and regulatory scrutiny faced by firms that have fallen victim to these types of incidents. Today, firms face a dilemma between disclosing the occurrence of an attack, as customers wish, and withholding it to prevent further trade secret exposure beyond what has already occurred. This challenge has been compounded by regulations that place the burden on firms. Such regulations include the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. GDPR mandates that any organization that suffers a data breach must notify the authorities as well as any affected parties within 72 hours. A failure to do so could result in a fine of EUR 20 million (USD 23.15 million) for non-compliance.

In the United States, all 50 states and the District of Columbia maintain their own data breach regulations. A flagship of these regulations is California’s Consumer Privacy Act, which makes companies liable for consumer data breaches and sets a liability cap of USD 750 per consumer per breach and a USD 7,500 fine by the California Attorney General for intentional invasions of privacy. Aside from these, should the Federal Trade Commission determine that a firm is derelict in its duty to protect consumer data, the compensatory measures can include burdens that range from mandated CISSP audits to multi-million dollar fines, such as the USD 100 million fine faced by Lifelock for violating a consent order.

Recommendations

To prevent and manage cyber risks, firms are advised to have a response plan which includes implementing risk control processes to detect threats in the early stages:

  1. Identify risks: Determine which vendors or third party entities may have access to your firewall and could have the highest impact to your organization in the event of a cyber attack. When selecting possible vendors to work with, it is best to consider the amount of sensitive data that the vendor is handling, such as personally identifiable data, protected health information or financial transactions such as bill payments, etc. and assess suitable measures needed to ensure data security.
  2. Monitor incidents: As cyber threats continuously evolve and news reports of cyber incidents become known, assessing and understanding events impacting the vendors or third party entities that your organization works with is a continuous effort. The ability to persistently monitor one’s supply chain and the cyber threat environment will be the best determinant of responding adequately to a cyber incident.
  3. Assess potential impacts: Organizations should be aware of potential impact on their business operations and assess the areas of vulnerability from multiple angles so as to understand the areas that are likely to be hit first. By understanding the risks to your supply chain through the strength of your network, ability to counter a hack, recover, and evaluate exposure, one may strengthen the supply chain as a whole.
  4. Develop risk scenarios: Develop potential threat scenarios and plan accordingly to different situations with the resources required on what the impact would be for a particular risk. Response processes that include technology and human intelligence analysis are likely to be required. Protocols and emergency response teams should be established and understood by all parties once the cyber attack unfolds.
  5. Response actions: Once a threat has been identified, it is imperative to investigate the matter and cascade information in a timely manner to all relevant authorities. Once it is confirmed, organizations should pro-actively inform affected internal and external stakeholders, and activate and deploy internal and external emergency response teams to rectify the issue.

In addition to having a response plan in place, companies should follow three overarching principles that can best prepare them for potential vulnerabilities in the supply chains in the context of cyberspace: a) Accepting the inevitability of an attack, b) Ensuring continuous monitoring, and c) Communicating across one’s supply chain to ensure a consistent standard.

Adoption of such principles is of invaluable assistance in crafting a strategy, and below are some commonly used best-practices that may assist in network defense.

  • Protection and encryption of remotely stored data: As seen with the Level One incident, protecting remotely stored data will greatly reduce the risk of sensitive material being compromised in the event of a breach, and if encrypted, will provide even further protection beyond the scope of what is within one’s power. This is especially necessary when organizations share data with their suppliers.
  • Segment your networks: As exemplified in July 2018, good network segmentation can make the difference in operation, recovery, and cost between a COSCO and a Maersk. By ensuring a common understanding of segmentation in your organization and in that of your suppliers, risks can be significantly diminished.
  • Thorough auditing of suppliers and planning for accidental or intentional manipulation: Develop custom software and network configurations, where possible, that account for accidental or intentional manipulation or disclosure. Conducting these exercises with suppliers can ensure readiness in the face of an uncertain cyber threat environment.
  • Preparation of multiple backup options: The establishment of backup means of communication and operation through a formalized continuity plan can make all the difference in operations mid-breach; even more preferable would be a contingency employing internal and non-open source tools.

Cyber-attacks are one of the biggest threats to supply chains for the future to come, and one that is expected to worsen with time. With mitigation as early as possible serving as the credo for businesses, persistent monitoring, awareness, and communication will be crucial to remain on top in this new threat environment. As such, businesses should seize the earliest opportunity to incorporate supply chain visibility and cyber incident monitoring tools into their daily operations to stay abreast of developments.

Appendix

| Affected Entity | Date (2018) | Location | Description | Category |
|---|---|---|---|---|
| United States Postal Service | November 8 | United States | Cybercriminals hijacking informed delivery feature to steal financial data of users | Ground shipper |
| Correios | November 6 | Brazil | Phishing emails sent in Correios’s name to elicit sensitive information | Ground shipper |
| Aerospace manufacturers | November 2 | Russia, Iran, Egypt | Hackers used cyber weapons called Danderspritz and Fuzzbunch to hijack aerospace manufacturer servers | Manufacturer |
| Honeywell | November 2 | US | Discovery of Stuxnet, WannaCry, and Mirai infection of B2B-distributed USB drives | Manufacturer |
| Ingerop | November 2 | France | French nuclear power plant contractor breached of sensitive data relevant to Fressenheim plant | Manufacturer |
| Bluetooth chip manufacturers | November 1 | US | Vulnerabilities discovered in Bluetooth chips made by TI, Cisco, and Aruba leaving IoT devices open to hacking | Manufacturer |
| Cisco | November 1 | US | Cisco remote access tools have been exploited to propagate a Denial-of-Service (DoS) attack | Manufacturer |
| Austal Ltd | November 1 | Australia | Shipbuilder suffered breach of data management systems, believed with the intent of extortion | Manufacturer |
| Iranian infrastructure and strategic networks | October 31 | Iran | New variant of Stuxnet worm threatens Iranian critical infrastructure in a similar manner as its 2010 manifestation | Various |
| Arik Air | October 31 | Nigeria | Data storage deficiencies lead to the disclosure of 994 .csv files worth of all sources of proprietary data | Airport / Airline |
| Telecrane F25 Crane Controller | October 29 | Taiwan | Critical vulnerability discovered in port crane controllers by ICS-CERT | Manufacturer |
| South Korean infrastructure construction firms | October 18 | South Korea | APT 1 activated an 8-year-old dormant implant to seize control of target systems to steal financial data | Manufacturer |
| Italian maritime industry | October 17 | Italy | Spear phishing campaign activating 8-year-old vulnerabilities to steal sensitive trade documents | Manufacturer |
| Medtronic | October 12 | US | FDA issued alert related to discovered vulnerability in Medtronic pacemakers | Manufacturer |
| Teledyne Controls and Airbus | October 11 | US | Several vulnerabilities discovered in aircraft flight analysis software revealing client data | Manufacturer |
| Managed Service Providers | October 5 | US | Advanced Persistent Threat 10 (APT10) using spear phishing to conduct espionage on logistics providers | Blanket Cyber Security Warning |
| Port of San Diego | September 27 | US | Port registry sites and the Harbor Police are brought offline by a ransomware attack | Seaport / Shipping Line |
| Cisco products | September 25 | US | Linux-using Cisco IT products vulnerable to a new Denial-of-Service bug | Manufacturer |
| Infrastructure construction firm | September 24 | India | Infrastructure construction firm in Bengaluru hit in data breach | Manufacturer |
| Newegg | September 21 | US | Newegg customers’ financial data compromised by cyber gang’s point-of-sale hack | Retailer |
| Port of Barcelona | September 20 | Spain | Goods reception system at Port of Barcelona brought offline by cyber attack | Seaport / Shipping Line |
| Smeg UK | September 18 | UK | Data breach compromises personally identifiable information at Smeg corporate headquarters | Manufacturer |
| Bristol Airport | September 16 | UK | Ransomware blacks out screens at Bristol Airport | Airport / Airline |
| British Airways | September 7 | UK | 380,000 payments affected in breach of British Airways’ mobile app and website | Airport / Airline |
| Middle East governments and businesses | August 14 | Israel, Lebanon, Saudi Arabia | Multifaceted Iranian threat actor seen targeting the petrochemical, shipping, and electrical sectors | Various entities |
| TSMC | August 6 | Taiwan | Virus causes production shutdown of Apple supplier | Manufacturer |
| COSCO Shipping Lines | August 1 | US | An IT outage at the COSCO office at the Port of Long Beach reverberated throughout its parallel Americas, UK and Turkish offices | Seaport / Shipping Line |
| COSCO Shipping Lines in Argentina, Chile, Canada, Turkey, Peru, Brazil, and Panama | August 1 | Argentina, Chile, Canada, Turkey, Peru, Brazil, and Panama | Residual restoration of service issues remain in the wake of the spread of ransomware that disabled the customer facing end of COSCO’s website | |
| National Cyber Security Centre | July 25 | UK | Blanket warning of phishing campaign targeting transportation and supply firms | Blanket Cyber Security Warning |
| National Counterintelligence and Security Center | July 25 | US | Blanket warning of brute force campaigns against the supply chains of biotechnology, energy, defense, environmental protection, high-end manufacturing, and IT firms | Blanket Cyber Security Warning |
| Federal Bureau of Investigation | July 23 | US | Blanket warning of broad ransomware campaign on actors ranging from household to government | Blanket Cyber Security Warning |
| Durban Container Terminal | July 23 | South Africa | Fraudulent emails circulated to employees of port operator impersonating bank soliciting personally identifiable and financial information | Seaport / Shipping Line |
| Level One Robotics & Controls | July 20 | Canada | An intrusion into an unprotected backup yielded the blueprints for several major auto manufacturers | Manufacturer |
| Aviation ID | July 20 | Australia | Breach of aviation security card company places access to Australian airports at risk | Airport / Airline |
| UK & EU supply companies | July 17 | UK | A large-scale phishing campaign targeted supply companies to forge purchase orders to steal goods | Various entities |
| Major international airport | July 13 | US | Breach of a major international airport’s security credentials led to sale for possible ransomware purposes | Airport / Airline |
| Tesla | June 19 | US | Insider threat resulted in manufacturing operating system intrusion | Manufacturer |
| Tabriz International Airport | June 7 | Iran | Non-state hackers breach internal messaging system at Tabriz International Airport | Airport / Airline |
| Rail Europe North America | May 15 | US | Data breach compromising financial and personally identifiable information of customers | Railway Company |

Annex 1: Cyber Attack Incidents since May 2018, as reported by Everstream Analytics.
