Tech-savvy pirates once breached the servers of a global shipping company to locate the exact vessel and cargo containers they wanted to plunder, according to a new report from Verizon’s cybersecurity team.
“They’d board the vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate — and that crate only — and then depart the vessel without further incident,” says the report, Verizon’s Data Breach Digest.
Verizon released the report detailing 18 case studies among hundreds its RISK Team (Research, Investigations, Solutions, and Knowledge) investigated ahead of a talk on Tuesday at the RSA Conference, one of the world’s largest information security conferences.
While piracy is a common problem for global shipping, the unnamed company contacted RISK after a group of pirates started acting differently than in the past. Usually, pirates would capture a vessel, then hold its crew hostage until a ransom was paid.
But this group instead would board a ship and then leave soon after, leaving the company suspicious. As usual, the pirates would board the ship and herd the crew into one area. But a few hours later, the crew would come out and they would be gone, with only certain cargo containers opened.
As Verizon’s investigation uncovered, the pirates had uploaded malicious software onto the company’s content management system, allowing them to access data such as bills of lading for future shipments. With this information, the hackers would know exactly where to look on the ships they were after.
While more sophisticated than your average pirates, they made plenty of mistakes that ultimately made them easier to stop. The pirates didn’t use proxies to hide their network address, and they sent all of their commands over the web in plain text, which allowed RISK to get a clear picture of every command they had ever issued.
“These threat actors, while given points for creativity, were clearly not highly skilled,” the report says. “For instance, we found numerous mistyped commands and observed the threat actors constantly struggled with the compromised servers.”
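Because the attackers used no proxies and issued their commands over the web in plain text, ordinary web server access logs were enough to reconstruct the whole command history per source address. The following is an added example, not code from the report or from Verizon's RISK Team: it parses a few constructed access-log lines and groups the decoded commands by requesting IP. The log lines, the IP addresses and the assumption that the web shell took its command in a query parameter named `cmd` (or `exec`/`command`) are all invented for illustration; the report does not say how the shell was driven.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (NOT from the Verizon report). They assume a
# web shell that accepts its command in a query parameter named "cmd". IPs are from
# documentation ranges; the third request carries a mistyped command on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2016:03:12:41 +0000] "GET /cms/uploads/img.php?cmd=ls+-la+/var/www/cms/uploads HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Feb/2016:03:14:02 +0000] "GET /cms/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:15:09 +0000] "GET /cms/uploads/img.php?cmd=cat+/srv/cms/exports/bills_of_lading.csv HTTP/1.1" 200 40231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2016:03:16:30 +0000] "GET /cms/uploads/img.php?cmd=grpe+container+bills_of_lading.csv HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Common/combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query-parameter names assumed (hypothetically) to carry a shell command.
COMMAND_PARAMS = ("cmd", "exec", "command")


def extract_commands(log_text):
    """Return (ip, timestamp, decoded_command) for every request carrying a command parameter.

    parse_qs percent-decodes and turns '+' into spaces, so the result is the
    command exactly as the attacker typed it, typos included.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m["target"]).query)
        for name in COMMAND_PARAMS:
            for value in query.get(name, []):
                findings.append((m["ip"], m["ts"], value))
    return findings


def commands_by_source(log_text):
    """Group decoded commands by requesting IP, preserving order.

    With no proxy in front of the attacker, one source address ties the whole
    session together, which is what made the activity easy to reconstruct and
    the address easy to block afterwards.
    """
    by_ip = defaultdict(list)
    for ip, _ts, cmd in extract_commands(log_text):
        by_ip[ip].append(cmd)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, cmds in commands_by_source(SAMPLE_LOG).items():
        print(ip)
        for cmd in cmds:
            print("   ", cmd)
```

Run against real logs, the same grouping gives an investigator the ordered list of every command per address; the ordinary CMS request from `198.51.100.22` is ignored because it carries no command parameter. Over HTTPS the parameter would still be visible in the server's own access log, so the check depends on log retention rather than on the attacker's choice of transport.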
Once the pirates’ methods were uncovered, the company shut down the compromised servers, changed passwords, and blocked the attackers’ IP addresses.