Daily Northern


European shipping companies targeted in cyberattacks linked to China-based group Mustang Panda

Tuesday 9th 2024 on 19:25 in Norway

Several European shipping companies, including those from Norway, have recently faced attempted cyberattacks involving malware-infected memory sticks, NRK reports. The series of attacks began in January when a USB stick containing malicious software was plugged into a computer on a Norwegian freight ship. These cyber incidents are believed to be part of a coordinated espionage campaign orchestrated by Mustang Panda, a hacker group associated with China. This marks the first known instance of a China-linked hacker group targeting commercial shipping operations. It is suspected that not all affected shipping companies have identified or reported similar intrusion attempts, leaving room for undisclosed cases.

The initial alert was raised in January on a Norwegian freight ship when a USB stick carrying harmful software was connected to a computer located on the ship’s bridge. This action triggered an alarm at Eset, a global provider of digital security solutions, which managed to intercept the threat. Subsequent alerts were received by Eset in Greece on two separate occasions involving Greek freight ships and later in the Netherlands during March, April, and May. Additional alerts were also reported in Greece in mid-May and early June.

Oslo’s port, serving as Norway’s largest container terminal, plays a crucial role in handling consumer goods nationwide. The recent cyber incidents have shed light on the vulnerability of Norwegian freight ships to hacking attempts.

Alexandre Côté Cyr, a malware researcher at Eset, confirmed that their security measures successfully thwarted all attacks against their European clients. However, there is a possibility that other ships or companies might have been targeted similarly but remain undetected or unreported. According to Eset's findings, this is the first instance of a China-linked hacker group focusing on disrupting commercial shipping operations. Mustang Panda, known for engaging in cyber espionage, likely aimed to extract confidential information through these attacks using the Korplug malware, a tool previously associated with their cyber campaigns.

Korplug is an advanced form of malware used in targeted cyber intrusions, functioning as a backdoor trojan that grants unauthorized access to compromised systems. It has been previously linked to Chinese APT organizations involved in cyber offensives against various institutions globally. Familiarity with this type of malware made it possible to prevent these attacks.

Richard Utne, who heads the maritime security department at the Norwegian Coastal Administration, believes that the threat actor’s objective was to target multiple ships or company structures within the maritime sector. With Norway being the world’s fourth-largest shipping nation, it is a plausible target for such cyber threats.

The maritime industry in Norway holds significant economic importance, influencing shipyards, equipment suppliers, and other related sectors. The sector’s critical role in the economy makes it an attractive target for espionage activities seeking to gain a competitive advantage globally.

In response to these cyber incidents, collaboration between authorities like the Norwegian Coastal Administration and the Directorate of Shipping and cybersecurity companies like Norma Cyber has been crucial. Norma Cyber provided support and technical analysis following malware incidents at two Norwegian shipping companies.

The source of these infected memory sticks remains uncertain; however, experts suggest scenarios where compromised USB sticks might have unknowingly been brought on board by individuals with legitimate access to the ships. The Chinese embassy in Oslo responded to inquiries concerning the cyberattacks, emphasizing China’s stance against cybersecurity threats while also urging vigilance against misinformation and political manipulation in handling such incidents.