Officials at the U.S. Coast Guard (USCG) have reported a ransomware intrusion at a facility regulated under the Maritime Transportation Security Act (MTSA).
The malware, identified as Ryuk ransomware, may have entered the MTSA facility's network via an email phishing campaign, officials said.
“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files. The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations,” officials said in the marine safety alert released Dec. 16.
The facility suffered a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems. These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted. Forensic analysis is currently ongoing.
At a minimum, the USCG said the following measures may have prevented or limited the breach and decreased the time for recovery:
• Intrusion detection and intrusion prevention systems to monitor real-time network traffic
• Industry standard and up to date virus detection software
• Centralized and monitored host and server logging
• Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
• Up-to-date IT/OT network diagrams
• Consistent backups of all critical files and software
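The segmentation and centralized-logging items above are easiest to make concrete with a check a practitioner could actually run. The following is an added example, not code from the USCG alert or from the facility, that applies the stated rule (IT systems must not reach the OT environment) to network flow records of the kind a centralized logging pipeline or IDS would collect. The address plan, the jump-host exception, the approved ports and the sample flow lines are all constructed here for illustration and are not taken from the alert.

```python
"""
Added example (not from the USCG alert): flag network flows that cross
from the corporate IT segment into the OT (cargo-transfer control) segment.

Assumptions, all constructed for this example:
  - IT lives in 10.10.0.0/16, OT in 10.20.0.0/16
  - one hardened jump host (10.10.5.5) may reach OT, on SSH/RDP only
  - flow records are "timestamp src dst dport proto", one per line
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

IT_NET = ip_network("10.10.0.0/16")            # hypothetical corporate IT range
OT_NET = ip_network("10.20.0.0/16")            # hypothetical ICS/OT range
JUMP_HOSTS = frozenset({ip_address("10.10.5.5")})  # only IT hosts allowed into OT
OT_ALLOWED_PORTS = frozenset({22, 3389})       # and only via SSH or RDP

# Constructed sample flow records (not real facility data).
SAMPLE_FLOWS = """\
2020-01-01T03:12:44Z 10.10.5.5   10.20.1.10 22   tcp
2020-01-01T03:13:02Z 10.10.77.31 10.20.1.10 445  tcp
2020-01-01T03:13:05Z 10.10.77.31 10.20.1.11 3389 tcp
2020-01-01T03:14:10Z 10.10.77.31 10.10.80.2 445  tcp
2020-01-01T03:15:00Z 10.20.1.10  10.20.1.12 502  tcp
2020-01-01T03:15:30Z 10.10.5.5   10.20.1.10 445  tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), int(dport), proto.lower())


def zone(addr: IPv4Address) -> str:
    """Map an address to the segment it belongs to."""
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "other"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow breaks the IT->OT policy, else None."""
    if zone(flow.src) == "IT" and zone(flow.dst) == "OT":
        if flow.src not in JUMP_HOSTS:
            return "IT host reached OT directly (not an approved jump host)"
        if flow.dport not in OT_ALLOWED_PORTS:
            return f"jump host used non-approved port {flow.dport}"
    return None


Violation = Tuple[str, str, str, int, str]


def check_flows(text: str) -> List[Violation]:
    """Run the policy over a block of flow records; return the violations in order."""
    violations: List[Violation] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow.ts, str(flow.src), str(flow.dst), flow.dport, reason))
    return violations


if __name__ == "__main__":
    for ts, src, dst, dport, reason in check_flows(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}:{dport}  {reason}")
```

In the constructed sample, the first flow (jump host to OT over SSH) passes, the two flows from an ordinary IT workstation into OT are flagged, and the jump host itself is flagged when it opens SMB (445) into OT. A real deployment would feed this from the centralized host and server logs the alert recommends and alert on the first violation rather than print a batch.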